Audit Log Event Schema

This topic describes the Confluent Cloud audit log event schema, which is based on CloudEvents.

Compatibility policy

Confluent will make non-breaking changes to the schema without advance notice. Breaking changes will be widely communicated at least 180 days in advance, and we will continue to maintain compatibility during this time. Exceptions to this policy apply in case of critical security vulnerabilities or functional defects. Refer to Confluent Cloud Release Notes for the latest feature updates.

Confluent considers the following changes to be backwards-compatible:

  • Adding new properties to existing models
  • Changing the order of properties
  • Changing the length or format of opaque strings like identifiers
  • Introducing new possible values for a property where the existing schema does not constrain to a particular set of possible values
  • Introducing new event types with their own data format constraints independent of the data format constraints of existing event types
  • Omitting properties with null values, or any property that is not explicitly declared as required in the schema
  • Omitting or changing the wording of values that appear in message properties

Audit Log Schema Examples

Successful authentication to a Kafka cluster using API key

{
    "type": "io.confluent.kafka.server/authentication",
    "data": {
        "methodName": "kafka.Authentication",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "authenticationInfo": {
            "principal": "User:123456",
            "metadata": {
                "mechanism": "SASL_SSL/PLAIN",
                "identifier": "MAIDSRFG53RXYTKR"
            }
        },
        "result": {
            "status": "SUCCESS",
            "message": ""
        }
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}

Failed authentication to a Kafka cluster using API key

{
    "type": "io.confluent.kafka.server/authentication",
    "data": {
        "methodName": "kafka.Authentication",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "authenticationInfo": {
            "principal": "User:123456",
            "metadata": {
                "mechanism": "SASL_SSL/PLAIN",
                "identifier": "MAIDSRFG53RXYTKR"
            }
        },
        "result": {
            "status": "UNAUTHENTICATED",
            "message": "Bad password for user MAIDSRFG53RXYTKR"
        }
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}

Successful authentication to a Kafka cluster using interactive token

{
    "type": "io.confluent.kafka.server/authentication",
    "data": {
        "methodName": "kafka.Authentication",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "authenticationInfo": {
            "principal": "User:123456",
            "metadata": {
                "mechanism": "SASL_SSL/OAUTHBEARER",
                "identifier": "123456"
            }
        },
        "result": {
            "status": "SUCCESS",
            "message": ""
        }
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}

Failed authentication to a Kafka cluster using interactive token

{
    "type": "io.confluent.kafka.server/authentication",
    "data": {
        "methodName": "kafka.Authentication",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "authenticationInfo": {
            "principal": "None:UNKNOWN_USER",
            "metadata": {
                "mechanism": "SASL_SSL/OAUTHBEARER",
                "identifier": "654321"
            }
        },
        "result": {
            "status": "UNAUTHENTICATED",
            "message": "The principal 654321's logical cluster lkc-a1b2c is not hosted on this broker."
        }
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}

Authorization to alter topic configurations allowed

{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "methodName": "kafka.AlterConfigs",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": true,
            "operation": "AlterConfigs",
            "resourceType": "Topic",
            "resourceName": "departures",
            "patternType": "LITERAL",
            "superUserAuthorization": true
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        }
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}

Authorization to create ACL rules on a Kafka cluster allowed

{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "methodName": "kafka.CreateAcls",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": true,
            "operation": "Alter",
            "resourceType": "Cluster",
            "resourceName": "kafka-cluster",
            "patternType": "LITERAL",
            "superUserAuthorization": true
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        }
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}

Authorization to add partitions to topic not allowed

{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "methodName": "kafka.CreatePartitions",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": false,
            "operation": "Alter",
            "resourceType": "Topic",
            "resourceName": "departures",
            "patternType": "LITERAL",
            "superUserAuthorization": false
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        }
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}

Authorization to create any topic on a Kafka cluster allowed

{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "methodName": "kafka.CreateTopics",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": true,
            "operation": "Create",
            "resourceType": "Cluster",
            "resourceName": "kafka-cluster",
            "patternType": "LITERAL",
            "superUserAuthorization": true
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        }
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}

Authorization to create a specific topic allowed

{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "methodName": "kafka.CreateTopics",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": true,
            "operation": "DescribeConfigs",
            "resourceType": "Topic",
            "resourceName": "departures",
            "patternType": "LITERAL",
            "superUserAuthorization": true
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        }
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}

Authorization to create a specific topic not allowed

{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "methodName": "kafka.CreateTopics",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": false,
            "operation": "Create",
            "resourceType": "Topic",
            "resourceName": "departures",
            "patternType": "LITERAL",
            "superUserAuthorization": false
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        }
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}

Authorization to delete ACL rules from a Kafka cluster allowed

{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "methodName": "kafka.DeleteAcls",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": true,
            "operation": "Alter",
            "resourceType": "Cluster",
            "resourceName": "kafka-cluster",
            "patternType": "LITERAL",
            "superUserAuthorization": true
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        }
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}

Authorization to delete consumer group allowed

{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "methodName": "kafka.DeleteGroups",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/group=delivery-estimator",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": true,
            "operation": "Delete",
            "resourceType": "Group",
            "resourceName": "delivery-estimator",
            "patternType": "LITERAL",
            "superUserAuthorization": false,
            "aclAuthorization": {
                "host": "*",
                "permissionType": "ALLOW"
            }
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        }
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}

Authorization to delete records from topic allowed

{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "methodName": "kafka.DeleteRecords",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=foo-KSTREAM-REPARTITION-0000000016-repartition",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": true,
            "operation": "Delete",
            "resourceType": "Topic",
            "resourceName": "foo-KSTREAM-REPARTITION-0000000016-repartition",
            "patternType": "LITERAL",
            "superUserAuthorization": true
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        }
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}

Authorization to delete topic allowed based on prefix match

{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "methodName": "kafka.DeleteTopics",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures-2021-01-01",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": true,
            "operation": "Delete",
            "resourceType": "Topic",
            "resourceName": "departures-",
            "patternType": "PREFIX",
            "superUserAuthorization": false,
            "aclAuthorization": {
                "permissionType": "ALLOW",
                "host": "*"
            }
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        }
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}

Authorization to alter cluster configurations allowed based on super user

{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "methodName": "kafka.IncrementalAlterConfigs",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": true,
            "operation": "AlterConfigs",
            "resourceType": "Cluster",
            "resourceName": "kafka-cluster",
            "patternType": "LITERAL",
            "superUserAuthorization": true
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        }
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}

Authorization to alter topic configurations allowed based on ACL

{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "methodName": "kafka.IncrementalAlterConfigs",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": true,
            "operation": "AlterConfigs",
            "resourceType": "Topic",
            "resourceName": "departures",
            "patternType": "LITERAL",
            "superUserAuthorization": false,
            "aclAuthorization": {
                "permissionType": "ALLOW",
                "host": "*"
            }
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        }
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}

Authorization to delete consumer group offsets not allowed

{
    "type": "io.confluent.kafka.server/authorization",
    "data": {
        "methodName": "kafka.OffsetDelete",
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/group=delivery-estimator",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": false,
            "operation": "Delete",
            "resourceType": "Group",
            "resourceName": "delivery-estimator",
            "patternType": "LITERAL",
            "superUserAuthorization": false
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        }
    },
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "time": "2021-01-01T12:34:56.789Z",
    "datacontenttype": "application/json",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "specversion": "1.0"
}

Authorization to create a Kafka cluster

{
  "data": {
    "serviceName": "crn://confluent.cloud/",
    "methodName": "mds.Authorize",
    "resourceName": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/environment=env-1ab2c",
    "authenticationInfo": {
      "principal": "User:u-1abc2d"
    },
    "authorizationInfo": {
      "granted": true,
      "operation": "CreateCloudCluster",
      "resourceType": "Environment",
      "resourceName": "environment",
      "patternType": "LITERAL",
      "rbacAuthorization": {
        "role": "OrganizationAdmin",
        "scope": {
          "outerScope": [
            "organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
          ],
          "clusters": {}
        }
      }
    }
  },
  "id": "f07bdde7-c633-41c9-abab-5ff3539e9967",
  "source": "crn://confluent.cloud/",
  "specversion": "1.0",
  "type": "io.confluent.kafka.server/authorization",
  "datacontenttype": "application/json",
  "subject": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/environment=env-1ab2c",
  "time": "2021-06-07T18:49:40.331Z"
}

Authorization to create an API key

{
  "data": {
    "serviceName": "crn://confluent.cloud/",
    "methodName": "mds.Authorize",
    "resourceName": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/cloud-api-key=%2A",
    "authenticationInfo": {
      "principal": "User:u-1abc2d"
    },
    "authorizationInfo": {
      "granted": true,
      "operation": "Create",
      "resourceType": "CloudApiKey",
      "resourceName": "*",
      "patternType": "LITERAL",
      "rbacAuthorization": {
        "role": "OrganizationAdmin",
        "scope": {
          "outerScope": [
            "organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
          ],
          "clusters": {}
        }
      }
    }
  },
  "id": "87d5f2fe-b642-48e2-95cc-fafe87160288",
  "source": "crn://confluent.cloud/",
  "specversion": "1.0",
  "type": "io.confluent.kafka.server/authorization",
  "datacontenttype": "application/json",
  "subject": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/cloud-api-key=%2A",
  "time": "2021-06-07T18:57:09.348Z"
}

Authorization to delete an API key

{
  "data": {
    "serviceName": "crn://confluent.cloud/",
    "methodName": "mds.Authorize",
    "resourceName": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/cloud-api-key=238661",
    "authenticationInfo": {
      "principal": "User:u-4vmx7p"
    },
    "authorizationInfo": {
      "granted": true,
      "operation": "Delete",
      "resourceType": "CloudApiKey",
      "resourceName": "238661",
      "patternType": "LITERAL",
      "rbacAuthorization": {
        "role": "OrganizationAdmin",
        "scope": {
          "outerScope": [
            "organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
          ],
          "clusters": {}
        }
      }
    }
  },
  "id": "20441c90-7d42-428c-a52e-40f6d1d46c59",
  "source": "crn://confluent.cloud/",
  "specversion": "1.0",
  "type": "io.confluent.kafka.server/authorization",
  "datacontenttype": "application/json",
  "subject": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/cloud-api-key=238661",
  "time": "2021-06-07T18:54:30.928Z"
}

Authorization to update billing information

{
  "data": {
    "serviceName": "crn://confluent.cloud/",
    "methodName": "mds.Authorize",
    "resourceName": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/billing=payment-info",
    "authenticationInfo": {
      "principal": "User:u-c1mv02"
    },
    "authorizationInfo": {
      "granted": true,
      "operation": "Alter",
      "resourceType": "Billing",
      "resourceName": "payment-info",
      "patternType": "LITERAL",
      "rbacAuthorization": {
        "role": "OrganizationAdmin",
        "scope": {
          "outerScope": [
            "organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
          ],
          "clusters": {}
        }
      }
    }
  },
  "id": "08503aa2-e712-436b-ad8e-5fb7f46e99b5",
  "source": "crn://confluent.cloud/",
  "specversion": "1.0",
  "type": "io.confluent.kafka.server/authorization",
  "datacontenttype": "application/json",
  "subject": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/billing=payment-info",
  "time": "2021-06-15T02:21:41.251Z"
}

Authorization to create a role binding

{
  "data": {
    "serviceName": "crn://confluent.cloud/",
    "methodName": "mds.Authorize",
    "resourceName": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/environment=env-j123c/cloud-cluster=lkc-abc12/security-metadata=security-metadata",
    "authenticationInfo": {
      "principal": "User:u-a1bc23"
    },
    "authorizationInfo": {
      "granted": true,
      "operation": "Alter",
      "resourceType": "SecurityMetadata",
      "resourceName": "security-metadata",
      "patternType": "LITERAL",
      "rbacAuthorization": {
        "role": "OrganizationAdmin",
        "scope": {
          "outerScope": [
            "organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
          ],
          "clusters": {}
        }
      }
    }
  },
  "id": "cc4f82c9-4794-4cb6-a2ad-d4d9a38a4ab1",
  "source": "crn://confluent.cloud/",
  "specversion": "1.0",
  "type": "io.confluent.kafka.server/authorization",
  "datacontenttype": "application/json",
  "subject": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/environment=env-j123c/cloud-cluster=lkc-abc12/security-metadata=security-metadata",
  "time": "2021-06-15T02:28:03.769Z"
}
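
The compatibility policy and the example events above together define what a consumer of these logs may rely on. The following Python sketch is an added example, not Confluent code: it triages events by type, result.status and authorizationInfo.granted while tolerating added, reordered and omitted properties. The SENSITIVE_* sets, the labels, futureField and the ".../future" event type are assumptions made for illustration.

```python
import json
from collections import Counter

AUTHN = "io.confluent.kafka.server/authentication"
AUTHZ = "io.confluent.kafka.server/authorization"
REQUIRED = ("id", "source", "specversion", "type")  # top-level "required" in the schema

# Assumption: what counts as "sensitive" is local policy; these values are
# taken from the example events on this page.
SENSITIVE_METHODS = {"kafka.CreateAcls", "kafka.DeleteAcls"}
SENSITIVE_RESOURCE_TYPES = {"CloudApiKey", "SecurityMetadata"}


def _obj(parent, key):
    """Return parent[key] when it is an object, else {} (omitted or null property)."""
    value = parent.get(key)
    return value if isinstance(value, dict) else {}


def triage(raw):
    """Classify one serialized audit event as (label, principal, detail)."""
    try:
        ev = json.loads(raw)
    except json.JSONDecodeError:
        return ("malformed", None, "not JSON")
    if not isinstance(ev, dict) or not all(
        isinstance(ev.get(k), str) and ev[k] for k in REQUIRED
    ):
        return ("malformed", None, "required attribute missing")
    data = _obj(ev, "data")
    authn = _obj(data, "authenticationInfo")
    principal = authn.get("principal")
    if ev["type"] == AUTHN:
        # Decide on result.status only; result.message wording may change or vanish.
        status = _obj(data, "result").get("status")
        identifier = _obj(authn, "metadata").get("identifier")  # opaque string
        labels = {"SUCCESS": "authn_ok", "UNAUTHENTICATED": "authn_failed"}
        return (labels.get(status, "authn_other"), principal, identifier)
    if ev["type"] == AUTHZ:
        info = _obj(data, "authorizationInfo")
        detail = "{} on {}".format(data.get("methodName"), data.get("resourceName"))
        if info.get("granted") is False:
            return ("authz_denied", principal, detail)
        if info.get("granted") is True and (
            data.get("methodName") in SENSITIVE_METHODS
            or info.get("resourceType") in SENSITIVE_RESOURCE_TYPES
        ):
            return ("authz_sensitive", principal, detail)
        return ("authz_other", principal, detail)
    # New event types are a non-breaking change: surface them, do not crash.
    return ("unknown_type", principal, ev["type"])


def summarize(raw_events):
    """Count labels across a batch of serialized events."""
    return Counter(triage(raw)[0] for raw in raw_events)


# Constructed sample records, trimmed from the examples on this page.
# "futureField" and the ".../future" type are hypothetical.
_KAFKA = "crn://confluent.cloud/kafka=lkc-a1b2c"
_ORG = "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
_BASE = {"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37", "specversion": "1.0",
         "source": _KAFKA}


def _event(event_type, data, **extra):
    """Serialize a constructed event; key order deliberately differs from the page."""
    return json.dumps({"data": data, **extra, "type": event_type, **_BASE})


SAMPLES = [
    # Failed API key authentication with result.message omitted.
    _event(AUTHN, {"authenticationInfo": {"principal": "User:123456",
                                          "metadata": {"identifier": "MAIDSRFG53RXYTKR"}},
                   "result": {"status": "UNAUTHENTICATED"}}),
    # Successful authentication carrying an unknown extra property.
    _event(AUTHN, {"authenticationInfo": {"principal": "User:123456"},
                   "result": {"status": "SUCCESS", "message": ""}}, futureField=1),
    # Denied request to add partitions to a topic.
    _event(AUTHZ, {"methodName": "kafka.CreatePartitions",
                   "resourceName": _KAFKA + "/topic=departures",
                   "authenticationInfo": {"principal": "User:123456"},
                   "authorizationInfo": {"granted": False, "resourceType": "Topic"}}),
    # Granted API key creation.
    _event(AUTHZ, {"methodName": "mds.Authorize",
                   "resourceName": _ORG + "/cloud-api-key=%2A",
                   "authenticationInfo": {"principal": "User:u-1abc2d"},
                   "authorizationInfo": {"granted": True, "resourceType": "CloudApiKey"}}),
    # Event type this code has never seen.
    _event("io.confluent.kafka.server/future", {}),
    # Record without the required id, source and specversion.
    '{"type": "io.confluent.kafka.server/authentication"}',
]

if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLES).items()):
        print(label, count)
```
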

Full audit log event schema

Following is the full audit log event schema:

{
    "$schema": "http://json-schema.org/draft-07/schema#",
    "type": "object",
    "description": "This is v1 of the Confluent cloud audit log event schema. It is based on CloudEvents. Links to the latest version can be found at https://docs.confluent.io/cloud/current/access-management/audit-logs.html. Confluent will make non-breaking changes to the schema without advance notice. Breaking changes will be widely communicated at least 180 days in advance, and we will continue to maintain compatibility during this time. Exceptions to this policy apply in case of critical security vulnerabilities or functional defects. Check the above web page for links to our announcement channels and details about our compatibility policy.",
    "properties": {
        "id": {
            "type": "string",
            "minLength": 1,
            "description": "Uniquely identifies the event.",
            "examples": ["c72a3d0c-e6f3-4196-9b49-a835614452df"]
        },
        "specversion": {
            "type": "string",
            "minLength": 1,
            "description": "The version of the CloudEvents specification which the event uses.",
            "examples": ["1.0"]
        },
        "source": {
            "type": "string",
            "format": "uri-reference",
            "minLength": 1,
            "description": "Identifies the context in which an event happened.",
            "examples": [
                "crn://confluent.cloud",
                "crn://confluent.cloud/kafka=lkc-a1b2c",
                "crn:///kafka=lkc-a1b2c"
            ]
        },
        "subject": {
            "type": ["string","null"],
            "minLength": 1,
            "description": "Identifies the resource that would be affected by the event.",
            "examples": [
                "crn:///kafka=lkc-a1b2c",
                "crn://confluent.cloud/kafka=lkc-a1b2c",
                "crn://confluent.cloud/kafka=lkc-xyz01/topic=departures",
                "crn://confluent.cloud/kafka=lkc-xyz01/group=delivery-estimator"
            ]
        },
        "type": {
            "type": "string",
            "minLength": 1,
            "description": "Describes the type of event.",
            "examples": [
                "io.confluent.kafka.server/authentication",
                "io.confluent.kafka.server/authorization"
            ]
        },
        "time": {
            "type": ["string", "null"],
            "format": "date-time",
            "minLength": 1,
            "description": "Timestamp of when the occurrence happened. Adheres to RFC 3339.",
            "examples": [
                "2020-12-06T13:39:03Z",
                "2020-12-06T13:39:03.123Z"
            ]
        },
        "datacontenttype": {
            "type": ["string","null"],
            "description": "Content type of the data value. Adheres to RFC 2046 format.",
            "minLength": 1,
            "examples": [
                "application/json"
            ]
        },
        "dataschema": {
            "type": ["string", "null"],
            "format": "uri",
            "minLength": 1,
            "description": "Identifies the schema that data adheres to. Currently unused."
        },
        "data": {
            "type": "object",
            "description": "Additional details about the audited occurrence.",
            "properties": {
                "serviceName": {
                    "type": "string",
                    "description": "The resource identifier of the service (the source) that received the request being logged.",
                    "examples": [
                        "crn://confluent.cloud",
                        "crn://confluent.cloud/kafka=lkc-a1b2c",
                        "crn:///kafka=lkc-a1b2c"
                    ]
                },
                "resourceName": {
                    "type": "string",
                    "description": "The resource identifier of the target (subject) of the request",
                    "examples": [
                        "crn:///kafka=lkc-a1b2c",
                        "crn://confluent.cloud/kafka=lkc-a1b2c",
                        "crn://confluent.cloud/kafka=lkc-xyz01/topic=departures",
                        "crn://confluent.cloud/kafka=lkc-xyz01/group=delivery-estimator"
                    ]
                },
                "request": {
                    "type": ["object","null"],
                    "description": "Unordered map of dynamically typed values.",
                    "additionalProperties": {
                        "type": ["array","boolean","number","object","string","null"]
                    }
                },
                "requestMetadata": {
                    "type": ["object","null"],
                    "description": "Unordered map of dynamically typed values.",
                    "additionalProperties": {
                        "type": ["array","boolean","number","object","string","null"]
                    }
                },
                "result": {
                    "type": ["object","null"],
                    "description": "Unordered map of dynamically typed values.",
                    "additionalProperties": {
                        "type": ["array","boolean","number","object","string","null"]
                    }
                }
            }
        }
    },
    "required": [
        "id",
        "source",
        "specversion",
        "type"
    ],
    "allOf": [
        {
            "if": {
                "required": ["type"],
                "properties": {
                    "type": { "const": "io.confluent.kafka.server/authentication" }
                }
            },
            "then": {
                "properties" : {
                    "data": {
                        "type": "object",
                        "description": "Additional details about the authentication check.",
                        "properties": {
                            "methodName": {
                                "type": "string",
                                "description": "The type of request being logged.",
                                "examples": [
                                    "kafka.Authentication"
                                ]
                            },
                            "authenticationInfo": {
                                "type": "object",
                                "properties": {
                                    "principal": {
                                        "type": "string",
                                        "description": "Identifies the authenticated principal.",
                                        "examples": [
                                            "User:12345",
                                            "None:UNKNOWN_USER"
                                        ]
                                    },
                                    "metadata": {
                                        "type": "object",
                                        "properties": {
                                            "mechanism": {
                                                "type": "string",
                                                "description": "Authentication mechanism.",
                                                "examples": [
                                                    "SASL_SSL/PLAIN",
                                                    "SASL_SSL/OAUTHBEARER"
                                                ]
                                            },
                                            "identifier": {
                                                "type": "string",
                                                "description": "Identifies the numeric user ID or API key supplied by the requester.",
                                                "examples": [
                                                    "MAIDSRFG53RXYTKR",
                                                    "12345"
                                                ]
                                            }
                                        }
                                    }
                                }
                            },
                            "requestMetadata": {
                                "type": "object",
                                "properties": {
                                    "client_address": {
                                        "type": "string",
                                        "description": "Ignore this field until further notice. The address of the client making the request. This field may be missing, or even if present, have an unhelpful value."
                                    }
                                }
                            },
                            "result": {
                                "type": "object",
                                "properties": {
                                    "status": {
                                        "type": "string",
                                        "examples": [
                                            "SUCCESS",
                                            "UNAUTHENTICATED"
                                        ]
                                    },
                                    "message": {
                                        "type": "string",
                                        "description": "Indicates the result status."
                                    }
                                }
                            }
                        }
                    }
                }
            }
        },
        {
            "if": {
                "required": ["type"],
                "properties": {
                    "type": { "const": "io.confluent.kafka.server/authorization" }
                }
            },
            "then": {
                "properties": {
                    "data": {
                        "type": "object",
                        "properties": {
                            "methodName": {
                                "type": "string",
                                "description": "The type of request being logged.",
                                "examples": [
                                    "kafka.AlterConfigs",
                                    "kafka.CreateAcls",
                                    "kafka.CreateTopics",
                                    "kafka.DeleteAcls",
                                    "kafka.DeleteGroups"
                                ]
                            },
                            "authenticationInfo": {
                                "type": "object",
                                "properties": {
                                    "principal": {
                                        "type": "string",
                                        "description": "Identifies the authenticated principal that made the request.",
                                        "examples": [
                                            "User:12345"
                                        ]
                                    }
                                }
                            },
                            "authorizationInfo": {
                                "type": "object",
                                "properties": {
                                    "granted": {
                                        "type": "boolean",
                                        "description": "The result of the authorization check."
                                    },
                                    "operation": {
                                        "type": "string",
                                        "description": "Identifies the operation being checked for authorization.",
                                        "examples": [
                                            "Alter",
                                            "AlterConfigs",
                                            "Create",
                                            "Delete",
                                            "DescribeConfigs"
                                        ]
                                    },
                                    "resourceType": {
                                        "type": "string",
                                        "description": "The type of the resource being checked for authorization.",
                                        "examples": [
                                            "Cluster",
                                            "Group",
                                            "Topic"
                                        ]
                                    },
                                    "resourceName": {
                                        "type": "string",
                                        "description": "The resource name of the checked authorization rule.",
                                        "examples": [
                                            "kafka-cluster",
                                            "delivery-estimator",
                                            "departures"
                                        ]
                                    },
                                    "patternType": {
                                        "type": "string",
                                        "description": "The pattern, LITERAL or PREFIX, used to match the resource against the authorization rule.",
                                        "examples": [
                                            "LITERAL",
                                            "PREFIX"
                                        ]
                                    },
                                    "aclAuthorization": {
                                        "type": "object",
                                        "description": "Details about an ACL rule.",
                                        "properties": {
                                            "permissionType": {
                                                "type": "string",
                                                "examples": [
                                                    "ALLOW",
                                                    "DENY"
                                                ]
                                            },
                                            "host": {
                                                "type": "string",
                                                "description": "Host to which the ACL rule applies, usually wildcard (*).",
                                                "examples": ["*"]
                                            }
                                        }
                                    },
                                    "rbacAuthorization": {
                                        "type": "object",
                                        "properties": {
                                            "role": {
                                                "type": "string",
                                                "description": "The role the action was authorized for",
                                                "examples": [
                                                    "OrganizationAdmin",
                                                    "EnvironmentAdmin",
                                                    "CloudClusterAdmin",
                                                    "MetricsViewer"
                                                ]
                                            },
                                            "scope": {
                                                "type": "object",
                                                "properties": {
                                                    "outerScope": {
                                                        "type": "array",
                                                        "description": "The path elements in the outer scopes with the outermost first",
                                                        "items": {
                                                            "type": "string"
                                                        }
                                                    }
                                                },
                                                "description": "The scope the action was authorized in"
                                            }
                                        }
                                    },
                                    "superUserAuthorization": {
                                        "type": "boolean",
                                        "description": "If true, access was authorized because principal is a super-user."
                                    }
                                }
                            },
                            "request": {
                                "type": "object",
                                "properties": {
                                    "clientId": {
                                        "type": "string",
                                        "description": "This is a user-supplied identifier for the client application. The user can use any identifier they like. This ID acts as a logical grouping across all requests from a particular client.",
                                        "examples": [
                                            "invoice-processor-admin",
                                            "adminclient-42",
                                            "the-replicator"
                                        ]
                                    },
                                    "correlationId": {
                                        "type": "string",
                                        "description": "This is a user-supplied integer. It will be passed back in the response by the server, unmodified. It is useful for matching request and response between the client and server."
                                    }
                                }
                            },
                            "requestMetadata": {
                                "type": "object",
                                "properties": {
                                    "client_address": {
                                        "type": "string",
                                        "description": "Ignore this field until further notice. The address of the client making the request. This field may be missing, or even if present, have an unhelpful value."
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    ]
}
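
The following is an added example, not part of Confluent's documentation or code: a minimal triage pass over audit log events that flags failed authentications, denied authorizations and super-user grants using only properties declared in the schema above. The function names (triage, scan), the finding labels, and the rule that any status other than SUCCESS counts as a failure are assumptions; the sample events are constructed.

```python
import json

AUTHN = "io.confluent.kafka.server/authentication"
AUTHZ = "io.confluent.kafka.server/authorization"

def triage(event):
    """Return (finding, principal, detail) for an event worth review, else None."""
    # Only id, source, specversion and type are required, so every other
    # property is read with a default instead of being indexed directly.
    data = event.get("data") or {}
    authn = data.get("authenticationInfo") or {}
    principal = authn.get("principal", "unknown")
    if event.get("type") == AUTHN:
        status = (data.get("result") or {}).get("status")
        # Assumption: any status other than SUCCESS is a failed attempt.
        if status is not None and status != "SUCCESS":
            return ("authn_failure", principal, (authn.get("metadata") or {}).get("identifier", ""))
    elif event.get("type") == AUTHZ:
        info = data.get("authorizationInfo") or {}
        target = "{} {}:{}".format(info.get("operation"), info.get("resourceType"), info.get("resourceName"))
        if info.get("granted") is False:
            return ("authz_denied", principal, target)
        if info.get("superUserAuthorization") is True:
            return ("superuser_grant", principal, target)
    # requestMetadata.client_address is never read: the schema says to ignore it.
    return None

def scan(lines):
    """Parse JSON-encoded events and return the findings, skipping benign ones."""
    return [f for f in (triage(json.loads(line)) for line in lines) if f]

# Constructed sample events (not real log data), using the schema's example values.
SAMPLE_LINES = [json.dumps(e) for e in [
    {"type": AUTHN, "data": {"authenticationInfo": {"principal": "None:UNKNOWN_USER",
        "metadata": {"mechanism": "SASL_SSL/PLAIN", "identifier": "MAIDSRFG53RXYTKR"}},
        "result": {"status": "UNAUTHENTICATED"}}},
    {"type": AUTHN, "data": {"authenticationInfo": {"principal": "User:12345"},
        "result": {"status": "SUCCESS", "message": ""}}},
    {"type": AUTHZ, "data": {"authenticationInfo": {"principal": "User:12345"},
        "authorizationInfo": {"granted": False, "operation": "Delete",
        "resourceType": "Topic", "resourceName": "departures", "patternType": "LITERAL"}}},
    {"type": AUTHZ, "data": {"authenticationInfo": {"principal": "User:12345"},
        "authorizationInfo": {"granted": True, "operation": "AlterConfigs",
        "resourceType": "Cluster", "resourceName": "kafka-cluster",
        "superUserAuthorization": True}}},
    {"type": "io.confluent.example/not-in-this-schema"},  # hypothetical future type
]]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding)
```

Event types the code does not recognize pass through without a finding, so a consumer written this way keeps working when new event types or properties are introduced under the compatibility policy.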