Audit Log Event Categories on Confluent Cloud
Confluent Cloud audit logs capture event records from auditable event methods for the following event categories. For details on the auditable event methods, click the event category name.
For conceptual information about audit logs, see Audit Log Concepts on Confluent Cloud.
Note
Resource types indicate the scope at which the audited event occurs (for example, topic-level, cluster-level, and organization-level).
Event type reference
For quick reference, here are all the event types used in Confluent Cloud audit logs:
Event type | Service | Description |
|---|---|---|
| Kafka | User or service account sign-in attempts to Kafka clusters |
| Kafka | Permission checks for Kafka operations (produce, consume, admin) |
| Kafka | Administrative operations on Kafka clusters (topics, ACLs, cluster linking) |
| Schema Registry | User or service account sign-in attempts to Schema Registry clusters |
| Schema Registry | Permission checks for Schema Registry operations |
| Schema Registry | Schema management operations (create, update, delete schemas) |
| ksqlDB | User or service account sign-in attempts to ksqlDB clusters |
| ksqlDB | Permission checks for ksqlDB stream processing operations |
| Flink | User or service account sign-in attempts to Flink regions and clusters |
| Flink | Permission checks for Flink SQL statements and workspace access |
| Flink, Tableflow, Organization | Organization and resource management operations |
| Organization | Organization-level authorization checks (for example, IP filters) |
| Access Transparency | Confluent personnel access to customer resources for support, maintenance, or operational purposes |
Kafka cluster event categories
Kafka cluster event categories capture authentication, authorization, and management operations performed on Kafka clusters. These events track user and service account access, permission checks, and administrative operations like topic creation and ACL management.
Event category | Event type | Resource type | Description |
|---|---|---|---|
| n/a | User and service account authentication to Kafka clusters | |
|
| Authorization checks for Kafka operations (produce, consume, admin) | |
|
| Administrative operations like creating topics, managing ACLs, cluster linking | |
|
| Role-based access control authorization for cluster resources |
Note
Kafka authentication events show “n/a” for resource type because authentication occurs at the cluster connection level, before any resource-specific operations. Once authenticated, subsequent operations (authorization, management) operate on specific resource types like Topic, Cluster, or Group.
Schema Registry cluster event categories
Schema Registry cluster event categories capture authentication, authorization, and management operations performed on Schema Registry clusters. These events track access to schema operations and schema lifecycle management activities.
Event category | Event type | Resource type | Description |
|---|---|---|---|
|
| Authentication to Schema Registry clusters | |
|
| Authorization checks for schema operations | |
|
| Schema management operations (create, update, delete schemas) |
ksqlDB cluster event categories
ksqlDB cluster event categories capture authentication and authorization operations performed on ksqlDB clusters. These events track access to stream processing operations and SQL statement execution.
Event category | Event type | Resource type | Description |
|---|---|---|---|
|
| Authentication to ksqlDB clusters | |
|
| Authorization checks for stream processing operations |
Flink cluster event categories
Flink cluster event categories capture authentication, authorization, and management operations performed on Flink regions and clusters. These events track access to Flink SQL statements, workspace operations, and resource management.
Event category | Event type | Resource type | Description |
|---|---|---|---|
|
| Authentication to Flink regions and clusters | |
|
| Authorization checks for Flink SQL statements and workspace access | |
|
| Management of Flink resources (regions, compute pools, workspaces, statements) |
Tableflow event categories
Tableflow event categories capture various operations related to data lake management and table operations. These events track catalog integration, topic management, data plane operations, and OAuth authentication for Tableflow services.
Event category | Event type | Resource type | Description |
|---|---|---|---|
|
| Integration with external catalog systems (for example, AWS Glue) | |
|
| Creating, updating, and managing Tableflow topics | |
|
| Data plane catalog operations for Iceberg tables and namespaces | |
|
| OAuth authentication and authorization for Tableflow | |
|
| Data plane signing operations for secure access | |
|
| Tableflow topic enablement, configuration, and lifecycle management |
Access Transparency event categories
Access Transparency event categories capture when Confluent personnel access customer resources for support, maintenance, or operational purposes. These events provide visibility into privileged access for compliance and transparency requirements.
For an overview of Access Transparency, see Access Transparency on Confluent Cloud.
Event category | Event type | Resource type | Description |
|---|---|---|---|
|
| Confluent personnel access to customer resources for support, maintenance, or operational purposes |
Organization event categories
Organization events are split into separate sections due to the large number of management operations.
Note
Users may attempt to authorize a task solely to find out if they can perform the task, and not follow through with it. In these instances, the authorization is still captured in the audit log.
Organization management and operations
The following subcategories represent different resource types and their associated operations (create, read, update, delete):
Access Management
Event subcategory | Event type | Resource type | Description |
|---|---|---|---|
|
| API key management operations | |
|
| Identity pool management operations | |
|
| Identity provider management operations | |
|
| RBAC management operations | |
|
| Service account management operations | |
|
| SSO connection management operations | |
|
| User account management operations | |
|
| User invitation management operations |
Infrastructure and Resources
Event subcategory | Event type | Resource type | Description |
|---|---|---|---|
|
| Connector management operations | |
|
| Custom connector plugin management operations | |
|
| Environment management operations | |
|
| Kafka cluster management operations | |
|
| ksqlDB cluster management operations | |
|
| Schema Registry cluster management operations |
Networking
Event subcategory | Event type | Resource type | Description |
|---|---|---|---|
|
| DNS forwarder management operations | |
|
| Network management operations | |
|
| Peering connection management operations | |
|
| Private link access management operations | |
|
| Private link attachment management operations | |
|
| Private link attachment connection management operations | |
|
| Transit gateway attachment management operations |
Services and Integrations
Event subcategory | Event type | Resource type | Description |
|---|---|---|---|
|
| Billing management operations | |
|
| Marketplace entitlement management operations | |
|
| Notification integration management operations | |
|
| Notification subscription management operations | |
|
| Notification type management operations | |
|
| Sign-in attempt tracking operations |