Security Metrics

This topic describes JMX metrics related to Kafka security features, including audit logging, authorization, RBAC, and LDAP. These metrics are useful for monitoring security and access control in your Kafka cluster.

For information about how to configure JMX, see Configure JMX for Monitoring.

Audit metrics

These audit metrics are specific to Confluent Enterprise. For information about how audit logging works, see Audit Log Concepts in Confluent Platform.

audit-log-fallback-rate-per-minute

MBean: confluent-audit-metrics:name=audit-log-fallback-rate-per-minute

The rate of audit log fallback entries per minute. If the audit logging mechanism tries to write to the audit log Kafka topic and does not succeed for any reason, it writes the JSON audit log message to log4j instead. A sustained non-zero value therefore means audit events are accumulating in broker log files rather than in the topic, and anything that consumes the audit topic is missing those events until the topic becomes writable again.

audit-log-rate-per-minute

MBean: confluent-audit-metrics:name=audit-log-rate-per-minute

The number of audit log entries created per minute. Compare it with audit-log-fallback-rate-per-minute to see what fraction of entries are reaching the audit topic rather than falling back to log4j.

authentication-audit-log-failure-rate

MBean: confluent-audit-metrics:name=authentication-audit-log-failure-rate

The number of authentication audit log failure entries per second.

authentication-audit-log-rate

MBean: confluent-audit-metrics:name=authentication-audit-log-rate

The number of authentication audit log entries created per second.

authorization-audit-log-failure-rate

MBean: confluent-audit-metrics:name=authorization-audit-log-failure-rate

The number of authorization audit log failure entries per second.

authorization-audit-log-rate

MBean: confluent-audit-metrics:name=authorization-audit-log-rate

The number of authorization audit log entries created per second.

kafka-request-event-audit-log-failure-rate

MBean: confluent-audit-metrics:name=kafka-request-event-audit-log-failure-rate

The number of Kafka request event audit log failure entries per second.

kafka-request-event-audit-log-rate

MBean: confluent-audit-metrics:name=kafka-request-event-audit-log-rate

The number of Kafka request event audit log entries per second.

Authorizer metrics

The following metrics are exposed by Confluent Server. For more about Confluent Server Authorizer, see Configure Confluent Server Authorizer in Confluent Platform.

authorization-allowed-rate-per-minute

MBean: confluent-authorizer-metrics:name=authorization-allowed-rate-per-minute

The number of authorizations allowed per minute. Read it alongside authorization-denied-rate-per-minute: a drop in the allowed rate with no matching drop in traffic usually means a policy change has started denying requests that used to succeed.

authorization-denied-rate-per-minute

MBean: confluent-authorizer-metrics:name=authorization-denied-rate-per-minute

The number of authorizations denied per minute. A sudden rise in denials typically indicates either a misconfigured client or a principal probing for access it does not have; correlate it with the authorization audit log to identify the principals and resources involved.

authorization-request-rate-per-minute

MBean: confluent-authorizer-metrics:name=authorization-request-rate-per-minute

The number of authorization requests per minute. Together with the allowed and denied rates, this gives the share of requests being denied, which is a more stable signal to alert on than the raw denied count when traffic volume varies.

authorizer-authorization-latency-p90

MBean: confluent-authorizer-metrics:name=authorizer-authorization-latency-p90

The 90th percentile, in milliseconds, of the time requests spend in the authorization process.

authorizer-authorization-latency-p99

MBean: confluent-authorizer-metrics:name=authorizer-authorization-latency-p99

The 99th percentile, in milliseconds, of the time requests spend in the authorization process. Because every request passes through the authorizer, this latency adds directly to the request latency clients observe.

RBAC and LDAP metrics

The following metrics are relevant when Role-Based Access Control (RBAC) and LDAP integration are enabled. They monitor the health of the metadata service and the synchronization of ACLs or roles.

acl-access-rules-count

MBean: kafka.server:type=confluent-auth-store-metrics:name=acl-access-rules-count

The number of ACL access rules defined. Because ACLs are only created or deleted through administrative actions, an unexpected change in this count is worth investigating.

active-writer-count

MBean: confluent.metadata:type=KafkaAuthStore,name=active-writer-count

The number of active writers in the metadata cluster. Alert if the sum across the brokers of the metadata cluster is anything other than one, because there should be exactly one writer: zero means no broker is currently writing metadata updates, and more than one means two brokers both consider themselves the writer.

failure-start-seconds-ago

MBean: confluent.metadata:type=LdapGroupManager,name=failure-start-seconds-ago

The number of seconds since the last failed attempt to process metadata from the LDAP server. This is reset to zero on the next successful metadata refresh. This metric is available on brokers in the metadata cluster if LDAP group-based authorization is enabled. Alert if the value is greater than zero.

metadata-status

MBean: confluent.metadata:type=KafkaAuthStore,name=metadata-status,topic=([-.\w]+),partition=([0-9]+)

The current status of metadata on each metadata topic partition. The value may be UNKNOWN, INITIALIZING, INITIALIZED or FAILED. Alert if any partition reports FAILED.

rbac-access-rules-count

MBean: kafka.server:type=confluent-auth-store-metrics:name=rbac-access-rules-count

The number of RBAC access rules defined. This metric is useful in cases where you need to know the exact number of RBAC access rules that exist. Access rules allow or deny access to specific resources within a specific scope, unlike role bindings, which assign an RBAC role for a specific resource to a specific principal.

rbac-role-bindings-count

MBean: kafka.server:type=confluent-auth-store-metrics Attribute: rbac-role-bindings-count

The number of role bindings defined. This metric is useful in cases where you need to know the exact number of role bindings that exist.

reader-failure-start-seconds-ago

MBean: confluent.metadata:type=KafkaAuthStore,name=reader-failure-start-seconds-ago

The number of seconds since the last failure in the consumer that processes authentication or authorization metadata from the topics in the metadata cluster. This is reset to zero after the next successful metadata refresh. This metric is available on all brokers configured to use RBAC. Alert if the value is greater than zero.

record-error-rate

MBean: confluent.metadata:type=KafkaAuthStore,name=record-error-rate,topic=([-.\w]+),partition=([0-9]+)

The average number of failed record send attempts per second to the metadata topic partitions.

record-send-rate

MBean: confluent.metadata:type=KafkaAuthStore,name=record-send-rate,topic=([-.\w]+),partition=([0-9]+)

The average number of records sent per second to the metadata topic partitions.

remote-failure-start-seconds-ago

MBean: confluent.metadata:type=KafkaAuthStore,name=remote-failure-start-seconds-ago

The number of seconds since the last failure in the metadata service, for example because LDAP refreshes have been failing for a long time. This is reset to zero when a notification of a successful refresh from the metadata service is processed. This metric is available on all brokers configured to use RBAC. Alert if the value is greater than zero.

writer-failure-start-seconds-ago

MBean: confluent.metadata:type=KafkaAuthStore,name=writer-failure-start-seconds-ago

The number of seconds since the last failure in the writer that updates authentication or authorization metadata on topics in the metadata cluster. This is reset to zero after the next successful metadata update. This metric is available on brokers in the metadata cluster. Alert if the value is greater than zero.
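As an added example (not part of this page and not Confluent code), the following Python turns the alert conditions stated in the Audit, Authorizer, and RBAC/LDAP sections above into one checker and runs it over constructed readings. It assumes a JMX poller has already produced (broker, ObjectName, value) triples; the sample values, the placeholder topic name, and the denied-ratio and p99 latency limits are assumptions for illustration, not figures from the page. The rules that come from the page are the non-zero fallback rate, the failure-start-seconds-ago metrics being greater than zero, a FAILED metadata-status partition, and active-writer-count summing to anything other than one.

```python
"""Alert checks over the security JMX metrics described on this page.

Added example, not Confluent code. Readings are (broker, ObjectName,
value) triples as any JMX poller could supply them. The sample values,
the topic name, and the two authorizer thresholds are assumptions.
"""
from typing import Dict, List, NamedTuple, Sequence, Tuple, Union

Value = Union[int, float, str]
Reading = Tuple[str, str, Value]

TOPIC = "metadata-topic"  # placeholder topic name, not taken from the page

# Constructed sample, not captured from a real cluster.
SAMPLE_READINGS: List[Reading] = [
    ("broker-1", "confluent-audit-metrics:name=audit-log-rate-per-minute", 1200.0),
    ("broker-1", "confluent-audit-metrics:name=audit-log-fallback-rate-per-minute", 0.0),
    ("broker-2", "confluent-audit-metrics:name=audit-log-rate-per-minute", 980.0),
    ("broker-2", "confluent-audit-metrics:name=audit-log-fallback-rate-per-minute", 15.0),
    ("broker-1", "confluent-authorizer-metrics:name=authorization-request-rate-per-minute", 5000.0),
    ("broker-1", "confluent-authorizer-metrics:name=authorization-denied-rate-per-minute", 40.0),
    ("broker-1", "confluent-authorizer-metrics:name=authorizer-authorization-latency-p99", 12.0),
    ("broker-2", "confluent-authorizer-metrics:name=authorization-request-rate-per-minute", 5000.0),
    ("broker-2", "confluent-authorizer-metrics:name=authorization-denied-rate-per-minute", 600.0),
    ("broker-2", "confluent-authorizer-metrics:name=authorizer-authorization-latency-p99", 75.0),
    ("broker-1", "confluent.metadata:type=KafkaAuthStore,name=active-writer-count", 1),
    ("broker-2", "confluent.metadata:type=KafkaAuthStore,name=active-writer-count", 1),
    ("broker-1", "confluent.metadata:type=LdapGroupManager,name=failure-start-seconds-ago", 0),
    ("broker-2", "confluent.metadata:type=KafkaAuthStore,name=reader-failure-start-seconds-ago", 340),
    ("broker-1", f"confluent.metadata:type=KafkaAuthStore,name=metadata-status,topic={TOPIC},partition=0", "INITIALIZED"),
    ("broker-1", f"confluent.metadata:type=KafkaAuthStore,name=metadata-status,topic={TOPIC},partition=1", "FAILED"),
]


class Alert(NamedTuple):
    rule: str
    broker: str
    detail: str


def parse_object_name(object_name: str) -> Tuple[str, Dict[str, str]]:
    """Split 'domain:k1=v1,k2=v2' into (domain, {k1: v1, k2: v2}).

    Enough for the names on this page, including the per-partition
    metadata-status pattern with topic=... and partition=... keys.
    Quoted ObjectName values are not handled.
    """
    domain, _, props = object_name.partition(":")
    keys: Dict[str, str] = {}
    for pair in props.split(","):
        key, _, value = pair.partition("=")
        keys[key.strip()] = value.strip()
    return domain, keys


def evaluate(readings: Sequence[Reading],
             denied_ratio_max: float = 0.05,    # assumed threshold
             p99_latency_max_ms: float = 50.0,  # assumed threshold
             ) -> List[Alert]:
    """Apply the page's alert rules plus two assumed authorizer rules."""
    alerts: List[Alert] = []
    latest: Dict[Tuple[str, str], Value] = {}
    writers_by_broker: Dict[str, int] = {}

    for broker, object_name, value in readings:
        _, keys = parse_object_name(object_name)
        name = keys.get("name", "")
        latest[(broker, name)] = value

        # Page rule: every *failure-start-seconds-ago metric (LDAP, reader,
        # remote, writer) should alert when greater than zero.
        if name.endswith("failure-start-seconds-ago") and float(value) > 0:
            alerts.append(Alert(name, broker, f"failing for {value}s"))
        # Page rule: a FAILED metadata topic partition is actionable.
        elif name == "metadata-status" and value == "FAILED":
            alerts.append(Alert(name, broker,
                                f"{keys.get('topic')}-{keys.get('partition')} is FAILED"))
        # Page rule: exactly one writer across the metadata cluster, so
        # collect per-broker counts and check the sum afterwards.
        elif name == "active-writer-count":
            writers_by_broker[broker] = int(value)
        # Page rule: any fallback means audit events are going to log4j
        # files on the broker instead of the audit topic.
        elif name == "audit-log-fallback-rate-per-minute" and float(value) > 0:
            alerts.append(Alert(name, broker, f"{value} entries/min to log4j"))
        # Assumed rule: authorizer p99 latency ceiling.
        elif name == "authorizer-authorization-latency-p99" and float(value) > p99_latency_max_ms:
            alerts.append(Alert(name, broker, f"p99 {value} ms > {p99_latency_max_ms} ms"))

    total_writers = sum(writers_by_broker.values())
    if writers_by_broker and total_writers != 1:
        alerts.append(Alert("active-writer-count", "cluster",
                            f"sum is {total_writers}, expected exactly 1"))

    # Assumed rule: share of authorization requests denied, per broker.
    for broker in sorted({b for b, _, _ in readings}):
        requests = latest.get((broker, "authorization-request-rate-per-minute"))
        denied = latest.get((broker, "authorization-denied-rate-per-minute"))
        if requests and denied is not None:
            ratio = float(denied) / float(requests)
            if ratio > denied_ratio_max:
                alerts.append(Alert("authorization-denied-ratio", broker,
                                    f"{ratio:.1%} of authorizations denied"))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_READINGS):
        print(f"[{alert.rule}] {alert.broker}: {alert.detail}")
```

The denied ratio is computed per broker rather than cluster-wide so that a single misbehaving client pinned to one broker is not averaged away; the writer check, by contrast, has to be summed across brokers because the page defines it as a cluster-level invariant.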