Auditable Events in Confluent Platform¶
Note
These are event authorizations, so at the time of logging the event is about to occur. Also, users may attempt to authorize a task solely to see if they can perform the task, but not follow through with it. In these instances, the authorization is still captured in the audit log.
Each type of audit log event belongs to exactly one event category,
and you can configure audit log routing rules to match specific event categories.
Only MANAGEMENT and AUTHORIZE events are captured by default.
You can configure audit logs to capture the following events.
AUTHORIZE events¶
The AUTHORIZE events include the actions, or operations, on authorization requests
that generate auditable event messages. AUTHORIZE events are captured by default.
| Method name | Action triggering an auditable event message | Captured by default |
|---|---|---|
| mds.Authorize | A request by MDS for RBAC authorization. | Yes |
MANAGEMENT events¶
The MANAGEMENT events include here are the actions, or operations, on Kafka components
that generate auditable event messages. Management events are captured
by default.
| Method name | Action triggering an auditable event message | Captured by default |
|---|---|---|
| kafka.AlterClientQuotas | Client quota configurations are being altered. | Yes |
| kafka.AlterConfigs | A Kafka configuration is being altered or updated. | Yes |
| kafka.AlterIsr | The leader or ISR state is being updated by the controller. | Yes |
| kafka.AlterMirrors | A request to create, alter, or update mirror topics. | Yes |
| kafka.AlterPartitionReassignments | A request to alter reassignments for a topic partition. | Yes |
| kafka.AlterReplicaLogDirs | A request to alter the log directories of a partition. | Yes |
| kafka.AlterUserScramCredentials | A request to create or change SCRAM user credentials. | Yes |
| kafka.CreateAcls | A request to create a Confluent Server broker ACL. | Yes |
| kafka.CreateClusterLinks | A request to create Kafka cluster links. | Yes |
| kafka.CreatePartitions | A request to add a partition to a topic. | Yes |
| kafka.CreateTopics | A request to create a topic. | Yes |
| kafka.DeleteAcls | A request to delete a Confluent Server broker ACL. | Yes |
| kafka.DeleteClusterLinks | A request to delete a Kafka cluster link. | Yes |
| kafka.DeleteGroups | A request to delete consumer groups. | Yes |
| kafka.DeleteRecords | A request to delete records from a topic. | Yes |
| kafka.DeleteTopics | A request to delete topics. | Yes |
| kafka.ElectLeaders | A request to elect a replica as the leader of a topic partition. | Yes |
| kafka.IncrementalAlterConfigs | A request to alter the dynamic configuration of a Confluent Server broker. | Yes |
| kafka.InitiateShutdown | A request for a controlled shutdown of a Confluent Server broker. | Yes |
| kafka.OffsetDelete | A request to delete a committed offset for a partition in a consumer group. | Yes |
| kafka.RemoveBrokers | A request to remove Confluent Server brokers. | Yes |
| kafka.UpdateFeatures | A request for a new write path to a finalized feature. | Yes |
PRODUCE events¶
The PRODUCE events include the actions, or operations, on a producer that
generate auditable event messages. PRODUCE events are not captured by default.
| Method name | Action triggering an auditable event message | Captured by default |
|---|---|---|
| kafka.AddPartitionsToTxn | A partition is being added to a transaction. | No |
| kafka.EndTxn | A partition is being completed. | No |
| kafka.InitProducerId | A transaction or idempotent write is initialized by a Kafka producer. | No |
| kafka.Produce | A Kafka producer is writing a batch of records to a topic. | No |
CONSUME events¶
The CONSUME events include the actions, or operations, on a consumer group
that generate auditable event messages. CONSUME events are not
captured by default.
| Method name | Action triggering an auditable event message | Captured by default |
|---|---|---|
| kafka.AddOffsetsToTxn | A producer is sending offsets to the consumer group coordinator and marking those offsets as part of the current transaction. | No |
| kafka.FetchConsumer | A Kafka consumer is reading a batch of records from a topic. | No |
| kafka.JoinGroup | A Kafka consumer is joining a consumer group. | No |
| kafka.LeaveGroup | A Kafka consumer is leaving a group. | No |
| kafka.ListOffsets | The offsets of a topic partition are being requested. | No |
| kafka.OffsetCommit | A consumer is committing offsets of a partition that have been processed. | No |
| kafka.OffsetFetch | Committed offsets of a consumer group are being requested. | No |
| kafka.SyncGroup | A Kafka consumer is participating in a group rebalance. | No |
| kafka.TxnOffsetCommit | Consumer offsets are being committed for a consumer group within a transaction. | No |
INTERBROKER events¶
The INTERBROKER events include the actions, or operations, on the interbroker
that generate auditable event messages. INTERBROKER events are not captured
by default.
| Method name | Action triggering an auditable event message | Captured by default |
|---|---|---|
| kafka.AllocateProducerIDs | A broker is requesting a new block of producer IDs from the controller. | No |
| kafka.ControlledShutdown | A broker is being shut down. | No |
| kafka.FetchFollower | A broker with a follower replica of a partition is fetching records for replication. | No |
| kafka.LeaderAndIsr | Controller is sending leader and ISR (in-sync replica) states to a broker. | No |
| kafka.StopReplica | Replication is being stopped for the replica of a topic partition. | No |
| kafka.UpdateMetadata | Controller is sending new metadata to a broker. | No |
| kafka.WriteTxnMarkers | A broker is writing transaction markers to update transaction state. | No |
DESCRIBE events¶
The DESCRIBE events include the actions, or operations, on requests
for details that generate auditable event messages. DESCRIBE events
are not captured by default.
| Method name | Action triggering an auditable event message | Captured by default |
|---|---|---|
| kafka.ComputeEvenClusterLoadPlan | Compute an even cluster load plan. | No |
| kafka.DescribeAcls | A request for details about Confluent Server broker ACLs. | No |
| kafka.DescribeBrokerAdditions | A request for details about Confluent Server broker additions. | No |
| kafka.DescribeBrokerRemovals | A request for details about about Confluent Server broker removals. | No |
| kafka.DescribeClientQuotas | A request for details about client quota configuration. | No |
| kafka.DescribeConfigs | A request for details about the broker configuration. | No |
| kafka.DescribeGroups | A request for details about consumer groups. | No |
| kafka.DescribeLogDirs | A request for details about replica log directories. | No |
| kafka.DescribeMirrors | A request for details about mirrored topics. | No |
| kafka.DescribeUserScramCredentials | A request for details about the currently configured SCRAM user credentials. | No |
| kafka.FindCoordinator | A request from a Kafka consumer for details about its group coordinator. | No |
| kafka.ListClusterLinks | A request for a list of Kafka cluster links. | No |
| kafka.ListGroups | A request for a list of consumer groups. | No |
| kafka.ListMirrors | A request for a list of mirrored topics. | No |
| kafka.ListPartitionReassignments | A request for the current partition reassignments. | No |
| kafka.Metadata | A request for topic metadata. | No |
| kafka.OffsetForLeaderEpoch | A request for the last offsets corresponding to a leader epoch. | No |
| kafka.ReplicaStatus | A request for details about the topic replication status. | No |
HEARTBEAT events¶
The HEARTBEAT events include the actions, or operations, on heartbeat
information that generate auditable event messages. HEARTBEAT events are
not captured by default.
| Method name | Action triggering an auditable event message | Captured by default |
|---|---|---|
| kafka.Heartbeat | A consumer is letting the group know that it is still active. | No |