Auditable Events in Confluent Platform

Note

These are event authorizations, so at the time of logging the event is about to occur. Also, users may attempt to authorize a task solely to see if they can perform the task, but not follow through with it. In these instances, the authorization is still captured in the audit log.

Each type of audit log event belongs to exactly one event category, and you can configure audit log routing rules to match specific event categories. Only MANAGEMENT and AUTHORIZE events are captured by default.

You can configure audit logs to capture the following events.

AUTHORIZE events

The AUTHORIZE events include the actions, or operations, on authorization requests that generate auditable event messages. AUTHORIZE events are captured by default.

Method name Action triggering an auditable event message Captured by default
mds.Authorize A request by MDS for RBAC authorization. Yes

MANAGEMENT events

The MANAGEMENT events include here are the actions, or operations, on Kafka components that generate auditable event messages. Management events are captured by default.

Method name Action triggering an auditable event message Captured by default
kafka.AlterClientQuotas Client quota configurations are being altered. Yes
kafka.AlterConfigs A Kafka configuration is being altered or updated. Yes
kafka.AlterIsr The leader or ISR state is being updated by the controller. Yes
kafka.AlterMirrors A request to create, alter, or update mirror topics. Yes
kafka.AlterPartitionReassignments A request to alter reassignments for a topic partition. Yes
kafka.AlterReplicaLogDirs A request to alter the log directories of a partition. Yes
kafka.AlterUserScramCredentials A request to create or change SCRAM user credentials. Yes
kafka.CreateAcls A request to create a Confluent Server broker ACL. Yes
kafka.CreateClusterLinks A request to create Kafka cluster links. Yes
kafka.CreatePartitions A request to add a partition to a topic. Yes
kafka.CreateTopics A request to create a topic. Yes
kafka.DeleteAcls A request to delete a Confluent Server broker ACL. Yes
kafka.DeleteClusterLinks A request to delete a Kafka cluster link. Yes
kafka.DeleteGroups A request to delete consumer groups. Yes
kafka.DeleteRecords A request to delete records from a topic. Yes
kafka.DeleteTopics A request to delete topics. Yes
kafka.ElectLeaders A request to elect a replica as the leader of a topic partition. Yes
kafka.IncrementalAlterConfigs A request to alter the dynamic configuration of a Confluent Server broker. Yes
kafka.InitiateShutdown A request for a controlled shutdown of a Confluent Server broker. Yes
kafka.OffsetDelete A request to delete a committed offset for a partition in a consumer group. Yes
kafka.RemoveBrokers A request to remove Confluent Server brokers. Yes
kafka.UpdateFeatures A request for a new write path to a finalized feature. Yes

PRODUCE events

The PRODUCE events include the actions, or operations, on a producer that generate auditable event messages. PRODUCE events are not captured by default.

Method name Action triggering an auditable event message Captured by default
kafka.AddPartitionsToTxn A partition is being added to a transaction. No
kafka.EndTxn A partition is being completed. No
kafka.InitProducerId A transaction or idempotent write is initialized by a Kafka producer. No
kafka.Produce A Kafka producer is writing a batch of records to a topic. No

CONSUME events

The CONSUME events include the actions, or operations, on a consumer group that generate auditable event messages. CONSUME events are not captured by default.

Method name Action triggering an auditable event message Captured by default
kafka.AddOffsetsToTxn A producer is sending offsets to the consumer group coordinator and marking those offsets as part of the current transaction. No
kafka.FetchConsumer A Kafka consumer is reading a batch of records from a topic. No
kafka.JoinGroup A Kafka consumer is joining a consumer group. No
kafka.LeaveGroup A Kafka consumer is leaving a group. No
kafka.ListOffsets The offsets of a topic partition are being requested. No
kafka.OffsetCommit A consumer is committing offsets of a partition that have been processed. No
kafka.OffsetFetch Committed offsets of a consumer group are being requested. No
kafka.SyncGroup A Kafka consumer is participating in a group rebalance. No
kafka.TxnOffsetCommit Consumer offsets are being committed for a consumer group within a transaction. No

INTERBROKER events

The INTERBROKER events include the actions, or operations, on the interbroker that generate auditable event messages. INTERBROKER events are not captured by default.

Method name Action triggering an auditable event message Captured by default
kafka.AllocateProducerIDs A broker is requesting a new block of producer IDs from the controller. No
kafka.ControlledShutdown A broker is being shut down. No
kafka.FetchFollower A broker with a follower replica of a partition is fetching records for replication. No
kafka.LeaderAndIsr Controller is sending leader and ISR (in-sync replica) states to a broker. No
kafka.StopReplica Replication is being stopped for the replica of a topic partition. No
kafka.UpdateMetadata Controller is sending new metadata to a broker. No
kafka.WriteTxnMarkers A broker is writing transaction markers to update transaction state. No

DESCRIBE events

The DESCRIBE events include the actions, or operations, on requests for details that generate auditable event messages. DESCRIBE events are not captured by default.

Method name Action triggering an auditable event message Captured by default
kafka.ComputeEvenClusterLoadPlan Compute an even cluster load plan. No
kafka.DescribeAcls A request for details about Confluent Server broker ACLs. No
kafka.DescribeBrokerAdditions A request for details about Confluent Server broker additions. No
kafka.DescribeBrokerRemovals A request for details about about Confluent Server broker removals. No
kafka.DescribeClientQuotas A request for details about client quota configuration. No
kafka.DescribeConfigs A request for details about the broker configuration. No
kafka.DescribeGroups A request for details about consumer groups. No
kafka.DescribeLogDirs A request for details about replica log directories. No
kafka.DescribeMirrors A request for details about mirrored topics. No
kafka.DescribeUserScramCredentials A request for details about the currently configured SCRAM user credentials. No
kafka.FindCoordinator A request from a Kafka consumer for details about its group coordinator. No
kafka.ListClusterLinks A request for a list of Kafka cluster links. No
kafka.ListGroups A request for a list of consumer groups. No
kafka.ListMirrors A request for a list of mirrored topics. No
kafka.ListPartitionReassignments A request for the current partition reassignments. No
kafka.Metadata A request for topic metadata. No
kafka.OffsetForLeaderEpoch A request for the last offsets corresponding to a leader epoch. No
kafka.ReplicaStatus A request for details about the topic replication status. No

HEARTBEAT events

The HEARTBEAT events include the actions, or operations, on heartbeat information that generate auditable event messages. HEARTBEAT events are not captured by default.

Method name Action triggering an auditable event message Captured by default
kafka.Heartbeat A consumer is letting the group know that it is still active. No