Audit event typesedit

Each request may generate multiple audit events. The following is a list of the events that can be generated:

anonymous_access_denied

Logged when a request is denied due to a missing authentication token.

authentication_success

Logged when a user successfully authenticates.

authentication_failed

Logged when the authentication token cannot be matched to a known user.

realm_authentication_failed

Logged for every realm that fails to present a valid authentication token. <realm> represents the realm type.

access_denied

Logged when an authenticated user attempts to execute an action they do not have the necessary privilege to perform.

access_granted

Logged when an authenticated user attempts to execute an action they have the necessary privilege to perform. When the system_access_granted event is included, all system (internal) actions are also logged. The default setting does not log system actions to avoid cluttering the logs.

run_as_granted

Logged when an authenticated user attempts to run as another user that they have the necessary privileges to do.

run_as_denied

Logged when an authenticated user attempts to run as another user action they do not have the necessary privilege to do so.

tampered_request

Logged when X-Pack security detects that the request has been tampered with. Typically relates to search/scroll requests when the scroll ID is believed to have been tampered with.

connection_granted

Logged when an incoming TCP connection passes the IP Filter for a specific profile.

connection_denied

Logged when an incoming TCP connection does not pass the IP Filter for a specific profile.

Audit event attributesedit

The following table shows the common attributes that can be associated with every event.

Table 2. Common attributes

Attribute Description

timestamp

When the event occurred.

node_name

The name of the node.

node_host_name

The hostname of the node.

node_host_address

The IP address of the node.

layer

The layer from which this event originated: rest, transport or ip_filter

event_type

The type of event that occurred: anonymous_access_denied, authentication_failed, access_denied, access_granted, connection_granted, connection_denied, tampered_request, run_as_granted, run_as_denied.


The following tables show the attributes that can be associated with each type of event. The log level determines which attributes are included in a log entry.

Table 3. REST anonymous_access_denied attributes

Attribute Description

origin_address

The IP address from which the request originated.

uri

The REST endpoint URI.

request_body

The body of the request, if enabled.


Table 4. REST authentication_success attributes

Attribute Description

user

The authenticated user.

realm

The realm that authenticated the user.

uri

The REST endpoint URI.

params

The REST URI query parameters.

request_body

The body of the request, if enabled.


Table 5. REST authentication_failed attributes

Attribute Description

origin_address

The IP address from which the request originated.

principal

The principal (username) that failed authentication.

uri

The REST endpoint URI.

request_body

The body of the request, if enabled.


Table 6. REST realm_authentication_failed attributes

Attribute Description

origin_address

The IP address from which the request originated.

principal

The principal (username) that failed authentication.

uri

The REST endpoint URI.

request_body

The body of the request, if enabled.

realm

The realm that failed to authenticate the user. NOTE: A separate entry is logged for each consulted realm.


Table 7. Transport anonymous_access_denied attributes

Attribute Description

origin_type

Where the request originated: rest (request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request).

origin_address

The IP address from which the request originated.

action

The name of the action that was executed.

request

The type of request that was executed.

indices

A comma-separated list of indices this request pertains to (when applicable).


Table 8. Transport authentication_success attributes

Attribute Description

origin_type

Where the request originated: rest (request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request).

origin_address

The IP address from which the request originated.

user

The authenticated user.

realm

The realm that authenticated the user.

action

The name of the action that was executed.

request

The type of request that was executed.


Table 9. Transport authentication_failed attributes

Attribute Description

origin_type

Where the request originated: rest (request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request).

origin_address

The IP address from which the request originated.

principal

The principal (username) that failed authentication.

action

The name of the action that was executed.

request

The type of request that was executed.

indices

A comma-separated list of indices this request pertains to (when applicable).


Table 10. Transport realm_authentication_failed attributes

Attribute Description

origin_type

Where the request originated: rest (request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request).

origin_address

The IP address from which the request originated.

principal

The principal (username) that failed authentication.

action

The name of the action that was executed.

request

The type of request that was executed.

indices

A comma-separated list of indices this request pertains to (when applicable).

realm

The realm that failed to authenticate the user. NOTE: A separate entry is logged for each consulted realm.


Table 11. Transport access_granted attributes

Attribute Description

origin_type

Where the request originated: rest (request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request).

origin_address

The IP address from which the request originated.

principal

The principal (username) that passed authentication.

roles

The set of roles granting permissions.

action

The name of the action that was executed.

request

The type of request that was executed.

indices

A comma-separated list of indices this request pertains to (when applicable).


Table 12. Transport access_denied attributes

Attribute Description

origin_type

Where the request originated: rest (request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request).

origin_address

The IP address from which the request originated.

principal

The principal (username) that failed authentication.

roles

The set of roles granting permissions.

action

The name of the action that was executed.

request

The type of request that was executed.

indices

A comma-separated list of indices this request relates to (when applicable).


Table 13. Transport tampered_request attributes

Attribute Description

origin_type

Where the request originated: rest (request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request).

origin_address

The IP address from which the request originated.

principal

The principal (username) that failed to authenticate.

action

The name of the action that was executed.

request

The type of request that was executed.

indices

A comma-separated list of indices this request pertains to (when applicable).


Table 14. IP filter connection_granted attributes

Attribute Description

origin_address

The IP address from which the request originated.

transport_profile

The transport profile the request targeted.

rule

The IP filtering rule that granted the request.


Table 15. IP filter connection_denied attributes

Attribute Description

origin_address

The IP address from which the request originated.

transport_profile

The transport profile the request targeted.

rule

The IP filtering rule that denied the request.