Audit event types | Elasticsearch Guide [6.3]

IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

› › ›

« Auditing security events Logfile audit output »

Audit event typesedit

Each request may generate multiple audit events. The following is a list of the events that can be generated:

`anonymous_access_denied`			Logged when a request is denied due to a missing authentication token.
`authentication_success`			Logged when a user successfully authenticates.
`authentication_failed`			Logged when the authentication token cannot be matched to a known user.
`realm_authentication_failed`			Logged for every realm that fails to present a valid authentication token. `<realm>` represents the realm type.
`access_denied`			Logged when an authenticated user attempts to execute an action they do not have the necessary privilege to perform.
`access_granted`			Logged when an authenticated user attempts to execute an action they have the necessary privilege to perform. When the `system_access_granted` event is included, all system (internal) actions are also logged. The default setting does not log system actions to avoid cluttering the logs.
`run_as_granted`			Logged when an authenticated user attempts to run as another user that they have the necessary privileges to do.
`run_as_denied`			Logged when an authenticated user attempts to run as another user action they do not have the necessary privilege to do so.
`tampered_request`			Logged when X-Pack security detects that the request has been tampered with. Typically relates to `search/scroll` requests when the scroll ID is believed to have been tampered with.
`connection_granted`			Logged when an incoming TCP connection passes the IP Filter for a specific profile.
`connection_denied`			Logged when an incoming TCP connection does not pass the IP Filter for a specific profile.

Audit event attributesedit

The following table shows the common attributes that can be associated with every event.

Table 39. Common attributes

Attribute	Description
`timestamp`	When the event occurred.
`node_name`	The name of the node.
`node_host_name`	The hostname of the node.
`node_host_address`	The IP address of the node.
`layer`	The layer from which this event originated: `rest`, `transport` or `ip_filter`
`event_type`	The type of event that occurred: `anonymous_access_denied`, `authentication_failed`, `access_denied`, `access_granted`, `connection_granted`, `connection_denied`, `tampered_request`, `run_as_granted`, `run_as_denied`.

The following tables show the attributes that can be associated with each type of event. The log level determines which attributes are included in a log entry.

Table 40. REST anonymous_access_denied attributes

Attribute	Description
`origin_address`	The IP address from which the request originated.
`uri`	The REST endpoint URI.
`request_body`	The body of the request, if enabled.

Table 41. REST authentication_success attributes

Attribute	Description
`user`	The authenticated user.
`realm`	The realm that authenticated the user.
`uri`	The REST endpoint URI.
`params`	The REST URI query parameters.
`request_body`	The body of the request, if enabled.

Table 42. REST authentication_failed attributes

Attribute	Description
`origin_address`	The IP address from which the request originated.
`principal`	The principal (username) that failed authentication.
`uri`	The REST endpoint URI.
`request_body`	The body of the request, if enabled.

Table 43. REST realm_authentication_failed attributes

Attribute	Description
`origin_address`	The IP address from which the request originated.
`principal`	The principal (username) that failed authentication.
`uri`	The REST endpoint URI.
`request_body`	The body of the request, if enabled.
`realm`	The realm that failed to authenticate the user. NOTE: A separate entry is logged for each consulted realm.

Table 44. Transport anonymous_access_denied attributes

Attribute	Description
`origin_type`	Where the request originated: `rest` (request originated from a REST API request), `transport` (request was received on the transport channel), `local_node` (the local node issued the request).
`origin_address`	The IP address from which the request originated.
`action`	The name of the action that was executed.
`request`	The type of request that was executed.
`indices`	A comma-separated list of indices this request pertains to (when applicable).

Table 45. Transport authentication_success attributes

Attribute	Description
`origin_type`	Where the request originated: `rest` (request originated from a REST API request), `transport` (request was received on the transport channel), `local_node` (the local node issued the request).
`origin_address`	The IP address from which the request originated.
`user`	The authenticated user.
`realm`	The realm that authenticated the user.
`action`	The name of the action that was executed.
`request`	The type of request that was executed.

Table 46. Transport authentication_failed attributes

Attribute	Description
`origin_type`	Where the request originated: `rest` (request originated from a REST API request), `transport` (request was received on the transport channel), `local_node` (the local node issued the request).
`origin_address`	The IP address from which the request originated.
`principal`	The principal (username) that failed authentication.
`action`	The name of the action that was executed.
`request`	The type of request that was executed.
`indices`	A comma-separated list of indices this request pertains to (when applicable).

Table 47. Transport realm_authentication_failed attributes

Attribute	Description
`origin_type`	Where the request originated: `rest` (request originated from a REST API request), `transport` (request was received on the transport channel), `local_node` (the local node issued the request).
`origin_address`	The IP address from which the request originated.
`principal`	The principal (username) that failed authentication.
`action`	The name of the action that was executed.
`request`	The type of request that was executed.
`indices`	A comma-separated list of indices this request pertains to (when applicable).
`realm`	The realm that failed to authenticate the user. NOTE: A separate entry is logged for each consulted realm.

Table 48. Transport access_granted attributes

Attribute	Description
`origin_type`	Where the request originated: `rest` (request originated from a REST API request), `transport` (request was received on the transport channel), `local_node` (the local node issued the request).
`origin_address`	The IP address from which the request originated.
`principal`	The principal (username) that passed authentication.
`roles`	The set of roles granting permissions.
`action`	The name of the action that was executed.
`request`	The type of request that was executed.
`indices`	A comma-separated list of indices this request pertains to (when applicable).

Table 49. Transport access_denied attributes

Attribute	Description
`origin_type`	Where the request originated: `rest` (request originated from a REST API request), `transport` (request was received on the transport channel), `local_node` (the local node issued the request).
`origin_address`	The IP address from which the request originated.
`principal`	The principal (username) that failed authentication.
`roles`	The set of roles granting permissions.
`action`	The name of the action that was executed.
`request`	The type of request that was executed.
`indices`	A comma-separated list of indices this request relates to (when applicable).

Table 50. Transport tampered_request attributes

Attribute	Description
`origin_type`	Where the request originated: `rest` (request originated from a REST API request), `transport` (request was received on the transport channel), `local_node` (the local node issued the request).
`origin_address`	The IP address from which the request originated.
`principal`	The principal (username) that failed to authenticate.
`action`	The name of the action that was executed.
`request`	The type of request that was executed.
`indices`	A comma-separated list of indices this request pertains to (when applicable).

Table 51. IP filter connection_granted attributes

Attribute	Description
`origin_address`	The IP address from which the request originated.
`transport_profile`	The transport profile the request targeted.
`rule`	The IP filtering rule that granted the request.

Table 52. IP filter connection_denied attributes

Attribute	Description
`origin_address`	The IP address from which the request originated.
`transport_profile`	The transport profile the request targeted.
`rule`	The IP filtering rule that denied the request.

« Auditing security events Logfile audit output »