Understand Audit Log Event Records on Confluent Cloud

When an auditable event occurs in Confluent Cloud, an event method is triggered and generates an event message that is sent to the audit log cluster, where an event record is stored in the Kafka topic confluent-audit-log-events.

Each event record stored in the audit log includes a unique identifier (id) that is unique across all events related to an event source (source).

Each audit log record comprises the following details:

  • event context
    • Metadata about the event, including the source, type of event, data content type, subject, and time.
  • event data
    • Details about the event data, including the service name, the method name, resource name, authentication, authorization, and request.

Note

Auditable event messages do not capture the content of events. Audit log records inform you that an event happened and only contain metadata about the event context and event data.

Audit log record example

The following audit log record example shows the contents of an audit log message that is returned from a cluster when a user creates a new topic:

{
    "id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
    "source": "crn://confluent.cloud/kafka=lkc-a1b2c",
    "specversion": "1.0",
    "type": "io.confluent.kafka.server/authorization",
    "datacontenttype": "application/json",
    "subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
    "time": "2021-01-01T12:34:56.789Z",
    "data": {
        "serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
        "methodName": "kafka.CreateTopics",
        "resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
        "authenticationInfo": {
            "principal": "User:123456"
        },
        "authorizationInfo": {
            "granted": true,
            "operation": "DescribeConfigs",
            "resourceType": "Topic",
            "resourceName": "departures",
            "patternType": "LITERAL"
        },
        "request": {
            "correlationId": "123",
            "clientId": "adminclient-42"
        }
    }
}

In the example, the event context properties give values related to metadata of the event occurrence.

  • The source of the auditable event message is defined in the Confluent Resource Name (CRN) crn://confluent.cloud/kafka=lkc-a1b2c, which shows that the event occurred in the Kafka cluster lkc-a1b2s.
  • The type of event, io.confluent.kafka.server/authorization, indicates that the auditable event message was triggered as a result of an authorization check.
  • The time shows the timestamp for the authorization event.

In the event data properties section, the data payload includes event data details for the authorization event.

  • The serviceName shows the event occurred in the Kafka cluster lkc-a1b2s.
  • The methodName shows the authorization was for creating a topic.
  • The resourceName shows the topic is departures.
  • The authenticationInfo shows that the authenticated user account was 123456.
  • The authorizationInfo section shows that authorization was granted to run the operation DescribeConfigs on the topic departures.
  • The request section includes the request correlation identifier and the client identifier.

Complete details about all event context and event data properties are included in the next two sections.

Event context properties

The first section of an audit log entry includes contextual information about the event, including a unique identifier, the source of the event, the event log schema version, type of event, data content type, subject of the event, and the time the event occurred.

Event context property Description
id A randomly-generated UUID that ensures uniqueness across all sources.
source The source location of the auditable event. For events on Kafka clusters, this will be a Confluent Resource Name (CRN) that identifies the cluster. For other events, it will be the top-level CRN (crn://confluent.cloud/).
subject The resource affected by the auditable event. For Kafka clusters, this is the CRN of the cluster itself. For other resources, it is the CRN for the resource.
specversion The version of the CloudEvents specification in use.
type

The type of event that occurred. The value in this property corresponds with the presence or absence of certain other event properties. Valid types are:

  • io.confluent.kafka.server/authentication
  • io.confluent.kafka.server/authorization
  • io.confluent.cloud/request

For more details, read the audit log event schema.

datacontenttype The CloudEvent format the audit log data is presented in (JSON).
time The timestamp, in RFC 3339 format, for when the event occurred.

Event data properties

The event payload is encoded into the media format specified in the datacontenttype context property.

All of the data properties are included in the data section of audit log record. Because these properties vary between different event types, see the relevant section below for:

Authentication event data properties

Event type: io.confluent.kafka.server/authentication

Event data property Description
data The event data payload for the auditable event.
methodName Always kafka.Authentication.
serviceName The CRN of the Kafka cluster where a principal is attempting authentication.
resourceName The CRN of the Kafka cluster where a principal is attempting authentication.
authenticationInfo Details about the principal being authenticated.
result The outcome of the authentication.

Authorization event data properties

Event type: io.confluent.kafka.server/authorization

Event data property Description
data The event data payload for the auditable event.
methodName The type of operation for which authorization is performed. For resources on a Kafka cluster, methodName properties start with a “kafka.” prefix. For resources elsewhere, the methodName is “mds.Authorize”
serviceName The service that generated this audit log. For authorization on a Kafka cluster, it is the CRN of that specific Kafka cluster. For authorization elsewhere, it is the top level Confluent Cloud CRN.
resourceName Canonical CRN of the resource for which authorization was being requested. For creation of new resources, authorization is checked before the entity even exists. So the included CRN is of the parent scope, and not the entity itself.
authenticationInfo Details about the principal for which the authorization was checked. For nested properties, see the audit log schema file.
authorizationInfo Details of the resource type, authorization policy applied, and whether the authorization was granted or denied.
request Additional user-supplied information in the request.

Organization event data properties

Event type: io.confluent.cloud/request

Event data property Description
data The event data payload for the auditable event.
methodName The type of request that triggered the auditable event message.
serviceName The top-level Confluent Cloud CRN (crn://confluent.cloud)
resourceName The CRN of the affected resource.
cloudResources A list of resources affected by the organization event.
authenticationInfo Details about the principal that made the request.
requestMetadata Additional metadata, such as the client IP address, that can be used to correlate multiple auditable event actions triggered by a single user account. A single action by a user account (for example, trying to create a Kafka cluster might result in multiple audit log records (for example, authorization checks, result or response, and more). You can use the request ID to connect these audit log records.
request Details about what the request is about.
result The result of what happened with the request (resource created, etc.)

Authentication properties

The authenticationInfo section contains details about the principal being authenticated.

Property Name Type Description Examples
principal string Identifies the authenticated principal that made the request. User:12345
identity string Identity of the requester in Confluent Resource Name (CRN) format. Included when group mapping is enabled. crn://confluent.cloud/organization=uuid-for-ourcorp/identity-provider=ourcorp-idp/identity=u-yw9507

Authorization properties

The authorizationInfo section contains details about the principal being authorized.

Property Name Type Description Examples Additional Properties
granted boolean The result of the authorization check.    
operation $ref   Refers to #/$defs/operation  
resourceType string The type of the resource being checked for authorization. Cluster, Group, Topic  
resourceName string The resource name of the checked authorization rule. kafka-cluster, delivery-estimator, departures  
patternType string The pattern, LITERAL or PREFIX, used to match the resource against the authorization rule. LITERAL or PREFIX  
aclAuthorization object Details about an ACL rule.   Refer to aclAuthorization properties
rbacAuthorization object     Refer to rbacAuthorization properties
assignedPrincipals array The list of principals the user has access to, including user itself and group mappings. Included when group mapping is enabled. Array of strings  

aclAuthorization properties

Property Name Type Description Examples Additional Properties
permissionType $ref   Refers to #/$defs/permissionType  
host $ref   Refers to #/$defs/host  
actingPrincipal string The decisive principal used for authorization. Included when group mapping is enabled.    

rbacAuthorization properties

Property Name Type Description Examples Additional Properties
role $ref   Refers to #/$defs/role  
scope object The scope the action was authorized in   Refer to scope properties - rbacAuthorization
actingPrincipal string The decisive principal used for authorization. Included when group mapping is enabled.    

scope properties - rbacAuthorization

Property Name Type Description Examples Additional Properties
outerScope array The path elements in the outer scopes with the outermost first. Array of strings