Audit log field reference
The following attributes are logged for all event categories, independent of the layer.
REST FAILED_LOGIN attributes
Name | Description |
---|---|
audit_request_effective_user | The username that failed to authenticate. |
audit_rest_request_path | The REST endpoint URI. |
audit_rest_request_params | The HTTP request parameters, if any. |
audit_rest_request_headers | The HTTP headers, if any. |
audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user. |
audit_request_body | The HTTP request body, if any (and if request body logging is enabled). |
REST AUTHENTICATED attributes
Name | Description |
---|---|
audit_request_effective_user | The username that failed to authenticate. |
audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user. |
audit_rest_request_path | The REST endpoint URI. |
audit_rest_request_params | The HTTP request parameters, if any. |
audit_rest_request_headers | The HTTP headers, if any. |
audit_request_body | The HTTP request body, if any (and if request body logging is enabled). |
REST SSL_EXCEPTION attributes
Name | Description |
---|---|
audit_request_exception_stacktrace | The stack trace of the SSL exception. |
Transport FAILED_LOGIN attributes
Name | Description |
---|---|
audit_trace_task_id | The ID of the request. |
audit_transport_headers | The headers of the request, if any. |
audit_request_effective_user | The username that failed to authenticate. |
audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user. |
audit_transport_request_type | The type of request (e.g. IndexRequest). |
audit_request_body | The HTTP request body, if any (and if request body logging is enabled). |
audit_trace_indices | The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if resolve_indices is true. |
audit_trace_resolved_indices | The resolved index name(s) affected by the request. Only logged if resolve_indices is true. |
| The document types affected by the request. Only logged if resolve_indices is true. |
Transport AUTHENTICATED attributes
Name | Description |
---|---|
audit_trace_task_id | The ID of the request. |
audit_transport_headers | The headers of the request, if any. |
audit_request_effective_user | The username that failed to authenticate. |
audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user. |
audit_transport_request_type | The type of request (e.g. IndexRequest). |
audit_request_body | The HTTP request body, if any (and if request body logging is enabled). |
audit_trace_indices | The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if resolve_indices is true. |
audit_trace_resolved_indices | The resolved index name(s) affected by the request. Only logged if resolve_indices is true. |
audit_trace_doc_types | The document types affected by the request. Only logged if resolve_indices is true. |
Transport MISSING_PRIVILEGES attributes
Name | Description |
---|---|
audit_trace_task_id | The ID of the request. |
audit_trace_task_parent_id | The parent ID of this request, if any. |
audit_transport_headers | The headers of the request, if any. |
audit_request_effective_user | The username that failed to authenticate. |
audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user. |
audit_transport_request_type | The type of request (e.g. IndexRequest). |
audit_request_privilege | The required privilege of the request (e.g. indices:data/read/search). |
audit_request_body | The HTTP request body, if any (and if request body logging is enabled). |
audit_trace_indices | The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if resolve_indices is true. |
audit_trace_resolved_indices | The resolved index name(s) affected by the request. Only logged if resolve_indices is true. |
audit_trace_doc_types | The document types affected by the request. Only logged if resolve_indices is true. |
Transport SSL_EXCEPTION attributes
Name | Description |
---|---|
audit_request_exception_stacktrace | The stack trace of the SSL exception. |
Name | Description |
---|---|
audit_trace_task_id | The ID of the request. |
audit_trace_task_parent_id | The parent ID of this request, if any. |
audit_transport_headers | The headers of the request, if any. |
audit_request_effective_user | The username that failed to authenticate. |
audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user. |
audit_transport_request_type | The type of request (e.g. IndexRequest). |
audit_request_body | The HTTP request body, if any (and if request body logging is enabled). |
audit_trace_indices | The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if resolve_indices is true. |
audit_trace_resolved_indices | The resolved index name(s) affected by the request. Only logged if resolve_indices is true. |
audit_trace_doc_types | The document types affected by the request. Only logged if resolve_indices is true. |
Transport opensearch_SECURITY_INDEX_ATTEMPT attributes
Name | Description |
---|---|
audit_trace_task_id | The ID of the request. |
audit_transport_headers | The headers of the request, if any. |
audit_request_effective_user | The username that failed to authenticate. |
audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user. |
audit_transport_request_type | The type of request (e.g. IndexRequest). |
audit_request_body | The HTTP request body, if any (and if request body logging is enabled). |
audit_trace_indices | The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if resolve_indices is true. |
audit_trace_resolved_indices | The resolved index name(s) affected by the request. Only logged if resolve_indices is true. |
audit_trace_doc_types | The document types affected by the request. Only logged if is true. |
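
The following added example (not part of the original reference or the project's code) shows how the fields above combine in detection: it counts FAILED_LOGIN events per effective user, lists MISSING_PRIVILEGES denials with the indices involved, and flags events that carry an initiating user different from the effective user. The `audit_category` field name, the one-JSON-object-per-line layout, the threshold and all sample events are assumptions constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample events, one JSON object per line. "audit_category" is an
# assumed field name for the event category; it is not in the tables above.
SAMPLE_EVENTS = """\
{"audit_category": "FAILED_LOGIN", "audit_request_effective_user": "alice", "audit_rest_request_path": "/_search"}
{"audit_category": "FAILED_LOGIN", "audit_request_effective_user": "alice", "audit_rest_request_path": "/_search"}
{"audit_category": "FAILED_LOGIN", "audit_request_effective_user": "alice", "audit_transport_request_type": "IndexRequest"}
{"audit_category": "FAILED_LOGIN", "audit_request_effective_user": "bob", "audit_rest_request_path": "/_cat/indices"}
{"audit_category": "MISSING_PRIVILEGES", "audit_request_effective_user": "bob", "audit_request_privilege": "indices:data/read/search", "audit_trace_indices": ["logs-*"], "audit_trace_resolved_indices": ["logs-2024.01", "logs-2024.02"]}
{"audit_category": "MISSING_PRIVILEGES", "audit_request_effective_user": "carol", "audit_request_privilege": "indices:data/read/search"}
{"audit_category": "AUTHENTICATED", "audit_request_effective_user": "carol", "audit_request_initiating_user": "admin", "audit_rest_request_path": "/_search"}
{"audit_category": "FAILED_LOGIN", "audit_request_eff
"""

def as_list(value):
    """Normalise a field that may be absent, a single string, or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def summarize(lines, failed_threshold=3):
    failed = Counter()   # effective user -> number of FAILED_LOGIN events
    denied = []          # (user, required privilege, indices) per denial
    delegated = []       # (category, initiating user, effective user)
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue     # blank or truncated line: skip it, keep going
        if not isinstance(event, dict):
            continue
        category = event.get("audit_category")
        user = event.get("audit_request_effective_user", "<unknown>")
        # The initiating user is only logged when it differs from the effective user.
        initiator = event.get("audit_request_initiating_user")
        if initiator and initiator != user:
            delegated.append((category, initiator, user))
        if category == "FAILED_LOGIN":
            failed[user] += 1
        elif category == "MISSING_PRIVILEGES":
            # Index fields are only present when resolve_indices is true;
            # prefer the resolved names over the requested pattern.
            indices = (as_list(event.get("audit_trace_resolved_indices"))
                       or as_list(event.get("audit_trace_indices")))
            denied.append((user, event.get("audit_request_privilege"), tuple(indices)))
    repeated = {u: n for u, n in failed.items() if n >= failed_threshold}
    return {"failed_logins": repeated, "denied": denied, "delegated": delegated}
```
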