diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc
index 34b8e6dc5680b..f4544ea94e150 100644
--- a/x-pack/docs/en/security/auditing/event-types.asciidoc
+++ b/x-pack/docs/en/security/auditing/event-types.asciidoc
@@ -2,136 +2,425 @@ [[audit-event-types]] === Audit event types -When you are <>, a single client request -might generate multiple audit events, across multiple cluster nodes. The common -`request.id` attribute can be used to correlate the associated events. - -|====== -| Event action | Description | Example - -| `access_denied` -| Logged when an authenticated user attempts to execute an action they do not +When you are <>, a single client +request might generate multiple audit events, across multiple cluster nodes. +The common `request.id` attribute can be used to correlate the associated events. + +To specify the type of events you want to include in the auditing output, add +one or more of the following values for +<> in +`elasticsearch.yml`. + +[[event-access-denied]] +`access_denied`:: +Logged when an authenticated user attempts to execute an action they do not have the necessary <> to perform. -| `{"type":"audit", "timestamp":"2020-12-30T22:30:06,949+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"access_denied", "authentication.type":"REALM", "user.name":"user1", "user.realm":"default_native", "user.roles":["test_role"], "origin.type":"rest", "origin.address":"[::1]:52434", "request.id":"yKOgWn2CRQCKYgZRz3phJw", "action":"indices:admin/auto_create", "request.name":"CreateIndexRequest", "indices":[""]}` - -| `access_granted` -| Logged when an authenticated user attempts to execute an action they have the -necessary privilege to perform. When the `system_access_granted` event is -included, all system (internal) actions are also logged. The default setting -does not log system actions to avoid cluttering the logs. 
-| `{"type":"audit", "timestamp":"2020-12-30T22:30:06,947+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"user1", "user.realm":"default_native", "user.roles":["test_role"], "origin.type":"rest", "origin.address":"[::1]:52434", "request.id":"yKOgWn2CRQCKYgZRz3phJw", "action":"indices:data/write/bulk", "request.name":"BulkRequest"}` - -| `anonymous_access_denied` -| Logged when a request is denied due to missing authentication credentials. -| `{"type":"audit", "timestamp":"2020-12-30T21:56:43,608+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"anonymous_access_denied", "origin.type":"rest", "origin.address":"[::1]:50543", "url.path":"/twitter/_async_search", "url.query":"pretty", "request.method":"POST", "request.id":"TqA9OisyQ8WTl1ivJUV1AA"}` - -| `authentication_failed` -| Logged when the authentication credentials cannot be matched to a known user. -| `{"type":"audit", "timestamp":"2020-12-30T22:10:15,510+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"authentication_failed", "user.name":"elastic", "origin.type":"rest", "origin.address":"[::1]:51504", "url.path":"/_security/user/user1", "url.query":"pretty", "request.method":"POST", "request.id":"POv8p_qeTl2tb5xoFl0HIg"}` - -| `authentication_success` -| Logged when a user successfully authenticates. 
-| `{"type":"audit", "timestamp":"2020-12-30T22:03:35,018+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"authentication_success", "authentication.type":"REALM", "user.name":"elastic", "user.realm":"reserved", "origin.type":"rest", "origin.address":"[::1]:51014", "realm":"reserved", "url.path":"/twitter/_search", "url.query":"pretty", "request.method":"POST", "request.id":"nHV3UMOoSiu-TaSPWCfxGg"}` - -| `change_disable_user` -| Logged when the <> is invoked to ++ +.Example +[%collapsible%open] +==== +[source,js] +{"type":"audit", "timestamp":"2020-12-30T22:30:06,949+0200", "node.id": +"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action": +"access_denied", "authentication.type":"REALM", "user.name":"user1", +"user.realm":"default_native", "user.roles":["test_role"], "origin.type": +"rest", "origin.address":"[::1]:52434", "request.id":"yKOgWn2CRQCKYgZRz3phJw", +"action":"indices:admin/auto_create", "request.name":"CreateIndexRequest", +"indices":[""]} +==== + +[[event-access-granted]] +`access_granted`:: +Logged when an authenticated user attempts to execute an action they have the +necessary privilege to perform. These events will be logged only for non-system +users. ++ +If you want to include `access_granted` events for all users (including +internal users such as `_xpack`), add +<> to the list of +event types in addition to `access_granted`. The `system_access_granted` +privilege is not included by default to avoid cluttering the logs. 
++ +.Example +[%collapsible%open] +==== +[source,js] +{"type":"audit", "timestamp":"2020-12-30T22:30:06,947+0200", "node.id": +"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action": +"access_granted", "authentication.type":"REALM", "user.name":"user1", "user +realm":"default_native", "user.roles":["test_role"], "origin.type":"rest", +"origin.address":"[::1]:52434", "request.id":"yKOgWn2CRQCKYgZRz3phJw", +"action":"indices:data/write/bulk", "request.name":"BulkRequest"} +==== + +[[event-anonymous-access-denied]] +`anonymous_access_denied`:: +Logged when a request is denied due to missing authentication credentials. ++ +.Example +[%collapsible%open] +==== +[source,js] +{"type":"audit", "timestamp":"2020-12-30T21:56:43,608+0200", "node.id": +"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action": +"anonymous_access_denied", "origin.type":"rest", "origin.address": +"[::1]:50543", "url.path":"/twitter/_async_search", "url.query":"pretty", +"request.method":"POST", "request.id":"TqA9OisyQ8WTl1ivJUV1AA"} +==== + +[[event-authentication-failed]] +`authentication_failed`:: +Logged when the authentication credentials cannot be matched to a known user. ++ +.Example +[%collapsible%open] +==== +[source,js] +{"type":"audit", "timestamp":"2020-12-30T22:10:15,510+0200", "node.id": +"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action": +"authentication_failed", "user.name":"elastic", "origin.type":"rest", +"origin.address":"[::1]:51504", "url.path":"/_security/user/user1", +"url.query":"pretty", "request.method":"POST", +"request.id":"POv8p_qeTl2tb5xoFl0HIg"} +==== + +[[event-authentication-success]] +`authentication_success`:: +Logged when a user successfully authenticates. 
++ +.Example +[%collapsible%open] +==== +[source,js] +{"type":"audit", "timestamp":"2020-12-30T22:03:35,018+0200", "node.id": +"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action": +"authentication_success", "authentication.type":"REALM", "user.name": +"elastic", "user.realm":"reserved", "origin.type":"rest", "origin.address": +"[::1]:51014", "realm":"reserved", "url.path":"/twitter/_search", +"url.query":"pretty", "request.method":"POST", +"request.id":"nHV3UMOoSiu-TaSPWCfxGg"} +==== + +[[event-change-disable-user]] +`change_disable_user`:: +Logged when the <> is invoked to disable a native or a built-in user. -| `{"type":"audit", "timestamp":"2020-12-30T23:17:28,308+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"change_disable_user", "request.id":"qvLIgw_eTvyK3cgV-GaLVg", "change":{"disable":{"user":{"name":"user1"}}}}` - -| `change_enable_user` -| Logged when the <> is invoked to ++ +.Example +[%collapsible%open] +==== +[source,js] +{"type":"audit", "timestamp":"2020-12-30T23:17:28,308+0200", "node.id": +"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event. +action":"change_disable_user", "request.id":"qvLIgw_eTvyK3cgV-GaLVg", +"change":{"disable":{"user":{"name":"user1"}}}} +==== + +[[event-change-enable-user]] +`change_enable_user`:: +Logged when the <> is invoked to enable a native or a built-in user. -| `{"type":"audit", "timestamp":"2020-12-30T23:17:34,843+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"change_enable_user", "request.id":"BO3QU3qeTb-Ei0G0rUOalQ", "change":{"enable":{"user":{"name":"user1"}}}}` - -| `change_password` -| Logged when the <> is ++ +.Example +[%collapsible%open] +==== +[source,js] +{"type":"audit", "timestamp":"2020-12-30T23:17:34,843+0200", "node.id": +"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event. 
+action":"change_enable_user", "request.id":"BO3QU3qeTb-Ei0G0rUOalQ", +"change":{"enable":{"user":{"name":"user1"}}}} +==== + +[[event-change-password]] +`change_password`:: +Logged when the <> is invoked to change the password of a native or built-in user. -| `{"type":"audit", "timestamp":"2019-12-30T22:19:41,345+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"change_password", "request.id":"bz5a1Cc3RrebDMitMGGNCw", "change":{"password":{"user":{"name":"user1"}}}}` - -| `connection_denied` -| Logged when an incoming TCP connection does not pass the ++ +.Example +[%collapsible%open] +==== +[source,js] +{"type":"audit", "timestamp":"2019-12-30T22:19:41,345+0200", "node.id": +"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event. +action":"change_password", "request.id":"bz5a1Cc3RrebDMitMGGNCw", +"change":{"password":{"user":{"name":"user1"}}}} +==== + +[[event-connection-denied]] +`connection_denied`:: +Logged when an incoming TCP connection does not pass the <> for a specific profile. -| `{"type":"audit", "timestamp":"2020-12-30T21:47:31,526+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"ip_filter", "event.action":"connection_denied", "origin.type":"rest", "origin.address":"10.10.0.20", "transport.profile":".http", "rule":"deny 10.10.0.0/16"}` - -| `connection_granted` -| Logged when an incoming TCP connection passes the <> ++ +.Example +[%collapsible%open] +==== +[source,js] +{"type":"audit", "timestamp":"2020-12-30T21:47:31,526+0200", "node.id": +"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"ip_filter", "event.action": +"connection_denied", "origin.type":"rest", "origin.address":"10.10.0.20", +"transport.profile":".http", "rule":"deny 10.10.0.0/16"} +==== + +[[event-connection-granted]] +`connection_granted`:: +Logged when an incoming TCP connection passes the <> for a specific profile. 
-| `{"type":"audit", "timestamp":"2020-12-30T21:47:31,526+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"ip_filter", "event.action":"connection_granted", "origin.type":"rest", "origin.address":"::1", "transport.profile":".http", "rule":"allow ::1,127.0.0.1"}` - -| `create_apikey` -| Logged when the <> or the ++ +.Example +[%collapsible%open] +==== +[source,js] +{"type":"audit", "timestamp":"2020-12-30T21:47:31,526+0200", "node.id": +"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"ip_filter", "event.action": +"connection_granted", "origin.type":"rest", "origin.address":"::1", +"transport.profile":".http", "rule":"allow ::1,127.0.0.1"} +==== + +[[event-create-apikey]] +`create_apikey`:: +Logged when the <> or the <> APIs are invoked to create a new API key. -| `{"type":"audit", "timestamp":"2020-12-31T00:33:52,521+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"create_apikey", "request.id":"9FteCmovTzWHVI-9Gpa_vQ", "create":{"apikey":{"name":"test-api-key-1","expiration":"10d","role_descriptors":[{"cluster":["monitor","manage_ilm"],"indices":[{"names":["index-a*"],"privileges":["read","maintenance"]},{"names":["in*","alias*"],"privileges":["read"],"field_security":{"grant":["field1*","@timestamp"],"except":["field11"]}}],"applications":[],"run_as":[]},{"cluster":["all"],"indices":[{"names":["index-b*"],"privileges":["all"]}],"applications":[],"run_as":[]}]}}}` - -| `delete_privileges` -| Logged when the ++ +.Example +[%collapsible%open] +==== +[source,js] +{"type":"audit", "timestamp":"2020-12-31T00:33:52,521+0200", "node.id": +"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action": +"create_apikey", "request.id":"9FteCmovTzWHVI-9Gpa_vQ", "create":{"apikey": +{"name":"test-api-key-1","expiration":"10d","role_descriptors":[{"cluster": +["monitor","manage_ilm"],"indices":[{"names":["index-a*"],"privileges": +["read","maintenance"]},{"names":["in*","alias*"],"privileges":["read"], 
+"field_security":{"grant":["field1*","@timestamp"],"except":["field11"]}}], +"applications":[],"run_as":[]},{"cluster":["all"],"indices":[{"names": +["index-b*"],"privileges":["all"]}],"applications":[],"run_as":[]}]}}} +==== + +[[event-delete-privileges]] +`delete_privileges`:: +Logged when the <> is invoked to remove one or more application privileges. -| `{"type":"audit", "timestamp":"2020-12-31T00:39:30,246+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"delete_privileges", "request.id":"7wRWVxxqTzCKEspeSP7J8g", "delete":{"privileges":{"application":"myapp","privileges":["read"]}}}` - -| `delete_role` -| Logged when the <> is invoked to ++ +.Example +[%collapsible%open] +==== +[source,js] +{"type":"audit", "timestamp":"2020-12-31T00:39:30,246+0200", "node.id": +"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event. +action":"delete_privileges", "request.id":"7wRWVxxqTzCKEspeSP7J8g", +"delete":{"privileges":{"application":"myapp","privileges":["read"]}}} +==== + +[[event-delete-role]] +`delete_role`:: +Logged when the <> is invoked to delete a role. -| `{"type":"audit", "timestamp":"2020-12-31T00:08:11,678+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"delete_role", "request.id":"155IKq3zQdWq-12dgKZRnw", "delete":{"role":{"name":"my_admin_role"}}}` - -| `delete_role_mapping` -| Logged when the <> ++ +.Example +[%collapsible%open] +==== +[source,js] +{"type":"audit", "timestamp":"2020-12-31T00:08:11,678+0200", "node.id": +"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action": +"delete_role", "request.id":"155IKq3zQdWq-12dgKZRnw", +"delete":{"role":{"name":"my_admin_role"}}} +==== + +[[event-delete-role-mapping]] +`delete_role_mapping`:: +Logged when the <> is invoked to delete a role mapping. 
-| `{"type":"audit", "timestamp":"2020-12-31T00:12:09,349+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"delete_role_mapping", "request.id":"Stim-DuoSTCWom0S_xhf8g", "delete":{"role_mapping":{"name":"mapping1"}}}` - -| `delete_user` -| Logged when the <> is invoked to ++ +.Example +[%collapsible%open] +==== +[source,js] +{"type":"audit", "timestamp":"2020-12-31T00:12:09,349+0200", "node.id": +"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event. +action":"delete_role_mapping", "request.id":"Stim-DuoSTCWom0S_xhf8g", +"delete":{"role_mapping":{"name":"mapping1"}}} +==== + +[[event-delete-user]] +`delete_user`:: +Logged when the <> is invoked to delete a specific native user. -| `{"type":"audit", "timestamp":"2020-12-30T22:19:41,345+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"delete_user", "request.id":"au5a1Cc3RrebDMitMGGNCw", "delete":{"user":{"name":"jacknich"}}}` - -| `invalidate_apikeys` -| Logged when the <> is ++ +.Example +[%collapsible%open] +==== +[source,js] +{"type":"audit", "timestamp":"2020-12-30T22:19:41,345+0200", "node.id": +"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", +"event.action":"delete_user", "request.id":"au5a1Cc3RrebDMitMGGNCw", +"delete":{"user":{"name":"jacknich"}}} +==== + +[[event-invalidate-apikeys]] +`invalidate_apikeys`:: +Logged when the <> is invoked to invalidate one or more API keys. 
-| `{"type":"audit", "timestamp":"2020-12-31T00:36:30,247+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"invalidate_apikeys", "request.id":"7lyIQU9QTFqSrTxD0CqnTQ", "invalidate":{"apikeys":{"owned_by_authenticated_user":false,"user":{"name":"myuser","realm":"native1"}}}}` - -| `put_privileges` -| Logged when the <> is invoked ++ +.Example +[%collapsible%open] +==== +[source,js] +{"type":"audit", "timestamp":"2020-12-31T00:36:30,247+0200", "node.id": +"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event. +action":"invalidate_apikeys", "request.id":"7lyIQU9QTFqSrTxD0CqnTQ", +"invalidate":{"apikeys":{"owned_by_authenticated_user":false, +"user":{"name":"myuser","realm":"native1"}}}} +==== + +[[event-put-privileges]] +`put_privileges`:: +Logged when the <> is invoked to add or update one or more application privileges. -| `{"type":"audit", "timestamp":"2020-12-31T00:39:07,779+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"put_privileges", "request.id":"1X2VVtNgRYO7FmE0nR_BGA", "put":{"privileges":[{"application":"myapp","name":"read","actions":["data:read/*","action:login"],"metadata":{"description":"Read access to myapp"}}]}}` - -| `put_role` -| Logged when the <> is invoked to create or ++ +.Example +[%collapsible%open] +==== +[source,js] +{"type":"audit", "timestamp":"2020-12-31T00:39:07,779+0200", "node.id": +"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", +"event.action":"put_privileges", "request.id":"1X2VVtNgRYO7FmE0nR_BGA", +"put":{"privileges":[{"application":"myapp","name":"read","actions": +["data:read/*","action:login"],"metadata":{"description":"Read access to myapp"}}]}} +==== + +[[event-put-role]] +`put_role`:: +Logged when the <> is invoked to create or update a role. 
-| `{"type":"audit", "timestamp":"2020-12-30T22:27:01,978+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"put_role", "request.id":"tDYQhv5CRMWM4Sc5Zkk2cQ", "put":{"role":{"name":"test_role","role_descriptor":{"cluster":["all"],"indices":[{"names":["apm*"],"privileges":["all"],"field_security":{"grant":["granted"]},"query":"{\"term\": {\"service.name\": \"bar\"}}"},{"names":["apm-all*"],"privileges":["all"],"query":"{\"term\": {\"service.name\": \"bar2\"}}"}],"applications":[],"run_as":[]}}}}` - -| `put_role_mapping` -| Logged when the <> is ++ +.Example +[%collapsible%open] +==== +[source,js] +{"type":"audit", "timestamp":"2020-12-30T22:27:01,978+0200", "node.id": +"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", +"event.action":"put_role", "request.id":"tDYQhv5CRMWM4Sc5Zkk2cQ", +"put":{"role":{"name":"test_role","role_descriptor":{"cluster":["all"], +"indices":[{"names":["apm*"],"privileges":["all"],"field_security": +{"grant":["granted"]},"query":"{\"term\": {\"service.name\": \"bar\"}}"}, +{"names":["apm-all*"],"privileges":["all"],"query":"{\"term\": +{\"service.name\": \"bar2\"}}"}],"applications":[],"run_as":[]}}}} +==== + +[[event-put-role-mapping]] +`put_role_mapping`:: +Logged when the <> is invoked to create or update a role mapping. -| `{"type":"audit", "timestamp":"2020-12-31T00:11:13,932+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"put_role_mapping", "request.id":"kg4h1l_kTDegnLC-0A-XxA", "put":{"role_mapping":{"name":"mapping1","roles":["user"],"rules":{"field":{"username":"*"}},"enabled":true,"metadata":{"version":1}}}}` - -| `put_user` -| Logged when the <> is invoked to create or ++ +.Example +[%collapsible%open] +==== +[source,js] +{"type":"audit", "timestamp":"2020-12-31T00:11:13,932+0200", "node.id": +"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event. 
+action":"put_role_mapping", "request.id":"kg4h1l_kTDegnLC-0A-XxA", +"put":{"role_mapping":{"name":"mapping1","roles":["user"],"rules": +{"field":{"username":"*"}},"enabled":true,"metadata":{"version":1}}}} +==== + +[[event-put-user]] +`put_user`:: +Logged when the <> is invoked to create or update a native user. Note that user updates can also change the user's password. -| `{"type":"audit", "timestamp":"2020-12-30T22:10:09,749+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"put_user", "request.id":"VIiSvhp4Riim_tpkQCVSQA", "put":{"user":{"name":"user1","enabled":false,"roles":["admin","other_role1"],"full_name":"Jack Sparrow","email":"jack@blackpearl.com","has_password":true,"metadata":{"cunning":10}}}}` - -| `realm_authentication_failed` -| Logged for every realm that fails to present a valid authentication token. -| `{"type":"audit", "timestamp":"2020-12-30T22:10:15,510+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"realm_authentication_failed", "user.name":"elastic", "origin.type":"rest", "origin.address":"[::1]:51504", "realm":"myTestRealm1", "url.path":"/_security/user/user1", "url.query":"pretty", "request.method":"POST", "request.id":"POv8p_qeTl2tb5xoFl0HIg"}` - -| `run_as_denied` -| Logged when an authenticated user attempts to <> ++ +.Example +[%collapsible%open] +==== +[source,js] +{"type":"audit", "timestamp":"2020-12-30T22:10:09,749+0200", "node.id": +"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", +"event.action":"put_user", "request.id":"VIiSvhp4Riim_tpkQCVSQA", +"put":{"user":{"name":"user1","enabled":false,"roles":["admin","other_role1"], +"full_name":"Jack Sparrow","email":"jack@blackpearl.com", +"has_password":true,"metadata":{"cunning":10}}}} +==== + +[[event-realm-auth-failed]] +`realm_authentication_failed`:: +Logged for every realm that fails to present a valid authentication token. 
++ +.Example +[%collapsible%open] +==== +[source,js] +{"type":"audit", "timestamp":"2020-12-30T22:10:15,510+0200", "node.id": +"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action": +"realm_authentication_failed", "user.name":"elastic", "origin.type":"rest", +"origin.address":"[::1]:51504", "realm":"myTestRealm1", "url.path": +"/_security/user/user1", "url.query":"pretty", "request.method":"POST", +"request.id":"POv8p_qeTl2tb5xoFl0HIg"} +==== + +[[event-runas-denied]] +`run_as_denied`:: +Logged when an authenticated user attempts to <> another user that they do not have the necessary <> to do so. -| `{"type":"audit", "timestamp":"2020-12-30T22:49:34,859+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"run_as_denied", "user.name":"user1", "user.run_as.name":"user1", "user.realm":"default_native", "user.run_as.realm":"default_native", "user.roles":["test_role"], "origin.type":"rest", "origin.address":"[::1]:52662", "request.id":"RcaSt872RG-R_WJBEGfYXA", "action":"indices:data/read/search", "request.name":"SearchRequest", "indices":["alias1"]}` - -| `run_as_granted` -| Logged when an authenticated user attempts to <> ++ +.Example +[%collapsible%open] +==== +[source,js] +{"type":"audit", "timestamp":"2020-12-30T22:49:34,859+0200", "node.id": +"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action": +"run_as_denied", "user.name":"user1", "user.run_as.name":"user1", +"user.realm":"default_native", "user.run_as.realm":"default_native", +"user.roles":["test_role"], "origin.type":"rest", "origin.address": +"[::1]:52662", "request.id":"RcaSt872RG-R_WJBEGfYXA", +"action":"indices:data/read/search", "request.name":"SearchRequest", "indices":["alias1"]} +==== + +[[event-runas-granted]] +`run_as_granted`:: +Logged when an authenticated user attempts to <> another user that they have the necessary privileges to do so. 
-| `{"type":"audit", "timestamp":"2020-12-30T22:44:42,068+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"run_as_granted", "user.name":"elastic", "user.run_as.name":"user1", "user.realm":"reserved", "user.run_as.realm":"default_native", "user.roles":["superuser"], "origin.type":"rest", "origin.address":"[::1]:52623", "request.id":"dGqPTdEQSX2TAPS3cvc1qA", "action":"indices:data/read/search", "request.name":"SearchRequest", "indices":["alias1"]}` - -| `tampered_request` -| Logged when the {security-features} detect that the request has been tampered ++ +.Example +[%collapsible%open] +==== +[source,js] +{"type":"audit", "timestamp":"2020-12-30T22:44:42,068+0200", "node.id": +"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action": +"run_as_granted", "user.name":"elastic", "user.run_as.name":"user1", +"user.realm":"reserved", "user.run_as.realm":"default_native", +"user.roles":["superuser"], "origin.type":"rest", "origin.address": +"[::1]:52623", "request.id":"dGqPTdEQSX2TAPS3cvc1qA", "action": +"indices:data/read/search", "request.name":"SearchRequest", "indices":["alias1"]} +==== + +[[event-system-granted]] +`system_access_granted`:: +Logs <> events only for +<>, such as `_xpack`. If you include this setting +in addition to `access_granted`, then `access_granted` events are +logged for _all_ users. ++ +NOTE: This event type is disabled by default to avoid cluttering the logs. + +[[event-tampered-request]] +`tampered_request`:: +Logged when the {security-features} detect that the request has been tampered with. Typically relates to `search/scroll` requests when the scroll ID is believed to have been tampered with. 
-| `{"type":"audit", "timestamp":"2019-11-27T22:00:00,947+0200", "node.id": "0RMNyghkQYCc_gVd1G6tZQ", "event.type": "rest", "event.action": "tampered_request", "origin.address":"[::1]:50543", "url.path":"/twitter/_async_search", "url.query":"pretty", "request.method":"POST", "request.id":"TqA9OisyQ8WTl1ivJUV1AA"}` -|====== ++ +.Example +[%collapsible%open] +==== +[source,js] +{"type":"audit", "timestamp":"2019-11-27T22:00:00,947+0200", "node.id": +"0RMNyghkQYCc_gVd1G6tZQ", "event.type": "rest", "event.action": +"tampered_request", "origin.address":"[::1]:50543", "url.path": +"/twitter/_async_search", "url.query":"pretty", "request.method":"POST", +"request.id":"TqA9OisyQ8WTl1ivJUV1AA"} +==== [discrete] [[audit-event-attributes]]