You're viewing version 1.2 of the OpenSearch documentation. This version is no longer maintained. For the latest version, see the current documentation. For information about OpenSearch version maintenance, see Release Schedule and Maintenance Policy.
Audit log field reference
This page contains descriptions for all audit log fields.
Common attributes
The following attributes are logged for all event categories, independent of the layer.
Name | Description |
audit_format_version | The audit log message format version. |
audit_category | The audit log category. FAILED_LOGIN, MISSING_PRIVILEGES, BAD_HEADERS, SSL_EXCEPTION, OPENSEARCH_SECURITY_INDEX_ATTEMPT, AUTHENTICATED, or GRANTED_PRIVILEGES. |
audit_node_id | The ID of the node where the event was generated. |
audit_node_name | The name of the node where the event was generated. |
audit_node_host_address | The host address of the node where the event was generated. |
audit_node_host_name | The host name of the node where the event was generated. |
audit_request_layer | The layer on which the event has been generated, either TRANSPORT or REST. |
audit_request_origin | The layer from which the event originated, either TRANSPORT or REST. |
audit_request_effective_user_is_admin | True if the request was made with a TLS admin certificate, otherwise false. |
REST FAILED_LOGIN attributes
Name | Description |
audit_request_effective_user | The username that failed to authenticate. |
audit_rest_request_path | The REST endpoint URI. |
audit_rest_request_params | The HTTP request parameters, if any. |
audit_rest_request_headers | The HTTP headers, if any. |
audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user. |
audit_request_body | The HTTP request body, if any (and if request body logging is enabled). |
REST AUTHENTICATED attributes
Name | Description |
audit_request_effective_user | The username that failed to authenticate. |
audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user. |
audit_rest_request_path | The REST endpoint URI. |
audit_rest_request_params | The HTTP request parameters, if any. |
audit_rest_request_headers | The HTTP headers, if any. |
audit_request_body | The HTTP request body, if any (and if request body logging is enabled). |
REST SSL_EXCEPTION attributes
Name | Description |
audit_request_exception_stacktrace | The stack trace of the SSL exception. |
Name | Description |
audit_rest_request_path | The REST endpoint URI. |
audit_rest_request_params | The HTTP request parameters, if any. |
audit_rest_request_headers | The HTTP headers, if any. |
audit_request_body | The HTTP request body, if any (and if request body logging is enabled). |
Transport FAILED_LOGIN attributes
Name | Description |
audit_trace_task_id | The ID of the request. |
audit_transport_headers | The headers of the request, if any. |
audit_request_effective_user | The username that failed to authenticate. |
audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user. |
audit_transport_request_type | The type of request (e.g. IndexRequest ). |
audit_request_body | The HTTP request body, if any (and if request body logging is enabled). |
audit_trace_indices | The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if resolve_indices is true. |
audit_trace_resolved_indices | The resolved index name(s) affected by the request. Only logged if resolve_indices is true. |
audit_trace_doc_types | The document types affected by the request. Only logged if resolve_indices is true. |
Transport AUTHENTICATED attributes
Name | Description |
audit_trace_task_id | The ID of the request. |
audit_transport_headers | The headers of the request, if any. |
audit_request_effective_user | The username that failed to authenticate. |
audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user. |
audit_transport_request_type | The type of request (e.g. IndexRequest ). |
audit_request_body | The HTTP request body, if any (and if request body logging is enabled). |
audit_trace_indices | The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if resolve_indices is true. |
audit_trace_resolved_indices | The resolved index name(s) affected by the request. Only logged if resolve_indices is true. |
audit_trace_doc_types | The document types affected by the request. Only logged if resolve_indices is true. |
Transport MISSING_PRIVILEGES attributes
Name | Description |
audit_trace_task_id | The ID of the request. |
audit_trace_task_parent_id | The parent ID of this request, if any. |
audit_transport_headers | The headers of the request, if any. |
audit_request_effective_user | The username that failed to authenticate. |
audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user. |
audit_transport_request_type | The type of request (e.g. IndexRequest ). |
audit_request_privilege | The required privilege of the request (e.g. indices:data/read/search ). |
audit_request_body | The HTTP request body, if any (and if request body logging is enabled). |
audit_trace_indices | The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if resolve_indices is true. |
audit_trace_resolved_indices | The resolved index name(s) affected by the request. Only logged if resolve_indices is true. |
audit_trace_doc_types | The document types affected by the request. Only logged if resolve_indices is true. |
Transport GRANTED_PRIVILEGES attributes
Name | Description |
audit_trace_task_id | The ID of the request. |
audit_trace_task_parent_id | The parent ID of this request, if any. |
audit_transport_headers | The headers of the request, if any. |
audit_request_effective_user | The username that failed to authenticate. |
audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user. |
audit_transport_request_type | The type of request (e.g. IndexRequest ). |
audit_request_privilege | The required privilege of the request (e.g. indices:data/read/search ). |
audit_request_body | The HTTP request body, if any (and if request body logging is enabled). |
audit_trace_indices | The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if resolve_indices is true. |
audit_trace_resolved_indices | The resolved index name(s) affected by the request. Only logged if resolve_indices is true. |
audit_trace_doc_types | The document types affected by the request. Only logged if resolve_indices is true. |
Transport SSL_EXCEPTION attributes
Name | Description |
audit_request_exception_stacktrace | The stack trace of the SSL exception. |
Name | Description |
audit_trace_task_id | The ID of the request. |
audit_trace_task_parent_id | The parent ID of this request, if any. |
audit_transport_headers | The headers of the request, if any. |
audit_request_effective_user | The username that failed to authenticate. |
audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user. |
audit_transport_request_type | The type of request (e.g. IndexRequest ). |
audit_request_body | The HTTP request body, if any (and if request body logging is enabled). |
audit_trace_indices | The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if resolve_indices is true. |
audit_trace_resolved_indices | The resolved index name(s) affected by the request. Only logged if resolve_indices is true. |
audit_trace_doc_types | The document types affected by the request. Only logged if resolve_indices is true. |
Transport opensearch_SECURITY_INDEX_ATTEMPT attributes
Name | Description |
audit_trace_task_id | The ID of the request. |
audit_transport_headers | The headers of the request, if any. |
audit_request_effective_user | The username that failed to authenticate. |
audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user. |
audit_transport_request_type | The type of request (e.g. IndexRequest ). |
audit_request_body | The HTTP request body, if any (and if request body logging is enabled). |
audit_trace_indices | The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if resolve_indices is true. |
audit_trace_resolved_indices | The resolved index name(s) affected by the request. Only logged if resolve_indices is true. |
audit_trace_doc_types | The document types affected by the request. Only logged if resolve_indices is true. |