You're viewing version 2.17 of the OpenSearch documentation. This version is no longer maintained. For the latest version, see the current documentation. For information about OpenSearch version maintenance, see Release Schedule and Maintenance Policy.

Audit log field reference

This page contains descriptions for all audit log fields.

Common attributes

The following attributes are logged for all event categories, independent of the layer.

Name	Description
`audit_format_version`	The audit log message format version.
`audit_category`	The audit log category. FAILED_LOGIN, MISSING_PRIVILEGES, BAD_HEADERS, SSL_EXCEPTION, OPENSEARCH_SECURITY_INDEX_ATTEMPT, AUTHENTICATED, or GRANTED_PRIVILEGES.
`audit_node_id`	The ID of the node where the event was generated.
`audit_node_name`	The name of the node where the event was generated.
`audit_node_host_address`	The host address of the node where the event was generated.
`audit_node_host_name`	The host name of the node where the event was generated.
`audit_request_layer`	The layer on which the event has been generated, either TRANSPORT or REST.
`audit_request_origin`	The layer from which the event originated, either TRANSPORT or REST.
`audit_request_effective_user_is_admin`	True if the request was made with a TLS admin certificate, otherwise false.

REST FAILED_LOGIN attributes

Name	Description
`audit_request_effective_user`	The username that failed to authenticate.
`audit_rest_request_path`	The REST endpoint URI.
`audit_rest_request_params`	The HTTP request parameters, if any.
`audit_rest_request_headers`	The HTTP headers, if any.
`audit_request_initiating_user`	The user that initiated the request. Only logged if it differs from the effective user.
`audit_request_body`	The HTTP request body, if any (and if request body logging is enabled).
`audit_rest_request_method`	The HTTP request method.

REST AUTHENTICATED attributes

Name	Description
`audit_request_effective_user`	The username that failed to authenticate.
`audit_request_initiating_user`	The user that initiated the request. Only logged if it differs from the effective user.
`audit_rest_request_path`	The REST endpoint URI.
`audit_rest_request_params`	The HTTP request parameters, if any.
`audit_rest_request_headers`	The HTTP headers, if any.
`audit_request_body`	The HTTP request body, if any (and if request body logging is enabled).
`audit_rest_request_method`	The HTTP request method.

REST SSL_EXCEPTION attributes

Name	Description
`audit_request_exception_stacktrace`	The stack trace of the SSL exception.

REST BAD_HEADERS attributes

Name	Description
`audit_rest_request_path`	The REST endpoint URI.
`audit_rest_request_params`	The HTTP request parameters, if any.
`audit_rest_request_headers`	The HTTP headers, if any.
`audit_request_body`	The HTTP request body, if any (and if request body logging is enabled).

Transport FAILED_LOGIN attributes

Name	Description
`audit_trace_task_id`	The ID of the request.
`audit_transport_headers`	The headers of the request, if any.
`audit_request_effective_user`	The username that failed to authenticate.
`audit_request_initiating_user`	The user that initiated the request. Only logged if it differs from the effective user.
`audit_transport_request_type`	The type of request (e.g. `IndexRequest`).
`audit_request_body`	The HTTP request body, if any (and if request body logging is enabled).
`audit_trace_indices`	The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if `resolve_indices` is true.
`audit_trace_resolved_indices`	The resolved index name(s) affected by the request. Only logged if `resolve_indices` is true.
`audit_trace_doc_types`	The document types affected by the request. Only logged if `resolve_indices` is true.

Transport AUTHENTICATED attributes

Name	Description
`audit_trace_task_id`	The ID of the request.
`audit_transport_headers`	The headers of the request, if any.
`audit_request_effective_user`	The username that failed to authenticate.
`audit_request_initiating_user`	The user that initiated the request. Only logged if it differs from the effective user.
`audit_transport_request_type`	The type of request (e.g. `IndexRequest`).
`audit_request_body`	The HTTP request body, if any (and if request body logging is enabled).
`audit_trace_indices`	The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if `resolve_indices` is true.
`audit_trace_resolved_indices`	The resolved index name(s) affected by the request. Only logged if `resolve_indices` is true.
`audit_trace_doc_types`	The document types affected by the request. Only logged if `resolve_indices` is true.

Transport MISSING_PRIVILEGES attributes

Name	Description
`audit_trace_task_id`	The ID of the request.
`audit_trace_task_parent_id`	The parent ID of this request, if any.
`audit_transport_headers`	The headers of the request, if any.
`audit_request_effective_user`	The username that failed to authenticate.
`audit_request_initiating_user`	The user that initiated the request. Only logged if it differs from the effective user.
`audit_transport_request_type`	The type of request (e.g. `IndexRequest`).
`audit_request_privilege`	The required privilege of the request (for example, `indices:data/read/search`).
`audit_request_body`	The HTTP request body, if any (and if request body logging is enabled).
`audit_trace_indices`	The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if `resolve_indices` is true.
`audit_trace_resolved_indices`	The resolved index name(s) affected by the request. Only logged if `resolve_indices` is true.
`audit_trace_doc_types`	The document types affected by the request. Only logged if `resolve_indices` is true.

Transport GRANTED_PRIVILEGES attributes

Name	Description
`audit_trace_task_id`	The ID of the request.
`audit_trace_task_parent_id`	The parent ID of this request, if any.
`audit_transport_headers`	The headers of the request, if any.
`audit_request_effective_user`	The username that failed to authenticate.
`audit_request_initiating_user`	The user that initiated the request. Only logged if it differs from the effective user.
`audit_transport_request_type`	The type of request (for example, `IndexRequest`).
`audit_request_privilege`	The required privilege of the request (e.g. `indices:data/read/search`).
`audit_request_body`	The HTTP request body, if any (and if request body logging is enabled).
`audit_trace_indices`	The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if `resolve_indices` is true.
`audit_trace_resolved_indices`	The resolved index name(s) affected by the request. Only logged if `resolve_indices` is true.
`audit_trace_doc_types`	The document types affected by the request. Only logged if `resolve_indices` is true.

Transport SSL_EXCEPTION attributes

Name	Description
`audit_request_exception_stacktrace`	The stack trace of the SSL exception.

Transport BAD_HEADERS attributes

Name	Description
`audit_trace_task_id`	The ID of the request.
`audit_trace_task_parent_id`	The parent ID of this request, if any.
`audit_transport_headers`	The headers of the request, if any.
`audit_request_effective_user`	The username that failed to authenticate.
`audit_request_initiating_user`	The user that initiated the request. Only logged if it differs from the effective user.
`audit_transport_request_type`	The type of request (e.g. `IndexRequest`).
`audit_request_body`	The HTTP request body, if any (and if request body logging is enabled).
`audit_trace_indices`	The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if `resolve_indices` is true.
`audit_trace_resolved_indices`	The resolved index name(s) affected by the request. Only logged if `resolve_indices` is true.
`audit_trace_doc_types`	The document types affected by the request. Only logged if `resolve_indices` is true.

Transport opensearch_SECURITY_INDEX_ATTEMPT attributes

Name	Description
`audit_trace_task_id`	The ID of the request.
`audit_transport_headers`	The headers of the request, if any.
`audit_request_effective_user`	The username that failed to authenticate.
`audit_request_initiating_user`	The user that initiated the request. Only logged if it differs from the effective user.
`audit_transport_request_type`	The type of request (e.g. `IndexRequest`).
`audit_request_body`	The HTTP request body, if any (and if request body logging is enabled).
`audit_trace_indices`	The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if `resolve_indices` is true.
`audit_trace_resolved_indices`	The resolved index name(s) affected by the request. Only logged if `resolve_indices` is true.
`audit_trace_doc_types`	The document types affected by the request. Only logged if `resolve_indices` is true.

Common attributes
REST FAILED_LOGIN attributes
REST AUTHENTICATED attributes
REST SSL_EXCEPTION attributes
REST BAD_HEADERS attributes
Transport FAILED_LOGIN attributes
Transport AUTHENTICATED attributes
Transport MISSING_PRIVILEGES attributes
Transport GRANTED_PRIVILEGES attributes
Transport SSL_EXCEPTION attributes
Transport BAD_HEADERS attributes
Transport opensearch_SECURITY_INDEX_ATTEMPT attributes

WAS THIS PAGE HELPFUL?

✔ Yes ✖ No

Tell us why

350 characters left

Have a question? Ask us on the OpenSearch forum.

Want to contribute? Edit this page or create an issue.