Docs Self-Managed Manage Cluster Maintenance Audit Logging Sample Audit Log Messages This is documentation for Self-Managed v23.3. To view the latest available version of the docs, see v24.2. Sample Audit Log Messages Redpanda’s audit logs comply with version 1.0.0 of the Open Cybersecurity Schema Framework (OCSF). This provides a predictable and extensible solution that works seamlessly with industry standard tools. This page aggregates several sample log files covering a range of scenarios. Standard OCSF messages Redpanda produces the following standard OCSF class messages: Authentication (3002) for all authentication events Application Lifecycle (6002) for when the audit system is enabled or disabled or when Redpanda starts or stops (if auditing is enabled when Redpanda starts or stops) API Activity (6003) for any access to the Kafka API, Admin API, or Schema Registry Refer to the OCSF Schema Definition for the field definitions for each event class. Authentication events These messages illustrate various scenarios around successful and unsuccessful authentication events. Authentication successful This scenario shows the message resulting from an admin using rpk with successful authentication. This is an authentication type event. { "category_uid": 3, "class_uid": 3002, "metadata": { "product": { "name": "Redpanda", // This is the Node ID of the broker that produced this audit event "uid": "2", "vendor_name": "Redpanda Data, Inc.", "version": "v23.3.0-dev-2457-g76dc896f8c" }, "version": "1.0.0" }, "severity_id": 1, "time": 1700533469078, "type_uid": 300201, "activity_id": 1, "auth_protocol": "SASL-SCRAM", "auth_protocol_id": 99, // This is the IP address of the Kafka broker that received the authorization request "dst_endpoint": { "ip": "127.0.0.1", "port": 19092, // Name of the Redpanda kafka server "svc_name": "kafka rpc protocol" }, // Indicates that credentials were not encrypted using TLS "is_cleartext": true, "is_mfa": false, "service": { "name": "kafka rpc protocol" }, // This is the IP address of the client that generated the authorization request "src_endpoint": { "ip": "127.0.0.1", // This is the client ID of the kafka client "name": "rpk", "port": 42906 }, "status_id": 1, "user": { "name": "user", "type_id": 1 } } Authentication failed This scenario illustrates a common failure where a user entered the wrong credentials. This is an authentication type event. { "category_uid": 3, "class_uid": 3002, "metadata": { "product": { "name": "Redpanda", "uid": "1", "vendor_name": "Redpanda Data, Inc.", "version": "v23.3.0-dev-2457-g76dc896f8c" }, "version": "1.0.0" }, "severity_id": 1, "time": 1700534756350, "type_uid": 300201, "activity_id": 1, "auth_protocol": "SASL-SCRAM", "auth_protocol_id": 99, "dst_endpoint": { "ip": "127.0.0.1", "port": 19092, "svc_name": "kafka rpc protocol" }, "is_cleartext": true, "is_mfa": false, "service": { "name": "kafka rpc protocol" }, "src_endpoint": { "ip": "127.0.0.1", "name": "rpk", "port": 45236 }, "status_id": 2, "status_detail": "SASL authentication failed: security: Invalid credentials", "user": { "name": "admin", "type_id": 1 } } Kafka API events The Redpanda Kafka API offers a wide array of options for interacting with your Redpanda clusters. Following are examples of messages from common interactions with the API. Create ACL Entry This example illustrates an ACL update that also requires a superuser authentication. It lists the edited ACL and the updated permissions. This is a management type event. { "category_uid": 6, "class_uid": 6003, "metadata": { "product": { "name": "Redpanda", "vendor_name": "Redpanda Data, Inc.", "version": "v23.3.0-dev-2457-g76dc896f8c" }, "profiles": [ "cloud" ], "version": "1.0.0" }, "severity_id": 1, "time": 1700533393776, "type_uid": 600303, "activity_id": 3, "actor": { "authorizations": [ { "decision": "authorized", // This shows a superuser level authorization "policy": { "desc": "superuser", "name": "aclAuthorization" } } ], "user": { "name": "admin", "type_id": 2 } }, "api": { // The API operation performed "operation": "create_acls", "service": { "name": "kafka rpc protocol" } }, "cloud": { "provider": "" }, "dst_endpoint": { "ip": "127.0.0.1", "port": 19092, "svc_name": "kafka rpc protocol" }, // List of resources accessed "resources": [ // The created ACL { "name": "create acl", "type": "acl_binding", "data": { "resource_type": "topic", "resource_name": "*", "pattern_type": "literal", "acl_principal": "{type user name user}", "acl_host": "{{any_host}}", "acl_operation": "all", "acl_permission": "allow" } }, // Below indicates that the user had cluster level authorization { "name": "kafka-cluster", "type": "cluster" } ], "src_endpoint": { "ip": "127.0.0.1", "name": "rpk", "port": 50276 }, "status_id": 1, "unmapped": { // Provides a more parsable output of how the // authorization decision was made "authorization_metadata": { "acl_authorization": { "host": "", "op": "", "permission_type": "AUTHORIZED", "principal": "" }, "resource": { "name": "", "pattern": "", "type": "" } } } } Metadata Request (with counts) This shows a message for a scenario where a user requests a set of metadata using rpk. It provides detailed information on the type of request and the information sent to the user. This is a describe type event. { "category_uid": 6, "class_uid": 6003, // If present, indicates that >1 of the same authz check was performed // within the period of the audit log collecting entries // This provides start and end time (the time period these events were // observed) "count": 2, "end_time": 1700533480725, "metadata": { "product": { "name": "Redpanda", "uid": "0", "vendor_name": "Redpanda Data, Inc.", "version": "v23.3.0-dev-2457-g76dc896f8c" }, "profiles": [ "cloud" ], "version": "1.0.0" }, "severity_id": 1, "start_time": 1700533480724, "time": 1700533480724, "type_uid": 600303, "activity_id": 3, "actor": { "authorizations": [ { "decision": "authorized", // Represents a policy for a non-super user "policy": { "desc": "acl: {principal {type user name user} host {{any_host}} op all perm allow}, resource: type {topic} name {*} pattern {literal}", "name": "aclAuthorization" } } ], "user": { "name": "user", "type_id": 1 } }, "api": { "operation": "metadata", "service": { "name": "kafka rpc protocol" } }, "cloud": { "provider": "" }, "dst_endpoint": { "ip": "127.0.0.1", "port": 19092, "svc_name": "kafka rpc protocol" }, "resources": [ // The topics accessed { "name": "test", "type": "topic" } ], "src_endpoint": { "ip": "127.0.0.1", "name": "rpk", "port": 53602 }, "status_id": 1, "unmapped": { "authorization_metadata": { "acl_authorization": { "host": "{{any_host}}", "op": "all", "permission_type": "allow", "principal": "{type user name user}" }, "resource": { "name": "*", "pattern": "literal", "type": "topic" } } } } Admin API events The following examples show audit messages related to use of the Redpanda Admin API. Requesting cluster configurations as a superuser This example shows the log message when you use the Admin API to retrieve the cluster configurations in a zipped archive. Note that a user must authenticate with the superuser role to perform this action. { "category_uid": 6, "class_uid": 6003, "metadata": { "product": { "name": "Redpanda", "uid": "2", "vendor_name": "Redpanda Data, Inc.", "version": "v23.3.0-dev-2457-g76dc896f8c" }, "profiles": [ "cloud" ], "version": "1.0.0" }, "severity_id": 1, "time": 1700575714976, "type_uid": 600302, "activity_id": 2, "actor": { "authorizations": [ { "decision": "authorized", "policy": { "desc": "", "name": "Admin httpd authorizer" } } ], "user": { "name": "admin", "type_id": 2 } }, "api": { "operation": "GET", "service": { "name": "Redpanda Admin HTTP Server" } }, "cloud": { "provider": "" }, "dst_endpoint": { "ip": "127.0.0.1", "port": 9644, "svc_name": "Redpanda Admin HTTP Server" }, "http_request": { "http_headers": [ { "name": "Accept-Encoding", "value": "gzip" }, { "name": "Accept", "value": "application/json" }, { "name": "Content-Type", "value": "application/json" }, { "name": "User-Agent", "value": "Go-http-client/1.1" }, { "name": "Authorization", "value": "******" }, { "name": "Host", "value": "127.0.0.1:9644" } ], "http_method": "GET", "url": { "hostname": "127.0.0.1:9644", "path": "/v1/cluster_config?include_defaults=true", "port": 9644, "scheme": "http", "url_string": "http://127.0.0.1:9644/v1/cluster_config?include_defaults=true" }, "user_agent": "Go-http-client/1.1", "version": "1.1" }, "src_endpoint": { "ip": "127.0.0.1", "port": 44150 }, "status_id": 1, "unmapped": {} } Unauthorized user requesting cluster configurations Similar to the previous example, this example illustrates a user requesting cluster configurations as a zip archive. Unlike the previous example, however, the user in this case is not authorized to retrieve this information. { "category_uid": 6, "class_uid": 6003, "metadata": { "product": { "name": "Redpanda", "uid": "0", "vendor_name": "Redpanda Data, Inc.", "version": "v23.3.0-dev-2457-g76dc896f8c" }, "profiles": [ "cloud" ], "version": "1.0.0" }, "severity_id": 1, "time": 1700576203097, "type_uid": 600302, "activity_id": 2, "actor": { "authorizations": [ { "decision": "denied", "policy": { "desc": "Forbidden (superuser role required)", "name": "Admin httpd authorizer" } } ], "user": { "name": "user", "type_id": 1 } }, "api": { "operation": "GET", "service": { "name": "Redpanda Admin HTTP Server" } }, "cloud": { "provider": "" }, "dst_endpoint": { "ip": "127.0.0.1", "port": 9644, "svc_name": "Redpanda Admin HTTP Server" }, "http_request": { "http_headers": [ { "name": "Accept-Encoding", "value": "gzip" }, { "name": "Accept", "value": "application/json" }, { "name": "Content-Type", "value": "application/json" }, { "name": "User-Agent", "value": "Go-http-client/1.1" }, { "name": "Authorization", "value": "******" }, { "name": "Host", "value": "127.0.0.1:9644" } ], "http_method": "GET", "url": { "hostname": "127.0.0.1:9644", "path": "/v1/cluster_config?include_defaults=true", "port": 9644, "scheme": "http", "url_string": "http://127.0.0.1:9644/v1/cluster_config?include_defaults=true" }, "user_agent": "Go-http-client/1.1", "version": "1.1" }, "src_endpoint": { "ip": "127.0.0.1", "port": 53296 }, "status_id": 2, "unmapped": {} } Suggested labs Enable Plain Login Authentication for Redpanda ConsoleSearch all labs Back to top × Simple online edits For simple changes, such as fixing a typo, you can edit the content directly on GitHub. Edit on GitHub Or, open an issue to let us know about something that you want us to change. Open an issue Contribution guide For extensive content updates, or if you prefer to work locally, read our contribution guide . Was this helpful? thumb_up thumb_down group Ask in the community mail Share your feedback group_add Make a contribution Audit Logging Manage Disk Space