Sample Audit Log Messages

This feature requires an Enterprise license for self-managed deployments. To upgrade, contact Redpanda sales.

Redpanda’s audit logs comply with version 1.0.0 of the Open Cybersecurity Schema Framework (OCSF). This provides a predictable and extensible solution that works seamlessly with industry standard tools. This page aggregates several sample log files covering a range of scenarios.

Standard OCSF messages

Redpanda produces the following standard OCSF class messages:

  • Authentication (3002) for all authentication events

  • Application Lifecycle (6002) for when the audit system is enabled or disabled or when Redpanda starts or stops (if auditing is enabled when Redpanda starts or stops)

  • API Activity (6003) for any access to the Kafka API, Admin API, or Schema Registry

Refer to the OCSF Schema Definition for the field definitions for each event class.

Authentication events

These messages illustrate various scenarios around successful and unsuccessful authentication events.

Authentication successful

This scenario shows the message resulting from an admin using rpk with successful authentication. This is an authentication type event.

{
  "category_uid": 3,
  "class_uid": 3002,
  "metadata": {
    "product": {
      "name": "Redpanda",
      // This is the Node ID of the broker that produced this audit event
      "uid": "2",
      "vendor_name": "Redpanda Data, Inc.",
      "version": "v23.3.0-dev-2457-g76dc896f8c"
    },
    "version": "1.0.0"
  },
  "severity_id": 1,
  "time": 1700533469078,
  "type_uid": 300201,
  "activity_id": 1,
  "auth_protocol": "SASL-SCRAM",
  "auth_protocol_id": 99,
  // This is the IP address of the Kafka broker that received the authorization request
  "dst_endpoint": {
    "ip": "127.0.0.1",
    "port": 19092,
    // Name of the Redpanda kafka server
    "svc_name": "kafka rpc protocol"
  },
  // Indicates that credentials were not encrypted using TLS
  "is_cleartext": true,
  "is_mfa": false,
  "service": {
    "name": "kafka rpc protocol"
  },
  // This is the IP address of the client that generated the authorization request
  "src_endpoint": {
    "ip": "127.0.0.1",
    // This is the client ID of the kafka client
    "name": "rpk",
    "port": 42906
  },
  "status_id": 1,
  "user": {
    "name": "user",
    "type_id": 1
  }
}
Authentication failed

This scenario illustrates a common failure where a user entered the wrong credentials. This is an authentication type event.

{
  "category_uid": 3,
  "class_uid": 3002,
  "metadata": {
    "product": {
      "name": "Redpanda",
      "uid": "1",
      "vendor_name": "Redpanda Data, Inc.",
      "version": "v23.3.0-dev-2457-g76dc896f8c"
    },
    "version": "1.0.0"
  },
  "severity_id": 1,
  "time": 1700534756350,
  "type_uid": 300201,
  "activity_id": 1,
  "auth_protocol": "SASL-SCRAM",
  "auth_protocol_id": 99,
  "dst_endpoint": {
    "ip": "127.0.0.1",
    "port": 19092,
    "svc_name": "kafka rpc protocol"
  },
  "is_cleartext": true,
  "is_mfa": false,
  "service": {
    "name": "kafka rpc protocol"
  },
  "src_endpoint": {
    "ip": "127.0.0.1",
    "name": "rpk",
    "port": 45236
  },
  "status_id": 2,
  "status_detail": "SASL authentication failed: security: Invalid credentials",
  "user": {
    "name": "admin",
    "type_id": 1
  }
}

Kafka API events

The Redpanda Kafka API offers a wide array of options for interacting with your Redpanda clusters. Following are examples of messages from common interactions with the API.

Create ACL Entry

This example illustrates an ACL update that also requires a superuser authentication. It lists the edited ACL and the updated permissions. This is a management type event.

{
  "category_uid": 6,
  "class_uid": 6003,
  "metadata": {
    "product": {
      "name": "Redpanda",
      "vendor_name": "Redpanda Data, Inc.",
      "version": "v23.3.0-dev-2457-g76dc896f8c"
    },
    "profiles": [
      "cloud"
    ],
    "version": "1.0.0"
  },
  "severity_id": 1,
  "time": 1700533393776,
  "type_uid": 600303,
  "activity_id": 3,
  "actor": {
    "authorizations": [
      {
        "decision": "authorized",
        // This shows a superuser level authorization
        "policy": {
          "desc": "superuser",
          "name": "aclAuthorization"
        }
      }
    ],
    "user": {
      "name": "admin",
      "type_id": 2
    }
  },
  "api": {
    // The API operation performed
    "operation": "create_acls",
    "service": {
      "name": "kafka rpc protocol"
    }
  },
  "cloud": {
    "provider": ""
  },
  "dst_endpoint": {
    "ip": "127.0.0.1",
    "port": 19092,
    "svc_name": "kafka rpc protocol"
  },
  // List of resources accessed
  "resources": [
    // The created ACL
    {
      "name": "create acl",
      "type": "acl_binding",
      "data": {
        "resource_type": "topic",
        "resource_name": "*",
        "pattern_type": "literal",
        "acl_principal": "{type user name user}",
        "acl_host": "{{any_host}}",
        "acl_operation": "all",
        "acl_permission": "allow"
      }
    },
    // Below indicates that the user had cluster level authorization
    {
      "name": "kafka-cluster",
      "type": "cluster"
    }
  ],
  "src_endpoint": {
    "ip": "127.0.0.1",
    "name": "rpk",
    "port": 50276
  },
  "status_id": 1,
  "unmapped": {
    // Provides a more parsable output of how the
    // authorization decision was made
    "authorization_metadata": {
      "acl_authorization": {
        "host": "",
        "op": "",
        "permission_type": "AUTHORIZED",
        "principal": ""
      },
      "resource": {
        "name": "",
        "pattern": "",
        "type": ""
      }
    }
  }
}
Metadata Request (with counts)

This shows a message for a scenario where a user requests a set of metadata using rpk. It provides detailed information on the type of request and the information sent to the user. This is a describe type event.

{
  "category_uid": 6,
  "class_uid": 6003,
  // If present, indicates that >1 of the same authz check was performed
  // within the period of the audit log collecting entries
  // This provides start and end time (the time period these events were
  // observed)
  "count": 2,
  "end_time": 1700533480725,
  "metadata": {
    "product": {
      "name": "Redpanda",
      "uid": "0",
      "vendor_name": "Redpanda Data, Inc.",
      "version": "v23.3.0-dev-2457-g76dc896f8c"
    },
    "profiles": [
      "cloud"
    ],
    "version": "1.0.0"
  },
  "severity_id": 1,
  "start_time": 1700533480724,
  "time": 1700533480724,
  "type_uid": 600303,
  "activity_id": 3,
  "actor": {
    "authorizations": [
      {
        "decision": "authorized",
        // Represents a policy for a non-super user
        "policy": {
          "desc": "acl: {principal {type user name user} host {{any_host}} op all perm allow}, resource: type {topic} name {*} pattern {literal}",
          "name": "aclAuthorization"
        }
      }
    ],
    "user": {
      "name": "user",
      "type_id": 1
    }
  },
  "api": {
    "operation": "metadata",
    "service": {
      "name": "kafka rpc protocol"
    }
  },
  "cloud": {
    "provider": ""
  },
  "dst_endpoint": {
    "ip": "127.0.0.1",
    "port": 19092,
    "svc_name": "kafka rpc protocol"
  },
  "resources": [
    // The topics accessed
    {
      "name": "test",
      "type": "topic"
    }
  ],
  "src_endpoint": {
    "ip": "127.0.0.1",
    "name": "rpk",
    "port": 53602
  },
  "status_id": 1,
  "unmapped": {
    "authorization_metadata": {
      "acl_authorization": {
        "host": "{{any_host}}",
        "op": "all",
        "permission_type": "allow",
        "principal": "{type user name user}"
      },
      "resource": {
        "name": "*",
        "pattern": "literal",
        "type": "topic"
      }
    }
  }
}

Admin API events

The following examples show audit messages related to use of the Redpanda Admin API.

Requesting cluster configurations as a superuser

This example shows the log message when you use the Admin API to retrieve the cluster configurations in a zipped archive. Note that a user must authenticate with the superuser role to perform this action.

{
  "category_uid": 6,
  "class_uid": 6003,
  "metadata": {
    "product": {
      "name": "Redpanda",
      "uid": "2",
      "vendor_name": "Redpanda Data, Inc.",
      "version": "v23.3.0-dev-2457-g76dc896f8c"
    },
    "profiles": [
      "cloud"
    ],
    "version": "1.0.0"
  },
  "severity_id": 1,
  "time": 1700575714976,
  "type_uid": 600302,
  "activity_id": 2,
  "actor": {
    "authorizations": [
      {
        "decision": "authorized",
        "policy": {
          "desc": "",
          "name": "Admin httpd authorizer"
        }
      }
    ],
    "user": {
      "name": "admin",
      "type_id": 2
    }
  },
  "api": {
    "operation": "GET",
    "service": {
      "name": "Redpanda Admin HTTP Server"
    }
  },
  "cloud": {
    "provider": ""
  },
  "dst_endpoint": {
    "ip": "127.0.0.1",
    "port": 9644,
    "svc_name": "Redpanda Admin HTTP Server"
  },
  "http_request": {
    "http_headers": [
      {
        "name": "Accept-Encoding",
        "value": "gzip"
      },
      {
        "name": "Accept",
        "value": "application/json"
      },
      {
        "name": "Content-Type",
        "value": "application/json"
      },
      {
        "name": "User-Agent",
        "value": "Go-http-client/1.1"
      },
      {
        "name": "Authorization",
        "value": "******"
      },
      {
        "name": "Host",
        "value": "127.0.0.1:9644"
      }
    ],
    "http_method": "GET",
    "url": {
      "hostname": "127.0.0.1:9644",
      "path": "/v1/cluster_config?include_defaults=true",
      "port": 9644,
      "scheme": "http",
      "url_string": "http://127.0.0.1:9644/v1/cluster_config?include_defaults=true"
    },
    "user_agent": "Go-http-client/1.1",
    "version": "1.1"
  },
  "src_endpoint": {
    "ip": "127.0.0.1",
    "port": 44150
  },
  "status_id": 1,
  "unmapped": {}
}
Unauthorized user requesting cluster configurations

Similar to the previous example, this example illustrates a user requesting cluster configurations as a zip archive. Unlike the previous example, however, the user in this case is not authorized to retrieve this information.

{
  "category_uid": 6,
  "class_uid": 6003,
  "metadata": {
    "product": {
      "name": "Redpanda",
      "uid": "0",
      "vendor_name": "Redpanda Data, Inc.",
      "version": "v23.3.0-dev-2457-g76dc896f8c"
    },
    "profiles": [
      "cloud"
    ],
    "version": "1.0.0"
  },
  "severity_id": 1,
  "time": 1700576203097,
  "type_uid": 600302,
  "activity_id": 2,
  "actor": {
    "authorizations": [
      {
        "decision": "denied",
        "policy": {
          "desc": "Forbidden (superuser role required)",
          "name": "Admin httpd authorizer"
        }
      }
    ],
    "user": {
      "name": "user",
      "type_id": 1
    }
  },
  "api": {
    "operation": "GET",
    "service": {
      "name": "Redpanda Admin HTTP Server"
    }
  },
  "cloud": {
    "provider": ""
  },
  "dst_endpoint": {
    "ip": "127.0.0.1",
    "port": 9644,
    "svc_name": "Redpanda Admin HTTP Server"
  },
  "http_request": {
    "http_headers": [
      {
        "name": "Accept-Encoding",
        "value": "gzip"
      },
      {
        "name": "Accept",
        "value": "application/json"
      },
      {
        "name": "Content-Type",
        "value": "application/json"
      },
      {
        "name": "User-Agent",
        "value": "Go-http-client/1.1"
      },
      {
        "name": "Authorization",
        "value": "******"
      },
      {
        "name": "Host",
        "value": "127.0.0.1:9644"
      }
    ],
    "http_method": "GET",
    "url": {
      "hostname": "127.0.0.1:9644",
      "path": "/v1/cluster_config?include_defaults=true",
      "port": 9644,
      "scheme": "http",
      "url_string": "http://127.0.0.1:9644/v1/cluster_config?include_defaults=true"
    },
    "user_agent": "Go-http-client/1.1",
    "version": "1.1"
  },
  "src_endpoint": {
    "ip": "127.0.0.1",
    "port": 53296
  },
  "status_id": 2,
  "unmapped": {}
}