When you areauditing security events, a single client request might generate multiple audit events, across multiple cluster nodes. The commonrequest.id attribute can be used to correlate the associated events.

This document provides a reference for all types of audit events and their associatedattributes in Elasticsearch. Useaudit event settings options to control what gets logged.

For more information and options about tuning audit logs, refer toConfiguring audit logs.

access_denied

Logged when an authenticated user attempts to execute an action they do not have the necessaryprivilege to perform.

Example

{"type":"audit", "timestamp":"2020-12-30T22:30:06,949+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"access_denied", "authentication.type":"REALM", "user.name":"user1","user.realm":"default_native", "user.roles":["test_role"], "origin.type":"rest", "origin.address":"[::1]:52434", "request.id":"yKOgWn2CRQCKYgZRz3phJw","action":"indices:admin/auto_create", "request.name":"CreateIndexRequest","indices":["<index-{now/d+1d}>"]}

access_granted

Logged when an authenticated user attempts to execute an action they have the necessary privilege to perform. These events will be logged only for non-system users.

If you want to includeaccess_granted events for all users (including internal users such as_xpack), addsystem_access_granted to the list of event types in addition toaccess_granted. Thesystem_access_granted privilege is not included by default to avoid cluttering the logs.

Example

{"type":"audit", "timestamp":"2020-12-30T22:30:06,947+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"user1", "userrealm":"default_native", "user.roles":["test_role"], "origin.type":"rest","origin.address":"[::1]:52434", "request.id":"yKOgWn2CRQCKYgZRz3phJw","action":"indices:data/write/bulk", "request.name":"BulkRequest"}

anonymous_access_denied

Logged when a request is denied due to missing authentication credentials.

Example

{"type":"audit", "timestamp":"2020-12-30T21:56:43,608+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"anonymous_access_denied", "origin.type":"rest", "origin.address":"[::1]:50543", "url.path":"/twitter/_async_search", "url.query":"pretty","request.method":"POST", "request.id":"TqA9OisyQ8WTl1ivJUV1AA"}

authentication_failed

Logged when the authentication credentials cannot be matched to a known user.

Example

{"type":"audit", "timestamp":"2020-12-30T22:10:15,510+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"authentication_failed", "user.name":"elastic", "origin.type":"rest","origin.address":"[::1]:51504", "url.path":"/_security/user/user1","url.query":"pretty", "request.method":"POST","request.id":"POv8p_qeTl2tb5xoFl0HIg"}

authentication_success

Logged when a user successfully authenticates.

Example

{"type":"audit", "timestamp":"2020-12-30T22:03:35,018+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"authentication_success", "authentication.type":"REALM", "user.name":"elastic", "user.realm":"reserved", "origin.type":"rest", "origin.address":"[::1]:51014", "realm":"reserved", "url.path":"/twitter/_search","url.query":"pretty", "request.method":"POST","request.id":"nHV3UMOoSiu-TaSPWCfxGg"}

change_disable_user

Logged when theenable user API is invoked to disable a native or a built-in user.

You must include thesecurity_config_change event type to audit the related event action.

Example

{"type":"audit", "timestamp":"2020-12-30T23:17:28,308+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"change_disable_user", "request.id":"qvLIgw_eTvyK3cgV-GaLVg","change":{"disable":{"user":{"name":"user1"}}}}

change_enable_user

Logged when theenable user API is invoked to enable a native or a built-in user.

You must include thesecurity_config_change event type to audit the related event action.

Example

{"type":"audit", "timestamp":"2020-12-30T23:17:34,843+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"change_enable_user", "request.id":"BO3QU3qeTb-Ei0G0rUOalQ","change":{"enable":{"user":{"name":"user1"}}}}

change_password

Logged when thechange password API is invoked to change the password of a native or built-in user.

You must include thesecurity_config_change event type to audit the related event action.

Example

{"type":"audit", "timestamp":"2019-12-30T22:19:41,345+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"change_password", "request.id":"bz5a1Cc3RrebDMitMGGNCw","change":{"password":{"user":{"name":"user1"}}}}

create_service_token

Logged when thecreate service account token API is invoked to create a new index-based token for a service account.

You must include thesecurity_config_change event type to audit the related event action.

Example

{"type":"audit", "timestamp":"2021-04-30T23:17:42,952+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"create_service_token", "request.id":"az9a1Db5QrebDMacQ8yGKc","create":{"service_token":{"namespace":"elastic","service":"fleet-server","name":"token1"}}}`

connection_denied

Logged when an incoming TCP connection does not pass theIP filter for a specific profile.

Example

{"type":"audit", "timestamp":"2020-12-30T21:47:31,526+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"ip_filter", "event.action":"connection_denied", "origin.type":"rest", "origin.address":"10.10.0.20:52314","transport.profile":".http", "rule":"deny 10.10.0.0/16"}

connection_granted

Logged when an incoming TCP connection passes theIP filter for a specific profile.

Example

{"type":"audit", "timestamp":"2020-12-30T21:47:31,526+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"ip_filter", "event.action":"connection_granted", "origin.type":"rest", "origin.address":"[::1]:52314","transport.profile":".http", "rule":"allow ::1,127.0.0.1"}

create_apikey

Logged when thecreate API key or thegrant API key APIs are invoked to create a new API key.

You must include thesecurity_config_change event type to audit the related event action.

Example

{"type":"audit", "timestamp":"2020-12-31T00:33:52,521+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"create_apikey", "request.id":"9FteCmovTzWHVI-9Gpa_vQ", "create":{"apikey":{"name":"test-api-key-1","expiration":"10d","role_descriptors":[{"cluster":["monitor","manage_ilm"],"indices":[{"names":["index-a*"],"privileges":["read","maintenance"]},{"names":["in*","alias*"],"privileges":["read"],"field_security":{"grant":["field1*","@timestamp"],"except":["field11"]}}],"applications":[],"run_as":[]},{"cluster":["all"],"indices":[{"names":["index-b*"],"privileges":["all"]}],"applications":[],"run_as":[]}],"metadata":{"application":"my-application","environment":{"level": 1,"tags":["dev","staging"]}}}}}

change_apikey

Logged when theupdate API key API is invoked to update the attributes of an existing API key.

You must include thesecurity_config_change event type to audit the related event action.

Example

{"type":"audit", "timestamp":"2020-12-31T00:33:52,521+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"change_apikey", "request.id":"9FteCmovTzWHVI-9Gpa_vQ", "change":{"apikey":{"id":"zcwN3YEBBmnjw-K-hW5_","role_descriptors":[{"cluster":["monitor","manage_ilm"],"indices":[{"names":["index-a*"],"privileges":["read","maintenance"]},{"names":["in*","alias*"],"privileges":["read"],"field_security":{"grant":["field1*","@timestamp"],"except":["field11"]}}],"applications":[],"run_as":[]},{"cluster":["all"],"indices":[{"names":["index-b*"],"privileges":["all"]}],"applications":[],"run_as":[]}],"metadata":{"application":"my-application","environment":{"level": 1,"tags":["dev","staging"]}},"expiration":"10d"}}}

change_apikeys

Logged when thebulk update API keys API is invoked to update the attributes of multiple existing API keys.

You must include thesecurity_config_change event type to audit the related event action.

Example

{"type":"audit","timestamp":"2020-12-31T00:33:52,521+0200","node.id":"9clhpgjJRR-iKzOw20xBNQ","event.type":"security_config_change","event.action":"change_apikeys","request.id":"9FteCmovTzWHVI-9Gpa_vQ","change":{"apikeys":{"ids":["zcwN3YEBBmnjw-K-hW5_","j7c0WYIBqecB5CbVR6Oq"],"role_descriptors":[{"cluster":["monitor","manage_ilm"],"indices":[{"names":["index-a*"],"privileges":["read","maintenance"]},{"names":["in*","alias*"],"privileges":["read"],"field_security":{"grant":["field1*","@timestamp"],"except":["field11"]}}],"applications":[],"run_as":[]},{"cluster":["all"],"indices":[{"names":["index-b*"],"privileges":["all"]}],"applications":[],"run_as":[]}],"metadata":{"application":"my-application","environment":{"level":1,"tags":["dev","staging"]}},"expiration":"10d"}}}

delete_privileges

Logged when thedelete application privileges API is invoked to remove one or more application privileges.

You must include thesecurity_config_change event type to audit the related event action.

Example

{"type":"audit", "timestamp":"2020-12-31T00:39:30,246+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"delete_privileges", "request.id":"7wRWVxxqTzCKEspeSP7J8g","delete":{"privileges":{"application":"myapp","privileges":["read"]}}}

delete_role

Logged when thedelete role API is invoked to delete a role.

You must include thesecurity_config_change event type to audit the related event action.

Example

{"type":"audit", "timestamp":"2020-12-31T00:08:11,678+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"delete_role", "request.id":"155IKq3zQdWq-12dgKZRnw","delete":{"role":{"name":"my_admin_role"}}}

delete_role_mapping

Logged when thedelete role mapping API is invoked to delete a role mapping.

You must include thesecurity_config_change event type to audit the related event action.

Example

{"type":"audit", "timestamp":"2020-12-31T00:12:09,349+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"delete_role_mapping", "request.id":"Stim-DuoSTCWom0S_xhf8g","delete":{"role_mapping":{"name":"mapping1"}}}

delete_service_token

Logged when thedelete service account token API is invoked to delete an index-based token for a service account.

You must include thesecurity_config_change event type to audit the related event action.

Example

{"type":"audit", "timestamp":"2021-04-30T23:17:42,952+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"delete_service_token", "request.id":"az9a1Db5QrebDMacQ8yGKc","delete":{"service_token":{"namespace":"elastic","service":"fleet-server","name":"token1"}}}

delete_user

Logged when thedelete user API is invoked to delete a specific native user.

You must include thesecurity_config_change event type to audit the related event action.

Example

{"type":"audit", "timestamp":"2020-12-30T22:19:41,345+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change","event.action":"delete_user", "request.id":"au5a1Cc3RrebDMitMGGNCw","delete":{"user":{"name":"jacknich"}}}

invalidate_apikeys

Logged when theinvalidate API key API is invoked to invalidate one or more API keys.

You must include thesecurity_config_change event type to audit the related event action.

Example

{"type":"audit", "timestamp":"2020-12-31T00:36:30,247+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":"invalidate_apikeys", "request.id":"7lyIQU9QTFqSrTxD0CqnTQ","invalidate":{"apikeys":{"owned_by_authenticated_user":false,"user":{"name":"myuser","realm":"native1"}}}}

put_privileges

Logged when thecreate or update privileges API is invoked to add or update one or more application privileges.

You must include thesecurity_config_change event type to audit the related event action.

Example

{"type":"audit", "timestamp":"2020-12-31T00:39:07,779+0200", "node.id":"9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change","event.action":"put_privileges", "request.id":"1X2VVtNgRYO7FmE0nR_BGA","put":{"privileges":[{"application":"myapp","name":"read","actions":["data:read/*","action:login"],"metadata":{"description":"Read access to myapp"}}]}}

put_role

Logged when thecreate or update role API is invoked to create or update a role.

You must include thesecurity_config_change event type to audit the related event action.

Example

{"type":"audit", "timestamp":"2020-12-30T22:27:01,978+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change","event.action":"put_role", "request.id":"tDYQhv5CRMWM4Sc5Zkk2cQ","put":{"role":{"name":"test_role","role_descriptor":{"cluster":["all"],"indices":[{"names":["apm*"],"privileges":["all"],"field_security":{"grant":["granted"]},"query":"{\"term\": {\"service.name\": \"bar\"}}"},{"names":["apm-all*"],"privileges":["all"],"query":"{\"term\":{\"service.name\": \"bar2\"}}"}],"applications":[],"run_as":[]}}}}

put_role_mapping

Logged when thecreate or update role mapping API is invoked to create or update a role mapping.

You must include thesecurity_config_change event type to audit the related event action.

Example

{"type":"audit", "timestamp":"2020-12-31T00:11:13,932+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":"put_role_mapping", "request.id":"kg4h1l_kTDegnLC-0A-XxA","put":{"role_mapping":{"name":"mapping1","roles":["user"],"rules":{"field":{"username":"*"}},"enabled":true,"metadata":{"version":1}}}}

put_user

Logged when thecreate or update user API is invoked to create or update a native user. Note that user updates can also change the user’s password.

You must include thesecurity_config_change event type to audit the related event action.

Example

{"type":"audit", "timestamp":"2020-12-30T22:10:09,749+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change","event.action":"put_user", "request.id":"VIiSvhp4Riim_tpkQCVSQA","put":{"user":{"name":"user1","enabled":false,"roles":["admin","other_role1"],"full_name":"Jack Sparrow","email":"jack@blackpearl.com","has_password":true,"metadata":{"cunning":10}}}}

realm_authentication_failed

Logged for every realm that fails to present a valid authentication token.

Example

{"type":"audit", "timestamp":"2020-12-30T22:10:15,510+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":"realm_authentication_failed", "user.name":"elastic", "origin.type":"rest","origin.address":"[::1]:51504", "realm":"myTestRealm1", "url.path":"/_security/user/user1", "url.query":"pretty", "request.method":"POST","request.id":"POv8p_qeTl2tb5xoFl0HIg"}

run_as_denied

Logged when an authenticated user attempts torun as another user that they do not have the necessaryprivileges to do so.

Example

{"type":"audit", "timestamp":"2020-12-30T22:49:34,859+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"run_as_denied", "user.name":"user1", "user.run_as.name":"user1","user.realm":"default_native", "user.run_as.realm":"default_native","user.roles":["test_role"], "origin.type":"rest", "origin.address":"[::1]:52662", "request.id":"RcaSt872RG-R_WJBEGfYXA","action":"indices:data/read/search", "request.name":"SearchRequest", "indices":["alias1"]}

run_as_granted

Logged when an authenticated user attempts torun as another user that they have the necessary privileges to do so.

Example

{"type":"audit", "timestamp":"2020-12-30T22:44:42,068+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":"run_as_granted", "user.name":"elastic", "user.run_as.name":"user1","user.realm":"reserved", "user.run_as.realm":"default_native","user.roles":["superuser"], "origin.type":"rest", "origin.address":"[::1]:52623", "request.id":"dGqPTdEQSX2TAPS3cvc1qA", "action":"indices:data/read/search", "request.name":"SearchRequest", "indices":["alias1"]}

system_access_granted

Logsaccess_granted events only forinternal users, such as_xpack. If you include this setting in addition toaccess_granted, thenaccess_granted events are logged forall users.

Note

This event type is disabled by default to avoid cluttering the logs.

tampered_request

Logged when the security features detect that the request has been tampered with. Typically relates tosearch/scroll requests when the scroll ID is believed to have been tampered with.

Example

{"type":"audit", "timestamp":"2019-11-27T22:00:00,947+0200", "node.id":"0RMNyghkQYCc_gVd1G6tZQ", "event.type": "rest", "event.action":"tampered_request", "origin.address":"[::1]:50543", "url.path":"/twitter/_async_search", "url.query":"pretty", "request.method":"POST","request.id":"TqA9OisyQ8WTl1ivJUV1AA"}

The audit events are formatted as JSON documents, and each event is printed on a separate line in the audit log. The entries themselves do not contain an end-of-line delimiter. For more details, seeLog entry format.

The following list shows attributes that are common to all audit event types:

@timestamp

The time, in ISO9601 format, when the event occurred.

node.name

The name of the node. This can be changed in theelasticsearch.yml config file.

node.id

The node id. This is automatically generated and is persistent across full cluster restarts.

host.ip

The bound IP address of the node, with which the node can be communicated with.

host.name

The unresolved node’s hostname.

event.type

The internal processing layer that generated the event:rest,transport,ip_filter orsecurity_config_change. This is different fromorigin.type because a request originating from the REST API is translated to a number of transport messages, generating audit events withorigin.type: rest andevent.type: transport.

event.action

The type of event that occurred:anonymous_access_denied,authentication_failed,authentication_success,realm_authentication_failed,access_denied,access_granted,connection_denied,connection_granted,tampered_request,run_as_denied, orrun_as_granted.

In addition, ifevent.type equalssecurity_config_change, theevent.action attribute takes one of the following values:put_user,change_password,put_role,put_role_mapping,change_enable_user,change_disable_user,put_privileges,create_apikey,delete_user,delete_role,delete_role_mapping,invalidate_apikeys,delete_privileges,change_apikey, orchange_apikeys.

request.id

A synthetic identifier that can be used to correlate the events associated with a particular REST request.

In addition, all the events of typesrest,transport andip_filter (but notsecurity_config_change) have the following extra attributes, which show more details about the requesting client:

origin.address

The source IP address of the request associated with this event. This could be the address of the remote client, the address of another cluster node, or the local node’s bound address, if the request originated locally. Unless the remote client connects directly to the cluster, theclient address will actually be the address of the first OSI layer 3 proxy in front of the cluster.

origin.type

The origin type of the request associated with this event:rest (request originated from a REST API request),transport (request was received on the transport channel), orlocal_node (the local node issued the request).

opaque_id

The value of theX-Opaque-Id HTTP header (if present) of the request associated with this event. See more:X-Opaque-Id HTTP header - API conventions

trace_id

The identifier extracted from thetraceparent HTTP header (if present) of the request associated with this event. It allows to surface audit logs into the Trace Logs feature of Elastic APM.

x_forwarded_for

The verbatim value of theX-Forwarded-For HTTP request header (if present) of the request associated with the audit event. This header is commonly added by proxies when they forward requests and the value is the address of the proxied client. When a request crosses multiple proxies the header is a comma delimited list with the last value being the address of the second to last proxy server (the address of the last proxy server is designated by theorigin.address field).

The events withevent.type equal torest have one of the followingevent.action attribute values:authentication_success,anonymous_access_denied,authentication_failed,realm_authentication_failed,tampered_request orrun_as_denied. These events also have the following extra attributes (in addition to the common ones):

url.path

The path part of the URL (between the port and the query string) of the REST request associated with this event. This is URL encoded.

url.query

The query part of the URL (after "?", if present) of the REST request associated with this event. This is URL encoded.

request.method

The HTTP method of the REST request associated with this event. It is one of GET, POST, PUT, DELETE, OPTIONS, HEAD, PATCH, TRACE and CONNECT.

request.body

The full content of the REST request associated with this event, if enabled. This contains the HTTP request body. The body is escaped as a string value according to the JSON RFC 4627.

The events withevent.type equal totransport have one of the followingevent.action attribute values:authentication_success,anonymous_access_denied,authentication_failed,realm_authentication_failed,access_granted,access_denied,run_as_granted,run_as_denied, ortampered_request. These events also have the following extra attributes (in addition to the common ones):

action

The name of the transport action that was executed. This is like the URL for a REST request.

indices

The indices names array that the request associated with this event pertains to (when applicable).

request.name

The name of the request handler that was executed.

The events withevent.type equal toip_filter have one of the followingevent.action attribute values:connection_granted orconnection_denied. These events also have the following extra attributes (in addition to the common ones):

transport_profile

The transport profile the request targeted.

rule

TheIP filtering rule that denied the request.

The events with theevent.type attribute equal tosecurity_config_change have one of the followingevent.action attribute values:put_user,change_password,put_role,put_role_mapping,change_enable_user,change_disable_user,put_privileges,create_apikey,delete_user,delete_role,delete_role_mapping,invalidate_apikeys,delete_privileges,change_apikey, orchange_apikeys.

These events also haveone of the following extra attributes (in addition to the common ones), which is specific to theevent.type attribute. The attribute’s value is a nested JSON object:

put

The object representation of the security config that is being created, or the overwrite of an existing config. It contains the config for auser,role,role_mapping, or for applicationprivileges.

delete

The object representation of the security config that is being deleted. It can be the config for auser,role,role_mapping or for applicationprivileges.

change

The object representation of the security config that is being changed. It can be thepassword,enable ordisable, config object for native or built-in users. If an API key is updated, the config object will be anapikey.

create

The object representation of the new security config that is being created. This is currently only used for API keys auditing. If the API key is created using thecreate API key API it only contains anapikey config object. If the API key is created using thegrant API key API it also contains agrant config object.

invalidate

The object representation of the security configuration that is being invalidated. The only config that currently supports invalidation isapikeys, through theinvalidate API key API.

The schemas of the security config objects mentioned above are as follows. They are very similar to the request bodies of the corresponding security APIs.

user

An object like:

`{"name": <string>, "enabled": <boolean>, "roles": <string_list>,"full_name": <string>, "email": <string>, "has_password": <boolean>,"metadata": <object>}`.

Thefull_name,email andmetadata fields are omitted if empty.

role

An object like:

`{"name": <string>, "role_descriptor": {"cluster": <string_list>, "global":{"application":{"manage":{<string>:<string_list>}}}, "indices": [                             {"names": <string_list>, "privileges": <string_list>, "field_security":{"grant": <string_list>, "except": <string_list>}, "query": <string>,"allow_restricted_indices": <boolean>}], "applications":[{"application": <string>,"privileges": <string_list>, "resources": <string_list>}], "run_as": <string_list>,"metadata": <object>}}`.

Theglobal,field_security,except,query,allow_restricted_indices andmetadata fields are omitted if empty.

role_mapping

An object like:

`{"name": <string>, "roles": <string_list>, "role_templates": [{"template": <string>,"format": <string>}], "rules": <object>, "enabled": <boolean>, "metadata": <object>}`.

Theroles androle_templates fields are omitted if empty. Therules object has a recursively nested schema, identical to what is passed in theAPI request for mapping roles.

privileges

An array of objects like:

`{"application": <string>, "name": <string>, "actions": <string_list>,"metadata": <object>}`.

password

A simple object like:

`{"user":{"name": <string>}}`

enable

A simple object like:

`{"user":{"name": <string>}}`

disable

A simple object like:

`{"user":{"name": <string>}}`

apikey

An object like:

`{"id": <string>, "name": <string>, "expiration": <string>, "role_descriptors": [<object>],"metadata": [<object>]}`

Therole_descriptors objects have the same schema as therole_descriptor object that is part of the aboverole config object.

The object for an API key update will differ in that it will not include aname.

grant

An object like:

`{"type": <string>, "user": {"name": <string>, "has_password": <boolean>},"has_access_token": <boolean>}`

apikeys

An object like:

`{"ids": <string_list>, "name": <string>, "owned_by_authenticated_user":<boolean>, "user":{"name": <string>, "realm": <string>}}`

The object for a bulk API key update will differ in that it will not includename,owned_by_authenticated_user, oruser. Instead, it may includemetadata androle_descriptors, which have the same schemas as the fields in theapikey config object above.

service_token

An object like:

`{"namespace":<string>,"service":<string>,"name":<string>}`

There are a few events that have some more attributes in addition to those that have been previously described:

• authentication_success:

  realm

  The name of the realm that successfully authenticated the user. If authenticated using an API key, this is the special value of_es_api_key. This is a shorthand attribute for the same information that is described by theuser.realm,user.run_by.realm andauthentication.type attributes.

  user.name

  The name of theeffective user. This is usually the same as theauthenticated user, but if using therun as authorization functionality this instead denotes the name of theimpersonated user. If authenticated using an API key, this is the name of the API key owner. If authenticated using a service account token, this is the service account principal, i.e.namespace/service_name.

  user.realm

  Name of the realm to which theeffective user belongs. If authenticated using an API key, this is the name of the realm to which the API key owner belongs.

  user.run_by.name

  This attribute is present only if the request is using therun as authorization functionality and denotes the name of theauthenticated user, which is also known as theimpersonator.

  user.run_by.realm

  Name of the realm to which theauthenticated (impersonator) user belongs. This attribute is provided only if the request uses therun as authorization functionality.

  authentication.type

  Method used to authenticate the user. Possible values areREALM,API_KEY,TOKEN,ANONYMOUS orINTERNAL.

  apikey.id

  API key ID returned by thecreate API key request. This attribute is only provided for authentication using an API key.

  apikey.name

  API key name provided in thecreate API key request. This attribute is only provided for authentication using an API key.

  authentication.token.name

  Name of theservice account token. This attribute is only provided for authentication using a service account token.

  authentication.token.type

  Type of theservice account token. This attribute is only provided for authentication using a service account token.

• authentication_failed:

  user.name

  The name of the user that failed authentication. If the request authentication token is invalid or unparsable, this information might be missing.

  authentication.token.name

  Name of theservice account token. This attribute is only provided for authentication using a service account token. If the request authentication token is invalid or unparsable, this information might be missing.

  authentication.token.type

  Type of theservice account token. This attribute is only provided for authentication using a service account token. If the request authentication token is invalid or unparsable, this information might be missing.

• realm_authentication_failed:

  user.name

  The name of the user that failed authentication.

  realm

  The name of the realm that rejected this authentication.This event is generated for each consulted realm in the chain.

• run_as_denied andrun_as_granted:

  user.roles

  The role names as an array of theauthenticated user which is being granted or denied theimpersonation action. If authenticated as aservice account, this is always an empty array.

  user.name

  The name of theauthenticated user which is being granted or denied theimpersonation action.

  user.realm

  The realm name that theauthenticated user belongs to.

  user.run_as.name

  The name of the user as which theimpersonation action is granted or denied.

  user.run_as.realm

  The realm name of that theimpersonated user belongs to.

• access_granted andaccess_denied:

  user.roles

  The role names of the user as an array. If authenticated using an API key, this contains the role names of the API key owner. If authenticated as aservice account, this is always an empty array.

  user.name

  The name of theeffective user. This is usually the same as theauthenticated user, but if using therun as authorization functionality this instead denotes the name of theimpersonated user. If authenticated using an API key, this is the name of the API key owner.

  user.realm

  Name of the realm to which theeffective user belongs. If authenticated using an API key, this is the name of the realm to which the API key owner belongs.

  user.run_by.name

  This attribute is present only if the request is using therun as authorization functionality and denoted the name of theauthenticated user, which is also known as theimpersonator.

  user.run_by.realm

  This attribute is present only if the request is using therun as authorization functionality and denotes the name of the realm that theauthenticated (impersonator) user belongs to.

  authentication.type

  Method used to authenticate the user. Possible values areREALM,API_KEY,TOKEN,ANONYMOUS orINTERNAL.

  apikey.id

  API key ID returned by thecreate API key request. This attribute is only provided for authentication using an API key.

  apikey.name

  API key name provided in thecreate API key request. This attribute is only provided for authentication using an API key.

  authentication.token.name

  Name of theservice account token. This attribute is only provided for authentication using a service account token.

  authentication.token.type

  Type of theservice account token. This attribute is only provided for authentication using a service account token.