This version of the OpenSearch documentation is no longer maintained. For the latest version, see the current documentation. For information about OpenSearch version maintenance, see Release Schedule and Maintenance Policy.

Audit log field reference

This page contains descriptions for all audit log fields.

Common attributes

The following attributes are logged for all event categories, independent of the layer.

| Name | Description |
| :--- | :--- |
| audit_format_version | The audit log message format version. |
| audit_category | The audit log category. FAILED_LOGIN, MISSING_PRIVILEGES, BAD_HEADERS, SSL_EXCEPTION, OPENSEARCH_SECURITY_INDEX_ATTEMPT, AUTHENTICATED, or GRANTED_PRIVILEGES. |
| audit_node_id | The ID of the node where the event was generated. |
| audit_node_name | The name of the node where the event was generated. |
| audit_node_host_address | The host address of the node where the event was generated. |
| audit_node_host_name | The host name of the node where the event was generated. |
| audit_request_layer | The layer on which the event has been generated, either TRANSPORT or REST. |
| audit_request_origin | The layer from which the event originated, either TRANSPORT or REST. |
| audit_request_effective_user_is_admin | True if the request was made with a TLS admin certificate, otherwise false. |

REST FAILED_LOGIN attributes

| Name | Description |
| :--- | :--- |
| audit_request_effective_user | The username that failed to authenticate. |
| audit_rest_request_path | The REST endpoint URI. |
| audit_rest_request_params | The HTTP request parameters, if any. |
| audit_rest_request_headers | The HTTP headers, if any. |
| audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user. |
| audit_request_body | The HTTP request body, if any (and if request body logging is enabled). |

REST AUTHENTICATED attributes

| Name | Description |
| :--- | :--- |
| audit_request_effective_user | The username that failed to authenticate. |
| audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user. |
| audit_rest_request_path | The REST endpoint URI. |
| audit_rest_request_params | The HTTP request parameters, if any. |
| audit_rest_request_headers | The HTTP headers, if any. |
| audit_request_body | The HTTP request body, if any (and if request body logging is enabled). |

REST SSL_EXCEPTION attributes

| Name | Description |
| :--- | :--- |
| audit_request_exception_stacktrace | The stack trace of the SSL exception. |

REST BAD_HEADERS attributes

| Name | Description |
| :--- | :--- |
| audit_rest_request_path | The REST endpoint URI. |
| audit_rest_request_params | The HTTP request parameters, if any. |
| audit_rest_request_headers | The HTTP headers, if any. |
| audit_request_body | The HTTP request body, if any (and if request body logging is enabled). |

Transport FAILED_LOGIN attributes

| Name | Description |
| :--- | :--- |
| audit_trace_task_id | The ID of the request. |
| audit_transport_headers | The headers of the request, if any. |
| audit_request_effective_user | The username that failed to authenticate. |
| audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user. |
| audit_transport_request_type | The type of request (e.g. IndexRequest). |
| audit_request_body | The HTTP request body, if any (and if request body logging is enabled). |
| audit_trace_indices | The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if resolve_indices is true. |
| audit_trace_resolved_indices | The resolved index name(s) affected by the request. Only logged if resolve_indices is true. |
| audit_trace_doc_types | The document types affected by the request. Only logged if resolve_indices is true. |

Transport AUTHENTICATED attributes

| Name | Description |
| :--- | :--- |
| audit_trace_task_id | The ID of the request. |
| audit_transport_headers | The headers of the request, if any. |
| audit_request_effective_user | The username that failed to authenticate. |
| audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user. |
| audit_transport_request_type | The type of request (e.g. IndexRequest). |
| audit_request_body | The HTTP request body, if any (and if request body logging is enabled). |
| audit_trace_indices | The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if resolve_indices is true. |
| audit_trace_resolved_indices | The resolved index name(s) affected by the request. Only logged if resolve_indices is true. |
| audit_trace_doc_types | The document types affected by the request. Only logged if resolve_indices is true. |

Transport MISSING_PRIVILEGES attributes

| Name | Description |
| :--- | :--- |
| audit_trace_task_id | The ID of the request. |
| audit_trace_task_parent_id | The parent ID of this request, if any. |
| audit_transport_headers | The headers of the request, if any. |
| audit_request_effective_user | The username that failed to authenticate. |
| audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user. |
| audit_transport_request_type | The type of request (e.g. IndexRequest). |
| audit_request_privilege | The required privilege of the request (for example, indices:data/read/search). |
| audit_request_body | The HTTP request body, if any (and if request body logging is enabled). |
| audit_trace_indices | The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if resolve_indices is true. |
| audit_trace_resolved_indices | The resolved index name(s) affected by the request. Only logged if resolve_indices is true. |
| audit_trace_doc_types | The document types affected by the request. Only logged if resolve_indices is true. |

Transport GRANTED_PRIVILEGES attributes

| Name | Description |
| :--- | :--- |
| audit_trace_task_id | The ID of the request. |
| audit_trace_task_parent_id | The parent ID of this request, if any. |
| audit_transport_headers | The headers of the request, if any. |
| audit_request_effective_user | The username that failed to authenticate. |
| audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user. |
| audit_transport_request_type | The type of request (for example, IndexRequest). |
| audit_request_privilege | The required privilege of the request (e.g. indices:data/read/search). |
| audit_request_body | The HTTP request body, if any (and if request body logging is enabled). |
| audit_trace_indices | The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if resolve_indices is true. |
| audit_trace_resolved_indices | The resolved index name(s) affected by the request. Only logged if resolve_indices is true. |
| audit_trace_doc_types | The document types affected by the request. Only logged if resolve_indices is true. |

Transport SSL_EXCEPTION attributes

| Name | Description |
| :--- | :--- |
| audit_request_exception_stacktrace | The stack trace of the SSL exception. |

Transport BAD_HEADERS attributes

| Name | Description |
| :--- | :--- |
| audit_trace_task_id | The ID of the request. |
| audit_trace_task_parent_id | The parent ID of this request, if any. |
| audit_transport_headers | The headers of the request, if any. |
| audit_request_effective_user | The username that failed to authenticate. |
| audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user. |
| audit_transport_request_type | The type of request (e.g. IndexRequest). |
| audit_request_body | The HTTP request body, if any (and if request body logging is enabled). |
| audit_trace_indices | The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if resolve_indices is true. |
| audit_trace_resolved_indices | The resolved index name(s) affected by the request. Only logged if resolve_indices is true. |
| audit_trace_doc_types | The document types affected by the request. Only logged if resolve_indices is true. |

Transport OPENSEARCH_SECURITY_INDEX_ATTEMPT attributes

| Name | Description |
| :--- | :--- |
| audit_trace_task_id | The ID of the request. |
| audit_transport_headers | The headers of the request, if any. |
| audit_request_effective_user | The username that failed to authenticate. |
| audit_request_initiating_user | The user that initiated the request. Only logged if it differs from the effective user. |
| audit_transport_request_type | The type of request (e.g. IndexRequest). |
| audit_request_body | The HTTP request body, if any (and if request body logging is enabled). |
| audit_trace_indices | The index name(s) included in the request. Can contain wildcards, date patterns, and aliases. Only logged if resolve_indices is true. |
| audit_trace_resolved_indices | The resolved index name(s) affected by the request. Only logged if resolve_indices is true. |
| audit_trace_doc_types | The document types affected by the request. Only logged if resolve_indices is true. |
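
The following is an added example, not part of the OpenSearch documentation: a small triage pass over audit events that relies on the field names listed above, including the fields that are only logged conditionally. It assumes events are serialized as one JSON object per line with index fields as lists or strings; the sample events, the threshold and the rule names are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample events, one JSON object per line (assumed serialization).
SAMPLE = """\
{"audit_category":"FAILED_LOGIN","audit_request_layer":"REST","audit_request_effective_user":"alice","audit_rest_request_path":"/_search"}
{"audit_category":"FAILED_LOGIN","audit_request_layer":"REST","audit_request_effective_user":"alice","audit_rest_request_path":"/_search"}
{"audit_category":"FAILED_LOGIN","audit_request_layer":"REST","audit_request_effective_user":"alice","audit_rest_request_path":"/_cat/indices"}
{"audit_category":"FAILED_LOGIN","audit_request_layer":"TRANSPORT","audit_request_effective_user":"bob"}
{"audit_category":"MISSING_PRIVILEGES","audit_request_layer":"TRANSPORT","audit_request_effective_user":"bob","audit_request_privilege":"indices:data/read/search","audit_trace_indices":["logs-*"],"audit_trace_resolved_indices":["logs-2024"]}
{"audit_category":"MISSING_PRIVILEGES","audit_request_layer":"TRANSPORT","audit_request_effective_user":"carol","audit_request_initiating_user":"svc","audit_request_privilege":"indices:data/read/search"}
{"audit_category":"OPENSEARCH_SECURITY_INDEX_ATTEMPT","audit_request_layer":"TRANSPORT","audit_request_effective_user":"bob","audit_transport_request_type":"IndexRequest"}
not json
"""

def _names(ev):
    # Index fields are only logged when resolve_indices is true; prefer resolved names.
    val = ev.get("audit_trace_resolved_indices") or ev.get("audit_trace_indices")
    if not val:
        return "<unresolved>"
    return ",".join(val) if isinstance(val, list) else str(val)

def triage(lines, threshold=3):
    """Return (rule, detail) findings; threshold is a hypothetical tuning knob."""
    failed, findings = Counter(), []
    for line in lines:
        try:
            ev = json.loads(line)
            cat = ev["audit_category"]
        except (ValueError, TypeError, KeyError):
            findings.append(("unparseable", line[:40]))
            continue
        user = ev.get("audit_request_effective_user", "<none>")
        if cat == "FAILED_LOGIN":
            failed[(ev.get("audit_request_layer", "?"), user)] += 1
        elif cat == "MISSING_PRIVILEGES":
            priv = ev.get("audit_request_privilege", "?")
            findings.append(("missing_privileges", f"{user} needs {priv} on {_names(ev)}"))
        elif cat == "OPENSEARCH_SECURITY_INDEX_ATTEMPT":
            findings.append(("security_index_attempt", f"{user} via {ev.get('audit_transport_request_type', '?')}"))
        # The initiating user is only logged when it differs from the effective user.
        if ev.get("audit_request_initiating_user"):
            findings.append(("acting_as", f"{ev['audit_request_initiating_user']} as {user}"))
    for (layer, user), n in sorted(failed.items()):
        if n >= threshold:
            findings.append(("failed_login_burst", f"{layer} {user} x{n}"))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE.splitlines()), sep="\n")
```

Failed logins are counted per layer and user, so the single TRANSPORT failure for bob does not add to a REST count.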