diff --git a/deploy-manage/monitor/logging-configuration/auditing-search-queries.md b/deploy-manage/monitor/logging-configuration/auditing-search-queries.md
index f91abe8fb4..6c609be5b3 100644
--- a/deploy-manage/monitor/logging-configuration/auditing-search-queries.md
+++ b/deploy-manage/monitor/logging-configuration/auditing-search-queries.md
@@ -6,28 +6,39 @@ applies:
ece: all
eck: all
stack: all
+ serverless: unavailable
---
-# Auditing search queries [auditing-search-queries]
+# Audit Elasticsearch search queries [auditing-search-queries]
-There is no [audit event type](elasticsearch-audit-events.md) specifically dedicated to search queries. Search queries are analyzed and then processed; the processing triggers authorization actions that are audited. However, the original raw query, as submitted by the client, is not accessible downstream when authorization auditing occurs.
+There is no [audit event type]() (asciidocalypse://elasticsearch/docs/reference/elasticsearch/elasticsearch-audit-events) specifically dedicated to search queries. Search queries are analyzed and then processed; the processing triggers authorization actions that are audited. However, the original raw query, as submitted by the client, is not accessible downstream when authorization auditing occurs.
Search queries are contained inside HTTP request bodies, however, and some audit events that are generated by the REST layer, on the coordinating node, can be toggled to output the request body to the audit log. Therefore, one must audit request bodies in order to audit search queries.
-To make certain audit events include the request body, edit the following setting in the `elasticsearch.yml` file:
+To make certain audit events include the request body, configure the following setting in {{es}}:
```yaml
xpack.security.audit.logfile.events.emit_request_body: true
```
+You can apply this setting through [cluster update settings API](https://www.elastic.co/guide/en/elasticsearch/reference/current/cluster-update-settings.html), as described in [](./configuring-audit-logs.md). Alternatively, you can modify `elasticsearch.yml` in all nodes and restart for the changes to take effect.
+
::::{important}
No filtering is performed when auditing, so sensitive data might be audited in plain text when audit events include the request body. Also, the request body can contain malicious content that can break a parser consuming the audit logs.
::::
-
The request body is printed as an escaped JSON string value (RFC 4627) to the `request.body` event attribute.
-Not all events contain the `request.body` attribute, even when the above setting is toggled. The ones that do are: `authentication_success`, `authentication_failed`, `realm_authentication_failed`, `tampered_request`, `run_as_denied`, and `anonymous_access_denied`. The `request.body` attribute is printed on the coordinating node only (the node that handles the REST request). Most of these event types are [not included by default](https://www.elastic.co/guide/en/elasticsearch/reference/current/auditing-settings.html#xpack-sa-lf-events-include).
+Not all events contain the `request.body` attribute, even when the above setting is toggled. The ones that do are:
+
+* `authentication_success`
+* `authentication_failed`
+* `realm_authentication_failed`
+* `tampered_request`
+* `run_as_denied`
+* `anonymous_access_denied`
+
+The `request.body` attribute is printed on the coordinating node only (the node that handles the REST request). Most of these event types are [not included by default](https://www.elastic.co/guide/en/elasticsearch/reference/current/auditing-settings.html#xpack-sa-lf-events-include).
A good practical piece of advice is to add `authentication_success` to the event types that are audited (add it to the list in the `xpack.security.audit.logfile.events.include`), as this event type is not audited by default.
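Review bot: the rewritten link on the first changed prose line is broken: `[audit event type]() (asciidocalypse://elasticsearch/docs/reference/elasticsearch/elasticsearch-audit-events)` has an empty link target and leaves the URI dangling in parentheses, so it renders as literal text. Move the URI into the target, `[audit event type](asciidocalypse://elasticsearch/docs/reference/elasticsearch/elasticsearch-audit-events)`. In the added paragraph about applying the setting, "modify `elasticsearch.yml` in all nodes" reads better as "on all nodes", and it is worth saying explicitly that the cluster update settings API is the preferred path because the setting is dynamic, which is the point the new `configuring-audit-logs.md` tip makes.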
diff --git a/deploy-manage/monitor/logging-configuration/configuring-audit-logs.md b/deploy-manage/monitor/logging-configuration/configuring-audit-logs.md
new file mode 100644
index 0000000000..03f84ee07b
--- /dev/null
+++ b/deploy-manage/monitor/logging-configuration/configuring-audit-logs.md
@@ -0,0 +1,53 @@
+---
+applies:
+ hosted: all
+ ece: all
+ eck: all
+ stack: all
+ serverless: unavailable
+---
+
+# Configure audit logging [audit-logging-configuration]
+
+When auditing security events, a single client request might generate multiple audit events across multiple cluster nodes, potentially leading to a high volume of log data and I/O operations. To maintain clarity and ensure logs remain actionable, {{es}} and {{kib}} provide configuration mechanisms to control what events are logged and which can be ignored.
+
+### Elasticsearch auditing configuration
+
+{{es}} configuration options include:
+
+ * [{{es}} audited events settings](https://www.elastic.co/guide/en/elasticsearch/reference/current/auditing-settings.html#event-audit-settings): Use include and exclude filters to control the types of events that get logged.
+ * [{{es}} node information settings](https://www.elastic.co/guide/en/elasticsearch/reference/current/auditing-settings.html#node-audit-settings): Control whether to add or hide node information such as hostname or IP address in the audited events.
+ * [{{es}} ignore policies settings](https://www.elastic.co/guide/en/elasticsearch/reference/current/auditing-settings.html#audit-event-ignore-policies): Use ignore policies for fine-grained control over which audit events are printed to the log file.
+
+ ::::{tip}
+ In {{es}}, all auditing settings except `xpack.security.audit.enabled` are dynamic. This means you can configure them using the [cluster update settings API](https://www.elastic.co/guide/en/elasticsearch/reference/current/cluster-update-settings.html), allowing changes to take effect immediately without requiring a restart. This approach is faster and more convenient than modifying `elasticsearch.yml`.
+ ::::
+
+For a complete description of event details and format, refer to the following resources:
+ * [{{es}} audit events details and schema]() asciidocalypse://elasticsearch/docs/reference/elasticsearch/elasticsearch-audit-events
+ * [{{es}} log entry output format](/deploy-manage/monitor/logging-configuration/logfile-audit-output.md#audit-log-entry-format)
+
+### Kibana auditing configuration
+
+To control the logs that are outputted by Kibana, you can use [{{kib}} ignore filters](https://www.elastic.co/guide/en/kibana/current/security-settings-kb.html#audit-logging-ignore-filters). These are a list of filters that determine which events should be excluded from the audit log.
+
+In self-managed systems, you can optionally configure audit logs location, and file/rolling file using [{{kib}} audit logging settings](https://www.elastic.co/guide/en/kibana/current/security-settings-kb.html#audit-logging-settings).
+
+
+::::{tip}
+To configure {{kib}} settings, follow the same [procedure](./enabling-audit-logs.md#enable-audit-logging-procedure) as when enabling {{kib}} audit logs, but apply the relevant settings instead.
+::::
+
+For a complete description of auditing event details, such as `category`, `type`, or `action`, refer to [{{kib}} audit events](https://www.elastic.co/guide/en/kibana/current/xpack-security-audit-logging.html#xpack-security-ecs-audit-logging).
+
+### General recommendations
+
+* Consider starting with {{es}} [`xpack.security.audit.logfile.events.include`](https://www.elastic.co/guide/en/elasticsearch/reference/current/auditing-settings.html#xpack-sa-lf-events-include) and [{{kib}} ignore filters](https://www.elastic.co/guide/en/kibana/current/security-settings-kb.html#audit-logging-ignore-filters) settings to specify the type of events you want to include or exclude in the auditing output.
+
+* If you need a more granular control, refer to [{{es}} audit events ignore policies](./logfile-audit-events-ignore-policies.md) for a better understanding how ignore policies work and when they are beneficial.
+
+* Refer to [auditing search queries](./auditing-search-queries.md) for details on logging request bodies in the {{es}} audit logs.
+
+ ::::{important}
+ Sensitive data may be audited in plain text when including the request body in audit events, even though all the security APIs, such as those that change the user’s password, have the credentials filtered out when audited.
+ ::::
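Review bot: the "audit events details and schema" bullet has the same broken link form as the other file: `[{{es}} audit events details and schema]() asciidocalypse://elasticsearch/docs/reference/elasticsearch/elasticsearch-audit-events` has an empty target and the URI as trailing text; put the URI inside the parentheses. Two structural points in the same file: the page jumps from `#` straight to `###` (no `##`), so either use `##` for the three section headings or explain the level skip, and the configuration bullets, the first `{important}` admonition and the final `{important}` admonition are indented by a leading space, which in Markdown can render them as a continuation of the preceding paragraph rather than as a list or admonition. Minor wording in the recommendations: "If you need a more granular control, refer to ... for a better understanding how ignore policies work" should be "If you need more granular control, refer to ... to better understand how ignore policies work", and "file/rolling file" in the Kibana section would be clearer as "file or rolling-file appenders", matching the wording of the note this change removes from the correlation page.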
diff --git a/deploy-manage/monitor/logging-configuration/correlating-kibana-elasticsearch-audit-logs.md b/deploy-manage/monitor/logging-configuration/correlating-kibana-elasticsearch-audit-logs.md
index fe36e8038d..25c0e2ca6d 100644
--- a/deploy-manage/monitor/logging-configuration/correlating-kibana-elasticsearch-audit-logs.md
+++ b/deploy-manage/monitor/logging-configuration/correlating-kibana-elasticsearch-audit-logs.md
@@ -1,4 +1,5 @@
---
+navigation_title: Correlate audit events
mapped_pages:
- https://www.elastic.co/guide/en/kibana/current/xpack-security-audit-logging.html
applies:
@@ -6,372 +7,41 @@ applies:
ece: all
eck: all
stack: all
+ serverless: unavailable
---
-# Correlating Kibana and Elasticsearch audit logs [xpack-security-audit-logging]
+# Correlating audit events [xpack-security-ecs-audit-correlation]
-Audit logging is a [subscription feature](https://www.elastic.co/subscriptions) that you can enable to keep track of security-related events, such as authorization success and failures. Logging these events enables you to monitor {{kib}} for suspicious activity and provides evidence in the event of an attack.
+When audit logs are enabled, a single request to {{kib}} or {{es}} generates multiple audit events in the logs.
-Use the {{kib}} audit logs in conjunction with [{{es}} audit logging](enabling-elasticsearch-audit-logs.md) to get a holistic view of all security related events. {{kib}} defers to the {{es}} security model for authentication, data index authorization, and features that are driven by cluster-wide privileges. For more information on enabling audit logging in {{es}}, refer to [Auditing security events](https://www.elastic.co/guide/en/elasticsearch/reference/current/enable-audit-logging.html).
+Audit events from {{kib}} can also be correlated with backend calls that produce {{es}} audit events, allowing for a more comprehensive view of user actions.
-::::{note}
-Audit logs are **disabled** by default. To enable this functionality, you must set `xpack.security.audit.enabled` to `true` in `kibana.yml`.
-
-You can optionally configure audit logs location, file/rolling file appenders and ignore filters using [Audit logging settings](https://www.elastic.co/guide/en/kibana/current/security-settings-kb.html#audit-logging-settings).
-
-::::
-
-
-## Audit events [xpack-security-ecs-audit-logging]
-
-Refer to the table of events that can be logged for auditing purposes.
+This section explains the key fields that help correlate these events, with examples to illustrate their relationships.
-Each event is broken down into [category](enabling-kibana-audit-logs.md#field-event-category), [type](enabling-kibana-audit-logs.md#field-event-type), [action](enabling-kibana-audit-logs.md#field-event-action) and [outcome](enabling-kibana-audit-logs.md#field-event-outcome) fields to make it easy to filter, query and aggregate the resulting logs. The [trace.id](enabling-kibana-audit-logs.md#field-trace-id) field can be used to correlate multiple events that originate from the same request.
+## `request.id` attribute in {{es}} audit events
-Refer to [Audit schema](enabling-kibana-audit-logs.md#xpack-security-ecs-audit-schema) for a table of fields that get logged with audit event.
-
-::::{note}
-To ensure that a record of every operation is persisted even in case of an unexpected error, asynchronous write operations are logged immediately after all authorization checks have passed, but before the response from {{es}} is received. Refer to the corresponding {{es}} logs for potential write errors.
-
-::::
+When an {{es}} request generates multiple audit events across multiple nodes, you can use the `request.id` attribute to correlate the associated events.
+This identifier allows you to trace the flow of a request across the {{es}} cluster and reconstruct the full context of an operation.
-| |
-| --- |
-| #### Category: authentication [_category_authentication]
|
-| **Action** | **Outcome** | **Description** |
-| `user_login` | `success` | User has logged in successfully. |
-| `failure` | Failed login attempt (e.g. due to invalid credentials). |
-| `user_logout` | `unknown` | User is logging out. |
-| `session_cleanup` | `unknown` | Removing invalid or expired session. |
-| `access_agreement_acknowledged` | n/a | User has acknowledged the access agreement. |
-| #### Category: database [_category_database]
##### Type: creation [_type_creation]
|
-| **Action** | **Outcome** | **Description** |
-| `saved_object_create` | `unknown` | User is creating a saved object. |
-| `failure` | User is not authorized to create a saved object. |
-| `saved_object_open_point_in_time` | `unknown` | User is creating a Point In Time to use when querying saved objects. |
-| `failure` | User is not authorized to create a Point In Time for the provided saved object types. |
-| `connector_create` | `unknown` | User is creating a connector. |
-| `failure` | User is not authorized to create a connector. |
-| `rule_create` | `unknown` | User is creating a rule. |
-| `failure` | User is not authorized to create a rule. |
-| `ad_hoc_run_create` | `unknown` | User is creating an ad hoc run. |
-| `failure` | User is not authorized to create an ad hoc run. |
-| `space_create` | `unknown` | User is creating a space. |
-| `failure` | User is not authorized to create a space. |
-| `case_create` | `unknown` | User is creating a case. |
-| `failure` | User is not authorized to create a case. |
-| `case_configuration_create` | `unknown` | User is creating a case configuration. |
-| `failure` | User is not authorized to create a case configuration. |
-| `case_comment_create` | `unknown` | User is creating a case comment. |
-| `failure` | User is not authorized to create a case comment. |
-| `case_comment_bulk_create` | `unknown` | User is creating multiple case comments. |
-| `failure` | User is not authorized to create multiple case comments. |
-| `case_user_action_create_comment` | `success` | User has created a case comment. |
-| `case_user_action_create_case` | `success` | User has created a case. |
-| `ml_put_ad_job` | `success` | Creating anomaly detection job. |
-| `failure` | Failed to create anomaly detection job. |
-| `ml_put_ad_datafeed` | `success` | Creating anomaly detection datafeed. |
-| `failure` | Failed to create anomaly detection datafeed. |
-| `ml_put_calendar` | `success` | Creating calendar. |
-| `failure` | Failed to create calendar. |
-| `ml_post_calendar_events` | `success` | Adding events to calendar. |
-| `failure` | Failed to add events to calendar. |
-| `ml_forecast` | `success` | Creating anomaly detection forecast. |
-| `failure` | Failed to create anomaly detection forecast. |
-| `ml_put_filter` | `success` | Creating filter. |
-| `failure` | Failed to create filter. |
-| `ml_put_dfa_job` | `success` | Creating data frame analytics job. |
-| `failure` | Failed to create data frame analytics job. |
-| `ml_put_trained_model` | `success` | Creating trained model. |
-| `failure` | Failed to create trained model. |
-| `product_documentation_create` | `unknown` | User requested to install the product documentation for use in AI Assistants. |
-| `knowledge_base_entry_create` | `success` | User has created knowledge base entry [id=x] |
-| `failure` | Failed attempt to create a knowledge base entry |
-| `knowledge_base_entry_update` | `success` | User has updated knowledge base entry [id=x] |
-| `failure` | Failed attempt to update a knowledge base entry |
-| `knowledge_base_entry_delete` | `success` | User has deleted knowledge base entry [id=x] |
-| `failure` | Failed attempt to delete a knowledge base entry |
-| ##### Type: change [_type_change]
|
-| **Action** | **Outcome** | **Description** |
-| `saved_object_update` | `unknown` | User is updating a saved object. |
-| `failure` | User is not authorized to update a saved object. |
-| `saved_object_update_objects_spaces` | `unknown` | User is adding and/or removing a saved object to/from other spaces. |
-| `failure` | User is not authorized to add or remove a saved object to or from other spaces. |
-| `saved_object_remove_references` | `unknown` | User is removing references to a saved object. |
-| `failure` | User is not authorized to remove references to a saved object. |
-| `saved_object_collect_multinamespace_references` | `success` | User has accessed references to a multi-space saved object. |
-| `failure` | User is not authorized to access references to a multi-space saved object. |
-| `connector_update` | `unknown` | User is updating a connector. |
-| `failure` | User is not authorized to update a connector. |
-| `rule_update` | `unknown` | User is updating a rule. |
-| `failure` | User is not authorized to update a rule. |
-| `rule_update_api_key` | `unknown` | User is updating the API key of a rule. |
-| `failure` | User is not authorized to update the API key of a rule. |
-| `rule_enable` | `unknown` | User is enabling a rule. |
-| `failure` | User is not authorized to enable a rule. |
-| `rule_disable` | `unknown` | User is disabling a rule. |
-| `failure` | User is not authorized to disable a rule. |
-| `rule_mute` | `unknown` | User is muting a rule. |
-| `failure` | User is not authorized to mute a rule. |
-| `rule_unmute` | `unknown` | User is unmuting a rule. |
-| `failure` | User is not authorized to unmute a rule. |
-| `rule_alert_mute` | `unknown` | User is muting an alert. |
-| `failure` | User is not authorized to mute an alert. |
-| `rule_alert_unmute` | `unknown` | User is unmuting an alert. |
-| `failure` | User is not authorized to unmute an alert. |
-| `space_update` | `unknown` | User is updating a space. |
-| `failure` | User is not authorized to update a space. |
-| `alert_update` | `unknown` | User is updating an alert. |
-| `failure` | User is not authorized to update an alert. |
-| `rule_snooze` | `unknown` | User is snoozing a rule. |
-| `failure` | User is not authorized to snooze a rule. |
-| `rule_unsnooze` | `unknown` | User is unsnoozing a rule. |
-| `failure` | User is not authorized to unsnooze a rule. |
-| `case_update` | `unknown` | User is updating a case. |
-| `failure` | User is not authorized to update a case. |
-| `case_push` | `unknown` | User is pushing a case to an external service. |
-| `failure` | User is not authorized to push a case to an external service. |
-| `case_configuration_update` | `unknown` | User is updating a case configuration. |
-| `failure` | User is not authorized to update a case configuration. |
-| `case_comment_update` | `unknown` | User is updating a case comment. |
-| `failure` | User is not authorized to update a case comment. |
-| `case_user_action_add_case_assignees` | `success` | User has added a case assignee. |
-| `case_user_action_update_case_connector` | `success` | User has updated a case connector. |
-| `case_user_action_update_case_description` | `success` | User has updated a case description. |
-| `case_user_action_update_case_settings` | `success` | User has updated the case settings. |
-| `case_user_action_update_case_severity` | `success` | User has updated the case severity. |
-| `case_user_action_update_case_status` | `success` | User has updated the case status. |
-| `case_user_action_pushed_case` | `success` | User has pushed a case to an external service. |
-| `case_user_action_add_case_tags` | `success` | User has added tags to a case. |
-| `case_user_action_update_case_title` | `success` | User has updated the case title. |
-| `ml_open_ad_job` | `success` | Opening anomaly detection job. |
-| `failure` | Failed to open anomaly detection job. |
-| `ml_close_ad_job` | `success` | Closing anomaly detection job. |
-| `failure` | Failed to close anomaly detection job. |
-| `ml_start_ad_datafeed` | `success` | Starting anomaly detection datafeed. |
-| `failure` | Failed to start anomaly detection datafeed. |
-| `ml_stop_ad_datafeed` | `success` | Stopping anomaly detection datafeed. |
-| `failure` | Failed to stop anomaly detection datafeed. |
-| `ml_update_ad_job` | `success` | Updating anomaly detection job. |
-| `failure` | Failed to update anomaly detection job. |
-| `ml_reset_ad_job` | `success` | Resetting anomaly detection job. |
-| `failure` | Failed to reset anomaly detection job. |
-| `ml_revert_ad_snapshot` | `success` | Reverting anomaly detection snapshot. |
-| `failure` | Failed to revert anomaly detection snapshot. |
-| `ml_update_ad_datafeed` | `success` | Updating anomaly detection datafeed. |
-| `failure` | Failed to update anomaly detection datafeed. |
-| `ml_put_calendar_job` | `success` | Adding job to calendar. |
-| `failure` | Failed to add job to calendar. |
-| `ml_delete_calendar_job` | `success` | Removing job from calendar. |
-| `failure` | Failed to remove job from calendar. |
-| `ml_update_filter` | `success` | Updating filter. |
-| `failure` | Failed to update filter. |
-| `ml_start_dfa_job` | `success` | Starting data frame analytics job. |
-| `failure` | Failed to start data frame analytics job. |
-| `ml_stop_dfa_job` | `success` | Stopping data frame analytics job. |
-| `failure` | Failed to stop data frame analytics job. |
-| `ml_update_dfa_job` | `success` | Updating data frame analytics job. |
-| `failure` | Failed to update data frame analytics job. |
-| `ml_start_trained_model_deployment` | `success` | Starting trained model deployment. |
-| `failure` | Failed to start trained model deployment. |
-| `ml_stop_trained_model_deployment` | `success` | Stopping trained model deployment. |
-| `failure` | Failed to stop trained model deployment. |
-| `ml_update_trained_model_deployment` | `success` | Updating trained model deployment. |
-| `failure` | Failed to update trained model deployment. |
-| `product_documentation_update` | `unknown` | User requested to update the product documentation for use in AI Assistants. |
-| ##### Type: deletion [_type_deletion]
|
-| **Action** | **Outcome** | **Description** |
-| `saved_object_delete` | `unknown` | User is deleting a saved object. |
-| `failure` | User is not authorized to delete a saved object. |
-| `saved_object_close_point_in_time` | `unknown` | User is deleting a Point In Time that was used to query saved objects. |
-| `failure` | User is not authorized to delete a Point In Time. |
-| `connector_delete` | `unknown` | User is deleting a connector. |
-| `failure` | User is not authorized to delete a connector. |
-| `rule_delete` | `unknown` | User is deleting a rule. |
-| `failure` | User is not authorized to delete a rule. |
-| `ad_hoc_run_delete` | `unknown` | User is deleting an ad hoc run. |
-| `failure` | User is not authorized to delete an ad hoc run. |
-| `space_delete` | `unknown` | User is deleting a space. |
-| `failure` | User is not authorized to delete a space. |
-| `case_delete` | `unknown` | User is deleting a case. |
-| `failure` | User is not authorized to delete a case. |
-| `case_comment_delete_all` | `unknown` | User is deleting all comments associated with a case. |
-| `failure` | User is not authorized to delete all comments associated with a case. |
-| `case_comment_delete` | `unknown` | User is deleting a case comment. |
-| `failure` | User is not authorized to delete a case comment. |
-| `case_user_action_delete_case_assignees` | `success` | User has removed a case assignee. |
-| `case_user_action_delete_comment` | `success` | User has deleted a case comment. |
-| `case_user_action_delete_case` | `success` | User has deleted a case. |
-| `case_user_action_delete_case_tags` | `success` | User has removed tags from a case. |
-| `ml_delete_ad_job` | `success` | Deleting anomaly detection job. |
-| `failure` | Failed to delete anomaly detection job. |
-| `ml_delete_model_snapshot` | `success` | Deleting model snapshot. |
-| `failure` | Failed to delete model snapshot. |
-| `ml_delete_ad_datafeed` | `success` | Deleting anomaly detection datafeed. |
-| `failure` | Failed to delete anomaly detection datafeed. |
-| `ml_delete_calendar` | `success` | Deleting calendar. |
-| `failure` | Failed to delete calendar. |
-| `ml_delete_calendar_event` | `success` | Deleting calendar event. |
-| `failure` | Failed to delete calendar event. |
-| `ml_delete_filter` | `success` | Deleting filter. |
-| `failure` | Failed to delete filter. |
-| `ml_delete_forecast` | `success` | Deleting forecast. |
-| `failure` | Failed to delete forecast. |
-| `ml_delete_dfa_job` | `success` | Deleting data frame analytics job. |
-| `failure` | Failed to delete data frame analytics job. |
-| `ml_delete_trained_model` | `success` | Deleting trained model. |
-| `failure` | Failed to delete trained model. |
-| `product_documentation_delete` | `unknown` | User requested to delete the product documentation for use in AI Assistants. |
-| ##### Type: access [_type_access]
|
-| **Action** | **Outcome** | **Description** |
-| `saved_object_get` | `success` | User has accessed a saved object. |
-| `failure` | User is not authorized to access a saved object. |
-| `saved_object_resolve` | `success` | User has accessed a saved object. |
-| `failure` | User is not authorized to access a saved object. |
-| `saved_object_find` | `success` | User has accessed a saved object as part of a search operation. |
-| `failure` | User is not authorized to search for saved objects. |
-| `connector_get` | `success` | User has accessed a connector. |
-| `failure` | User is not authorized to access a connector. |
-| `connector_find` | `success` | User has accessed a connector as part of a search operation. |
-| `failure` | User is not authorized to search for connectors. |
-| `rule_get` | `success` | User has accessed a rule. |
-| `failure` | User is not authorized to access a rule. |
-| `rule_get_execution_log` | `success` | User has accessed execution log for a rule. |
-| `failure` | User is not authorized to access execution log for a rule. |
-| `rule_find` | `success` | User has accessed a rule as part of a search operation. |
-| `failure` | User is not authorized to search for rules. |
-| `rule_schedule_backfill` | `success` | User has accessed a rule as part of a backfill schedule operation. |
-| `failure` | User is not authorized to access rule for backfill scheduling. |
-| `ad_hoc_run_get` | `success` | User has accessed an ad hoc run. |
-| `failure` | User is not authorized to access ad hoc run. |
-| `ad_hoc_run_find` | `success` | User has accessed an ad hoc run as part of a search operation. |
-| `failure` | User is not authorized to search for ad hoc runs. |
-| `space_get` | `success` | User has accessed a space. |
-| `failure` | User is not authorized to access a space. |
-| `space_find` | `success` | User has accessed a space as part of a search operation. |
-| `failure` | User is not authorized to search for spaces. |
-| `alert_get` | `success` | User has accessed an alert. |
-| `failure` | User is not authorized to access an alert. |
-| `alert_find` | `success` | User has accessed an alert as part of a search operation. |
-| `failure` | User is not authorized to access alerts. |
-| `case_get` | `success` | User has accessed a case. |
-| `failure` | User is not authorized to access a case. |
-| `case_bulk_get` | `success` | User has accessed multiple cases. |
-| `failure` | User is not authorized to access multiple cases. |
-| `case_resolve` | `success` | User has accessed a case. |
-| `failure` | User is not authorized to access a case. |
-| `case_find` | `success` | User has accessed a case as part of a search operation. |
-| `failure` | User is not authorized to search for cases. |
-| `case_ids_by_alert_id_get` | `success` | User has accessed cases. |
-| `failure` | User is not authorized to access cases. |
-| `case_get_metrics` | `success` | User has accessed metrics for a case. |
-| `failure` | User is not authorized to access metrics for a case. |
-| `cases_get_metrics` | `success` | User has accessed metrics for cases. |
-| `failure` | User is not authorized to access metrics for cases. |
-| `case_configuration_find` | `success` | User has accessed a case configuration as part of a search operation. |
-| `failure` | User is not authorized to search for case configurations. |
-| `case_comment_get_metrics` | `success` | User has accessed metrics for case comments. |
-| `failure` | User is not authorized to access metrics for case comments. |
-| `case_comment_alerts_attach_to_case` | `success` | User has accessed case alerts. |
-| `failure` | User is not authorized to access case alerts. |
-| `case_comment_get` | `success` | User has accessed a case comment. |
-| `failure` | User is not authorized to access a case comment. |
-| `case_comment_bulk_get` | `success` | User has accessed multiple case comments. |
-| `failure` | User is not authorized to access multiple case comments. |
-| `case_comment_get_all` | `success` | User has accessed case comments. |
-| `failure` | User is not authorized to access case comments. |
-| `case_comment_find` | `success` | User has accessed a case comment as part of a search operation. |
-| `failure` | User is not authorized to search for case comments. |
-| `case_categories_get` | `success` | User has accessed a case. |
-| `failure` | User is not authorized to access a case. |
-| `case_tags_get` | `success` | User has accessed a case. |
-| `failure` | User is not authorized to access a case. |
-| `case_reporters_get` | `success` | User has accessed a case. |
-| `failure` | User is not authorized to access a case. |
-| `case_find_statuses` | `success` | User has accessed a case as part of a search operation. |
-| `failure` | User is not authorized to search for cases. |
-| `case_user_actions_get` | `success` | User has accessed the user activity of a case. |
-| `failure` | User is not authorized to access the user activity of a case. |
-| `case_user_actions_find` | `success` | User has accessed the user activity of a case as part of a search operation. |
-| `failure` | User is not authorized to access the user activity of a case. |
-| `case_user_action_get_metrics` | `success` | User has accessed metrics for the user activity of a case. |
-| `failure` | User is not authorized to access metrics for the user activity of a case. |
-| `case_user_action_get_users` | `success` | User has accessed the users associated with a case. |
-| `failure` | User is not authorized to access the users associated with a case. |
-| `case_connectors_get` | `success` | User has accessed the connectors of a case. |
-| `failure` | User is not authorized to access the connectors of a case. |
-| `ml_infer_trained_model` | `success` | Inferring using trained model. |
-| `failure` | Failed to infer using trained model. |
-| #### Category: web [_category_web]
|
-| **Action** | **Outcome** | **Description** |
-| `http_request` | `unknown` | User is making an HTTP request. |
+Refer to [linkTBD]() asciidocalypse://elasticsearch/docs/reference/elasticsearch/elasticsearch-audit-events for a complete reference of event types and attributes.
+## `trace.id` field in {{kib}} audit events
-## Audit schema [xpack-security-ecs-audit-schema]
+In {{kib}}, the [trace.id](https://www.elastic.co/guide/en/kibana/current/xpack-security-audit-logging.html#field-trace-id) field allows to correlate multiple events that originate from the same request.
-Audit logs are written in JSON using [Elastic Common Schema (ECS)](https://www.elastic.co/guide/en/ecs/1.6/index.html) specification.
+Additionally, this field helps correlate events from one request with the backend calls that create {{es}} audit events. When {{kib}} sends requests to {{es}}, the `trace.id` value is propagated and stored in the `opaque_id` attribute of {{es}} audit logs, allowing cross-component correlation.
-| |
-| --- |
-| #### Base Fields [_base_fields]
|
-| **Field** | **Description** |
-| `@timestamp` | Time when the event was generated. Example: `2016-05-23T08:05:34.853Z` |
-| `message` | Human readable description of the event. |
-| #### Event Fields [_event_fields]
|
-| **Field** | **Description** |
-| $$$field-event-action$$$ `event.action` | The action captured by the event. Refer to [Audit events](enabling-kibana-audit-logs.md#xpack-security-ecs-audit-logging) for a table of possible actions. |
-| $$$field-event-category$$$ `event.category` | High level category associated with the event. This field is closely related to `event.type`, which is used as a subcategory. Possible values:`database`,`web`,`authentication` |
-| $$$field-event-type$$$ `event.type` | Subcategory associated with the event. This field can be used along with the `event.category` field to enable filtering events down to a level appropriate for single visualization. Possible values:`creation`,`access`,`change`,`deletion` |
-| $$$field-event-outcome$$$ `event.outcome` | Denotes whether the event represents a success or failure:
* Any actions that the user is not authorized to perform are logged with outcome: `failure` * Authorized read operations are only logged after successfully fetching the data from {{es}} with outcome: `success` * Authorized create, update, or delete operations are logged before attempting the operation in {{es}} with outcome: `unknown`
Possible values: `success`, `failure`, `unknown` |
-| #### User Fields [_user_fields]
|
-| **Field** | **Description** |
-| `user.id` | Unique identifier of the user across sessions (See [user profiles](../../users-roles/cluster-or-deployment-auth/user-profiles.md)). |
-| `user.name` | Login name of the user. Example: `jdoe` |
-| `user.roles[]` | Set of user roles at the time of the event. Example: `[kibana_admin, reporting_user]` |
-| #### Kibana Fields [_kibana_fields]
|
-| **Field** | **Description** |
-| `kibana.space_id` | ID of the space associated with the event. Example: `default` |
-| `kibana.session_id` | ID of the user session associated with the event. Each login attempt results in a unique session id. |
-| `kibana.saved_object.type` | Type of saved object associated with the event. Example: `dashboard` |
-| `kibana.saved_object.id` | ID of the saved object associated with the event. |
-| `kibana.authentication_provider` | Name of the authentication provider associated with the event. Example: `my-saml-provider` |
-| `kibana.authentication_type` | Type of the authentication provider associated with the event. Example: `saml` |
-| `kibana.authentication_realm` | Name of the Elasticsearch realm that has authenticated the user. Example: `native` |
-| `kibana.lookup_realm` | Name of the Elasticsearch realm where the user details were retrieved from. Example: `native` |
-| `kibana.add_to_spaces[]` | Set of space IDs that a saved object is being shared to as part of the event. Example: `[default, marketing]` |
-| `kibana.delete_from_spaces[]` | Set of space IDs that a saved object is being removed from as part of the event. Example: `[marketing]` |
-| #### Error Fields [_error_fields]
|
-| **Field** | **Description** |
-| `client.ip` | Client IP address. |
-| `http.request.method` | HTTP request method. Example: `get`, `post`, `put`, `delete` |
-| `http.request.headers.x-forwarded-for` | `X-Forwarded-For` request header used to identify the originating client IP address when connecting through proxy servers. Example: `161.66.20.177, 236.198.214.101` |
-| `url.domain` | Domain of the URL. Example: `www.elastic.co` |
-| `url.path` | Path of the request. Example: `/search` |
-| `url.port` | Port of the request. Example: `443` |
-| `url.query` | The query field describes the query string of the request. Example: `q=elasticsearch` |
-| `url.scheme` | Scheme of the request. Example: `https` |
-| #### Tracing Fields [_tracing_fields]
|
-| **Field** | **Description** |
-| $$$field-trace-id$$$ `trace.id` | Unique identifier allowing events of the same transaction from {{kib}} and {{es}} to be correlated. |
+Refer to [{{kib}} audit events](https://www.elastic.co/guide/en/kibana/current/xpack-security-audit-logging.html#xpack-security-ecs-audit-logging) for a complete description of {{kib}} auditing events.
+## Examples
-## Correlating audit events [xpack-security-ecs-audit-correlation]
-
-Audit events can be correlated in two ways:
-
-1. Multiple {{kib}} audit events that resulted from the same request can be correlated together.
-2. If [{{es}} audit logging](enabling-elasticsearch-audit-logs.md) is enabled, {{kib}} audit events from one request can be correlated with backend calls that create {{es}} audit events.
+This section shows practical examples of correlating audit logs.
::::{note}
-The examples below are simplified, many fields have been omitted and values have been shortened for clarity.
+The examples below are simplified. Many fields have been omitted and values have been shortened for clarity.
::::
-
### Example 1: correlating multiple {{kib}} audit events [_example_1_correlating_multiple_kib_audit_events]
When "thom" creates a new alerting rule, five audit events are written:
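Review bot: the replacement reference line `+Refer to [linkTBD]() asciidocalypse://elasticsearch/docs/reference/elasticsearch/elasticsearch-audit-events ...` ships an empty link target with a `linkTBD` placeholder and a bare `asciidocalypse://` URI outside the link, so the rendered page shows a dead link exactly where the removed `http_request` row and the `Audit schema` field tables used to be; resolve the cross-reference before merging, or keep the local tables until it exists. The same line points at the {{es}} audit events reference while this patch deletes `elasticsearch-audit-events.md` outright (`deleted file mode 100644` below), so any other page that still links to that file or to its `$$$event-...$$$` / `[audit-event-types]` anchors will break; grep for inbound links before landing the deletion. Two smaller points: `allows to correlate` in the `trace.id` paragraph should read `lets you correlate`, and the added `## trace.id field ...` and `## Examples` headings sit directly against the surrounding paragraph lines with no blank lines, unlike the rest of the file. Finally, the removed `Correlating audit events` list carried the precondition that {{es}} audit logging must be enabled for {{kib}} events to be correlated with backend calls, which the new `This section shows practical examples of correlating audit logs.` intro drops; consider keeping that sentence (and the `[xpack-security-ecs-audit-correlation]` anchor, which inbound links may target) above the note block.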
diff --git a/deploy-manage/monitor/logging-configuration/elasticsearch-audit-events.md b/deploy-manage/monitor/logging-configuration/elasticsearch-audit-events.md
deleted file mode 100644
index a209e7406f..0000000000
--- a/deploy-manage/monitor/logging-configuration/elasticsearch-audit-events.md
+++ /dev/null
@@ -1,898 +0,0 @@
----
-mapped_pages:
- - https://www.elastic.co/guide/en/elasticsearch/reference/current/audit-event-types.html
-applies:
- hosted: all
- ece: all
- eck: all
- stack: all
----
-
-# Elasticsearch audit events [audit-event-types]
-
-When you are [auditing security events](enabling-elasticsearch-audit-logs.md), a single client request might generate multiple audit events, across multiple cluster nodes. The common `request.id` attribute can be used to correlate the associated events.
-
-Use the [`xpack.security.audit.logfile.events.include`](https://www.elastic.co/guide/en/elasticsearch/reference/current/auditing-settings.html#xpack-sa-lf-events-include) setting in `elasticsearch.yml` to specify the kind of events you want to include in the auditing output.
-
-::::{note}
-Certain audit events require the `security_config_change` event type to audit the related event action. The description of impacted audit events indicate whether that event type is required.
-::::
-
-
-$$$event-access-denied$$$
-
-`access_denied`
-: Logged when an authenticated user attempts to execute an action they do not have the necessary [privilege](../../users-roles/cluster-or-deployment-auth/elasticsearch-privileges.md) to perform.
-
- ::::{dropdown} Example
- ```js
- {"type":"audit", "timestamp":"2020-12-30T22:30:06,949+0200", "node.id":
- "0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":
- "access_denied", "authentication.type":"REALM", "user.name":"user1",
- "user.realm":"default_native", "user.roles":["test_role"], "origin.type":
- "rest", "origin.address":"[::1]:52434", "request.id":"yKOgWn2CRQCKYgZRz3phJw",
- "action":"indices:admin/auto_create", "request.name":"CreateIndexRequest",
- "indices":[""]}
- ```
-
- ::::
-
-
-$$$event-access-granted$$$
-
-`access_granted`
-: Logged when an authenticated user attempts to execute an action they have the necessary privilege to perform. These events will be logged only for non-system users.
-
- If you want to include `access_granted` events for all users (including internal users such as `_xpack`), add [`system_access_granted`](#event-system-granted) to the list of event types in addition to `access_granted`. The `system_access_granted` privilege is not included by default to avoid cluttering the logs.
-
- ::::{dropdown} Example
- ```js
- {"type":"audit", "timestamp":"2020-12-30T22:30:06,947+0200", "node.id":
- "0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":
- "access_granted", "authentication.type":"REALM", "user.name":"user1", "user
- realm":"default_native", "user.roles":["test_role"], "origin.type":"rest",
- "origin.address":"[::1]:52434", "request.id":"yKOgWn2CRQCKYgZRz3phJw",
- "action":"indices:data/write/bulk", "request.name":"BulkRequest"}
- ```
-
- ::::
-
-
-$$$event-anonymous-access-denied$$$
-
-`anonymous_access_denied`
-: Logged when a request is denied due to missing authentication credentials.
-
- ::::{dropdown} Example
- ```js
- {"type":"audit", "timestamp":"2020-12-30T21:56:43,608+0200", "node.id":
- "0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":
- "anonymous_access_denied", "origin.type":"rest", "origin.address":
- "[::1]:50543", "url.path":"/twitter/_async_search", "url.query":"pretty",
- "request.method":"POST", "request.id":"TqA9OisyQ8WTl1ivJUV1AA"}
- ```
-
- ::::
-
-
-$$$event-authentication-failed$$$
-
-`authentication_failed`
-: Logged when the authentication credentials cannot be matched to a known user.
-
- ::::{dropdown} Example
- ```js
- {"type":"audit", "timestamp":"2020-12-30T22:10:15,510+0200", "node.id":
- "0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":
- "authentication_failed", "user.name":"elastic", "origin.type":"rest",
- "origin.address":"[::1]:51504", "url.path":"/_security/user/user1",
- "url.query":"pretty", "request.method":"POST",
- "request.id":"POv8p_qeTl2tb5xoFl0HIg"}
- ```
-
- ::::
-
-
-$$$event-authentication-success$$$
-
-`authentication_success`
-: Logged when a user successfully authenticates.
-
- ::::{dropdown} Example
- ```js
- {"type":"audit", "timestamp":"2020-12-30T22:03:35,018+0200", "node.id":
- "0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":
- "authentication_success", "authentication.type":"REALM", "user.name":
- "elastic", "user.realm":"reserved", "origin.type":"rest", "origin.address":
- "[::1]:51014", "realm":"reserved", "url.path":"/twitter/_search",
- "url.query":"pretty", "request.method":"POST",
- "request.id":"nHV3UMOoSiu-TaSPWCfxGg"}
- ```
-
- ::::
-
-
-$$$event-change-disable-user$$$
-
-`change_disable_user`
-: Logged when the [enable user API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-enable-user) is invoked to disable a native or a built-in user.
-
- You must include the `security_config_change` event type to audit the related event action.
-
- ::::{dropdown} Example
- ```js
- {"type":"audit", "timestamp":"2020-12-30T23:17:28,308+0200", "node.id":
- "0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.
- action":"change_disable_user", "request.id":"qvLIgw_eTvyK3cgV-GaLVg",
- "change":{"disable":{"user":{"name":"user1"}}}}
- ```
-
- ::::
-
-
-$$$event-change-enable-user$$$
-
-`change_enable_user`
-: Logged when the [enable user API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-enable-user) is invoked to enable a native or a built-in user.
-
- You must include the `security_config_change` event type to audit the related event action.
-
- ::::{dropdown} Example
- ```js
- {"type":"audit", "timestamp":"2020-12-30T23:17:34,843+0200", "node.id":
- "0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.
- action":"change_enable_user", "request.id":"BO3QU3qeTb-Ei0G0rUOalQ",
- "change":{"enable":{"user":{"name":"user1"}}}}
- ```
-
- ::::
-
-
-$$$event-change-password$$$
-
-`change_password`
-: Logged when the [change password API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-change-password) is invoked to change the password of a native or built-in user.
-
- You must include the `security_config_change` event type to audit the related event action.
-
- ::::{dropdown} Example
- ```js
- {"type":"audit", "timestamp":"2019-12-30T22:19:41,345+0200", "node.id":
- "0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.
- action":"change_password", "request.id":"bz5a1Cc3RrebDMitMGGNCw",
- "change":{"password":{"user":{"name":"user1"}}}}
- ```
-
- ::::
-
-
-$$$event-create-service-token$$$
-
-`create_service_token`
-: Logged when the [create service account token API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-service-token) is invoked to create a new index-based token for a service account.
-
- You must include the `security_config_change` event type to audit the related event action.
-
- ::::{dropdown} Example
- ```js
- {"type":"audit", "timestamp":"2021-04-30T23:17:42,952+0200", "node.id":
- "0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.
- action":"create_service_token", "request.id":"az9a1Db5QrebDMacQ8yGKc",
- "create":{"service_token":{"namespace":"elastic","service":"fleet-server","name":"token1"}}}`
- ```
-
- ::::
-
-
-$$$event-connection-denied$$$
-
-`connection_denied`
-: Logged when an incoming TCP connection does not pass the [IP filter](../../security/ip-traffic-filtering.md) for a specific profile.
-
- ::::{dropdown} Example
- ```js
- {"type":"audit", "timestamp":"2020-12-30T21:47:31,526+0200", "node.id":
- "0RMNyghkQYCc_gVd1G6tZQ", "event.type":"ip_filter", "event.action":
- "connection_denied", "origin.type":"rest", "origin.address":"10.10.0.20:52314",
- "transport.profile":".http", "rule":"deny 10.10.0.0/16"}
- ```
-
- ::::
-
-
-$$$event-connection-granted$$$
-
-`connection_granted`
-: Logged when an incoming TCP connection passes the [IP filter](../../security/ip-traffic-filtering.md) for a specific profile.
-
- ::::{dropdown} Example
- ```js
- {"type":"audit", "timestamp":"2020-12-30T21:47:31,526+0200", "node.id":
- "0RMNyghkQYCc_gVd1G6tZQ", "event.type":"ip_filter", "event.action":
- "connection_granted", "origin.type":"rest", "origin.address":"[::1]:52314",
- "transport.profile":".http", "rule":"allow ::1,127.0.0.1"}
- ```
-
- ::::
-
-
-$$$event-create-apikey$$$
-
-`create_apikey`
-: Logged when the [create API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key) or the [grant API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-grant-api-key) APIs are invoked to create a new API key.
-
- You must include the `security_config_change` event type to audit the related event action.
-
- ::::{dropdown} Example
- ```js
- {"type":"audit", "timestamp":"2020-12-31T00:33:52,521+0200", "node.id":
- "9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":
- "create_apikey", "request.id":"9FteCmovTzWHVI-9Gpa_vQ", "create":{"apikey":
- {"name":"test-api-key-1","expiration":"10d","role_descriptors":[{"cluster":
- ["monitor","manage_ilm"],"indices":[{"names":["index-a*"],"privileges":
- ["read","maintenance"]},{"names":["in*","alias*"],"privileges":["read"],
- "field_security":{"grant":["field1*","@timestamp"],"except":["field11"]}}],
- "applications":[],"run_as":[]},{"cluster":["all"],"indices":[{"names":
- ["index-b*"],"privileges":["all"]}],"applications":[],"run_as":[]}],
- "metadata":{"application":"my-application","environment":{"level": 1,
- "tags":["dev","staging"]}}}}}
- ```
-
- ::::
-
-
-$$$event-change-apikey$$$
-
-`change_apikey`
-: Logged when the [update API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-update-api-key) API is invoked to update the attributes of an existing API key.
-
- You must include the `security_config_change` event type to audit the related event action.
-
- ::::{dropdown} Example
- ```js
- {"type":"audit", "timestamp":"2020-12-31T00:33:52,521+0200", "node.id":
- "9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.action":
- "change_apikey", "request.id":"9FteCmovTzWHVI-9Gpa_vQ", "change":{"apikey":
- {"id":"zcwN3YEBBmnjw-K-hW5_","role_descriptors":[{"cluster":
- ["monitor","manage_ilm"],"indices":[{"names":["index-a*"],"privileges":
- ["read","maintenance"]},{"names":["in*","alias*"],"privileges":["read"],
- "field_security":{"grant":["field1*","@timestamp"],"except":["field11"]}}],
- "applications":[],"run_as":[]},{"cluster":["all"],"indices":[{"names":
- ["index-b*"],"privileges":["all"]}],"applications":[],"run_as":[]}],
- "metadata":{"application":"my-application","environment":{"level": 1,
- "tags":["dev","staging"]}},"expiration":"10d"}}}
- ```
-
- ::::
-
-
-$$$event-change-apikeys$$$
-
-`change_apikeys`
-: Logged when the [bulk update API keys](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-bulk-update-api-keys) API is invoked to update the attributes of multiple existing API keys.
-
- You must include the `security_config_change` event type to audit the related event action.
-
- ::::{dropdown} Example
- ```js
- {"type":"audit","timestamp":"2020-12-31T00:33:52,521+0200","node.id":
- "9clhpgjJRR-iKzOw20xBNQ","event.type":"security_config_change",
- "event.action":"change_apikeys","request.id":"9FteCmovTzWHVI-9Gpa_vQ",
- "change":{"apikeys":
- {"ids":["zcwN3YEBBmnjw-K-hW5_","j7c0WYIBqecB5CbVR6Oq"],"role_descriptors":
- [{"cluster":["monitor","manage_ilm"],"indices":[{"names":["index-a*"],"privileges":
- ["read","maintenance"]},{"names":["in*","alias*"],"privileges":["read"],
- "field_security":{"grant":["field1*","@timestamp"],"except":["field11"]}}],
- "applications":[],"run_as":[]},{"cluster":["all"],"indices":[{"names":
- ["index-b*"],"privileges":["all"]}],"applications":[],"run_as":[]}],
- "metadata":{"application":"my-application","environment":{"level":1,
- "tags":["dev","staging"]}},"expiration":"10d"}}}
- ```
-
- ::::
-
-
-$$$event-delete-privileges$$$
-
-`delete_privileges`
-: Logged when the [delete application privileges API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-delete-privileges) is invoked to remove one or more application privileges.
-
- You must include the `security_config_change` event type to audit the related event action.
-
- ::::{dropdown} Example
- ```js
- {"type":"audit", "timestamp":"2020-12-31T00:39:30,246+0200", "node.id":
- "9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.
- action":"delete_privileges", "request.id":"7wRWVxxqTzCKEspeSP7J8g",
- "delete":{"privileges":{"application":"myapp","privileges":["read"]}}}
- ```
-
- ::::
-
-
-$$$event-delete-role$$$
-
-`delete_role`
-: Logged when the [delete role API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-delete-role) is invoked to delete a role.
-
- You must include the `security_config_change` event type to audit the related event action.
-
- ::::{dropdown} Example
- ```js
- {"type":"audit", "timestamp":"2020-12-31T00:08:11,678+0200", "node.id":
- "0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.action":
- "delete_role", "request.id":"155IKq3zQdWq-12dgKZRnw",
- "delete":{"role":{"name":"my_admin_role"}}}
- ```
-
- ::::
-
-
-$$$event-delete-role-mapping$$$
-
-`delete_role_mapping`
-: Logged when the [delete role mapping API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-delete-role-mapping) is invoked to delete a role mapping.
-
- You must include the `security_config_change` event type to audit the related event action.
-
- ::::{dropdown} Example
- ```js
- {"type":"audit", "timestamp":"2020-12-31T00:12:09,349+0200", "node.id":
- "0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.
- action":"delete_role_mapping", "request.id":"Stim-DuoSTCWom0S_xhf8g",
- "delete":{"role_mapping":{"name":"mapping1"}}}
- ```
-
- ::::
-
-
-$$$event-delete-service-token$$$
-
-`delete_service_token`
-: Logged when the [delete service account token API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-delete-service-token) is invoked to delete an index-based token for a service account.
-
- You must include the `security_config_change` event type to audit the related event action.
-
- ::::{dropdown} Example
- ```js
- {"type":"audit", "timestamp":"2021-04-30T23:17:42,952+0200", "node.id":
- "0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.
- action":"delete_service_token", "request.id":"az9a1Db5QrebDMacQ8yGKc",
- "delete":{"service_token":{"namespace":"elastic","service":"fleet-server","name":"token1"}}}
- ```
-
- ::::
-
-
-$$$event-delete-user$$$
-
-`delete_user`
-: Logged when the [delete user API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-delete-user) is invoked to delete a specific native user.
-
- You must include the `security_config_change` event type to audit the related event action.
-
- ::::{dropdown} Example
- ```js
- {"type":"audit", "timestamp":"2020-12-30T22:19:41,345+0200", "node.id":
- "0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change",
- "event.action":"delete_user", "request.id":"au5a1Cc3RrebDMitMGGNCw",
- "delete":{"user":{"name":"jacknich"}}}
- ```
-
- ::::
-
-
-$$$event-invalidate-apikeys$$$
-
-`invalidate_apikeys`
-: Logged when the [invalidate API key API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-invalidate-api-key) is invoked to invalidate one or more API keys.
-
- You must include the `security_config_change` event type to audit the related event action.
-
- ::::{dropdown} Example
- ```js
- {"type":"audit", "timestamp":"2020-12-31T00:36:30,247+0200", "node.id":
- "9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change", "event.
- action":"invalidate_apikeys", "request.id":"7lyIQU9QTFqSrTxD0CqnTQ",
- "invalidate":{"apikeys":{"owned_by_authenticated_user":false,
- "user":{"name":"myuser","realm":"native1"}}}}
- ```
-
- ::::
-
-
-$$$event-put-privileges$$$
-
-`put_privileges`
-: Logged when the [create or update privileges API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-put-privileges) is invoked to add or update one or more application privileges.
-
- You must include the `security_config_change` event type to audit the related event action.
-
- ::::{dropdown} Example
- ```js
- {"type":"audit", "timestamp":"2020-12-31T00:39:07,779+0200", "node.id":
- "9clhpgjJRR-iKzOw20xBNQ", "event.type":"security_config_change",
- "event.action":"put_privileges", "request.id":"1X2VVtNgRYO7FmE0nR_BGA",
- "put":{"privileges":[{"application":"myapp","name":"read","actions":
- ["data:read/*","action:login"],"metadata":{"description":"Read access to myapp"}}]}}
- ```
-
- ::::
-
-
-$$$event-put-role$$$
-
-`put_role`
-: Logged when the [create or update role API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-put-role) is invoked to create or update a role.
-
- You must include the `security_config_change` event type to audit the related event action.
-
- ::::{dropdown} Example
- ```js
- {"type":"audit", "timestamp":"2020-12-30T22:27:01,978+0200", "node.id":
- "0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change",
- "event.action":"put_role", "request.id":"tDYQhv5CRMWM4Sc5Zkk2cQ",
- "put":{"role":{"name":"test_role","role_descriptor":{"cluster":["all"],
- "indices":[{"names":["apm*"],"privileges":["all"],"field_security":
- {"grant":["granted"]},"query":"{\"term\": {\"service.name\": \"bar\"}}"},
- {"names":["apm-all*"],"privileges":["all"],"query":"{\"term\":
- {\"service.name\": \"bar2\"}}"}],"applications":[],"run_as":[]}}}}
- ```
-
- ::::
-
-
-$$$event-put-role-mapping$$$
-
-`put_role_mapping`
-: Logged when the [create or update role mapping API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-put-role-mapping) is invoked to create or update a role mapping.
-
- You must include the `security_config_change` event type to audit the related event action.
-
- ::::{dropdown} Example
- ```js
- {"type":"audit", "timestamp":"2020-12-31T00:11:13,932+0200", "node.id":
- "0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change", "event.
- action":"put_role_mapping", "request.id":"kg4h1l_kTDegnLC-0A-XxA",
- "put":{"role_mapping":{"name":"mapping1","roles":["user"],"rules":
- {"field":{"username":"*"}},"enabled":true,"metadata":{"version":1}}}}
- ```
-
- ::::
-
-
-$$$event-put-user$$$
-
-`put_user`
-: Logged when the [create or update user API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-put-user) is invoked to create or update a native user. Note that user updates can also change the user’s password.
-
- You must include the `security_config_change` event type to audit the related event action.
-
- ::::{dropdown} Example
- ```js
- {"type":"audit", "timestamp":"2020-12-30T22:10:09,749+0200", "node.id":
- "0RMNyghkQYCc_gVd1G6tZQ", "event.type":"security_config_change",
- "event.action":"put_user", "request.id":"VIiSvhp4Riim_tpkQCVSQA",
- "put":{"user":{"name":"user1","enabled":false,"roles":["admin","other_role1"],
- "full_name":"Jack Sparrow","email":"jack@blackpearl.com",
- "has_password":true,"metadata":{"cunning":10}}}}
- ```
-
- ::::
-
-
-$$$event-realm-auth-failed$$$
-
-`realm_authentication_failed`
-: Logged for every realm that fails to present a valid authentication token.
-
- ::::{dropdown} Example
- ```js
- {"type":"audit", "timestamp":"2020-12-30T22:10:15,510+0200", "node.id":
- "0RMNyghkQYCc_gVd1G6tZQ", "event.type":"rest", "event.action":
- "realm_authentication_failed", "user.name":"elastic", "origin.type":"rest",
- "origin.address":"[::1]:51504", "realm":"myTestRealm1", "url.path":
- "/_security/user/user1", "url.query":"pretty", "request.method":"POST",
- "request.id":"POv8p_qeTl2tb5xoFl0HIg"}
- ```
-
- ::::
-
-
-$$$event-runas-denied$$$
-
-`run_as_denied`
-: Logged when an authenticated user attempts to [run as](../../users-roles/cluster-or-deployment-auth/submitting-requests-on-behalf-of-other-users.md) another user that they do not have the necessary [privileges](../../users-roles/cluster-or-deployment-auth/elasticsearch-privileges.md) to do so.
-
- ::::{dropdown} Example
- ```js
- {"type":"audit", "timestamp":"2020-12-30T22:49:34,859+0200", "node.id":
- "0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":
- "run_as_denied", "user.name":"user1", "user.run_as.name":"user1",
- "user.realm":"default_native", "user.run_as.realm":"default_native",
- "user.roles":["test_role"], "origin.type":"rest", "origin.address":
- "[::1]:52662", "request.id":"RcaSt872RG-R_WJBEGfYXA",
- "action":"indices:data/read/search", "request.name":"SearchRequest", "indices":["alias1"]}
- ```
-
- ::::
-
-
-$$$event-runas-granted$$$
-
-`run_as_granted`
-: Logged when an authenticated user attempts to [run as](../../users-roles/cluster-or-deployment-auth/submitting-requests-on-behalf-of-other-users.md) another user that they have the necessary privileges to do so.
-
- ::::{dropdown} Example
- ```js
- {"type":"audit", "timestamp":"2020-12-30T22:44:42,068+0200", "node.id":
- "0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":
- "run_as_granted", "user.name":"elastic", "user.run_as.name":"user1",
- "user.realm":"reserved", "user.run_as.realm":"default_native",
- "user.roles":["superuser"], "origin.type":"rest", "origin.address":
- "[::1]:52623", "request.id":"dGqPTdEQSX2TAPS3cvc1qA", "action":
- "indices:data/read/search", "request.name":"SearchRequest", "indices":["alias1"]}
- ```
-
- ::::
-
-
-$$$event-system-granted$$$
-
-`system_access_granted`
-: Logs [`access_granted`](#event-access-granted) events only for [internal users](../../users-roles/cluster-or-deployment-auth/internal-users.md), such as `_xpack`. If you include this setting in addition to `access_granted`, then `access_granted` events are logged for *all* users.
-
- ::::{note}
- This event type is disabled by default to avoid cluttering the logs.
- ::::
-
-
-$$$event-tampered-request$$$
-
-`tampered_request`
-: Logged when the {{security-features}} detect that the request has been tampered with. Typically relates to `search/scroll` requests when the scroll ID is believed to have been tampered with.
-
- ::::{dropdown} Example
- ```js
- {"type":"audit", "timestamp":"2019-11-27T22:00:00,947+0200", "node.id":
- "0RMNyghkQYCc_gVd1G6tZQ", "event.type": "rest", "event.action":
- "tampered_request", "origin.address":"[::1]:50543", "url.path":
- "/twitter/_async_search", "url.query":"pretty", "request.method":"POST",
- "request.id":"TqA9OisyQ8WTl1ivJUV1AA"}
- ```
-
- ::::
-
-
-
-## Audit event attributes [audit-event-attributes]
-
-The audit events are formatted as JSON documents, and each event is printed on a separate line in the audit log. The entries themselves do not contain an end-of-line delimiter. For more details, see [Log entry format](logfile-audit-output.md#audit-log-entry-format).
-
-The following list shows attributes that are common to all audit event types:
-
-`@timestamp`
-: The time, in ISO9601 format, when the event occurred.
-
-`node.name`
-: The name of the node. This can be changed in the `elasticsearch.yml` config file.
-
-`node.id`
-: The node id. This is automatically generated and is persistent across full cluster restarts.
-
-`host.ip`
-: The bound IP address of the node, with which the node can be communicated with.
-
-`host.name`
-: The unresolved node’s hostname.
-
-`event.type`
-: The internal processing layer that generated the event: `rest`, `transport`, `ip_filter` or `security_config_change`. This is different from `origin.type` because a request originating from the REST API is translated to a number of transport messages, generating audit events with `origin.type: rest` and `event.type: transport`.
-
-`event.action`
-: The type of event that occurred: `anonymous_access_denied`, `authentication_failed`, `authentication_success`, `realm_authentication_failed`, `access_denied`, `access_granted`, `connection_denied`, `connection_granted`, `tampered_request`, `run_as_denied`, or `run_as_granted`.
-
- In addition, if `event.type` equals [`security_config_change`](#security-config-change), the `event.action` attribute takes one of the following values: `put_user`, `change_password`, `put_role`, `put_role_mapping`, `change_enable_user`, `change_disable_user`, `put_privileges`, `create_apikey`, `delete_user`, `delete_role`, `delete_role_mapping`, `invalidate_apikeys`, `delete_privileges`, `change_apikey`, or `change_apikeys`.
-
-
-`request.id`
-: A synthetic identifier that can be used to correlate the events associated with a particular REST request.
-
-In addition, all the events of types `rest`, `transport` and `ip_filter` (but not `security_config_change`) have the following extra attributes, which show more details about the requesting client:
-
-`origin.address`
-: The source IP address of the request associated with this event. This could be the address of the remote client, the address of another cluster node, or the local node’s bound address, if the request originated locally. Unless the remote client connects directly to the cluster, the *client address* will actually be the address of the first OSI layer 3 proxy in front of the cluster.
-
-`origin.type`
-: The origin type of the request associated with this event: `rest` (request originated from a REST API request), `transport` (request was received on the transport channel), or `local_node` (the local node issued the request).
-
-`opaque_id`
-: The value of the `X-Opaque-Id` HTTP header (if present) of the request associated with this event. See more: [`X-Opaque-Id` HTTP header - API conventions](https://www.elastic.co/guide/en/elasticsearch/reference/current/api-conventions.html#x-opaque-id)
-
-`trace_id`
-: The identifier extracted from the `traceparent` HTTP header (if present) of the request associated with this event. It allows to surface audit logs into the Trace Logs feature of Elastic APM.
-
-`x_forwarded_for`
-: The verbatim value of the `X-Forwarded-For` HTTP request header (if present) of the request associated with the audit event. This header is commonly added by proxies when they forward requests and the value is the address of the proxied client. When a request crosses multiple proxies the header is a comma delimited list with the last value being the address of the second to last proxy server (the address of the last proxy server is designated by the `origin.address` field).
-
-## Audit event attributes of the `rest` event type [_audit_event_attributes_of_the_rest_event_type]
-
-The events with `event.type` equal to `rest` have one of the following `event.action` attribute values: `authentication_success`, `anonymous_access_denied`, `authentication_failed`, `realm_authentication_failed`, `tampered_request` or `run_as_denied`. These events also have the following extra attributes (in addition to the common ones):
-
-`url.path`
-: The path part of the URL (between the port and the query string) of the REST request associated with this event. This is URL encoded.
-
-`url.query`
-: The query part of the URL (after "?", if present) of the REST request associated with this event. This is URL encoded.
-
-`request.method`
-: The HTTP method of the REST request associated with this event. It is one of GET, POST, PUT, DELETE, OPTIONS, HEAD, PATCH, TRACE and CONNECT.
-
-`request.body`
-: The full content of the REST request associated with this event, if enabled. This contains the HTTP request body. The body is escaped as a string value according to the JSON RFC 4627.
-
-
-## Audit event attributes of the `transport` event type [_audit_event_attributes_of_the_transport_event_type]
-
-The events with `event.type` equal to `transport` have one of the following `event.action` attribute values: `authentication_success`, `anonymous_access_denied`, `authentication_failed`, `realm_authentication_failed`, `access_granted`, `access_denied`, `run_as_granted`, `run_as_denied`, or `tampered_request`. These events also have the following extra attributes (in addition to the common ones):
-
-`action`
-: The name of the transport action that was executed. This is like the URL for a REST request.
-
-`indices`
-: The indices names array that the request associated with this event pertains to (when applicable).
-
-`request.name`
-: The name of the request handler that was executed.
-
-
-## Audit event attributes of the `ip_filter` event type [_audit_event_attributes_of_the_ip_filter_event_type]
-
-The events with `event.type` equal to `ip_filter` have one of the following `event.action` attribute values: `connection_granted` or `connection_denied`. These events also have the following extra attributes (in addition to the common ones):
-
-`transport_profile`
-: The transport profile the request targeted.
-
-`rule`
-: The [IP filtering](../../security/ip-traffic-filtering.md) rule that denied the request.
-
-
-## Audit event attributes of the `security_config_change` event type [security-config-change]
-
-The events with the `event.type` attribute equal to `security_config_change` have one of the following `event.action` attribute values: `put_user`, `change_password`, `put_role`, `put_role_mapping`, `change_enable_user`, `change_disable_user`, `put_privileges`, `create_apikey`, `delete_user`, `delete_role`, `delete_role_mapping`, `invalidate_apikeys`, `delete_privileges`, `change_apikey`, or `change_apikeys`.
-
-These events also have **one** of the following extra attributes (in addition to the common ones), which is specific to the `event.type` attribute. The attribute’s value is a nested JSON object:
-
-`put`
-: The object representation of the security config that is being created, or the overwrite of an existing config. It contains the config for a `user`, `role`, `role_mapping`, or for application `privileges`.
-
-`delete`
-: The object representation of the security config that is being deleted. It can be the config for a `user`, `role`, `role_mapping` or for application `privileges`.
-
-`change`
-: The object representation of the security config that is being changed. It can be the `password`, `enable` or `disable`, config object for native or built-in users. If an API key is updated, the config object will be an `apikey`.
-
-`create`
-: The object representation of the new security config that is being created. This is currently only used for API keys auditing. If the API key is created using the [create API key API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key) it only contains an `apikey` config object. If the API key is created using the [grant API key API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-grant-api-key) it also contains a `grant` config object.
-
-`invalidate`
-: The object representation of the security configuration that is being invalidated. The only config that currently supports invalidation is `apikeys`, through the [invalidate API key API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-invalidate-api-key).
-
-The schemas of the security config objects mentioned above are as follows. They are very similar to the request bodies of the corresponding security APIs.
-
-`user`
-: An object like:
-
- ```js
- `{"name": , "enabled": , "roles": ,
- "full_name": , "email": , "has_password": ,
- "metadata":