Confluent Cloud Audit Log Concepts¶
Audit logs provide a way to capture, protect, and preserve Kafka authentication and authorization activity into topics in Kafka clusters on Confluent Cloud. Specifically, audit logs record the runtime decisions of the permission checks that occur as users and service accounts connect to clusters and attempt to take actions that are protected by ACLs or RBAC.
Each auditable event includes information about who tried to do what, when they tried, and whether or not the system gave permission to proceed.
The primary value of audit logs is that they provide data you can use to assess security risks in your Confluent Cloud clusters. They contain all of the information necessary to follow a user’s interaction with your Confluent Cloud clusters, and provide a way to:
- Track user and application access
- Identify abnormal behavior and anomalies
- Proactively monitor and resolve security risks
You can use Splunk, S3, and other sink connectors to move your audit log data to a target platform for analysis. Note that you cannot consume audit logs directly from a managed connector. Rather, you must either use a self-managed connector to consume audit logs, or mirror the audit logs into a managed Kafka cluster using Replicator or Cluster Linking on Confluent Cloud.
Within Confluent Cloud, all audit log messages from your clusters are retained for seven days on an independent cluster. Users cannot modify, delete, nor produce messages directly to the audit log topic, and to consume the messages, users must have an API key specific to the audit log cluster.
Audit logs are emitted at the time of event occurrence; however, short delays or gaps during operational maintenance are possible, although rare.
Auditable events¶
Confluent Cloud audit logs include two kinds of events: authentication events that are sent when a client connects to a Kafka cluster, and authorization events that are sent when the Kafka cluster checks to verify whether or not a client is allowed to take an action.
Note
Users may attempt to authorize a task solely to find out if they can perform the task, but not follow through with it. In these instances, the authorization is still captured in the audit log.
Confluent Cloud audit logs capture the following events:
| Event name | Description |
|---|---|
| mds.Authorize | An RBAC authorization is being checked. |
| kafka.AlterConfigs | A Kafka configuration is being altered/updated. |
| kafka.AlterMirrors | The properties of a mirror topic that exists on a Cluster Link to this cluster are being altered. |
| kafka.Authentication | A client has connected to the Kafka cluster using an API key or token. |
| kafka.CreateAcls | A Kafka broker ACL is being created. |
| kafka.CreateClusterLinks | A cluster link is being created between this cluster and another cluster. |
| kafka.CreatePartitions | Partitions are being added to a topic. |
| kafka.CreateTopics | A topic is being created. |
| kafka.DeleteAcls | A Kafka broker ACL is being deleted. |
| kafka.DeleteClusterLinks | A cluster link is being deleted. |
| kafka.DeleteGroups | A Kafka group is being deleted. |
| kafka.DeleteRecords | A Kafka record is being deleted. Commonly seen on ksqlDB internal topics for repartitioning. |
| kafka.DeleteTopics | A Kafka topic is being deleted. |
| kafka.IncrementalAlterConfigs | A dynamic configuration of a Kafka broker is being altered. |
| kafka.OffsetDelete | A committed offset for a partition in a consumer group is being deleted. |
All Confluent Cloud audit log messages are captured in the audit log topic,
confluent-audit-log-events.
The following example shows an authentication event that was sent when service
account 306343 used the API key MAIDSRFG53RXYTKR to connect to the
Kafka cluster lkc-6k8r8q:
{
"id": "29ca0e51-fdcd-44bd-a393-43193432b614",
"source": "crn://confluent.cloud/kafka=lkc-6k8r8q",
"specversion": "1.0",
"type": "io.confluent.kafka.server/authentication",
"datacontenttype": "application/json",
"subject": "crn://confluent.cloud/kafka=lkc-6k8r8q",
"time": "2020-12-28T22:41:43.395Z",
"data": {
"serviceName": "crn://confluent.cloud/kafka=lkc-6k8r8q",
"methodName": "kafka.Authentication",
"resourceName": "crn://confluent.cloud/kafka=lkc-6k8r8q",
"authenticationInfo": {
"principal": "User:306343",
"metadata": {
"mechanism": "SASL_SSL/PLAIN",
"identifier": "MAIDSRFG53RXYTKR"
}
},
"result": {
"status": "SUCCESS",
"message": ""
}
}
}
See also: Audit Log Event Schema.
Audit log content¶
The following example shows the contents of an audit log message that is returned from a cluster when a user creates a new topic:
{
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"specversion": "1.0",
"type": "io.confluent.kafka.server/authorization",
"datacontenttype": "application/json",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"time": "2021-01-01T12:34:56.789Z",
"data": {
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"methodName": "kafka.CreateTopics",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "DescribeConfigs",
"resourceType": "Topic",
"resourceName": "departures",
"patternType": "LITERAL",
"superUserAuthorization": true
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
}
}
}
Note
For more examples, see Audit Log Schema Examples.
The first section of the audit log displays information about the log message itself. Think of it as the envelope in which the message is delivered; it contains the following audit log implementation details:
| Audit log entry | Description |
|---|---|
| id | A randomly-generated UUID that ensures uniqueness across all sources. |
| source | Identifies the source location where the decision about whether or not the authorization was allowed. For events that occur on Kafka clusters, this will be a Confluent Resource Name (CRN) that identifies the cluster. For cluster management events, this will be a top-level CRN for Confluent Cloud. |
| specversion | The version of CloudEvents in use (CloudEvents is a vendor-neutral specification that defines the format of event data). |
| type | The type of event that occurred. The value in this property corresponds with the presence or absence of certain other event properties. The two types available are:
For additional details, read the audit log event schema. |
| datacontenttype | Identifies the CloudEvent format that the audit data is presented in (JSON). |
| subject | Identifies the resource on which access has been allowed or denied. |
| time | The time at which the event occurred. |
The next section of the audit log displays data (data) you can use to assess
security risks.
| Audit log entry | Description |
|---|---|
| serviceName | The system that determined whether or not
the authorization was allowed. This will be
either the CRN
of a Kafka cluster or a general CRN like crn://confluent.cloud/. |
| methodName | The type of request that was made. For example,
the methodName above shows that the user
attempted to create a Kafka topic. This entry
will include one of the event names listed
above, and display either mds (if it’s an
authorize event) or kafka (if any other
event) before it. For example:
mds.Authorize, and kafka.CreateTopics. |
| resourceName | The Confluent resource name (CRN) of the target
of the request, such as a Kafka cluster, topic,
or consumer group. In the example above, the
For additional details, refer to CRN. |
| authenticationInfo | Identifies the user or service account attempting the request. |
| authorizationInfo | Includes details about the decision that was made to authorize the request. The example above shows that the authorization request to create a topic in a Kafka cluster was granted. If RBAC is used, the resource and role (if any) are included. If ACLs are used, the ACL information is also included. |
| request | Includes details about request-related identifiers, including the following:
|
Audit Log Content Examples¶
The following example shows what an audit log message looks like when RBAC is configured:
{
"id": "f07bdde7-c633-41c9-abab-5ff3539e9967",
"source": "crn://confluent.cloud/",
"specversion": "1.0",
"type": "io.confluent.kafka.server/authorization",
"datacontenttype": "application/json",
"subject": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/environment=env-1ab2c",
"time": "2021-06-07T18:49:40.331Z",
"data": {
"serviceName": "crn://confluent.cloud/",
"methodName": "mds.Authorize",
"resourceName": "crn://confluent.cloud/organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/environment=env-1ab2c",
"authenticationInfo": {
"principal": "User:u-1abc2d"
},
"authorizationInfo": {
"granted": true,
"operation": "CreateCloudCluster",
"resourceType": "Environment",
"resourceName": "environment",
"patternType": "LITERAL",
"rbacAuthorization": {
"role": "OrganizationAdmin",
"scope": {
"outerScope": [
"organization=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d"
],
"clusters": {}
}
}
}
}
The following example shows what an audit log message looks like when you are allowed to alter topic configurations based on an ACL:
{
"id": "fc0f727d-899a-4a22-ad8b-a866871a9d37",
"source": "crn://confluent.cloud/kafka=lkc-a1b2c",
"specversion": "1.0",
"type": "io.confluent.kafka.server/authorization",
"datacontenttype": "application/json",
"subject": "crn://confluent.cloud/kafka=lkc-a2b2c",
"time": "2021-01-01T12:34:56.789Z",
"data": {
"serviceName": "crn://confluent.cloud/kafka=lkc-a1b2c",
"methodName": "kafka.IncrementalAlterConfigs",
"resourceName": "crn://confluent.cloud/kafka=lkc-a1b2c/topic=departures",
"authenticationInfo": {
"principal": "User:123456"
},
"authorizationInfo": {
"granted": true,
"operation": "AlterConfigs",
"resourceType": "Topic",
"resourceName": "departures",
"patternType": "LITERAL",
"superUserAuthorization": false,
"aclAuthorization": {
"permissionType": "ALLOW",
"host": "*"
}
},
"request": {
"correlationId": "123",
"clientId": "adminclient-42"
}
}
}
Confluent Resource Names (CRNs)¶
Confluent Resource Names (CRNs) provide a uniform way to uniquely identify resources such as a Kafka cluster, topic, or consumer group, and are used in audit logs.
Each CRN is a uniform resource identifier (URI) that uniquely identifies
the associated Confluent resource and is prefixed with crn://.
In the CRN:
crn://confluent.cloud/organization=fc5ba16d-661d-474c-85df-c2a1ed26032c/environment=env-pqr45/cloud-cluster=lkc-a1b2c/kafka=lkc-a1b2c
Interpret the content as follows:
- An authorization event occurred in Kafka cluster
kafka=lkc-a1b2c - The Kafka cluster is in the environment
environment=env-pqr45 - The environment is in the organization
organization=fc5ba16d-661d-474c-85df-c2a1ed26032c
The following CRNs identify some of the most commonly-used Confluent Cloud resources.
- Cluster Resource CRN
This CRN identifies the Kafka cluster.
Example:
crn://confluent.cloud/organization=fc5ba16d-661d-474c-85df-c2a1ed26032c/environment=env-pqr45/cloud-cluster=lkc-a1b2c/kafka=lkc-a1b2c crn://confluent.cloud/kafka=lkc-a1b2c
- Topic CRN
This CRN identifies Confluent Cloud topics.
Example:
crn://confluent.cloud/kafka=lkc-a1b2c/topic=my-topic
- Service Account CRN
This CRN identifies Confluent Cloud service accounts.
Examples:
crn://confluent.cloud/organization=fc5ba16d-661d-474c-85df-c2a1ed26032c/service-account=123456 crn://confluent.cloud/organization=fc5ba16d-661d-474c-85df-c2a1ed26032c/service-account=sa-x8y9z0 crn://confluent.cloud/organization=fc5ba16d-661d-474c-85df-c2a1ed26032c/service-account=%2A
- Schema Registry CRN
This CRN identifies a Confluent Cloud Schema Registry.
Example:
crn://confluent.cloud/organization=fc5ba16d-661d-474c-85df-c2a1ed26032c/environment=env-pqr45/schema-registry=lsrc-m1n2o
For additional details about CRNs, refer to Confluent Resource Names.