Audit log reference
Konnect captures three types of events:
- Authentication: Triggered when a user attempts to log into the Konnect web application or use the Konnect API via a personal access token. Also triggered when a system account access token is used.
- Authorization: Triggered when a permission check is made for a user or system account against a resource.
- Access logs: Triggered when a request is made to the Konnect API.
Data Retention Period
Konnect retains audit logs for 7 days.
Log formats
Konnect delivers log events in ArcSight CEF Format or JSON. You may specify which format to use in the audit log webhook endpoint.
Webhook calls include a batch of events. Each event is formatted in either CEF or JSON and separated by a newline. The Content-Type is text/plain.
To minimize payload size, the message body is compressed. The Content-Encoding is application/gzip.
All log entries include the following attributes:
Property | Description |
---|---|
Timestamp | Time and date of the event in UTC. |
rt | Milliseconds since Unix epoch. |
src | The IP address of the request originator. |
org_id | The originating organization ID. |
principal_id | The user ID of the user that performed the action. |
kong_initiated | Whether the action was performed by Kong. |
trace_id | The correlation ID of the request. Use this value to find all log entries for a given request. |
user_agent | The user agent of the request: application, operating system, vendor, and version. |
sig | An ED25519 signature. |
Authentication logs
Authentication attempts and their outcomes are logged whenever a user logs in to the Konnect application or uses the Konnect API.
Example log entry:
In addition to the defaults, each authentication log entry also contains the following attributes:
Property | Description |
---|---|
AUTHENTICATION_TYPE | Can be one of the following: AUTHENTICATION_TYPE_BASIC (basic email and password authentication); AUTHENTICATION_TYPE_SSO (authentication with single sign-on (SSO)); AUTHENTICATION_TYPE_PAT (authentication with a personal access token). |
AUTHENTICATION_OUTCOME | Can be one of the following: AUTHENTICATION_OUTCOME_SUCCESS (authentication is successful); AUTHENTICATION_OUTCOME_NOT_FOUND (user was not found); AUTHENTICATION_OUTCOME_INVALID_PASSWORD (invalid password specified); AUTHENTICATION_OUTCOME_LOCKED (user account is locked); AUTHENTICATION_OUTCOME_DISABLED (user account has been disabled). |
success | true or false, depending on whether authentication was successful or not. |
Authorization logs
Authorization log entries are created for every permission check in Konnect.
Example log entry:
In addition to the defaults, each authorization log entry also contains the following attributes:
Property | Description |
---|---|
action | The type of action the user performed on the resource. For example, retrieve, list, or edit. |
granted | Boolean indicating whether the authorization was granted or not. |
Note: As of Sept 15, 2023, the authorization logs have been renamed. This change has no effect on the traceability of the resources by ID. These renames include:
- From Authz.runtimegroups to Authz.control-planes
- From Authz.services to Authz.api-products
Access logs
Access logs include information about create, update, and delete requests to the Konnect API.
Example log entry:
In addition to the defaults, each access log entry also contains the following attributes:
Property | Description |
---|---|
request | The endpoint that was called. |
query | The request query parameters, if any. |
act | The HTTP request method; for example, POST, PATCH, PUT, or DELETE. |
status | The HTTP response code; for example, 200 or 403. |
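A receiver-side sketch for the webhook batches described above, added here as an example and not taken from Kong's code: it decompresses the body with a size bound, parses one JSON event per line, and groups failed logins, denied permission checks and 401/403 responses by trace_id. It assumes each JSON event is a flat object keyed by the attribute names in the tables; the sample events, MAX_BATCH_BYTES and all function names are constructed for illustration.

```python
import gzip
import json
import zlib
from collections import defaultdict

MAX_BATCH_BYTES = 8 * 1024 * 1024  # assumed cap on decompressed size; tune per receiver

# Constructed sample events. Assumption: each JSON event is a flat object whose
# keys are the attribute names from the tables above; every value is made up.
SAMPLE_EVENTS = [
    {"rt": 1700000000000, "src": "203.0.113.7", "principal_id": "user-1",
     "trace_id": "t-100", "success": "false",
     "AUTHENTICATION_OUTCOME": "AUTHENTICATION_OUTCOME_INVALID_PASSWORD"},
    {"rt": 1700000001000, "principal_id": "user-2", "trace_id": "t-200",
     "action": "edit", "granted": False},
    {"rt": 1700000001005, "principal_id": "user-2", "trace_id": "t-200",
     "request": "/example/resource", "act": "DELETE", "status": 403},
    {"rt": 1700000002000, "principal_id": "user-3", "trace_id": "t-300",
     "success": True, "AUTHENTICATION_OUTCOME": "AUTHENTICATION_OUTCOME_SUCCESS"},
]

def sample_body() -> bytes:
    """Build a body shaped like a webhook call: gzip over newline-separated JSON."""
    return gzip.compress("\n".join(json.dumps(e) for e in SAMPLE_EVENTS).encode())

def decode_batch(body: bytes, limit: int = MAX_BATCH_BYTES) -> list:
    """Decompress with a size bound, then parse one JSON event per line."""
    inflater = zlib.decompressobj(zlib.MAX_WBITS | 16)  # 16 selects the gzip wrapper
    raw = inflater.decompress(body, limit)
    if inflater.unconsumed_tail or not inflater.eof:
        raise ValueError("batch is truncated or exceeds the decompressed size limit")
    return [json.loads(line) for line in raw.decode("utf-8").splitlines() if line.strip()]

def is_false(value) -> bool:
    """Accept both a JSON boolean and the string form of false."""
    return value is False or str(value).lower() == "false"

def flag_traces(events: list) -> dict:
    """Map trace_id -> reasons for traces with a failed login, denied check or 401/403."""
    flagged = defaultdict(list)
    for ev in events:
        if "success" in ev and is_false(ev["success"]):
            flagged[ev["trace_id"]].append(ev.get("AUTHENTICATION_OUTCOME", "authentication failed"))
        if "granted" in ev and is_false(ev["granted"]):
            flagged[ev["trace_id"]].append("denied action: " + str(ev.get("action")))
        if str(ev.get("status")) in ("401", "403"):
            flagged[ev["trace_id"]].append(f"{ev.get('act')} {ev.get('request')} -> {ev['status']}")
    return dict(flagged)
```

Because audit logs are retained for 7 days, a receiver like this would normally also write each decoded batch to longer-term storage before triage.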