Audit log reference
Konnect captures three types of events:
Event type | Org audit logs | Dev Portal audit logs |
---|---|---|
Authentication | This is triggered when a user attempts to log into the Konnect web application or use the Konnect API via a personal access token. Also triggered when a system account access token is used. | Triggered when a user logs in to the Dev Portal. |
Authorization | Triggered when a permission check is made for a user or system account against a resource. | Not currently supported |
Access logs | Triggered when a request is made to the Konnect API. | Not currently supported |
Konnect retains audit logs for 7 days.
Audit log webhook status
You can view the webhook status in the UI or via the API for the Konnect org audit logs and Dev Portal audit logs.
The following table describes the webhook statuses:
Attribute | Description |
---|---|
last_attempt_at | The last time Konnect tried to send data to your webhook |
last_response_code | The last response code from your webhook |
webhook_enabled | The desired status of the webhook (from audit-log-webhook.enabled) |
webhook_status | The actual status of the webhook |
The combination of webhook_enabled and webhook_status gives a full picture of the webhook's state.
webhook_enabled | webhook_status | Description |
---|---|---|
true | active | Konnect is ready to send data to the webhook. Either no attempts have been made yet (last_attempt_at is not set), or the last attempt was successful. |
true | inactive | Last attempt to send data failed, but the webhook is still enabled. This usually means that there was an error in the endpoint or the SIEM provider went down that caused the logs to stop streaming. |
false | active | Webhook config is saved. Konnect is not shipping data to it per webhook configuration. |
false | inactive | Last attempt to send data failed, and customer has turned off the webhook. |
false | unconfigured | The webhook for this region has not been configured yet. |
Log formats
Konnect delivers log events in ArcSight CEF Format or JSON. You may specify which format to use in the audit log webhook endpoint.
Webhook calls include a batch of events. Each event is formatted in either CEF or JSON and separated by a newline. The Content-Type is text/plain.
To minimize payload size, the message body is compressed. The Content-Encoding is application/gzip.
All log entries include the following attributes:
Property | Description |
---|---|
Timestamp | Time and date of the event in UTC. |
rt | Milliseconds since Unix epoch. |
src | The IP address of the request originator. |
org_id | The originating organization ID. |
principal_id | The user ID of the user that performed the action. |
kong_initiated | Whether the action was performed by Kong. |
trace_id | The correlation ID of the request. Use this value to find all log entries for a given request. |
user_agent | The user agent of the request: application, operating system, vendor, and version. |
sig | An ED25519 signature. |
Authentication logs
Authentication attempts and their outcomes are logged whenever a user logs in to the Konnect application or the Dev Portal either through the UI or the Konnect API.
In addition to the defaults, each authentication log entry also contains the following attributes:
Property | Description |
---|---|
AUTHENTICATION_TYPE | Can be one of the following: - AUTHENTICATION_TYPE_BASIC: basic email and password authentication - AUTHENTICATION_TYPE_SSO: authentication with single sign-on (SSO) - AUTHENTICATION_TYPE_PAT: authentication with a personal access token |
AUTHENTICATION_OUTCOME | Can be one of the following: - AUTHENTICATION_OUTCOME_SUCCESS: authentication is successful - AUTHENTICATION_OUTCOME_NOT_FOUND: user was not found - AUTHENTICATION_OUTCOME_INVALID_PASSWORD: invalid password specified - AUTHENTICATION_OUTCOME_LOCKED: user account is locked - AUTHENTICATION_OUTCOME_DISABLED: user account has been disabled |
success | true or false, depending on whether authentication was successful or not. |
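A receiver-side sketch of the batch format described under Log formats, combined with the src, success and trace_id attributes listed above. This is an added example, not Kong's code: it assumes JSON keys and CEF extension keys carry the attribute names from the tables, and the CEF header values and all sample events are constructed.

```python
import gzip
import json
import re
from collections import Counter

_EXT = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")  # CEF key=value pairs

def parse_event(line):
    """Parse one event line, JSON or CEF, into a flat dict."""
    if line.lstrip().startswith("{"):
        return json.loads(line)
    cef = line[line.index("CEF:"):]  # tolerate a prefix before the CEF header
    parts = re.split(r"(?<!\\)\|", cef, maxsplit=7)  # 7 header fields + extension
    if len(parts) < 8:
        raise ValueError("truncated CEF event")
    return dict(_EXT.findall(parts[7]))

def decode_batch(body):
    """Gunzip the webhook body and parse its newline-separated events."""
    text = gzip.decompress(body).decode("utf-8")
    return [parse_event(l) for l in text.splitlines() if l.strip()]

def failed_auth_sources(events, threshold=3):
    """Return {src: count} for sources with >= threshold failed authentications."""
    fails = Counter(e.get("src", "unknown") for e in events
                    if str(e.get("success")).lower() == "false")
    return {src: n for src, n in fails.items() if n >= threshold}

def events_for_trace(events, trace_id):
    """All entries that share one trace_id, i.e. belong to one request."""
    return [e for e in events if e.get("trace_id") == trace_id]

# Constructed sample batch: documentation IP ranges, made-up IDs and header.
_J = '{"rt": %d, "src": "%s", "trace_id": "%s", "success": %s}'
_C = ("CEF:0|ExampleVendor|ExampleProduct|0|sample|sample|0|rt=%d src=%s "
      "trace_id=%s success=%s user_agent=curl/8.0 (sample build)")
SAMPLE_BODY = gzip.compress("\n".join([
    _J % (1700000000000, "203.0.113.7", "t-1", "false"),
    _J % (1700000001000, "203.0.113.7", "t-2", "false"),
    _C % (1700000002000, "203.0.113.7", "t-3", "false"),
    _C % (1700000003000, "198.51.100.4", "t-4", "true"),
    _J % (1700000003500, "198.51.100.4", "t-4", "true"),
]).encode())

if __name__ == "__main__":
    events = decode_batch(SAMPLE_BODY)
    print(failed_auth_sources(events))
    print(events_for_trace(events, "t-4"))
```

CEF extension values arrive as strings while JSON values keep their types, which is why the success check normalizes to a lowercase string before comparing.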
Authorization logs
Authorization log entries are created for every permission check in Konnect.
Note: This is not currently supported for Dev Portal audit logs.
Example log entry:
In addition to the defaults, each authorization log entry also contains the following attributes:
Property | Description |
---|---|
action | The type of action the user performed on the resource. For example, retrieve, list, or edit. |
granted | Boolean indicating whether the authorization was granted or not. |
Note: As of Sept 15, 2023, the authorization logs have been renamed. This change has no effect on the traceability of the resources by ID. These renames include:
- From Authz.runtimegroups to Authz.control-planes
- From Authz.services to Authz.api-products
Access logs
Access logs include information about create, update, and delete requests to the Konnect API.
Note: This is not currently supported for Dev Portal audit logs.
Example log entry:
In addition to the defaults, each access log entry also contains the following attributes:
Property | Description |
---|---|
request | The endpoint that was called. |
query | The request query parameters, if any. |
act | The HTTP request method; for example, POST, PATCH, PUT, or DELETE. |
status | The HTTP response code; for example, 200 or 403. |
See also
Dev Portal audit logs:
- Audit logging in Dev Portal
- Set up a portal audit log webhook
- Set up a portal audit log replay job
Konnect audit logs: