> ## Documentation Index
> Fetch the complete documentation index at: https://docs.conduktor.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Kafka audit logging — track all actions

> Configure Kafka audit logs in Conduktor Console to track every user action and resource event.

As you and your team interact with Conduktor, audit events are captured that give a detailed log of actions, providing a centralized visibility of user-related and resource-related events.

<Tabs>
  <Tab title="Console">
    ## Console overview

    The Console audit log events can be **browsed, filtered and searched** directly via the UI or **exported from a Kafka topic** for further use (such as maintaining your own audit trail in other systems).

    <img src="https://mintcdn.com/conduktor/Qoq7DGlJAnopJIka/images/admin-audit.png?fit=max&auto=format&n=Qoq7DGlJAnopJIka&q=85&s=5e4a3f8dfa199940bc00f5214146bdf2" alt="Admin Audit" width="2404" height="1374" data-path="images/admin-audit.png" />

    Click on an event in the audit log to expose event-specific metadata. Here's an example of an audit event for a new connector which can include metadata such as custom tags, the cluster, connector name and its ID.

    <img src="https://mintcdn.com/conduktor/QbWqOoz71x3C-Q82/images/audit-log-inspect.png?fit=max&auto=format&n=QbWqOoz71x3C-Q82&q=85&s=712e8d71f56d2bac0e69d9d5d14eb7dc" alt="Admin Audit Event" width="2492" height="1768" data-path="images/audit-log-inspect.png" />

    Once configured with the correct [environment variables](/guide/conduktor-in-production/deploy-artifacts/deploy-console/environment-variables#audit-log-export-properties), audit log events are also exported to a Kafka topic, allowing you to leverage the benefits of Conduktor when finding a message.

    <img src="https://mintcdn.com/conduktor/QbWqOoz71x3C-Q82/images/audit-log-kafka-message.png?fit=max&auto=format&n=QbWqOoz71x3C-Q82&q=85&s=2b0503654a9bb52aa99961d3725f5bae" alt="kafka message audit log" width="1565" height="988" data-path="images/audit-log-kafka-message.png" />

    ## View and export audit logs

    <Tabs>
      <Tab title="CloudEvents">
        #### Export audit log events

        You can export audit log events from a Kafka topic using the Console UI. The exportable events have more detail than the legacy events, providing additional information about the event that has taken place.

        Learn how to configure audit events for export via [configuration properties](/guide/conduktor-in-production/deploy-artifacts/deploy-console/environment-variables#audit-log-export-properties).

        The events conform to the [CloudEvents specification](https://github.com/cloudevents/spec/blob/main/cloudevents/spec.md) <Icon icon="up-right-from-square" />, a vendor-neutral format that follows the following structure:

        ```json theme={null}
        {
            "specversion" : "1.0",
            "type" : "com.github.pull_request.opened",
            "source" : "https://github.com/cloudevents/spec/pull",
            "subject" : "123",
            "id" : "A234-1234-1234",
            "time" : "2018-04-05T17:31:00Z",
            "comexampleextension1" : "value",
            "comexampleothervalue" : 5,
            "datacontenttype" : "text/xml",
            "data" : "<much wow=\"xml\"/>"
        }
        ```

        Here's an example of a Conduktor event:

        ```json theme={null}
        {
          "source": "//kafka/kafkacluster/production/topic/website-orders",
          "data": {
            "eventType": "Kafka.Topic.Create",
            // Additional event specific data...
            "metadata": {
              "name": "website-orders",
              "cluster": "production"
            }
            // Additional event specific metadata...
          },
          "datacontenttype": "application/json",
          "id": "ad85122c-0041-421e-b04b-6bc2ec901e08",
          "time": "2024-10-10T07:52:07.483140Z",
          "type": "AuditLogEventType(Kafka,Topic,Create)",
          "specversion": "1.0"
        }
        ```

        Here's a list of currently available audit log event types.

        ##### Kafka related events

        | **Event type**                          | **Description**                                            |
        | --------------------------------------- | ---------------------------------------------------------- |
        | **Kafka.Subject.Create**                | Kafka subject is created.                                  |
        | **Kafka.Subject.Update**                | Kafka subject is updated.                                  |
        | **Kafka.Subject.Delete**                | Kafka subject is deleted.                                  |
        | **Kafka.Subject.ChangeCompatibility**   | Kafka subject compatibility is changed                     |
        | **Kafka.Topic.Create**                  | Kafka topic is created.                                    |
        | **Kafka.Topic.Update**                  | Kafka topic is updated.                                    |
        | **Kafka.Topic.Delete**                  | Kafka topic is deleted.                                    |
        | **Kafka.Topic.Empty**                   | Kafka topic is emptied.                                    |
        | **Kafka.Topic.Browse**                  | Kafka topic is browsed.                                    |
        | **Kafka.Topic.ProduceRecord**           | Kafka topic record is produced.                            |
        | **Kafka.Topic.SqlQuery**                | Kafka topic is requested through Console SQL.              |
        | **Kafka.Connector.Create**              | Kafka connector is created.                                |
        | **Kafka.Connector.Update**              | Kafka connector is updated.                                |
        | **Kafka.Connector.Delete**              | Kafka connector is deleted.                                |
        | **Kafka.Connector.Restart**             | Kafka connector is restarted.                              |
        | **Kafka.Connector.TaskRestart**         | Kafka connector task is restarted.                         |
        | **Kafka.Connector.Pause**               | Kafka connector is paused.                                 |
        | **Kafka.Connector.Resume**              | Kafka connector is resumed.                                |
        | **Kafka.Connector.AutoRestartActivate** | Kafka connector auto-restart is activated.                 |
        | **Kafka.Connector.AutoRestartStop**     | Kafka connector auto-restart is stopped.                   |
        | **Kafka.ConsumerGroup.Duplicate**       | Kafka consumer group is duplicated.                        |
        | **Kafka.ConsumerGroup.Update**          | Kafka consumer group is updated, when the offset is reset. |
        | **Kafka.ConsumerGroup.Delete**          | Kafka consumer group is deleted.                           |

        ##### IAM related events

        | **Event type**       | **Description**       |
        | -------------------- | --------------------- |
        | **Iam.User.Create**  | IAM user is created.  |
        | **Iam.User.Update**  | IAM user is updated.  |
        | **Iam.User.Delete**  | IAM user is deleted.  |
        | **Iam.User.Login**   | IAM user logs in.     |
        | **Iam.User.Logout**  | IAM user logs out.    |
        | **Iam.Group.Create** | IAM group is created. |
        | **Iam.Group.Update** | IAM group is updated. |
        | **Iam.Group.Delete** | IAM group is deleted. |

        ##### Self-service related events

        | **Event type**                                       | **Description**                                       |
        | ---------------------------------------------------- | ----------------------------------------------------- |
        | **SelfService.Application.Create**                   | Self-service application is created.                  |
        | **SelfService.Application.Update**                   | Self-service application is updated.                  |
        | **SelfService.Application.Upsert**                   | Self-service application is created or updated.       |
        | **SelfService.Application.Delete**                   | Self-service application is deleted.                  |
        | **SelfService.ApplicationInstance.Create**           | Self-service application instance is created.         |
        | **SelfService.ApplicationInstance.Update**           | Self-service application instance is updated.         |
        | **SelfService.ApplicationInstance.Delete**           | Self-service application instance is deleted.         |
        | **SelfService.ApplicationInstanceApiKey.Create**     | Self-service application instance API key is created. |
        | **SelfService.ApplicationInstanceApiKey.Delete**     | Self-service application instance API key is deleted. |
        | **SelfService.ApplicationGroup.Create**              | Self-service application group is created.            |
        | **SelfService.ApplicationGroup.Update**              | Self-service application group is updated.            |
        | **SelfService.ApplicationGroup.Delete**              | Self-service application group is deleted.            |
        | **SelfService.ApplicationPolicy.Create**             | Self-service application policy is created.           |
        | **SelfService.ApplicationPolicy.Update**             | Self-service application policy is updated.           |
        | **SelfService.ApplicationPolicy.Delete**             | Self-service application policy is deleted.           |
        | **SelfService.ApplicationInstancePermission.Create** | Permissions are created for an app instance.          |
        | **SelfService.ApplicationInstancePermission.Delete** | Permissions are deleted for an app instance.          |
        | **SelfService.ServiceAccount.Create**                | Service account is created.                           |
        | **SelfService.ServiceAccount.Update**                | Service account is updated.                           |
        | **SelfService.ServiceAccount.Delete**                | Service account is deleted.                           |

        ##### Admin related events

        | **Event type**                               | **Description**                                              |
        | -------------------------------------------- | ------------------------------------------------------------ |
        | **Admin.KafkaConnect.Create**                | A Kafka Connect instance is created.                         |
        | **Admin.KafkaConnect.Update**                | A Kafka Connect instance is updated                          |
        | **Admin.KafkaConnect.Delete**                | A Kafka Connect instance is deleted.                         |
        | **Admin.KsqlDB.Create**                      | A ksqlDB instance is created.                                |
        | **Admin.KsqlDB.Update**                      | A ksqlDB instance is updated.                                |
        | **Admin.KsqlDB.Delete**                      | A ksqlDB instance is deleted.                                |
        | **Admin.KafkaCluster.Create**                | A Kafka cluster is created.                                  |
        | **Admin.KafkaCluster.Update**                | A Kafka cluster is updated.                                  |
        | **Admin.KafkaCluster.Delete**                | A Kafka cluster is deleted.                                  |
        | **Admin.SchemaRegistry.ChangeCompatibility** | The global compatibility of the schema registry is updated.  |
        | **Admin.Integration.Update**                 | The alert integration (Slack, MS Teams, Webhook) is updated. |
        | **Admin.AdminApiKey.Create**                 | A new admin API key is created.                              |
        | **Admin.AdminApiKey.Delete**                 | An admin API key is deleted.                                 |
        | **Admin.DataMaskingPolicy.Create**           | A data masking policy is created.                            |
        | **Admin.DataMaskingPolicy.Update**           | A data masking policy is updated.                            |
        | **Admin.DataMaskingPolicy.Delete**           | A data masking policy is deleted.                            |
        | **Admin.Certificate.Create**                 | A certificate is created.                                    |
        | **Admin.Certificate.Delete**                 | A certificate is deleted.                                    |

        ##### Alert related events

        | **Event type**          | **Description**        |
        | ----------------------- | ---------------------- |
        | **Kafka.Alert.Create**  | An alert is created.   |
        | **Kafka.Alert.Update**  | An alert is updated.   |
        | **Kafka.Alert.Delete**  | An alert is deleted.   |
        | **Kafka.Alert.Trigger** | An alert is triggered. |

        ##### Partner Zone related events

        | **Event type**                    | **Description**                                  |
        | --------------------------------- | ------------------------------------------------ |
        | **Admin.PartnerZone.Create**      | A Partner Zone is created.                       |
        | **Admin.PartnerZone.Update**      | A Partner Zone is updated.                       |
        | **Admin.PartnerZone.Delete**      | A Partner Zone is deleted.                       |
        | **Admin.PartnerZone.TokenCreate** | A token is created for accessing a Partner Zone. |
      </Tab>

      <Tab title="Legacy events">
        #### Legacy audit events

        Here's a list of legacy audit events tracked by Conduktor:

        * [Console](#console)
        * [Data masking](#data-masking)
        * [Self-service](#self-service)
        * [Admin](#admin)

        ### Console

        ##### ResourceType: `Topic`

        CRN: `kafka:/cluster/<uuid>/topic/<topic-name>`

        * topic.ProducedRecord
        * topic.Browsed
        * topic.Deleted
        * topic.Created
        * topic.Updated
        * topic.Emptied
        * topic.Tagged
        * topic.Untagged

        ##### ResourceType: `Subject`

        CRN `kafka:/cluster/<uuid>/subject/<subject-name>`

        * subject.Created
        * subject.Updated
        * subject.ChangedCompat
        * subject.Deleted
        * subject.DeletedVersions
        * subject.DeletedVersion

        ##### ResourceType: `SchemaRegistry`

        CRN `kafka:/cluster/<uuid>`

        * registry.ChangedGlobalCompat

        ##### ResourceType: `ConsumerGroup`

        CRN `kafka:/cluster/<uuid>/group/<group-name>`

        * consumergroup.Created
        * consumergroup.Updated (ResetOffsets)
        * consumergroup.Deleted

        ##### ResourceType: `Connector`

        CRN `kafka:/cluster/<uuid>/connect/<connect-cluster-id>/<connector-name>`

        * connector.Created
        * connector.Updated
        * connector.Deleted
        * connector.Restarted
        * connector.RestartedTask
        * connector.Paused
        * connector.Resumed

        #### Data masking

        ##### ResourceType: `DatamaskingPolicy`

        CRN `platform:/datamasking/<uuid>`

        * policy.Upserted
        * policy.Deleted

        #### Self-service

        ##### ResourceType: `Application`

        CRN `platform:/application/<app-slug>`

        * application.Created
        * application.Deleted
        * application.Updated
        * application.access-request.Approved
          from / to
        * application.access-request.Rejected

        #### Admin

        ##### ResourceType: `Cluster`

        CRN `kafka:/cluster/<uuid>`

        * cluster.Created
        * cluster.Updated
        * cluster.Deleted

        ##### ResourceType: `Group`

        CRN `platform:/group/<uuid>`

        * group.Created
        * group.member.Added
        * group.member.Deleted
        * group.permission.Added
        * group.permission.Deleted

        ##### ResourceType: `User`

        CRN `platform:/user/<email>`

        * user.Login
        * user.permission.Added
        * user.permission.Deleted
        * user.platform\_role.Updated
      </Tab>
    </Tabs>
  </Tab>

  <Tab title="Gateway">
    ## Gateway overview

    The Gateway audit log events are stored in an internal topic. The topic name is configured using `GATEWAY_AUDIT_LOG_TOPIC` and the feature can be enabled/disabled using `GATEWAY_FEATURE_FLAGS_AUDIT`. The audit events can be **browsed, filtered and searched** via Console UI or used to create custom alerts and notifications.

    Here's an example of a Gateway audit log event in JSON format, showing a successful authentication attempt to Gateway:

    ```json theme={null}
    {
      "id": "a3b7355b-dbe6-4db4-90a8-f41e0111710e",
      "source": null,
      "type": "AUTHENTICATION",
      "authenticationPrincipal": "<principal>",
      "userName": "<username>",
      "connection": {
        "localAddress": "/<gateway-ip>:<port>",
        "remoteAddress": "/<client-ip>:<port>"
      },
      "specVersion": "0.1.0",
      "time": "2025-07-18T16:07:06.570723674Z",
      "eventData": "SUCCESS"
    }
    ```

    ### Field details

    **Key fields and their values:**

    * `authenticationPrincipal`: The tenant name, or `null` on some authentication failures.
    * `userName`: The attempted user name, or `null` on some authentication failures.
    * `source`: Event source, always `null` for authentication events.
    * `eventData`: Contains success/failure messages and error details.

    ## Gateway audit event types

    Gateway supports the following audit event types:

    ### Connection event

    The connection event tracks client connections to Gateway. It captures client information like remote address, which helps with monitoring connections.

    ### Authentication event

    The authentication event records the authentication attempts made by clients to Gateway. It records both successful and failed attempts, providing insights into who accessed Gateway.

    The `eventData` field contains different messages, depending on the Gateway security mode, Gateway security protocol and the authentication outcome. Here are some common examples:

    | **Security mode** | **SASL mechanism** | **Outcome** | **Event data**                                                                                                                                                             |
    | :---------------- | :----------------- | :---------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
    | Gateway managed   | PLAIN              | Success     | `"SUCCESS"`                                                                                                                                                                |
    | Gateway managed   | PLAIN              | Failure     | `"Authentication failed: credentials for user could not be verified. Cause: Invalid username or password"`                                                                 |
    | Gateway managed   | PLAIN              | Failure     | `"Authentication failed: credentials for user could not be verified. Cause: Password token is valid but username <username> is invalid"`                                   |
    | Gateway managed   | PLAIN              | Failure     | `"Authentication failed: credentials for user could not be verified. Cause: Token has expired. Claims: {username=<username>, vcluster=<vcluster>, exp=<timestamp>}"`       |
    | Gateway managed   | PLAIN              | Failure     | `"Authentication failed: username not specified"` or `"Authentication failed: password not specified"`                                                                     |
    | Gateway managed   | PLAIN              | Failure     | `"Authentication failed: credentials for user could not be verified. Cause: Password token is valid for username, but username <username> is not an existing local user."` |
    | Gateway managed   | OAUTHBEARER        | Failure     | `"{\"status\":\"invalid_token\"}"`                                                                                                                                         |
    | Kafka managed     | Any                | Failure     | `"SASL Authentication failed."`                                                                                                                                            |
    | Kafka managed     | Any                | Failure     | `"Gateway can't detect principal from your authorization exchange. Please contact your administrator"`                                                                     |

    <Note>
      For the Gateway managed with OAUTHBEARER, authentication may also fail if the Kafka client is unable to fetch the token from the configured OAUTH provider. This occurs before reaching Gateway, so audit log event would not be created.
    </Note>

    ### Safeguard event

    The safeguard event captures policy enforcement actions by safeguard Interceptors such as data quality producer policy and Traffic Control Policies.

    ### API keys request event

    The [Kafka protocol](https://kafka.apache.org/0101/protocol.html#protocol_api_keys) describes `API keys` that represent different kinds of requests that can be made to the broker.

    On Gateway, you can configure an [audit Interceptor](/guide/reference/data-security#audit-interceptor) to track specific Kafka operations (such as `PRODUCE`, `FETCH`, `CREATE_TOPICS`, `DELETE_TOPICS` and `ALTER_CONFIGS`) to elevate audit logging on certain topics as needed.

    ### REST API event

    The REST API event logs calls made to the Gateway's REST endpoints.

    ### Interceptor event

    The Interceptor event records encryption/decryption error messages from cryptography Interceptors.

    ### ACL admin event

    The ACL admin event tracks Access Control List operations done via Kafka Admin API, such as `CREATE_ACLS` and `DELETE_ACLS` requests.

    ACL operations done via REST API (for Virtual Cluster) are recorded as REST API events.

    ### Authorization failure event

    The authorization failure event records failed attempts to access a resource when ACL permissions deny the operation.

    ACL permissions are determined by [Kafka authorization primitives](https://kafka.apache.org/documentation/#security_authz_primitives) <Icon icon="up-right-from-square" /> (i.e. Operation and Resource), resource name, user name, tenant (i.e. Virtual Cluster) name and host.

    The value of `eventData` in the authorization failure audit log event depends on the value of `SECURITY_MODE` configuration.

    | **Security mode** | **Information in event data**  | **Example event data value**                                                                                                                               |
    | :---------------- | :----------------------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------- |
    | Gateway managed   | Kafka authorization primitives | `"DENY Operation.WRITE on Resource(name=test-topic, resourceType=TOPIC, patternType=LITERAL) for [Tenant: passthrough, User: test-user, Host: 127.0.0.1]"` |
    | Kafka managed     | Authorization failure type     | `"Kafka error 'Topic authorization failed.' when processing 'PRODUCE' request."`                                                                           |
  </Tab>
</Tabs>

## Related resources

* [Configure audit log topics](/guide/tutorials/configure-audit-log-topic)
* [Customize logs](/guide/tutorials/custom-logging)
* [Gateway audit Interceptor](/guide/reference/data-security#audit-interceptor)
* [Give us feedback/request a feature](https://conduktor.io/roadmap) <Icon icon="up-right-from-square" />
