7.4.5.2.2. Reporting attributes

In Elasticsearch, all structured log documents use the "airlock-iam" index template / mapping, which specifies all fields.

| Key | Description | Example |
|---|---|---|
| action_group | action_group combines different actions into categories. | authn, factor |
| action | IAM reporting uses action to document the outcome of requests being processed. | login, logout |
| authentee_id | Unique identifier of the authenticated user or tech-client. authentee_id reports the primary key of the user or tech-client. | john.doe |
| authentee_provided_id | Username provided by the user during authentication. authentee_id and authentee_provided_id may differ if IAM is configured to allow aliases. | johndoe@gmail.com |
| authentee_type | Indicates which data source was used to authenticate the user or technical client. | user, admin, tech-client |
| channel | Indicates which channel was used to authenticate. This attribute is useful to differentiate between scenarios where every single request is authenticated and scenarios where one single authentication is sufficient for an entire session. | basic-auth, client-certificate, default, one-shot, rest-protected, sso, oauth2-resource |
| engine | Indicates if IAM processed the action in the "classic" engine or if the request was handled by the REST engine (flows). | classic, rest |
| factor | Groups different authentication factors into categories. | certificate (X.509 certificates), cram (challenge response authentication mechanism), otp (one time password), password, token (token or ticket based authentication) |
| factor_detail | see below | |
| status | Status documents success or failure of an action. | success, failure |
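
The following is an added example, not part of the Airlock IAM documentation or product: it shows how the action, status, authentee_id and authentee_provided_id attributes can be combined to count failed logins per provided username and to list successful logins made through an alias. The sample documents are constructed, and which attributes are present on a failed login is an assumption, so the code tolerates missing keys.

```python
import json
from collections import Counter

# Constructed sample documents (not real IAM output). Keys and most values come
# from the attribute table; the user "alice" is made up for the example.
SAMPLE_DOCS = """
{"action":"login","authentee_provided_id":"johndoe@gmail.com","factor":"password","channel":"default","status":"failure"}
{"action":"login","authentee_provided_id":"johndoe@gmail.com","factor":"password","channel":"default","status":"failure"}
{"action":"login","authentee_provided_id":"johndoe@gmail.com","factor":"password","channel":"default","status":"failure"}
{"action":"login","authentee_provided_id":"johndoe@gmail.com","authentee_id":"john.doe","authentee_type":"user","factor":"password","channel":"default","status":"success"}
{"action":"login","authentee_provided_id":"alice","factor":"password","channel":"default","status":"failure"}
{"action":"login","authentee_provided_id":"john.doe","authentee_id":"john.doe","authentee_type":"user","factor":"otp","channel":"default","status":"success"}
{"action":"logout","authentee_id":"john.doe","authentee_type":"user","channel":"default","status":"success"}
"""

def load_docs(text):
    """Parse one JSON document per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_login(doc, status):
    """True for a login action that ended with the given status."""
    return doc.get("action") == "login" and doc.get("status") == status

def failed_logins(docs, threshold=3):
    """Provided usernames with at least `threshold` failed logins.

    Keyed on authentee_provided_id because that is what the client typed;
    authentee_id (the primary key) may be absent when authentication fails.
    """
    counts = Counter(
        d["authentee_provided_id"]
        for d in docs
        if is_login(d, "failure") and d.get("authentee_provided_id")
    )
    return {name: n for name, n in counts.items() if n >= threshold}

def alias_logins(docs):
    """Sorted (provided id, primary key) pairs for successful alias logins."""
    pairs = set()
    for d in docs:
        provided, primary = d.get("authentee_provided_id"), d.get("authentee_id")
        if is_login(d, "success") and provided and primary and provided != primary:
            pairs.add((provided, primary))
    return sorted(pairs)

if __name__ == "__main__":
    docs = load_docs(SAMPLE_DOCS)
    print("failed logins at or over threshold:", failed_logins(docs))
    print("successful alias logins:", alias_logins(docs))
```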