Reporting attributes

In Elasticsearch, all structured log documents use the "airlock-iam" index template/mapping, which specifies all fields.

Key

Description

Example

action_group

action_group combines different actions into categories.

  • authn
  • factor

action

IAM reporting uses action to document the outcome of requests being processed.

For more details, see Reporting log attribute: action_group and action.

  • login
  • logout

authentee_id

Unique identifier of the authenticated user or tech-client.

authentee_id reports the primary key of the user or tech-client.

john.doe

authentee_provided_id

Username provided by the user during authentication.

authentee_id and authentee_provided_id may differ if IAM is configured to allow aliases.

johndoe@gmail.com

authentee_type

Indicates which data source was used to authenticate the user or technical client.

  • user
  • admin
  • tech-client

channel

Indicates which channel was used to authenticate.

This attribute is useful to differentiate between scenarios where every single request is authenticated and scenarios where one single authentication is sufficient for an entire session.

  • basic-auth
  • client-certificate
  • default
  • one-shot
  • rest-protected
  • sso
  • oauth2-resource

engine

Indicates if IAM processed the action in the "classic" engine or if the request was handled by the REST engine (flows).

  • classic
  • rest

factor

Groups different authentication factors into categories.

  • certificate (X.509 certificates)
  • cram (challenge-response authentication mechanism)
  • otp (one-time password)
  • password
  • token (token or ticket based authentication)

factor_detail

See below.

status

Status documents success or failure of an action.

  • success
  • failure
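
The following is an added example, not part of the Airlock IAM documentation or product code. It shows how the attributes above can be combined for detection: it flags successful logins that follow a streak of failed logins for the same authentee_provided_id, and lists logins made through an alias. The sample documents, the helper names, the threshold and the assumption that documents arrive in chronological order are all constructed for illustration.

```python
from collections import Counter

def doc(action, status, provided_id, authentee_id=None, **extra):
    """Build a constructed sample document with the table's field names."""
    d = {"action_group": "authn", "action": action, "status": status,
         "authentee_provided_id": provided_id, **extra}
    if authentee_id is not None:
        d["authentee_id"] = authentee_id
    return d

# Constructed sample data (not real log output), assumed chronological.
# Assumption of this sample: failed logins carry only the provided id.
DOCS = [
    doc("login", "failure", "johndoe@gmail.com", factor="password", channel="default"),
    doc("login", "failure", "johndoe@gmail.com", factor="password", channel="default"),
    doc("login", "failure", "jane.roe", factor="password", channel="default"),
    doc("login", "failure", "johndoe@gmail.com", factor="password", channel="default"),
    doc("login", "success", "johndoe@gmail.com", "john.doe", factor="password"),
    doc("login", "success", "jane.roe", "jane.roe", factor="password"),
    doc("logout", "success", "johndoe@gmail.com", "john.doe"),
    doc("login", "success", "batch-client", "batch-client",
        authentee_type="tech-client", channel="basic-auth"),
]

def is_login(d, status):
    return (d.get("action_group") == "authn" and d.get("action") == "login"
            and d.get("status") == status)

def failures_before_success(docs, threshold=3):
    """Map provided id -> failure streak length for each successful login
    preceded by at least `threshold` consecutive failed logins."""
    streak, hits = Counter(), {}
    for d in docs:
        pid = d.get("authentee_provided_id")
        if pid is None:
            continue
        if is_login(d, "failure"):
            streak[pid] += 1
        elif is_login(d, "success"):
            if streak[pid] >= threshold:
                hits[pid] = streak[pid]
            streak[pid] = 0  # a success ends the streak
    return hits

def alias_logins(docs):
    """Successful logins where authentee_provided_id differs from authentee_id."""
    return sorted({(d["authentee_provided_id"], d["authentee_id"]) for d in docs
                   if is_login(d, "success") and d.get("authentee_id")
                   and d["authentee_id"] != d["authentee_provided_id"]})

if __name__ == "__main__":
    print(failures_before_success(DOCS), alias_logins(DOCS))
```

Keying the failure streak on authentee_provided_id rather than authentee_id keeps attempts against unknown or aliased usernames visible.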