In Elasticsearch, all structured log documents use the "airlock-iam" index template/mapping, which specifies all fields.

Key | Description | Example |
---|---|---|
action_group | action_group combines different actions into categories. | |
action | IAM reporting uses action to document the outcome of requests being processed. For more details see Reporting log attribute: action_group and action. | |
authentee_id | Unique identifier of the authenticated user or tech-client. authentee_id reports the primary key of the user or tech-client. | john.doe |
authentee_provided_id | Username provided by the user during authentication. authentee_id and authentee_provided_id may differ if IAM is configured to allow aliases. | johndoe@gmail.com |
authentee_type | Indicates which data source was used to authenticate the user or technical client. | |
channel | Indicates which channel was used to authenticate. This attribute is useful to differentiate between scenarios where every single request is authenticated and scenarios where one single authentication is sufficient for an entire session. | |
engine | Indicates if IAM processed the action in the "classic" engine or if the request was handled by the REST engine (flows). | |
factor | Groups different authentication factors into categories. | |
factor_detail | See below. | |
status | Status documents success or failure of an action. | |