Audit Log Event Categories on Confluent Cloud¶
Confluent Cloud audit logs capture event records from auditable event methods for the following event categories. For details on the auditable event methods, click the event category name.
For conceptual information about audit logs, see Audit Log Concepts on Confluent Cloud.
Note
Resource types indicate the scope at which the audited event occurs (for example, topic-level, cluster-level, and organization-level).
Event type reference¶
For quick reference, here are all the event types used in Confluent Cloud audit logs:
| Event type | Service | Description |
|---|---|---|
io.confluent.kafka.server/authentication |
Kafka | User or service account sign-in attempts to Kafka clusters |
io.confluent.kafka.server/authorization |
Kafka | Permission checks for Kafka operations (produce, consume, admin) |
io.confluent.kafka.server/request |
Kafka | Administrative operations on Kafka clusters (topics, ACLs, cluster linking) |
io.confluent.sg.server/authentication |
Schema Registry | User or service account sign-in attempts to Schema Registry clusters |
io.confluent.sg.server/authorization |
Schema Registry | Permission checks for Schema Registry operations |
io.confluent.sg.server/request |
Schema Registry | Schema management operations (create, update, delete schemas) |
io.confluent.ksql.server/authentication |
ksqlDB | User or service account sign-in attempts to ksqlDB clusters |
io.confluent.ksql.server/authorization |
ksqlDB | Permission checks for ksqlDB stream processing operations |
io.confluent.flink.server/authentication |
Flink | User or service account sign-in attempts to Flink regions and clusters |
io.confluent.flink.server/authorization |
Flink | Permission checks for Flink SQL statements and workspace access |
io.confluent.cloud/request |
Flink, Tableflow, Organization | Organization and resource management operations |
io.confluent.cloud/authorization |
Organization | Organization-level authorization checks (for example, IP filters) |
io.confluent.cloud/access-transparency |
Access Transparency | Confluent personnel access to customer resources for support, maintenance, or operational purposes |
Kafka cluster event categories¶
Kafka cluster event categories capture authentication, authorization, and management operations performed on Kafka clusters. These events track user and service account access, permission checks, and administrative operations like topic creation and ACL management.
| Event category | Event type | Resource type | Description |
|---|---|---|---|
| Authentication | io.confluent.kafka.server/authentication |
n/a | User and service account authentication to Kafka clusters |
| Authorization | io.confluent.kafka.server/authorization |
Topic, Cluster, Group |
Authorization checks for Kafka operations (produce, consume, admin) |
| Management and operations | io.confluent.kafka.server/request |
Topic, Cluster, Group, ClusterLink |
Administrative operations like creating topics, managing ACLs, cluster linking |
| RBAC | io.confluent.kafka.server/authorization |
Environment, CloudApiKey, SecurityMetadata, Billing |
Role-based access control authorization for cluster resources |
Note
Kafka authentication events show “n/a” for resource type because authentication
occurs at the cluster connection level, before any resource-specific operations.
Once authenticated, subsequent operations (authorization, management) operate on
specific resource types like Topic, Cluster, or Group.
Schema Registry cluster event categories¶
Schema Registry cluster event categories capture authentication, authorization, and management operations performed on Schema Registry clusters. These events track access to schema operations and schema lifecycle management activities.
| Event category | Event type | Resource type | Description |
|---|---|---|---|
| Authentication | io.confluent.sg.server/authentication |
SCHEMA_REGISTRY |
Authentication to Schema Registry clusters |
| Authorization | io.confluent.sg.server/authorization |
SCHEMA_REGISTRY |
Authorization checks for schema operations |
| Management and operations | io.confluent.sg.server/request |
SCHEMA_REGISTRY |
Schema management operations (create, update, delete schemas) |
ksqlDB cluster event categories¶
ksqlDB cluster event categories capture authentication and authorization operations performed on ksqlDB clusters. These events track access to stream processing operations and SQL statement execution.
| Event category | Event type | Resource type | Description |
|---|---|---|---|
| Authentication | io.confluent.ksql.server/authentication |
KSQL |
Authentication to ksqlDB clusters |
| Authorization | io.confluent.ksql.server/authorization |
KSQL |
Authorization checks for stream processing operations |
Flink cluster event categories¶
Flink cluster event categories capture authentication, authorization, and management operations performed on Flink regions and clusters. These events track access to Flink SQL statements, workspace operations, and resource management.
| Event category | Event type | Resource type | Description |
|---|---|---|---|
| Authentication | io.confluent.flink.server/authentication |
FLINK_REGION |
Authentication to Flink regions and clusters |
| Authorization | io.confluent.flink.server/authorization |
STATEMENT, WORKSPACE |
Authorization checks for Flink SQL statements and workspace access |
| Management and operations | io.confluent.cloud/request |
FLINK_REGION, COMPUTE_POOL, FLINK_WORKSPACE, STATEMENT |
Management of Flink resources (regions, compute pools, workspaces, statements) |
Tableflow event categories¶
Tableflow event categories capture various operations related to data lake management and table operations. These events track catalog integration, topic management, data plane operations, and OAuth authentication for Tableflow services.
| Event category | Event type | Resource type | Description |
|---|---|---|---|
| Catalog integration | io.confluent.cloud/request |
TABLEFLOW_CATALOG, PROVIDER_INTEGRATION |
Integration with external catalog systems (for example, AWS Glue) |
| Control plane operations | io.confluent.cloud/request |
TOPIC |
Creating, updating, and managing Tableflow topics |
| Data plane catalog | io.confluent.cloud/request |
ICEBERG_NAMESPACE, ICEBERG_TABLE, ENVIRONMENT |
Data plane catalog operations for Iceberg tables and namespaces |
| OAuth | io.confluent.cloud/request |
ORGANIZATION |
OAuth authentication and authorization for Tableflow |
| Signer | io.confluent.cloud/request |
ICEBERG_SIGNER |
Data plane signing operations for secure access |
| Topic operations | io.confluent.cloud/request |
TOPIC |
Tableflow topic enablement, configuration, and lifecycle management |
Access Transparency event categories¶
Access Transparency event categories capture when Confluent personnel access customer resources for support, maintenance, or operational purposes. These events provide visibility into privileged access for compliance and transparency requirements.
For an overview of Access Transparency, see Access Transparency on Confluent Cloud.
| Event category | Event type | Resource type | Description |
|---|---|---|---|
| Privileged access | io.confluent.cloud/access-transparency |
KAFKA_CLUSTER, ENVIRONMENT, ORGANIZATION |
Confluent personnel access to customer resources for support, maintenance, or operational purposes |
Organization event categories¶
Organization events are split into separate sections due to the large number of management operations.
Note
Users may attempt to authorize a task solely to find out if they can perform the task, and not follow through with it. In these instances, the authorization is still captured in the audit log.
Organization authorization¶
| Event category | Event type | Resource type | Description |
|---|---|---|---|
| IP filter | io.confluent.cloud/authorization |
ORGANIZATION |
Authorization checks for IP-based access filtering |
Organization management and operations¶
The following subcategories represent different resource types and their associated operations (create, read, update, delete):
Access Management
| Event subcategory | Event type | Resource type | Description |
|---|---|---|---|
| API key | io.confluent.cloud/request |
API_KEY |
API key management operations |
| Identity pool (OAuth/OIDC) | io.confluent.cloud/request |
IDENTITY_POOL |
Identity pool management operations |
| Identity provider (OAuth/OIDC) | io.confluent.cloud/request |
IDENTITY_PROVIDER |
Identity provider management operations |
| Role-based access control (RBAC) | io.confluent.cloud/request |
CLOUD_CLUSTER |
RBAC management operations |
| Service account | io.confluent.cloud/request |
ORGANIZATION |
Service account management operations |
| Single Sign-on (SSO) connection | io.confluent.cloud/request |
SSO_CONNECTION |
SSO connection management operations |
| User account | io.confluent.cloud/request |
USER |
User account management operations |
| User Invitation | io.confluent.cloud/request |
USER_INVITATION |
User invitation management operations |
Infrastructure and Resources
| Event subcategory | Event type | Resource type | Description |
|---|---|---|---|
| Connector | io.confluent.cloud/request |
CONNECTOR |
Connector management operations |
| Custom connector plugin | io.confluent.cloud/request |
CUSTOM_CONNECTOR_PLUGIN |
Custom connector plugin management operations |
| Environment | io.confluent.cloud/request |
ENVIRONMENT |
Environment management operations |
| Kafka cluster | io.confluent.cloud/request |
KAFKA_CLUSTER |
Kafka cluster management operations |
| ksqlDB cluster | io.confluent.cloud/request |
KSQL_CLUSTER |
ksqlDB cluster management operations |
| Schema Registry cluster | io.confluent.cloud/request |
SCHEMA_REGISTRY |
Schema Registry cluster management operations |
Networking
| Event subcategory | Event type | Resource type | Description |
|---|---|---|---|
| DNS forwarder | io.confluent.cloud/request |
DNS_FORWARDER |
DNS forwarder management operations |
| Network | io.confluent.cloud/request |
NETWORK |
Network management operations |
| Peering connection | io.confluent.cloud/request |
PEERING |
Peering connection management operations |
| Private link access | io.confluent.cloud/request |
PRIVATE_LINK_ACCESS |
Private link access management operations |
| Private link attachment | io.confluent.cloud/request |
PRIVATE_LINK_ATTACHMENT |
Private link attachment management operations |
| Private link attachment connection | io.confluent.cloud/request |
PRIVATE_LINK_ATTACHMENT_CONNECTION |
Private link attachment connection management operations |
| Transit gateway attachment | io.confluent.cloud/request |
ENVIRONMENT |
Transit gateway attachment management operations |
Services and Integrations
| Event subcategory | Event type | Resource type | Description |
|---|---|---|---|
| Billing | io.confluent.cloud/request |
ORGANIZATION |
Billing management operations |
| MarketPlace Entitlement | io.confluent.cloud/request |
MARKETPLACE_ENTITLEMENT |
Marketplace entitlement management operations |
| Notification integration | io.confluent.cloud/request |
NS_INTEGRATION |
Notification integration management operations |
| Notification subscription | io.confluent.cloud/request |
NS_SUBSCRIPTION |
Notification subscription management operations |
| Notification type | io.confluent.cloud/request |
NS_NOTIFICATION_TYPE |
Notification type management operations |
| Sign-in attempt | io.confluent.cloud/request |
ORGANIZATION |
Sign-in attempt tracking operations |