Audit Log Event Categories on Confluent Cloud¶
Confluent Cloud audit logs capture event records from auditable event methods for the following event categories. For details on the auditable event methods, click the event category name.
For conceptual information about audit logs, see Audit Log Concepts on Confluent Cloud.
Note
Resource types indicate the scope at which the audited event occurs (topic-level, cluster-level, organization-level, etc.).
Kafka cluster event categories¶
| Event category | Event type | Resource type | Description |
|---|---|---|---|
| Authentication | io.confluent.kafka.server/authentication |
n/a | User and service account authentication to Kafka clusters |
| Authorization | io.confluent.kafka.server/authorization |
Topic, Cluster, Group |
Authorization checks for Kafka operations (produce, consume, admin) |
| Management and operations | io.confluent.kafka.server/request |
Topic, Cluster, Group, ClusterLink |
Administrative operations like creating topics, managing ACLs, cluster linking |
| RBAC | io.confluent.kafka.server/authorization |
Environment, CloudApiKey, SecurityMetadata, Billing |
Role-based access control authorization for cluster resources |
Note
Kafka authentication events show “n/a” for resource type because authentication
occurs at the cluster connection level, before any resource-specific operations.
Once authenticated, subsequent operations (authorization, management) operate on
specific resource types like Topic, Cluster, or Group.
Schema Registry cluster event categories¶
| Event category | Event type | Resource type | Description |
|---|---|---|---|
| Authentication | io.confluent.sg.server/authentication |
SCHEMA_REGISTRY |
Authentication to Schema Registry clusters |
| Authorization | io.confluent.sg.server/authorization |
SCHEMA_REGISTRY |
Authorization checks for schema operations |
| Management and operations | io.confluent.sg.server/request |
SCHEMA_REGISTRY |
Schema management operations (create, update, delete schemas) |
ksqlDB cluster event categories¶
| Event category | Event type | Resource type | Description |
|---|---|---|---|
| Authentication | io.confluent.ksql.server/authentication |
KSQL |
Authentication to ksqlDB clusters |
| Authorization | io.confluent.ksql.server/authorization |
KSQL |
Authorization checks for stream processing operations |
Flink cluster event categories¶
| Event category | Event type | Resource type | Description |
|---|---|---|---|
| Authentication | io.confluent.flink.server/authentication |
FLINK_REGION |
Authentication to Flink regions and clusters |
| Authorization | io.confluent.flink.server/authorization |
STATEMENT, WORKSPACE |
Authorization checks for Flink SQL statements and workspace access |
| Management and operations | io.confluent.cloud/request |
FLINK_REGION, COMPUTE_POOL, FLINK_WORKSPACE, STATEMENT |
Management of Flink resources (regions, compute pools, workspaces, statements) |
Tableflow event categories¶
Event type: io.confluent.cloud/request
| Event category | Resource type | Description |
|---|---|---|
| Catalog integration | TABLEFLOW_CATALOG, PROVIDER_INTEGRATION |
Integration with external catalog systems (AWS glue, etc.) |
| Control plane operations | TOPIC |
Creating, updating, and managing Tableflow topics |
| Data plane catalog | ICEBERG_NAMESPACE, ICEBERG_TABLE, ENVIRONMENT |
Data plane catalog operations for Iceberg tables and namespaces |
| OAuth | ORGANIZATION |
OAuth authentication and authorization for Tableflow |
| Signer | ICEBERG_SIGNER |
Data plane signing operations for secure access |
| Topic operations | TOPIC |
Tableflow topic enablement, configuration, and lifecycle management |
Organization event categories¶
Organization events are split into separate sections due to the large number of management operations.
Note
Users may attempt to authorize a task solely to find out if they can perform the task, and not follow through with it. In these instances, the authorization is still captured in the audit log.
Organization authorization¶
Event type: io.confluent.cloud/authorization
| Event category | Resource type | Description |
|---|---|---|
| IP filter | ORGANIZATION |
Authorization checks for IP-based access filtering |
Organization management and operations¶
Event type: io.confluent.cloud/request
The following subcategories represent different resource types and their associated operations (create, read, update, delete):
Access Management
| Event subcategory | Resource type |
|---|---|
| API key | API_KEY |
| Identity pool (OAuth/OIDC) | IDENTITY_POOL |
| Identity provider (OAuth/OIDC) | IDENTITY_PROVIDER |
| Role-based access control (RBAC) | CLOUD_CLUSTER |
| Service account | ORGANIZATION |
| Single Sign-on (SSO) connection | SSO_CONNECTION |
| User account | USER |
| User Invitation | USER_INVITATION |
Infrastructure and Resources
| Event subcategory | Resource type |
|---|---|
| Connector | CONNECTOR |
| Custom connector plugin | CUSTOM_CONNECTOR_PLUGIN |
| Environment | ENVIRONMENT |
| Kafka cluster | KAFKA_CLUSTER |
| ksqlDB cluster | KSQL_CLUSTER |
| Schema Registry cluster | SCHEMA_REGISTRY |
Networking
| Event subcategory | Resource type |
|---|---|
| DNS forwarder | DNS_FORWARDER |
| Network | NETWORK |
| Peering connection | PEERING |
| Private link access | PRIVATE_LINK_ACCESS |
| Private link attachment | PRIVATE_LINK_ATTACHMENT |
| Private link attachment connection | PRIVATE_LINK_ATTACHMENT_CONNECTION |
| Transit gateway attachment | ENVIRONMENT |
Services and Integrations
| Event subcategory | Resource type |
|---|---|
| Billing | ORGANIZATION |
| MarketPlace Entitlement | MARKETPLACE_ENTITLEMENT |
| Notification integration | NS_INTEGRATION |
| Notification subscription | NS_SUBSCRIPTION |
| Notification type | NS_NOTIFICATION_TYPE |
| Sign-in attempt | ORGANIZATION |