Parsing of audit log

I got the following from logfile:

"event.type":"transport", "event.action":"access_granted", "":"_xpack_security", "user.realm":"__attach", "user.roles":["superuser"], "origin.type":"local_node", "origin.address":"", "action":"cluster:admin/xpack/security/realm/cache/clear[n]", "":"Node"}

Can anybody summarize the main purpose of this event? It is a cache clear action initiated by xpack_security to the cluster?

Hi Li,

Correct, this is indication of the realm cache being cleared. There are a number of cases that could trigger this including, but not limited to:

  • role mapping changes
  • native/reserved user modification ( password change, user property change, user enabled/disabled)

If this was triggered by a call to the clear cache API, you'd get an "origin.type": "rest"and "" would reflect the user that called the API

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.