What does "realm_authentication_failed" really mean?

In the audit log, I saw the log below. What does "realm_authentication_failed" really mean? This query was normal, so why "realm_authentication_failed"?

{
    "type":"audit",
    "timestamp":"2022-08-18T02:35:15,041+0000",
    "node.id":"xxxxxxxx",
    "event.type":"rest",
    "event.action":"realm_authentication_failed",
    "user.name":"xxxxxxx",
    "origin.type":"rest",
    "origin.address":"xxxxxxx",
    "realm":"reserved",
    "url.path":"/indexAAA/_search",
    "url.query":"typed_keys=true&ignore_unavailable=false&expand_wildcards=open&allow_no_indices=true&ignore_throttled=true&search_type=query_then_fetch&batched_reduce_size=512&ccs_minimize_roundtrips=true",
    "request.method":"POST",
    "request.body":"{\"from\":10,\"size\":10,\"query\":{\"bool\":{\"must\":[{\"term\":{\"logname\":{\"value\":\"xxxxxx\",\"boost\":1.0}}},{\"range\":{\"logtime-UTC\":{\"from\":\"2022-08-11 00:00:00\",\"to\":\"2022-08-18 10:34:56\",\"include_lower\":true,\"include_upper\":true,\"time_zone\":\"Asia/Shanghai\",\"format\":\"yyyy-MM-dd HH:mm:ss\",\"boost\":1.0}}},{\"bool\":{\"should\":[{\"term\":{\"serverid\":{\"value\":\"xxxx\",\"boost\":1.0}}}],\"adjust_pure_negative\":true,\"boost\":1.0}},{\"match\":{\"userid\":{\"query\":\"xxxxxxx\",\"operator\":\"OR\",\"prefix_length\":0,\"max_expansions\":50,\"fuzzy_transpositions\":true,\"lenient\":false,\"zero_terms_query\":\"NONE\",\"auto_generate_synonyms_phrase_query\":true,\"boost\":1.0}}},{\"match\":{\"roleid\":{\"query\":\"xxxxxx\",\"operator\":\"OR\",\"prefix_length\":0,\"max_expansions\":50,\"fuzzy_transpositions\":true,\"lenient\":false,\"zero_terms_query\":\"NONE\",\"auto_generate_synonyms_phrase_query\":true,\"boost\":1.0}}}],\"adjust_pure_negative\":true,\"boost\":1.0}},\"sort\":[{\"logtime\":{\"order\":\"asc\"}}],\"track_total_hits\":2147483647}",
    "request.id":"xxxxxxx"
}

realm_authentication_failed is not enabled by default in audit logs. It is logged when a realm attempts to authenticate a user but is not successful. This may not be a problem at all because another realm may later successfully authenticate the user.

I'm pretty sure there's nothing wrong with the username and password, so what caused this "realm_authentication_failed"?

It almost certainly means that the user (which you've masked out from your log) doesn't exist in the reserved realm. Therefore the reserved realm failed to authenticate the user.

As @Yang_Wang said:

This may not be a problem at all because another realm may later successfully authenticate the user.
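Because a realm_authentication_failed record only says that one realm declined the user, someone reviewing the audit log needs to pair it with the outcome of the same request before treating it as a problem. The following is an added example, not code from this thread or from Elasticsearch; it assumes newline-delimited JSON records with the field names shown above, that the overall outcome is logged as authentication_success or authentication_failed, and that request.id ties one request's records together.

```python
import json
from collections import defaultdict

# Constructed sample audit records (not from the original thread). Field names
# follow the thread's records; req-1 shows the reserved realm declining before
# the native realm succeeds, req-2 shows every realm declining.
SAMPLE_AUDIT_LOG = """\
{"type":"audit","event.action":"realm_authentication_failed","user.name":"alice","realm":"reserved","request.id":"req-1"}
{"type":"audit","event.action":"authentication_success","user.name":"alice","realm":"native","request.id":"req-1"}
{"type":"audit","event.action":"realm_authentication_failed","user.name":"mallory","realm":"reserved","request.id":"req-2"}
{"type":"audit","event.action":"realm_authentication_failed","user.name":"mallory","realm":"native","request.id":"req-2"}
{"type":"audit","event.action":"authentication_failed","user.name":"mallory","request.id":"req-2"}
"""


def parse_audit_log(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage_auth_events(records):
    """Group records by request.id (assumed correlation key) and report, per
    request, which realms declined the user and whether the request was
    authenticated in the end."""
    by_request = defaultdict(list)
    for rec in records:
        by_request[rec.get("request.id")].append(rec)

    summary = {}
    for request_id, recs in by_request.items():
        actions = [r.get("event.action") for r in recs]
        realms_declined = [r.get("realm") for r in recs
                           if r.get("event.action") == "realm_authentication_failed"]
        if "authentication_success" in actions:
            outcome = "success"   # a later realm accepted the credentials
        elif "authentication_failed" in actions:
            outcome = "failed"    # no realm accepted them
        else:
            outcome = "unknown"   # only per-realm failures seen so far
        summary[request_id] = {
            "user": next((r.get("user.name") for r in recs if r.get("user.name")), None),
            "realms_declined": realms_declined,
            "outcome": outcome,
        }
    return summary


def requests_worth_alerting(records):
    """Request ids whose realm failures were not followed by a success."""
    return sorted(rid for rid, s in triage_auth_events(records).items()
                  if s["realms_declined"] and s["outcome"] != "success")
```

Running `requests_worth_alerting(parse_audit_log(SAMPLE_AUDIT_LOG))` on the sample returns only `["req-2"]`; req-1's reserved-realm failure is filtered out because the same request later succeeded.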

Why verify that a user exists in the reserved realm? Or what is the point of this log?

Thanks for your reply. I have another problem: what does "anonymous_access_denied" really mean?
In the audit log, I saw the log below. But the query executes successfully, so why is "anonymous_access_denied" recorded in the logs?

{
    "type":"audit",
    "timestamp":"2022-08-18T07:30:41,843+0000",
    "node.id":"xxxxxxxxx",
    "event.type":"rest",
    "event.action":"anonymous_access_denied",
    "origin.type":"rest",
    "origin.address":"xxxxxxxx",
    "url.path":"/idnexBBBB/_search",
    "url.query":"pre_filter_shard_size=128&typed_keys=true&max_concurrent_shard_requests=5&ignore_unavailable=false&expand_wildcards=open&allow_no_indices=true&ignore_throttled=true&scroll=1m&search_type=query_then_fetch&batched_reduce_size=512&ccs_minimize_roundtrips=true",
    "request.method":"POST",
    "request.body":"{\"size\":10000,\"query\":{\"bool\":{\"must\":[{\"term\":{\"jobid\":{\"value\":xxxxxx,\"boost\":1.0}}},{\"range\":{\"logtime\":{\"from\":\"2022-08-18 14:30:43\",\"to\":\"2022-08-19 14:30:43\",\"include_lower\":true,\"include_upper\":true,\"time_zone\":\"+08:00\",\"format\":\"yyyy-MM-dd HH:mm:ss\",\"boost\":1.0}}}],\"adjust_pure_negative\":true,\"boost\":1.0}},\"sort\":[{\"logtime\":{\"order\":\"asc\"}},{\"linenum\":{\"order\":\"asc\"}}]}",
    "request.id":"xxxxxxxxxx"
}

It is described as follows in the official documents:
anonymous_access_denied
"Logged when a request is denied due to missing authentication credentials."
However, the query in the log above was successfully executed and authenticated, so I'm confused.
