Konnect audit logs

Audit logs can help you detect and respond to potential security incidents when they occur.

Audit logging provides the following benefits:

  • Security: System events can reveal abnormalities to investigate, supply forensic information related to breaches, or provide evidence for compliance and regulatory purposes.
  • Compliance: Regulators and auditors may require audit logs to confirm whether certain certification standards are met.
  • Debugging: Audit logs can help determine the root causes of efficiency or performance issues.
  • Risk management: Prevent issues or catch them early.

Configure audit logging

Konnect captures three types of events:

| Event type | Org audit logs |
| --- | --- |
| Authentication | This is triggered when a user attempts to log into the Konnect web application or use the Konnect API via a personal access token. Also triggered when a system account access token is used. |
| Authorization | Triggered when a permission check is made for a user or system account against a resource. |
| Access logs | Triggered when a request is made to the Konnect API. |

Konnect retains audit logs for 7 days.

Audit log webhook status

You can view the webhook status in the UI or via the API for the Konnect org audit logs.

The following table describes the webhook statuses:

| Attribute | Description |
| --- | --- |
| last_attempt_at | The last time Konnect tried to send data to your webhook |
| last_response_code | The last response code from your webhook |
| webhook_enabled | The desired status of the webhook (from audit-log-webhook.enabled) |
| webhook_status | The actual status of the webhook |

The combination of webhook_enabled and webhook_status gives a full picture of the webhook status:

| webhook_enabled | webhook_status | Description |
| --- | --- | --- |
| true | active | Konnect is ready to send data to the webhook. Either no attempts have been made yet (last_attempt_at is not set), or the last attempt was successful. |
| true | inactive | Last attempt to send data failed, but the webhook is still enabled. This usually means that an error in the endpoint or an outage at the SIEM provider caused the logs to stop streaming. |
| false | active | Webhook config is saved. Konnect is not shipping data to it per webhook configuration. |
| false | inactive | Last attempt to send data failed, and the customer has turned off the webhook. |
| false | unconfigured | The webhook for this region has not been configured yet. |

Log formats

Konnect delivers log events in ArcSight CEF Format or JSON. You may specify which format to use in the audit log webhook endpoints.

Webhook calls include a batch of events. Each event is formatted in either CEF or JSON and separated by a newline. The Content-Type is text/plain.

To minimize payload size, the message body is compressed. The Content-Encoding is application/gzip.

All log entries include the following attributes:

| Property | Description |
| --- | --- |
| Timestamp | Time and date of the event in UTC. |
| rt | Milliseconds since Unix epoch. |
| src | The IP address of the request originator. |
| org_id | The originating organization ID. |
| principal_id | The user ID of the user that performed the action. |
| ~kong_initiated~ | Whether the action was performed by Kong |
| trace_id | The correlation ID of the request. Use this value to find all log entries for a given request. |
| user_agent | The user agent of the request: application, operating system, vendor, and version. |
| sig | An ED25519 signature. |

Authentication logs

Authentication attempts and their outcomes are logged whenever a user logs in to the Konnect application or the Dev Portal either through the UI or the Konnect API.

Example log entry:

In addition to the defaults, each authentication log entry also contains the following attributes:

| Property | Description |
| --- | --- |
| AUTHENTICATION_TYPE | Can be one of the following: |
| | AUTHENTICATION_TYPE_BASIC: Basic email and password authentication |
| | AUTHENTICATION_TYPE_SSO: Authentication with single sign-on (SSO) |
| | AUTHENTICATION_TYPE_PAT: Authentication with a personal access token |
| AUTHENTICATION_OUTCOME | Can be one of the following: |
| | AUTHENTICATION_OUTCOME_SUCCESS: Authentication is successful |
| | AUTHENTICATION_OUTCOME_NOT_FOUND: User was not found |
| | AUTHENTICATION_OUTCOME_INVALID_PASSWORD: Invalid password specified |
| | AUTHENTICATION_OUTCOME_LOCKED: User account is locked |
| | AUTHENTICATION_OUTCOME_DISABLED: User account has been disabled |
| success | true or false, depending on whether authentication was successful or not. |
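
The batch delivery described under "Log formats" and the authentication attributes above, handled on the receiving side, as an added example (not code from Kong): it gunzips a webhook body under a size cap, parses each newline-separated CEF line, and reports source IPs with repeated failed authentications. The sample lines are constructed; the CEF header values, the appearance of `src` and `success` as extension keys, flat JSON objects with the same property names, and the names `MAX_BYTES`, `parse_cef`, `decode_batch` and `failed_logins_by_src` are assumptions.

```python
import gzip
import io
import json
import re
from collections import Counter

MAX_BYTES = 5 * 1024 * 1024  # assumed cap on decompressed batch size
# A CEF extension key is a bare word followed by "="; values may hold spaces.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")

def parse_cef(line):
    """Parse one CEF line into a dict of header fields and extension keys."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    # Seven pipe-delimited header fields, then the key=value extension.
    parts = re.split(r"(?<!\\)\|", line[start + 4:], maxsplit=7)
    if len(parts) < 8:
        raise ValueError("truncated CEF header")
    event = {"prefix": line[:start].strip(), "cef_header": parts[:7]}
    ext, keys = parts[7], list(_EXT_KEY.finditer(parts[7]))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        event[m.group(1)] = ext[m.end():end].strip().replace("\\=", "=")
    return event

def decode_batch(body):
    """Gunzip a webhook body (bounded) and parse each newline-separated event."""
    with gzip.GzipFile(fileobj=io.BytesIO(body)) as gz:
        raw = gz.read(MAX_BYTES + 1)
    if len(raw) > MAX_BYTES:
        raise ValueError("decompressed batch exceeds cap")
    lines = (l.strip() for l in raw.decode("utf-8").splitlines())
    return [json.loads(l) if l.startswith("{") else parse_cef(l) for l in lines if l]

def failed_logins_by_src(events, threshold=3):
    """Return {src: count} for sources with at least `threshold` failed logins."""
    fails = Counter(e.get("src", "unknown") for e in events
                    if str(e.get("success")).lower() == "false")
    return {src: n for src, n in fails.items() if n >= threshold}

def sample_body():
    """Constructed batch: header values and addresses are placeholders."""
    def line(src, ok):
        return ("2024-01-01T00:00:00Z CEF:0|ExampleVendor|Konnect|1.0|"
                "AUTHENTICATION_TYPE_BASIC|constructed|0|"
                f"rt=1704067200000 src={src} success={ok} "
                "user_agent=Mozilla/5.0 (X11; Linux x86_64) trace_id=constructed-1")
    rows = [line("203.0.113.7", "false")] * 3 + [line("198.51.100.2", "true")]
    return gzip.compress("\n".join(rows).encode())

if __name__ == "__main__":
    print(failed_logins_by_src(decode_batch(sample_body())))
```

The size cap on decompression keeps an oversized or malformed body from exhausting memory on the collector before any event is parsed.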

Authorization logs

Authorization log entries are created for every permission check in Konnect.

Example log entry:

In addition to the defaults, each authorization log entry also contains the following attributes:

| Property | Description |
| --- | --- |
| action | The type of action the user performed on the resource. For example, retrieve, list, or edit. |
| granted | Boolean indicating whether the authorization was granted or not. |

Access logs

Access logs include information about create, update, and delete requests to the Konnect API.

Example log entry:

In addition to the defaults, each access log entry also contains the following attributes:

| Property | Description |
| --- | --- |
| request | The endpoint that was called. |
| query | The request query parameters, if any. |
| act | The HTTP request method; for example, POST, PATCH, PUT, or DELETE. |
| status | The HTTP response code; for example, 200 or 403. |