This repository has been archived on 2024-05-31. You can view files and clone it, but cannot push or open issues or pull requests.
authentik/website/docs/events/index.md
Jens L 02869d8173
stages/user_login: session binding (#7881)
* start with user_login stage

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

# Conflicts:
#	authentik/root/settings.py

* fix and improve logout event

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* lint pass

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update authenticated session when IP changes and binding doesn't break

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update docs, always keep old and new IP in event

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* re-gen api schema

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-12-23 01:20:23 +01:00

7.4 KiB

title
Events

Events are authentik's built-in logging system. Whenever any of the following actions occur, an event is created:

Certain information is stripped from events, to ensure no passwords or other credentials are saved in the log.

Event retention

The event retention is configured on a per-tenant level, with the default being set to 365 days. For events where a related tenant cannot be found, the retention is also set to 365 days.

If you want to forward these events to another application, forward the log output of all authentik containers. Every event creation is logged with the log level "info". For this configuration, it is also recommended to set the internal retention pretty low (for example, days=1).

Event actions

login

A user logs in (including the source, if available)

Example
{
    "pk": "f00f54e7-2b38-421f-bc78-e61f950048d6",
    "user": {
        "pk": 1,
        "email": "root@localhost",
        "username": "akadmin"
    },
    "action": "login",
    "app": "authentik.events.signals",
    "context": {
        "auth_method": "password",
        "http_request": {
            "args": {
                "query": "next=%2F"
            },
            "path": "/api/v3/flows/executor/default-authentication-flow/",
            "method": "GET"
        },
        "auth_method_args": {}
    },
    "client_ip": "::1",
    "created": "2023-02-15T15:33:42.771091Z",
    "expires": "2024-02-15T15:33:42.770425Z",
    "tenant": {
        "pk": "fcba828076b94dedb2d5a6b4c5556fa1",
        "app": "authentik_tenants",
        "name": "Default tenant",
        "model_name": "tenant"
    }
}

login_failed

A failed login attempt

Example
{
    "pk": "2779b173-eb2a-4c2b-a1a4-8283eda308d7",
    "user": {
        "pk": 2,
        "email": "",
        "username": "AnonymousUser"
    },
    "action": "login_failed",
    "app": "authentik.events.signals",
    "context": {
        "stage": {
            "pk": "7e88f4a991c442c1a1335d80f0827d7f",
            "app": "authentik_stages_password",
            "name": "default-authentication-password",
            "model_name": "passwordstage"
        },
        "password": "********************",
        "username": "akadmin",
        "http_request": {
            "args": {
                "query": "next=%2F"
            },
            "path": "/api/v3/flows/executor/default-authentication-flow/",
            "method": "POST"
        }
    },
    "client_ip": "::1",
    "created": "2023-02-15T15:32:55.319608Z",
    "expires": "2024-02-15T15:32:55.314581Z",
    "tenant": {
        "pk": "fcba828076b94dedb2d5a6b4c5556fa1",
        "app": "authentik_tenants",
        "name": "Default tenant",
        "model_name": "tenant"
    }
}

logout

A user logs out.

Example
{
    "pk": "474ffb6b-77e3-401c-b681-7d618962440f",
    "user": {
        "pk": 1,
        "email": "root@localhost",
        "username": "akadmin"
    },
    "action": "logout",
    "app": "authentik.events.signals",
    "context": {
        "http_request": {
            "args": {
                "query": ""
            },
            "path": "/api/v3/flows/executor/default-invalidation-flow/",
            "method": "GET"
        }
    },
    "client_ip": "::1",
    "created": "2023-02-15T15:39:55.976243Z",
    "expires": "2024-02-15T15:39:55.975535Z",
    "tenant": {
        "pk": "fcba828076b94dedb2d5a6b4c5556fa1",
        "app": "authentik_tenants",
        "name": "Default tenant",
        "model_name": "tenant"
    }
}

user_write

A user is written to during a flow execution.

Example
{
    "pk": "d012e8af-cb94-4fa2-9e92-961e4eebc060",
    "user": {
        "pk": 1,
        "email": "root@localhost",
        "username": "akadmin"
    },
    "action": "user_write",
    "app": "authentik.events.signals",
    "context": {
        "name": "authentik Default Admin",
        "email": "root@localhost",
        "created": false,
        "username": "akadmin",
        "attributes": {
            "settings": {
                "locale": ""
            }
        },
        "http_request": {
            "args": {
                "query": ""
            },
            "path": "/api/v3/flows/executor/default-user-settings-flow/",
            "method": "GET"
        }
    },
    "client_ip": "::1",
    "created": "2023-02-15T15:41:18.411017Z",
    "expires": "2024-02-15T15:41:18.410276Z",
    "tenant": {
        "pk": "fcba828076b94dedb2d5a6b4c5556fa1",
        "app": "authentik_tenants",
        "name": "Default tenant",
        "model_name": "tenant"
    }
}

suspicious_request

A suspicious request has been received (for example, a revoked token was used).

password_set

A user sets their password.

secret_view

A user views a token's/certificate's data.

secret_rotate

A token was rotated automatically by authentik.

invitation_used

An invitation is used.

authorize_application

A user authorizes an application.

Example
{
    "pk": "f52f9eb9-dc2a-4f1e-afea-ad5af90bf680",
    "user": {
        "pk": 1,
        "email": "root@localhost",
        "username": "akadmin"
    },
    "action": "authorize_application",
    "app": "authentik.providers.oauth2.views.authorize",
    "context": {
        "asn": {
            "asn": 6805,
            "as_org": "Telefonica Germany",
            "network": "5.4.0.0/14"
        },
        "geo": {
            "lat": 42.0,
            "city": "placeholder",
            "long": 42.0,
            "country": "placeholder",
            "continent": "placeholder"
        },
        "flow": "53287faa8a644b6cb124cb602a84282f",
        "scopes": "ak_proxy profile openid email",
        "http_request": {
            "args": {
                "query": "[...]"
            },
            "path": "/api/v3/flows/executor/default-provider-authorization-implicit-consent/",
            "method": "GET"
        },
        "authorized_application": {
            "pk": "bed6a2495fdc4b2e8c3f93cb2ed7e021",
            "app": "authentik_core",
            "name": "Alertmanager",
            "model_name": "application"
        }
    },
    "client_ip": "::1",
    "created": "2023-02-15T10:02:48.615499Z",
    "expires": "2023-04-26T10:02:48.612809Z",
    "tenant": {
        "pk": "10800be643d44842ab9d97cb5f898ce9",
        "app": "authentik_tenants",
        "name": "Default tenant",
        "model_name": "tenant"
    }
}

source_linked

A user links a source to their account

impersonation_started / impersonation_ended

A user starts/ends impersonation, including the user that was impersonated

policy_execution

A policy is executed (when a policy has "Execution Logging" enabled).

policy_exception / property_mapping_exception

A policy or property mapping causes an exception

system_task_exception

An exception occurred in a system task.

system_exception

A general exception in authentik occurred.

configuration_error

A configuration error occurs, for example during the authorization of an application

model_created / model_updated / model_deleted

Logged when any model is created/updated/deleted, including the user that sent the request.

email_sent

An email has been sent. Included is the email that was sent.

update_available

An update is available