Audit Events
OpenGate IAM emits structured audit events via Apache Kafka for every authentication and administrative action. Use them for security monitoring, compliance, and SIEM integration.
Event Schema
All events use the DomainEvent envelope:
```json
{
  "eventId": "550e8400-e29b-41d4-a716-446655440000",
  "eventType": "auth.login.success",
  "aggregateId": "usr_abc123",
  "realm": "master",
  "payload": {
    "clientId": "opengate-console",
    "ipAddress": "203.0.113.42",
    "userAgent": "Mozilla/5.0 ...",
    "mfaUsed": true
  },
  "occurredAt": "2025-06-01T10:30:00Z"
}
```

Event Types
| Topic | Event Type | Trigger |
|---|---|---|
| opengate.auth | auth.login.success | Successful password + MFA authentication |
| opengate.auth | auth.login.failure | Failed login attempt |
| opengate.auth | auth.logout | User logout or token revocation |
| opengate.auth | auth.token.refresh | Refresh token exchanged |
| opengate.users | user.created | New user registered |
| opengate.users | user.updated | User profile updated |
| opengate.users | user.deleted | User account deleted |
| opengate.users | user.email_verified | Email verification completed |
| opengate.users | user.password_changed | Password updated |
| opengate.sessions | session.created | New session opened |
| opengate.sessions | session.terminated | Session revoked (logout / admin) |
| opengate.mfa | mfa.enrolled | User enrolled TOTP or Email OTP |
| opengate.mfa | mfa.disabled | MFA removed from account |
Consuming Events
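AuditConsumer.java

```java
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.kafka.annotation.KafkaListener;
import org.springframework.stereotype.Service;

@Service
public class AuditConsumer {

    private static final Logger log = LoggerFactory.getLogger(AuditConsumer.class);

    // DomainEvent is the envelope type shown under Event Schema; import it from your OpenGate dependency.
    // This listener subscribes to three audit topics; opengate.mfa is not in the list.
    @KafkaListener(topics = {"opengate.auth", "opengate.users", "opengate.sessions"},
                   groupId = "audit-service")
    public void handleAuditEvent(DomainEvent event) {
        log.info("AUDIT event={} aggregate={} realm={} at={}",
                event.eventType(), event.aggregateId(),
                event.realm(), event.occurredAt());
        // Forward to SIEM, write to audit DB, etc.
    }
}
```

Forwarding to SIEM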
Kafka → Elasticsearch (via Logstash)
logstash-audit.conf

```conf
input {
  kafka {
    bootstrap_servers => "localhost:9092"
    topics => ["opengate.auth", "opengate.users", "opengate.sessions"]
    codec => json
  }
}
filter {
  date {
    match => ["occurredAt", "ISO8601"]
    target => "@timestamp"
  }
}
output {
  elasticsearch {
    hosts => ["elasticsearch:9200"]
    index => "opengate-audit-%{+YYYY.MM.dd}"
  }
}
```

Kafka → Splunk
Use the Splunk Kafka Connector with topics opengate.auth, opengate.users, opengate.sessions.
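
Once events reach a consumer or SIEM pipeline, detection rules can run over the envelope fields. The following is an added example, not OpenGate code: it validates the DomainEvent envelope and flags a successful login without MFA, or one shortly after `mfa.disabled` for the same account. It assumes that `opengate.mfa` is consumed alongside the other topics and that MFA events carry the user ID in `aggregateId`; the rule names, the 30-minute window and the sample events are constructed for illustration.

```python
import json
from datetime import datetime, timedelta

REQUIRED = ("eventId", "eventType", "aggregateId", "realm", "payload", "occurredAt")

def parse_event(raw):
    """Parse one DomainEvent JSON string; raise ValueError if the envelope is incomplete."""
    event = json.loads(raw)
    missing = [k for k in REQUIRED if k not in event]
    if missing:
        raise ValueError(f"missing envelope fields: {missing}")
    # occurredAt is ISO 8601 with a trailing Z, as in the sample envelope
    event["occurredAt"] = datetime.fromisoformat(event["occurredAt"].replace("Z", "+00:00"))
    return event

def detect(events, window=timedelta(minutes=30)):
    """Return (rule, eventId) alerts for logins without MFA or soon after mfa.disabled."""
    alerts = []
    mfa_disabled_at = {}  # (realm, aggregateId) -> time of last mfa.disabled (assumed user ID)
    for ev in sorted(events, key=lambda e: e["occurredAt"]):
        key = (ev["realm"], ev["aggregateId"])
        if ev["eventType"] == "mfa.disabled":
            mfa_disabled_at[key] = ev["occurredAt"]
        elif ev["eventType"] == "mfa.enrolled":
            mfa_disabled_at.pop(key, None)
        elif ev["eventType"] == "auth.login.success":
            disabled = mfa_disabled_at.get(key)
            if disabled is not None and ev["occurredAt"] - disabled <= window:
                alerts.append(("login_after_mfa_disabled", ev["eventId"]))
            elif ev["payload"].get("mfaUsed") is not True:
                alerts.append(("login_without_mfa", ev["eventId"]))
    return alerts

def _sample(eid, etype, user, at, payload=None):
    # Builds a constructed sample event shaped like the page's envelope
    return json.dumps({"eventId": eid, "eventType": etype, "aggregateId": user,
                       "realm": "master", "payload": payload or {}, "occurredAt": at})

SAMPLE = [
    _sample("e1", "auth.login.success", "usr_abc123", "2025-06-01T10:30:00Z", {"mfaUsed": True}),
    _sample("e2", "mfa.disabled", "usr_abc123", "2025-06-01T10:35:00Z"),
    _sample("e3", "auth.login.success", "usr_abc123", "2025-06-01T10:40:00Z", {"mfaUsed": False}),
    _sample("e4", "auth.login.success", "usr_def456", "2025-06-01T11:00:00Z", {"mfaUsed": False}),
]

if __name__ == "__main__":
    for alert in detect(parse_event(r) for r in SAMPLE):
        print(alert)
```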
Retention & Compliance
| Requirement | Recommendation |
|---|---|
| GDPR | Retain audit logs for 1 year; anonymize PII after retention period |
| SOC 2 | Retain for 1 year with tamper-evident storage |
| PCI DSS | Retain for 1 year (3 months readily available) |
| Kafka retention | Set retention.ms=31536000000 (1 year) on audit topics |
PII in audit logs
Audit events may contain email addresses and IP addresses. Ensure your log retention and access policies comply with applicable data protection regulations.