Closed
Labels
:Security/Audit (X-Pack Audit logging), >docs (General docs changes)
Description
Original comment by @jakommo:
On https://www.elastic.co/guide/en/x-pack/5.6/auditing.html#audit-event-attributes under "Table 14. REST authentication_success Attributes" we list:
But the log lines look like:
[2017-09-19T10:13:47,339] [rest] [authentication_success] principal=[kibana], realm=[reserved], uri=[/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip], params=[{filter_path=nodes.*.version,nodes.*.http.publish_address,nodes.*.ip}]
[2017-09-19T10:13:47,342] [rest] [authentication_success] principal=[kibana], realm=[reserved], uri=[/_cluster/health/.monitoring-*-2-*%2C.monitoring-*-6-*?timeout=5s], params=[{index=.monitoring-*-2-*,.monitoring-*-6-*, timeout=5s}]
[2017-09-19T10:13:47,522] [rest] [authentication_success] principal=[kibana], realm=[reserved], uri=[/.reporting-*/esqueue/_search?version=true], params=[{index=.reporting-*, type=esqueue, version=true}]
It seems to use principal rather than user.
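An added example, not part of the original issue or of the Elasticsearch code base: a parser for the log-line layout shown above that reads the authenticated identity from `principal` and only then falls back to `user`, so tooling built from the documented attribute name does not silently miss these events. The function names, the `layer` label for the second bracketed field, and the fallback order are assumptions; the sample line is copied from the issue.

```python
import re

# Layout seen in the issue's sample lines:
#   [timestamp] [layer] [event_type] key=[value], key=[value], ...
# "layer" is this example's own label for the second field (e.g. "rest").
HEADER = re.compile(
    r"^\[(?P<timestamp>[^\]]+)\]\s+\[(?P<layer>[^\]]+)\]\s+\[(?P<event_type>[^\]]+)\]\s+"
)
# A value ends at the "]" followed by ", nextkey=[" or end of line, so the
# commas and "=" inside uri/params values do not split an attribute.
ATTR = re.compile(r"(\w+)=\[(.*?)\](?=, \w+=\[|\s*$)")


def parse_audit_line(line):
    """Return header fields plus an 'attributes' dict, or None if the line does not match."""
    m = HEADER.match(line)
    if m is None:
        return None
    event = m.groupdict()
    event["attributes"] = dict(ATTR.findall(line[m.end():]))
    return event


def authenticated_identity(event):
    """Prefer `principal` (what the log emits); `user` is an assumed fallback."""
    attrs = event["attributes"]
    for key in ("principal", "user"):
        if key in attrs:
            return attrs[key]
    return None


# Sample line copied from the issue above.
SAMPLE = (
    "[2017-09-19T10:13:47,522] [rest] [authentication_success] "
    "principal=[kibana], realm=[reserved], "
    "uri=[/.reporting-*/esqueue/_search?version=true], "
    "params=[{index=.reporting-*, type=esqueue, version=true}]"
)

if __name__ == "__main__":
    ev = parse_audit_line(SAMPLE)
    print(ev["event_type"], authenticated_identity(ev), sorted(ev["attributes"]))
```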
