Skip to Content
SourcesApache Kafka

Apache Kafka

Required
Fields required for a valid configuration.
PathTypeRequiredDescriptionDefaultConstraints
requiredobjectYes
Masked
Sensitive fields under(secrets/credentials).
PathTypeRequiredDescriptionDefaultConstraints
maskedobjectNo
Optional
Optional configuration fields.
PathTypeRequiredDescriptionDefaultConstraints
optionalobjectNono extra properties
optional.connectionobjectNoKafka client connection and security options.no extra properties
optional.connection.request_timeout_msintegerNoClient request timeout in milliseconds30000min 1000
optional.connection.sasl_mechanismenumNoSASL mechanism used when security_protocol is SASL_* Allowed values: PLAIN, SCRAM-SHA-256, SCRAM-SHA-512PLAIN
optional.connection.security_protocolenumNoKafka client security protocol Allowed values: PLAINTEXT, SSL, SASL_PLAINTEXT, SASL_SSLPLAINTEXT
optional.connection.ssl_castringNoPEM-encoded CA certificate for TLS verification (optional for client-certificate auth; validates the broker's certificate)
optional.scopeobjectNoKafka topic selection scope.no extra properties
optional.scope.exclude_topicsarrayNoTopic denylist
optional.scope.exclude_topics[]stringNo
optional.scope.include_internalbooleanNoInclude internal topics (names starting with __)false
optional.scope.include_topicsarrayNoOptional topic allowlist
optional.scope.include_topics[]stringNo
optional.scope.topic_limitintegerNoOptional cap on number of topic assetsmin 1
Extracted Metadata

Topic

FieldTypeRequiredDescription
partition_countintegerYesNumber of partitions
replication_factorintegerNoReplication factor
earliest_offsetintegerNoSum of earliest offsets across partitions
latest_offsetintegerNoSum of latest offsets across partitions
retention_msintegerNoTopic retention in milliseconds
cleanup_policystringNoTopic cleanup policy (delete/compact)
Examples
Topic discovery scan
Discover Kafka topics and sample recent messages on a local, unauthenticated broker

Config Payload

{
  "type": "KAFKA",
  "required": {
    "auth_mode": "NONE",
    "bootstrap_servers": "broker1:9092,broker2:9092"
  },
  "optional": {
    "connection": {
      "security_protocol": "PLAINTEXT"
    }
  },
  "sampling": {
    "strategy": "LATEST",
    "rows_per_page": 50
  }
}

Schedule

{
  "enabled": true,
  "preset": "weekday_business",
  "cron": "13 6 * * 1-5",
  "timezone": "UTC"
}
SASL_SSL secrets detection
Sample messages from selected topics over SASL_SSL and run secrets detection

Config Payload

{
  "type": "KAFKA",
  "required": {
    "auth_mode": "SASL",
    "bootstrap_servers": "broker:9093"
  },
  "masked": {
    "sasl_username": "your-username",
    "sasl_password": "your-password"
  },
  "optional": {
    "connection": {
      "security_protocol": "SASL_SSL",
      "sasl_mechanism": "SCRAM-SHA-256"
    },
    "scope": {
      "include_topics": [
        "payments",
        "users"
      ]
    }
  },
  "sampling": {
    "strategy": "RANDOM",
    "rows_per_page": 100
  },
  "detectors": [
    {
      "type": "SECRETS",
      "enabled": true
    },
    {
      "type": "PII",
      "enabled": true
    }
  ]
}

Schedule

{
  "enabled": true,
  "preset": "weekday_business",
  "cron": "37 8 * * 1-5",
  "timezone": "UTC"
}
Managed Kafka (Aiven/Confluent Cloud) with CA cert
Connect to a managed SASL_SSL Kafka service (e.g. Aiven, Confluent Cloud) using a broker-issued CA certificate for TLS verification

Config Payload

{
  "type": "KAFKA",
  "required": {
    "auth_mode": "SASL",
    "bootstrap_servers": "kafka-example-1234.example-cloud.com:12345"
  },
  "masked": {
    "sasl_username": "avnadmin",
    "sasl_password": "your-service-password"
  },
  "optional": {
    "connection": {
      "security_protocol": "SASL_SSL",
      "sasl_mechanism": "PLAIN",
      "ssl_ca": "-----BEGIN CERTIFICATE-----\nMIIDazCCAlOgAwIBAgIUfakefakefakefakefakefakefakefakewDQYJKoZIhvcNAQEL\nBQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM\nGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNjAxMDEwMDAwMDBaFw0zNjAx\nMDEwMDAwMDBaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw\nHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB\nAQUAA4IBDwAwggEKAoIBAQDFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEF\nAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEF\n-----END CERTIFICATE-----\n"
    },
    "scope": {
      "include_internal": false
    }
  },
  "sampling": {
    "strategy": "AUTOMATIC",
    "rows_per_page": 100
  }
}

Schedule

{
  "enabled": true,
  "preset": "nightly",
  "cron": "5 2 * * *",
  "timezone": "UTC"
}
Mutual TLS (client certificate) authentication
Authenticate to a Kafka broker using a client certificate and private key instead of SASL — no username/password required

Config Payload

{
  "type": "KAFKA",
  "required": {
    "auth_mode": "CLIENT_CERT",
    "bootstrap_servers": "broker.internal:9094"
  },
  "masked": {
    "ssl_certfile": "-----BEGIN CERTIFICATE-----\nMIIDCTCCAfGgAwIBAgIUfakefakefakefakefakefakefakefakewDQYJKoZIhvcNAQEL\nBQAwFDESMBAGA1UEAwwJY2xpZW50LWNhMB4XDTI2MDEwMTAwMDAwMFoXDTI3MDEw\nMTAwMDAwMFowFDESMBAGA1UEAwwJY2xpZW50LWNhMIIBIjANBgkqhkiG9w0BAQEF\n-----END CERTIFICATE-----\n",
    "ssl_keyfile": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDFAKEFAKEFAKEF\nAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEF\n-----END PRIVATE KEY-----\n"
  },
  "optional": {
    "connection": {
      "security_protocol": "SSL",
      "ssl_ca": "-----BEGIN CERTIFICATE-----\nMIIDazCCAlOgAwIBAgIUfakefakefakefakefakefakefakefakewDQYJKoZIhvcNAQEL\nBQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM\n-----END CERTIFICATE-----\n"
    }
  },
  "sampling": {
    "strategy": "AUTOMATIC",
    "rows_per_page": 50
  },
  "detectors": [
    {
      "type": "PII",
      "enabled": true
    }
  ]
}

Schedule

{
  "enabled": true,
  "preset": "nightly",
  "cron": "45 1 * * *",
  "timezone": "UTC"
}