diff --git a/common/src/main/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/AuditRecordReadMarshallable.java b/common/src/main/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/AuditRecordReadMarshallable.java
index f31dbdf9..df60203f 100644
--- a/common/src/main/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/AuditRecordReadMarshallable.java
+++ b/common/src/main/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/AuditRecordReadMarshallable.java
@@ -45,8 +45,9 @@ public void readMarshallable(@NotNull WireIn wire) throws IORuntimeException
             case WireTags.VALUE_VERSION_0:
                 auditRecord = readV0(wire);
                 break;
+            case WireTags.VALUE_VERSION_1: // NOPMD
             case WireTags.VALUE_VERSION_CURRENT:
-                auditRecord = readV1(wire);
+                auditRecord = readBitmappedRecord(wire);
                 break;
             default:
                 throw new IORuntimeException("Unsupported record version: " + version);
@@ -75,7 +76,7 @@ private StoredAuditRecord readV0(WireIn wire)
                       .build();
     }
 
-    private StoredAuditRecord readV1(WireIn wire)
+    private StoredAuditRecord readBitmappedRecord(WireIn wire)
     {
         checkV1Type(wire);
         int bitmap = wire.read(WireTags.KEY_FIELDS).int32();
@@ -93,6 +94,7 @@ private StoredAuditRecord readV1(WireIn wire)
         fields.ifSelectedRun(Field.STATUS, () -> recordBuilder.withStatus(readStatus(wire)));
         fields.ifSelectedRun(Field.OPERATION, () -> recordBuilder.withOperation(wire.read(WireTags.KEY_OPERATION).text()));
         fields.ifSelectedRun(Field.OPERATION_NAKED, () -> recordBuilder.withNakedOperation(wire.read(WireTags.KEY_NAKED_OPERATION).text()));
+        fields.ifSelectedRun(Field.SUBJECT, () -> recordBuilder.withSubject(wire.read(WireTags.KEY_SUBJECT).text()));
 
         return recordBuilder.build();
     }
diff --git a/common/src/main/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/AuditRecordWriteMarshallable.java b/common/src/main/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/AuditRecordWriteMarshallable.java
index 49b9a8a2..74b6dead 100644
--- a/common/src/main/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/AuditRecordWriteMarshallable.java
+++ b/common/src/main/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/AuditRecordWriteMarshallable.java
@@ -49,5 +49,6 @@ public void writeMarshallable(@NotNull WireOut wire)
         actualFields.ifSelectedRun(Field.STATUS, () -> wire.write(WireTags.KEY_STATUS).text(auditRecord.getStatus().name()));
         actualFields.ifSelectedRun(Field.OPERATION, () -> wire.write(WireTags.KEY_OPERATION).text(auditRecord.getOperation().getOperationString()));
         actualFields.ifSelectedRun(Field.OPERATION_NAKED, () -> wire.write(WireTags.KEY_NAKED_OPERATION).text(auditRecord.getOperation().getNakedOperationString()));
+        actualFields.ifSelectedRun(Field.SUBJECT, () -> wire.write(WireTags.KEY_SUBJECT).text(auditRecord.getSubject().get()));
     }
 }
diff --git a/common/src/main/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/FieldFilterFlavorAdapter.java b/common/src/main/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/FieldFilterFlavorAdapter.java
index 3590f0f4..59a19898 100644
--- a/common/src/main/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/FieldFilterFlavorAdapter.java
+++ b/common/src/main/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/FieldFilterFlavorAdapter.java
@@ -32,12 +32,23 @@ private FieldFilterFlavorAdapter()
 
     static FieldSelector getFieldsAvailableInRecord(AuditRecord auditRecord, FieldSelector configuredFields)
     {
-        FieldSelector fields = auditRecord.getBatchId().isPresent()
-                               ? configuredFields
-                               : configuredFields.withoutField(FieldSelector.Field.BATCH_ID);
+        FieldSelector fields = configuredFields;
 
-        return auditRecord.getClientAddress() == null
-               ? fields.withoutField(FieldSelector.Field.CLIENT_IP).withoutField(FieldSelector.Field.CLIENT_PORT)
-               : fields;
+        if (!auditRecord.getBatchId().isPresent())
+        {
+            fields = fields.withoutField(FieldSelector.Field.BATCH_ID);
+        }
+
+        if (!auditRecord.getSubject().isPresent())
+        {
+            fields = fields.withoutField(FieldSelector.Field.SUBJECT);
+        }
+
+        if (auditRecord.getClientAddress() == null)
+        {
+            fields = fields.withoutField(FieldSelector.Field.CLIENT_IP).withoutField(FieldSelector.Field.CLIENT_PORT);
+        }
+
+        return fields;
     }
 }
diff --git a/common/src/main/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/FieldSelector.java b/common/src/main/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/FieldSelector.java
index 673a1094..28b35a68 100644
--- a/common/src/main/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/FieldSelector.java
+++ b/common/src/main/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/FieldSelector.java
@@ -17,6 +17,8 @@
 
 import java.util.List;
 
+import com.google.common.annotations.VisibleForTesting;
+
 public final class FieldSelector
 {
     /**
@@ -36,7 +38,8 @@ public enum Field
         STATUS(1 << 5),
         OPERATION(1 << 6),
         OPERATION_NAKED(1 << 7),
-        TIMESTAMP(1 << 8);
+        TIMESTAMP(1 << 8),
+        SUBJECT(1 << 9);
 
         private final int bit;
 
@@ -89,6 +92,17 @@ public boolean isSelected(Field field)
         return (bitmap & field.getBit()) > 0;
     }
 
+    /**
+     * Toggle a field as selected
+     * @param field the field to select
+     * @return a new field selector with the field selected
+     */
+    @VisibleForTesting
+    FieldSelector withField(Field field)
+    {
+        return new FieldSelector(bitmap | field.getBit());
+    }
+
     /**
      * Copies this field selector, but without the provided field selected.
      *
diff --git a/common/src/main/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/WireTags.java b/common/src/main/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/WireTags.java
index 4a218670..22d39597 100644
--- a/common/src/main/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/WireTags.java
+++ b/common/src/main/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/WireTags.java
@@ -29,10 +29,12 @@ class WireTags
     static final String KEY_STATUS = "status";
     static final String KEY_OPERATION = "operation";
     static final String KEY_NAKED_OPERATION = "naked_operation";
+    static final String KEY_SUBJECT = "subject";
 
     static final short VALUE_VERSION_0 = 0;
     static final short VALUE_VERSION_1 = 1;
-    static final short VALUE_VERSION_CURRENT = VALUE_VERSION_1;
+    static final short VALUE_VERSION_2 = 2;
+    static final short VALUE_VERSION_CURRENT = VALUE_VERSION_2;
     static final String VALUE_TYPE_BATCH_ENTRY = "ecaudit-batch";
     static final String VALUE_TYPE_SINGLE_ENTRY = "ecaudit-single";
     static final String VALUE_TYPE_AUDIT = "ecaudit";
diff --git a/common/src/main/java/com/ericsson/bss/cassandra/ecaudit/common/record/AuditRecord.java b/common/src/main/java/com/ericsson/bss/cassandra/ecaudit/common/record/AuditRecord.java
index 7af310d9..36e43bad 100644
--- a/common/src/main/java/com/ericsson/bss/cassandra/ecaudit/common/record/AuditRecord.java
+++ b/common/src/main/java/com/ericsson/bss/cassandra/ecaudit/common/record/AuditRecord.java
@@ -35,4 +35,6 @@ public interface AuditRecord
     Status getStatus();
 
     AuditOperation getOperation();
+
+    Optional<String> getSubject();
 }
diff --git a/common/src/main/java/com/ericsson/bss/cassandra/ecaudit/common/record/StoredAuditRecord.java b/common/src/main/java/com/ericsson/bss/cassandra/ecaudit/common/record/StoredAuditRecord.java
index aa099246..86373ac2 100644
--- a/common/src/main/java/com/ericsson/bss/cassandra/ecaudit/common/record/StoredAuditRecord.java
+++ b/common/src/main/java/com/ericsson/bss/cassandra/ecaudit/common/record/StoredAuditRecord.java
@@ -34,6 +34,7 @@ public class StoredAuditRecord
     private final String operation;
     private final String nakedOperation;
     private final Long timestamp;
+    private final String subject;
 
     private StoredAuditRecord(Builder builder)
     {
@@ -46,6 +47,7 @@ private StoredAuditRecord(Builder builder)
         this.operation = builder.operation;
         this.nakedOperation = builder.nakedOperation;
         this.timestamp = builder.timestamp;
+        this.subject = builder.subject;
     }
 
     public Optional<Long> getTimestamp()
@@ -93,6 +95,11 @@ public Optional<String> getNakedOperation()
         return Optional.ofNullable(nakedOperation);
     }
 
+    public Optional<String> getSubject()
+    {
+        return Optional.ofNullable(subject);
+    }
+
     public static Builder builder()
     {
         return new Builder();
@@ -109,6 +116,7 @@ public static class Builder
         private String operation;
         private String nakedOperation;
         private Long timestamp;
+        private String subject;
 
         public Builder withClientAddress(InetAddress clientAddress)
         {
@@ -164,6 +172,12 @@ public Builder withTimestamp(long timestamp)
             return this;
         }
 
+        public Builder withSubject(String subject)
+        {
+            this.subject = subject;
+            return this;
+        }
+
         public StoredAuditRecord build()
         {
             return new StoredAuditRecord(this);
diff --git a/common/src/test/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/TestAuditRecordReadMarshallable.java b/common/src/test/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/TestAuditRecordReadMarshallable.java
index 31afe73e..ab98bdec 100644
--- a/common/src/test/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/TestAuditRecordReadMarshallable.java
+++ b/common/src/test/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/TestAuditRecordReadMarshallable.java
@@ -84,6 +84,20 @@ public void testReadBatchBatch() throws Exception
         assertThatRecordIsSame(actualAuditRecord, expectedValues);
     }
 
+     @Test
+     public void testReadSubjectMatch() throws Exception
+     {
+         RecordValues expectedValues = defaultValues.butWithSubject("bob-subject");
+
+         givenNextRecordIs(expectedValues);
+
+         readMarshallable.readMarshallable(wireInMock);
+
+         StoredAuditRecord actualAuditRecord = readMarshallable.getAuditRecord();
+
+         assertThatRecordIsSame(actualAuditRecord, expectedValues);
+     }
+
     @Test
     public void testReuseMarshallable()
     {
@@ -166,9 +180,19 @@ private void givenNextRecordIs(RecordValues values)
         when(typeValueMock.text()).thenReturn(values.getType());
         when(wireInMock.read(eq("type"))).thenReturn(typeValueMock);
 
-        int fieldsBitmap = values.getBatchId() != null ? FieldSelector.DEFAULT_FIELDS.getBitmap() : FieldSelector.DEFAULT_FIELDS.withoutField(Field.BATCH_ID).getBitmap();
+        FieldSelector selectedFields = FieldSelector.DEFAULT_FIELDS;
+        if (values.getBatchId() == null)
+        {
+            selectedFields = selectedFields.withoutField(Field.BATCH_ID);
+        }
+
+        if (values.getSubject() != null)
+        {
+            selectedFields = selectedFields.withField(Field.SUBJECT);
+        }
+
         ValueIn fieldsValueMock = mock(ValueIn.class);
-        when(fieldsValueMock.int32()).thenReturn(fieldsBitmap);
+        when(fieldsValueMock.int32()).thenReturn(selectedFields.getBitmap());
         when(wireInMock.read(eq("fields"))).thenReturn(fieldsValueMock);
 
         ValueIn timestampValueMock = mock(ValueIn.class);
@@ -205,6 +229,13 @@ private void givenNextRecordIs(RecordValues values)
         ValueIn operationValueMock = mock(ValueIn.class);
         when(operationValueMock.text()).thenReturn(values.getOperation());
         when(wireInMock.read(eq("operation"))).thenReturn(operationValueMock);
+
+        if (values.getSubject() != null)
+        {
+            ValueIn subjectValueMock = mock(ValueIn.class);
+            when(subjectValueMock.text()).thenReturn(values.getSubject());
+            when(wireInMock.read(eq("subject"))).thenReturn(subjectValueMock);
+        }
     }
 
     private void assertThatRecordIsSame(StoredAuditRecord actualAuditRecord, RecordValues expectedValues) throws UnknownHostException
@@ -218,5 +249,6 @@ private void assertThatRecordIsSame(StoredAuditRecord actualAuditRecord, RecordV
         assertThat(actualAuditRecord.getNakedOperation()).isEmpty();
         assertThat(actualAuditRecord.getUser()).contains(expectedValues.gethUser());
         assertThat(actualAuditRecord.getTimestamp()).contains(expectedValues.getTimestamp());
+        assertThat(actualAuditRecord.getSubject()).isEqualTo(Optional.ofNullable(expectedValues.getSubject()));
     }
 }
diff --git a/common/src/test/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/TestFieldFilterFlavorAdapter.java b/common/src/test/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/TestFieldFilterFlavorAdapter.java
index f524cbd0..7266d882 100644
--- a/common/src/test/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/TestFieldFilterFlavorAdapter.java
+++ b/common/src/test/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/TestFieldFilterFlavorAdapter.java
@@ -27,12 +27,13 @@ public class TestFieldFilterFlavorAdapter
     @Test
     public void testGetFieldsAvailableInRecord()
     {
-        AuditRecord recordWithoutClientIPAndBatchId = SimpleAuditRecord.builder().build();
+        AuditRecord recordWithoutOptionals = SimpleAuditRecord.builder().build();
 
-        FieldSelector fields = FieldFilterFlavorAdapter.getFieldsAvailableInRecord(recordWithoutClientIPAndBatchId, FieldSelector.ALL_FIELDS);
+        FieldSelector fields = FieldFilterFlavorAdapter.getFieldsAvailableInRecord(recordWithoutOptionals, FieldSelector.ALL_FIELDS);
 
         assertThat(fields.isSelected(FieldSelector.Field.CLIENT_IP)).isFalse();
         assertThat(fields.isSelected(FieldSelector.Field.CLIENT_PORT)).isFalse();
         assertThat(fields.isSelected(FieldSelector.Field.BATCH_ID)).isFalse();
+        assertThat(fields.isSelected(FieldSelector.Field.SUBJECT)).isFalse();
     }
 }
diff --git a/common/src/test/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/TestFieldSelector.java b/common/src/test/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/TestFieldSelector.java
index 68c7b961..2d52d58e 100644
--- a/common/src/test/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/TestFieldSelector.java
+++ b/common/src/test/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/TestFieldSelector.java
@@ -51,6 +51,7 @@ public void testFieldBitOrder()
         assertThat(Field.OPERATION.getBit()).isEqualTo(64);
         assertThat(Field.OPERATION_NAKED.getBit()).isEqualTo(128);
         assertThat(Field.TIMESTAMP.getBit()).isEqualTo(256);
+        assertThat(Field.SUBJECT.getBit()).isEqualTo(512);
     }
 
     @Test
@@ -84,7 +85,7 @@ public void testAllFieldsSelected()
 
         assertAllFieldsAreSelected(fields);
 
-        assertThat(fields.getBitmap()).isEqualTo(511)
+        assertThat(fields.getBitmap()).isEqualTo(1023)
                                       .isEqualTo(FieldSelector.ALL_FIELDS.getBitmap());
     }
 
@@ -147,7 +148,7 @@ public void testInvalidBitmapLowerRange()
     public void testInvalidBitmapUpperRange()
     {
         assertThatExceptionOfType(IllegalArgumentException.class)
-        .isThrownBy(() -> FieldSelector.fromBitmap(512)) // Only 9 fields available == Max 9 bits => max bitmap value 2^9 - 1
+        .isThrownBy(() -> FieldSelector.fromBitmap(1024)) // Only 10 fields available == Max 10 bits => max bitmap value 2^10 - 1
         .withMessageContaining("Bitmap value is out of bounds");
     }
 
diff --git a/common/src/test/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/TestReadVersion2.java b/common/src/test/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/TestReadVersion2.java
new file mode 100644
index 00000000..395bc698
--- /dev/null
+++ b/common/src/test/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/TestReadVersion2.java
@@ -0,0 +1,163 @@
+/*
+ * Copyright 2020 Telefonaktiebolaget LM Ericsson
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.ericsson.bss.cassandra.ecaudit.common.chronicle;
+
+import java.io.File;
+import java.net.InetAddress;
+import java.util.UUID;
+
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import com.ericsson.bss.cassandra.ecaudit.common.chronicle.AuditRecordReadMarshallable;
+import com.ericsson.bss.cassandra.ecaudit.common.chronicle.WriteTestDataUtil;
+import com.ericsson.bss.cassandra.ecaudit.common.record.Status;
+import com.ericsson.bss.cassandra.ecaudit.common.record.StoredAuditRecord;
+import net.openhft.chronicle.queue.ChronicleQueue;
+import net.openhft.chronicle.queue.ChronicleQueueBuilder;
+import net.openhft.chronicle.queue.ExcerptTailer;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * Test reading records stored in the binary log file produced by {@link WriteTestDataUtil} using entry version 2 with the following data:
+ * <ul>
+ *   <li> CLIENT_IP = 0.1.2.3
+ *   <li> CLIENT_PORT = 777
+ *   <li> COORDINATOR_IP = 4.5.6.7
+ *   <li> USER = "bob"
+ *   <li> BATCH_ID = bd92aeb1-3373-4d6a-b65a-0d60295f66c9
+ *   <li> STATUS = SUCCEEDED
+ *   <li> OPERATION = "SELECT SOMETHING"
+ *   <li> OPERATION_NAKED = "SELECT SOMETHING NAKED"
+ *   <li> TIMESTAMP = 1554188832013L
+ *   <li> SUBJECT = "bob-the-subject
+ * </ul>
+ * <p>
+ * Is written in 4 records with different fields selected:
+ * <ul>
+ *   <li> record1 - Default fields selected (TIMESTAMP, CLIENT_IP, CLIENT_PORT, COORDINATOR_IP, USER, BATCH_ID, STATUS, OPERATION)
+ *   <li> record2 - No fields selected
+ *   <li> record3 - All fields selected (TIMESTAMP, CLIENT_IP, CLIENT_PORT, COORDINATOR_IP, USER, BATCH_ID, STATUS, OPERATION, OPERATION_NAKED, SUBJECT)
+ *   <li> record4 - Custom fields selected (USER, STATUS, OPERATION_NAKED, SUBJECT)
+ * </ul>
+ */
+public class TestReadVersion2
+{
+    private static ChronicleQueue chronicleQueue;
+    private static ExcerptTailer tailer;
+
+    @BeforeClass
+    public static void beforeClass()
+    {
+        File queueDirVersion1 = new File("src/test/resources/q2");
+        chronicleQueue = ChronicleQueueBuilder
+                         .single(queueDirVersion1)
+                         .blockSize(1024)
+                         .readOnly(true)
+                         .build();
+        tailer = chronicleQueue.createTailer();
+    }
+
+    @AfterClass
+    public static void afterClass()
+    {
+        chronicleQueue.close();
+    }
+
+    @Test
+    public void test() throws Exception
+    {
+        readDefault();
+        readEmpty();
+        readFull();
+        readCustom();
+    }
+
+    private void readDefault() throws Exception
+    {
+        StoredAuditRecord actualAuditRecord = readAuditRecordFromChronicle();
+
+        assertThat(actualAuditRecord.getClientAddress()).contains(InetAddress.getByName("0.1.2.3"));
+        assertThat(actualAuditRecord.getClientPort()).contains(777);
+        assertThat(actualAuditRecord.getCoordinatorAddress()).contains(InetAddress.getByName("4.5.6.7"));
+        assertThat(actualAuditRecord.getUser()).contains("bob");
+        assertThat(actualAuditRecord.getBatchId()).contains(UUID.fromString("bd92aeb1-3373-4d6a-b65a-0d60295f66c9"));
+        assertThat(actualAuditRecord.getStatus()).contains(Status.SUCCEEDED);
+        assertThat(actualAuditRecord.getOperation()).contains("SELECT SOMETHING");
+        assertThat(actualAuditRecord.getNakedOperation()).isEmpty();
+        assertThat(actualAuditRecord.getTimestamp()).contains(1554188832013L);
+        assertThat(actualAuditRecord.getSubject()).isEmpty();
+    }
+
+    private void readEmpty()
+    {
+        StoredAuditRecord actualAuditRecord = readAuditRecordFromChronicle();
+
+        assertThat(actualAuditRecord.getClientAddress()).isEmpty();
+        assertThat(actualAuditRecord.getClientPort()).isEmpty();
+        assertThat(actualAuditRecord.getCoordinatorAddress()).isEmpty();
+        assertThat(actualAuditRecord.getUser()).isEmpty();
+        assertThat(actualAuditRecord.getBatchId()).isEmpty();
+        assertThat(actualAuditRecord.getStatus()).isEmpty();
+        assertThat(actualAuditRecord.getOperation()).isEmpty();
+        assertThat(actualAuditRecord.getNakedOperation()).isEmpty();
+        assertThat(actualAuditRecord.getTimestamp()).isEmpty();
+        assertThat(actualAuditRecord.getSubject()).isEmpty();
+    }
+
+    private void readFull() throws Exception
+    {
+        StoredAuditRecord actualAuditRecord = readAuditRecordFromChronicle();
+
+        assertThat(actualAuditRecord.getClientAddress()).contains(InetAddress.getByName("0.1.2.3"));
+        assertThat(actualAuditRecord.getClientPort()).contains(777);
+        assertThat(actualAuditRecord.getCoordinatorAddress()).contains(InetAddress.getByName("4.5.6.7"));
+        assertThat(actualAuditRecord.getUser()).contains("bob");
+        assertThat(actualAuditRecord.getBatchId()).contains(UUID.fromString("bd92aeb1-3373-4d6a-b65a-0d60295f66c9"));
+        assertThat(actualAuditRecord.getStatus()).contains(Status.SUCCEEDED);
+        assertThat(actualAuditRecord.getOperation()).contains("SELECT SOMETHING");
+        assertThat(actualAuditRecord.getNakedOperation()).contains("SELECT SOMETHING NAKED");
+        assertThat(actualAuditRecord.getTimestamp()).contains(1554188832013L);
+        assertThat(actualAuditRecord.getSubject()).contains("bob-the-subject");
+    }
+
+    private void readCustom()
+    {
+        StoredAuditRecord actualAuditRecord = readAuditRecordFromChronicle();
+
+        assertThat(actualAuditRecord.getClientAddress()).isEmpty();
+        assertThat(actualAuditRecord.getClientPort()).isEmpty();
+        assertThat(actualAuditRecord.getCoordinatorAddress()).isEmpty();
+        assertThat(actualAuditRecord.getUser()).contains("bob");
+        assertThat(actualAuditRecord.getBatchId()).isEmpty();
+        assertThat(actualAuditRecord.getStatus()).contains(Status.SUCCEEDED);
+        assertThat(actualAuditRecord.getOperation()).isEmpty();
+        assertThat(actualAuditRecord.getNakedOperation()).contains("SELECT SOMETHING NAKED");
+        assertThat(actualAuditRecord.getTimestamp()).isEmpty();
+        assertThat(actualAuditRecord.getSubject()).contains("bob-the-subject");
+    }
+
+    private StoredAuditRecord readAuditRecordFromChronicle()
+    {
+        AuditRecordReadMarshallable readMarshallable = new AuditRecordReadMarshallable();
+
+        tailer.readDocument(readMarshallable);
+
+        return readMarshallable.getAuditRecord();
+    }
+}
diff --git a/common/src/test/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/TestWriteReadVersionCurrent.java b/common/src/test/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/TestWriteReadVersionCurrent.java
index 51677fc9..1c26364e 100644
--- a/common/src/test/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/TestWriteReadVersionCurrent.java
+++ b/common/src/test/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/TestWriteReadVersionCurrent.java
@@ -60,6 +60,20 @@ public void after()
         chronicleQueue.close();
     }
 
+    @Test
+    public void writeReadSubject() throws  Exception
+    {
+        AuditRecord expectedAuditRecord = likeGenericRecord().withSubject("bob-the-subject").build();
+
+        FieldSelector fieldsWithSubject = FieldSelector.DEFAULT_FIELDS.withField(FieldSelector.Field.SUBJECT);
+
+        writeAuditRecordToChronicle(expectedAuditRecord, fieldsWithSubject);
+
+        StoredAuditRecord actualAuditRecord = readAuditRecordFromChronicle();
+
+        assertThatRecordsMatch(actualAuditRecord, expectedAuditRecord);
+    }
+
     @Test
     public void writeReadBatch() throws Exception
     {
@@ -116,7 +130,12 @@ private SimpleAuditRecord.Builder likeGenericRecord() throws UnknownHostExceptio
 
     private void writeAuditRecordToChronicle(AuditRecord auditRecord)
     {
-        WriteMarshallable writeMarshallable = new AuditRecordWriteMarshallable(auditRecord, FieldSelector.DEFAULT_FIELDS);
+        writeAuditRecordToChronicle(auditRecord, FieldSelector.DEFAULT_FIELDS);
+    }
+
+    private void writeAuditRecordToChronicle(AuditRecord auditRecord, FieldSelector fields)
+    {
+        WriteMarshallable writeMarshallable = new AuditRecordWriteMarshallable(auditRecord, fields);
 
         ExcerptAppender appender = chronicleQueue.acquireAppender();
         appender.writeDocument(writeMarshallable);
@@ -143,5 +162,6 @@ private void assertThatRecordsMatch(StoredAuditRecord actualAuditRecord, AuditRe
         assertThat(actualAuditRecord.getNakedOperation()).isEmpty();
         assertThat(actualAuditRecord.getUser()).contains(expectedAuditRecord.getUser());
         assertThat(actualAuditRecord.getTimestamp()).contains(expectedAuditRecord.getTimestamp());
+        assertThat(actualAuditRecord.getSubject()).isEqualTo(expectedAuditRecord.getSubject());
     }
 }
diff --git a/common/src/test/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/WriteTestDataUtil.java b/common/src/test/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/WriteTestDataUtil.java
index 9b4725f7..f6c5588b 100644
--- a/common/src/test/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/WriteTestDataUtil.java
+++ b/common/src/test/java/com/ericsson/bss/cassandra/ecaudit/common/chronicle/WriteTestDataUtil.java
@@ -45,7 +45,7 @@ public class WriteTestDataUtil
 {
     public static void main(String[] args) throws Exception
     {
-        String version = "X"; // Set the version here!
+        String version = "2"; // Set the version here!
 
         // Data
         AuditRecord record = SimpleAuditRecord.builder()
@@ -56,6 +56,7 @@ public static void main(String[] args) throws Exception
                                               .withStatus(Status.SUCCEEDED)
                                               .withOperation(mockOperation("SELECT SOMETHING", "SELECT SOMETHING NAKED"))
                                               .withTimestamp(1554188832013L)
+                                              .withSubject("bob-the-subject")
                                               .build();
 
         // Write Data to Queue
@@ -68,7 +69,7 @@ public static void main(String[] args) throws Exception
         appender.writeDocument(new AuditRecordWriteMarshallable(record, FieldSelector.DEFAULT_FIELDS));
         appender.writeDocument(new AuditRecordWriteMarshallable(record, FieldSelector.NO_FIELDS));
         appender.writeDocument(new AuditRecordWriteMarshallable(record, FieldSelector.ALL_FIELDS));
-        appender.writeDocument(new AuditRecordWriteMarshallable(record, FieldSelector.fromFields(asList("USER", "OPERATION_NAKED", "STATUS")))); // Custom fields
+        appender.writeDocument(new AuditRecordWriteMarshallable(record, FieldSelector.fromFields(asList("USER", "OPERATION_NAKED", "STATUS", "SUBJECT")))); // Custom fields
 
         chronicleQueue.close();
     }
diff --git a/common/src/test/java/com/ericsson/bss/cassandra/ecaudit/common/record/SimpleAuditRecord.java b/common/src/test/java/com/ericsson/bss/cassandra/ecaudit/common/record/SimpleAuditRecord.java
index edf5ad25..3c1f71a9 100644
--- a/common/src/test/java/com/ericsson/bss/cassandra/ecaudit/common/record/SimpleAuditRecord.java
+++ b/common/src/test/java/com/ericsson/bss/cassandra/ecaudit/common/record/SimpleAuditRecord.java
@@ -29,6 +29,7 @@ public class SimpleAuditRecord implements AuditRecord
     private final Status status;
     private final AuditOperation operation;
     private final long timestamp;
+    private final String subject;
 
     private SimpleAuditRecord(Builder builder)
     {
@@ -39,6 +40,7 @@ private SimpleAuditRecord(Builder builder)
         this.status = builder.status;
         this.operation = builder.operation;
         this.timestamp = builder.timestamp;
+        this.subject = builder.subject;
     }
 
     @Override
@@ -83,6 +85,12 @@ public AuditOperation getOperation()
         return operation;
     }
 
+    @Override
+    public Optional<String> getSubject()
+    {
+        return Optional.ofNullable(subject);
+    }
+
     public static Builder builder()
     {
         return new Builder();
@@ -97,6 +105,7 @@ public static class Builder
         private Status status;
         private AuditOperation operation;
         private long timestamp;
+        private String subject;
 
         public Builder withClientAddress(InetSocketAddress clientAddress)
         {
@@ -140,6 +149,12 @@ public Builder withTimestamp(long timestamp)
             return this;
         }
 
+        public Builder withSubject(String subject)
+        {
+            this.subject = subject;
+            return this;
+        }
+
         public AuditRecord build()
         {
             return new SimpleAuditRecord(this);
diff --git a/common/src/test/java/com/ericsson/bss/cassandra/ecaudit/common/record/TestStoredAuditRecord.java b/common/src/test/java/com/ericsson/bss/cassandra/ecaudit/common/record/TestStoredAuditRecord.java
index 6a2fc79d..47d005e0 100644
--- a/common/src/test/java/com/ericsson/bss/cassandra/ecaudit/common/record/TestStoredAuditRecord.java
+++ b/common/src/test/java/com/ericsson/bss/cassandra/ecaudit/common/record/TestStoredAuditRecord.java
@@ -42,6 +42,7 @@ public void testEmptyRecord()
         assertThat(record.getOperation()).isEmpty();
         assertThat(record.getNakedOperation()).isEmpty();
         assertThat(record.getTimestamp()).isEmpty();
+        assertThat(record.getSubject()).isEmpty();
     }
 
     @Test
@@ -57,6 +58,7 @@ public void testFullRecord() throws UnknownHostException
                                                     .withOperation("insert into user (name) values (?)['Bob']")
                                                     .withNakedOperation("insert into user (name) values (?)")
                                                     .withTimestamp(123456789L)
+                                                    .withSubject("subject")
                                                     .build();
 
         assertThat(record.getClientAddress()).contains(InetAddress.getByName("1.2.3.4"));
@@ -68,5 +70,6 @@ public void testFullRecord() throws UnknownHostException
         assertThat(record.getOperation()).contains("insert into user (name) values (?)['Bob']");
         assertThat(record.getNakedOperation()).contains("insert into user (name) values (?)");
         assertThat(record.getTimestamp()).contains(123456789L);
+        assertThat(record.getSubject()).contains("subject");
     }
 }
diff --git a/common/src/test/resources/q2/20200318.cq4 b/common/src/test/resources/q2/20200318.cq4
new file mode 100644
index 00000000..e85abfa8
Binary files /dev/null and b/common/src/test/resources/q2/20200318.cq4 differ
diff --git a/common/src/test/resources/q2/directory-listing.cq4t b/common/src/test/resources/q2/directory-listing.cq4t
new file mode 100644
index 00000000..5bb89a97
Binary files /dev/null and b/common/src/test/resources/q2/directory-listing.cq4t differ
diff --git a/conf/audit.yaml b/conf/audit.yaml
index 0caed781..edd17c87 100644
--- a/conf/audit.yaml
+++ b/conf/audit.yaml
@@ -18,6 +18,15 @@
 # This configuration file will be automatically picked up by ecAudit if it is placed in the Cassandra configuration
 # directory.
 
+# The authenticator backend where WrappingAuditAuthenticator delegate authentication requests.
+#
+# The value must represent a class name implementing the IAuditAuthenticator interface. This can be either:
+# - com.ericsson.bss.cassandra.ecaudit.auth.AuditPasswordAuthenticator, provided by ecAudit
+# - a custom implementation of IAuditAuthenticator
+#
+# By default ecAudit delegates to the AuditPasswordAuthenticator.
+wrapped_authenticator: com.ericsson.bss.cassandra.ecaudit.auth.AuditPasswordAuthenticator
+
 
 # The authorizer backend where the AuditAuthorizer delegate authorization requests.
 #
diff --git a/doc/setup.md b/doc/setup.md
index 3e389500..284e6907 100644
--- a/doc/setup.md
+++ b/doc/setup.md
@@ -28,6 +28,12 @@ Read on below to learn how to tune the logger backend and manage audit whitelist
 
 In the [audit.yaml reference](audit_yaml_reference.md) you'll find more details about different options.
 
+### Wrapped Authenticator Backend
+
+The ecAudit plug-in supports wrapping ```authenticators``` implementing the ```IAuditAuthenticator``` interface, using
+the ```wrapped_authenticator``` setting in the ```audit.yaml``` file together with setting the authenticator as ```WrappingAuditAuthenticator``` in the ```cassandra.yaml```.
+This is useful if requiring a non-default (i.e. not ```PasswordAuthenticator```) implementation of an authenticator but still want authentication logs.
+If omitting the ```wrapped_autenticator``` setting when using ```WrappingAuditAuthenticator```, then the plug-in will fall back to using the default ```AuditPasswordAuthenticator```.
 
 ### Wrapped Authorizer Backend
 
diff --git a/ecaudit/src/main/java/com/ericsson/bss/cassandra/ecaudit/AuditAdapter.java b/ecaudit/src/main/java/com/ericsson/bss/cassandra/ecaudit/AuditAdapter.java
index c2274944..d2a78ed0 100644
--- a/ecaudit/src/main/java/com/ericsson/bss/cassandra/ecaudit/AuditAdapter.java
+++ b/ecaudit/src/main/java/com/ericsson/bss/cassandra/ecaudit/AuditAdapter.java
@@ -183,12 +183,27 @@ public void auditBatch(BatchStatement statement, UUID uuid, ClientState state, B
      * @throws AuthenticationException if the audit operation could not be performed
      */
     public void auditAuth(String username, Status status, long timestamp) throws AuthenticationException
+    {
+        auditAuth(username, null, status, timestamp);
+    }
+
+    /**
+     * Audit an authentication attempt with a subject.
+     *
+     * @param userName  the user to authenticate
+     * @param subject   the subject to authenticate
+     * @param status    the status of the operation
+     * @param timestamp the system timestamp for the request
+     * @throws AuthenticationException if the audit operation could not be performed
+     */
+    public void auditAuth(String userName, String subject, Status status, long timestamp)
     {
         if (auditor.shouldLogForStatus(status))
         {
             AuditEntry logEntry = entryBuilderFactory.createAuthenticationEntryBuilder()
                                                      .coordinator(FBUtilities.getBroadcastAddress())
-                                                     .user(username)
+                                                     .user(userName)
+                                                     .subject(subject)
                                                      .status(status)
                                                      .operation(statusToAuthenticationOperation(status))
                                                      .timestamp(timestamp)
diff --git a/ecaudit/src/main/java/com/ericsson/bss/cassandra/ecaudit/auth/AuditPasswordAuthenticator.java b/ecaudit/src/main/java/com/ericsson/bss/cassandra/ecaudit/auth/AuditPasswordAuthenticator.java
index a58962ee..27676094 100644
--- a/ecaudit/src/main/java/com/ericsson/bss/cassandra/ecaudit/auth/AuditPasswordAuthenticator.java
+++ b/ecaudit/src/main/java/com/ericsson/bss/cassandra/ecaudit/auth/AuditPasswordAuthenticator.java
@@ -21,6 +21,7 @@
 import java.util.Set;
 
 import com.google.common.annotations.VisibleForTesting;
+import com.google.common.collect.ImmutableSet;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -29,14 +30,16 @@
 import org.apache.cassandra.auth.AuthenticatedUser;
 import org.apache.cassandra.auth.IAuthenticator;
 import org.apache.cassandra.auth.IResource;
+import org.apache.cassandra.auth.IRoleManager;
 import org.apache.cassandra.auth.PasswordAuthenticator;
+import org.apache.cassandra.config.DatabaseDescriptor;
 import org.apache.cassandra.exceptions.AuthenticationException;
 import org.apache.cassandra.exceptions.ConfigurationException;
 
 /**
  * A decorator of {@link PasswordAuthenticator} with added audit logging.
  */
-public class AuditPasswordAuthenticator implements IAuthenticator
+public class AuditPasswordAuthenticator implements IAuditAuthenticator
 {
     private static final Logger LOG = LoggerFactory.getLogger(AuditPasswordAuthenticator.class);
 
@@ -89,8 +92,32 @@ public void setup()
     @Override
     public SaslNegotiator newSaslNegotiator()
     {
+        return newAuditSaslNegotiator();
+    }
+
+    @Override
+    public AuditSaslNegotiator newAuditSaslNegotiator()
+    {
+        // For BWC, check if being wrapped. If not, log authentication attempts as normal.
+        // If being wrapped, i.e. not used standalone, let the wrapper do the authentication
+        // logging for us (disable logging)
+        IAuthenticator authenticator = DatabaseDescriptor.getAuthenticator();
+        boolean disableLogging = authenticator instanceof WrappingAuditAuthenticator;
+
         LOG.debug("Setting up SASL negotiation with client peer");
-        return new AuditPlainTextSaslAuthenticator(wrappedAuthenticator.newSaslNegotiator());
+        return new AuditPlainTextSaslAuthenticator(wrappedAuthenticator.newSaslNegotiator(), disableLogging);
+    }
+
+    @Override
+    public Set<IRoleManager.Option> supportedOptions()
+    {
+        return ImmutableSet.of(IRoleManager.Option.LOGIN, IRoleManager.Option.SUPERUSER, IRoleManager.Option.PASSWORD, IRoleManager.Option.OPTIONS);
+    }
+
+    @Override
+    public Set<IRoleManager.Option> alterableOptions()
+    {
+        return  ImmutableSet.of(IRoleManager.Option.PASSWORD, IRoleManager.Option.OPTIONS);
     }
 
     @Override
@@ -99,15 +126,17 @@ public AuthenticatedUser legacyAuthenticate(Map<String, String> credentials) thr
         return wrappedAuthenticator.legacyAuthenticate(credentials);
     }
 
-    private class AuditPlainTextSaslAuthenticator implements SaslNegotiator
+    private class AuditPlainTextSaslAuthenticator implements AuditSaslNegotiator
     {
         private final SaslNegotiator saslNegotiator;
 
         private String decodedUsername;
+        private final boolean disableLogging;
 
-        AuditPlainTextSaslAuthenticator(SaslNegotiator saslNegotiator)
+        AuditPlainTextSaslAuthenticator(SaslNegotiator saslNegotiator, boolean disableLogging)
         {
             this.saslNegotiator = saslNegotiator;
+            this.disableLogging = disableLogging;
         }
 
         @Override
@@ -126,6 +155,13 @@ public boolean isComplete()
         @Override
         public AuthenticatedUser getAuthenticatedUser() throws AuthenticationException
         {
+            // If wrapped by the WrappingAuditAuthenticator just try to authenticate without logging
+            // since the wrapper will log for us
+            if (disableLogging)
+            {
+                return saslNegotiator.getAuthenticatedUser();
+            }
+
             long timestamp = System.currentTimeMillis();
             auditAdapter.auditAuth(decodedUsername, Status.ATTEMPT, timestamp);
             try
@@ -141,6 +177,12 @@ public AuthenticatedUser getAuthenticatedUser() throws AuthenticationException
             }
         }
 
+        @Override
+        public String getUser()
+        {
+            return decodedUsername;
+        }
+
         /**
          * Decoded the credentials so that we know what username was used in the authentication attempt.
          *
diff --git a/ecaudit/src/main/java/com/ericsson/bss/cassandra/ecaudit/auth/AuditRoleManager.java b/ecaudit/src/main/java/com/ericsson/bss/cassandra/ecaudit/auth/AuditRoleManager.java
index 0fae9708..926f3298 100644
--- a/ecaudit/src/main/java/com/ericsson/bss/cassandra/ecaudit/auth/AuditRoleManager.java
+++ b/ecaudit/src/main/java/com/ericsson/bss/cassandra/ecaudit/auth/AuditRoleManager.java
@@ -28,8 +28,10 @@
 import org.apache.cassandra.auth.AuthenticatedUser;
 import org.apache.cassandra.auth.CassandraRoleManager;
 import org.apache.cassandra.auth.DataResource;
+import org.apache.cassandra.auth.IAuthenticator;
 import org.apache.cassandra.auth.IResource;
 import org.apache.cassandra.auth.IRoleManager;
+import org.apache.cassandra.auth.PasswordAuthenticator;
 import org.apache.cassandra.auth.RoleOptions;
 import org.apache.cassandra.auth.RoleResource;
 import org.apache.cassandra.config.DatabaseDescriptor;
@@ -68,11 +70,11 @@ public AuditRoleManager()
     {
         this(new CassandraRoleManager(),
              new AuditWhitelistManager(),
-             DatabaseDescriptor.getAuthenticator() instanceof AuditPasswordAuthenticator);
+             DatabaseDescriptor.getAuthenticator());
     }
 
     @VisibleForTesting
-    AuditRoleManager(IRoleManager wrappedRoleManager, AuditWhitelistManager whitelistManager, boolean hasAuditPasswordAuthenticator)
+    AuditRoleManager(IRoleManager wrappedRoleManager, AuditWhitelistManager whitelistManager, IAuthenticator authenticator)
     {
         LOG.info("Auditing enabled on role manager");
 
@@ -80,12 +82,22 @@ public AuditRoleManager()
         this.whitelistManager = whitelistManager;
         permissionChecker = new PermissionChecker();
 
-        supportedOptions = hasAuditPasswordAuthenticator
-                           ? ImmutableSet.of(Option.LOGIN, Option.SUPERUSER, Option.PASSWORD, Option.OPTIONS)
-                           : ImmutableSet.of(Option.LOGIN, Option.SUPERUSER);
-        alterableOptions = hasAuditPasswordAuthenticator
-                           ? ImmutableSet.of(Option.PASSWORD, Option.OPTIONS)
-                           : ImmutableSet.of();
+        if (authenticator instanceof IOptionsProvider)
+        {
+            IOptionsProvider optionsProvider = (IOptionsProvider) authenticator;
+            supportedOptions = optionsProvider.supportedOptions();
+            alterableOptions = optionsProvider.alterableOptions();
+        }
+        else
+        {
+            // To be compatible with CassandraRoleManager options
+            supportedOptions = authenticator.getClass() == PasswordAuthenticator.class
+                               ? ImmutableSet.of(Option.LOGIN, Option.SUPERUSER, Option.PASSWORD)
+                               : ImmutableSet.of(Option.LOGIN, Option.SUPERUSER);
+            alterableOptions = authenticator.getClass().equals(PasswordAuthenticator.class)
+                               ? ImmutableSet.of(Option.PASSWORD)
+                               : ImmutableSet.<Option>of();
+        }
     }
 
     @Override
diff --git a/ecaudit/src/main/java/com/ericsson/bss/cassandra/ecaudit/auth/IAuditAuthenticator.java b/ecaudit/src/main/java/com/ericsson/bss/cassandra/ecaudit/auth/IAuditAuthenticator.java
new file mode 100644
index 00000000..44112d78
--- /dev/null
+++ b/ecaudit/src/main/java/com/ericsson/bss/cassandra/ecaudit/auth/IAuditAuthenticator.java
@@ -0,0 +1,64 @@
+/*
+ * Copyright 2020 Telefonaktiebolaget LM Ericsson
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.ericsson.bss.cassandra.ecaudit.auth;
+
+import java.util.Optional;
+
+import org.apache.cassandra.auth.IAuthenticator;
+
+/**
+ * An {@link IAuthenticator} that provide custom fields to be used during authentication auditing.
+ */
+public interface IAuditAuthenticator extends IAuthenticator, IOptionsProvider
+{
+    /**
+     * Returns an <em>audited</em> {@link AuditSaslNegotiator SaslNegotiator}.
+     * <p>
+     * Note: Implementations should probably use this method when {@link IAuthenticator#newSaslNegotiator()} is called.
+     *
+     * @return an instance of an {@link AuditSaslNegotiator}
+     */
+    AuditSaslNegotiator newAuditSaslNegotiator();
+
+
+    /**
+     * An <em>audited</em> implementation of {@link org.apache.cassandra.auth.IAuthenticator.SaslNegotiator}
+     * that may optionally return additional fields to be used for auditing authentication attempts.
+     */
+    interface AuditSaslNegotiator extends SaslNegotiator
+    {
+        /**
+         * Get the user used in the authentication attempt.
+         * <p>
+         * This method should only be called if {@link SaslNegotiator#isComplete()} returns true.
+         *
+         * @return the name of the user.
+         */
+        String getUser();
+
+        /**
+         * Get the <em>subject</em> of the authentication attempt, if applicable.
+         * <p>
+         * This method should only be called if {@link SaslNegotiator#isComplete()} returns true.
+         *
+         * @return the subject, if applicable
+         */
+        default Optional<String> getSubject()
+        {
+            return Optional.empty();
+        }
+    }
+}
diff --git a/ecaudit/src/main/java/com/ericsson/bss/cassandra/ecaudit/auth/IOptionsProvider.java b/ecaudit/src/main/java/com/ericsson/bss/cassandra/ecaudit/auth/IOptionsProvider.java
new file mode 100644
index 00000000..3840579e
--- /dev/null
+++ b/ecaudit/src/main/java/com/ericsson/bss/cassandra/ecaudit/auth/IOptionsProvider.java
@@ -0,0 +1,41 @@
+/*
+ * Copyright 2020 Telefonaktiebolaget LM Ericsson
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.ericsson.bss.cassandra.ecaudit.auth;
+
+import java.util.Set;
+
+import org.apache.cassandra.auth.IRoleManager;
+
+/**
+ * Provides {@link IRoleManager options} for use by {@link AuditRoleManager} when getting options.
+ */
+public interface IOptionsProvider
+{
+    /**
+     * Returns a set of supported options relevant to this authenticator.
+     * @return the options, empty if not applicable
+     * @see IRoleManager#supportedOptions()
+     */
+    Set<IRoleManager.Option> supportedOptions();
+
+    /**
+     * Returns a set of alterable options relevant to this authenticator.
+     * @return the options, empty if not applicable
+     * @see IRoleManager#alterableOptions()
+     */
+    Set<IRoleManager.Option> alterableOptions();
+}
diff --git a/ecaudit/src/main/java/com/ericsson/bss/cassandra/ecaudit/auth/WrappingAuditAuthenticator.java b/ecaudit/src/main/java/com/ericsson/bss/cassandra/ecaudit/auth/WrappingAuditAuthenticator.java
new file mode 100644
index 00000000..0e68c3b3
--- /dev/null
+++ b/ecaudit/src/main/java/com/ericsson/bss/cassandra/ecaudit/auth/WrappingAuditAuthenticator.java
@@ -0,0 +1,177 @@
+/*
+ * Copyright 2020 Telefonaktiebolaget LM Ericsson
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.ericsson.bss.cassandra.ecaudit.auth;
+
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Optional;
+import java.util.Set;
+
+import com.google.common.annotations.VisibleForTesting;
+
+import com.ericsson.bss.cassandra.ecaudit.AuditAdapter;
+import com.ericsson.bss.cassandra.ecaudit.common.record.Status;
+import com.ericsson.bss.cassandra.ecaudit.config.AuditConfig;
+import org.apache.cassandra.auth.AuthenticatedUser;
+import org.apache.cassandra.auth.IAuthenticator;
+import org.apache.cassandra.auth.IResource;
+import org.apache.cassandra.auth.IRoleManager;
+import org.apache.cassandra.exceptions.AuthenticationException;
+import org.apache.cassandra.exceptions.ConfigurationException;
+import org.apache.cassandra.utils.FBUtilities;
+
+public class WrappingAuditAuthenticator implements IAuthenticator, IOptionsProvider
+{
+    private final IAuditAuthenticator wrappedAuthenticator;
+    private final AuditAdapter auditAdapter;
+
+    /**
+     * Default constructor called by Cassandra.
+     * <p>
+     * This creates an instance of {@link WrappingAuditAuthenticator} with the default {@link AuditAdapter}
+     * and gets an {@link IAuditAuthenticator} from configuration (or the default one).
+     */
+    public WrappingAuditAuthenticator()
+    {
+        this(newWrappedAuthenticator(AuditConfig.getInstance()), AuditAdapter.getInstance());
+    }
+
+    @VisibleForTesting
+    WrappingAuditAuthenticator(IAuditAuthenticator wrappedAuthenticator, AuditAdapter auditAdapter)
+    {
+        this.wrappedAuthenticator = wrappedAuthenticator;
+        this.auditAdapter = auditAdapter;
+    }
+
+    @VisibleForTesting
+    static IAuditAuthenticator newWrappedAuthenticator(AuditConfig auditConfig)
+    {
+        String className = auditConfig.getWrappedAuthenticator();
+        return FBUtilities.construct(className, "authenticator");
+    }
+
+    @Override
+    public boolean requireAuthentication()
+    {
+        return wrappedAuthenticator.requireAuthentication();
+    }
+
+    @Override
+    public Set<? extends IResource> protectedResources()
+    {
+        return wrappedAuthenticator.protectedResources();
+    }
+
+    @Override
+    public void validateConfiguration() throws ConfigurationException
+    {
+        wrappedAuthenticator.validateConfiguration();
+    }
+
+    @Override
+    public void setup()
+    {
+        wrappedAuthenticator.setup();
+    }
+
+    @Override
+    public IAuthenticator.SaslNegotiator newSaslNegotiator()
+    {
+        return new AuditingSaslNegotiator(wrappedAuthenticator.newAuditSaslNegotiator());
+    }
+
+    @Override
+    public AuthenticatedUser legacyAuthenticate(Map<String, String> credentials) throws AuthenticationException
+    {
+        return wrappedAuthenticator.legacyAuthenticate(credentials);
+    }
+
+    @Override
+    public Set<IRoleManager.Option> supportedOptions()
+    {
+        Set<IRoleManager.Option> supportedOptions = new HashSet<>(wrappedAuthenticator.supportedOptions());
+        supportedOptions.add(IRoleManager.Option.OPTIONS);
+        return Collections.unmodifiableSet(supportedOptions);
+    }
+
+    @Override
+    public Set<IRoleManager.Option> alterableOptions()
+    {
+        Set<IRoleManager.Option> alterableOptions = new HashSet<>(wrappedAuthenticator.alterableOptions());
+        alterableOptions.add(IRoleManager.Option.OPTIONS);
+        return Collections.unmodifiableSet(alterableOptions);
+    }
+
+    /**
+     * Implements a {@link org.apache.cassandra.auth.IAuthenticator.SaslNegotiator} that performs auditing on
+     * login attempts.
+     */
+    private class AuditingSaslNegotiator implements SaslNegotiator
+    {
+        private final IAuditAuthenticator.AuditSaslNegotiator auditSaslNegotiator;
+
+        public AuditingSaslNegotiator(IAuditAuthenticator.AuditSaslNegotiator auditSaslNegotiator)
+        {
+            this.auditSaslNegotiator = auditSaslNegotiator;
+        }
+
+        @Override
+        public byte[] evaluateResponse(byte[] clientResponse) throws AuthenticationException
+        {
+            return auditSaslNegotiator.evaluateResponse(clientResponse);
+        }
+
+        @Override
+        public boolean isComplete()
+        {
+            return auditSaslNegotiator.isComplete();
+        }
+
+        @Override
+        public AuthenticatedUser getAuthenticatedUser() throws AuthenticationException
+        {
+            String userName = auditSaslNegotiator.getUser();
+
+            long timestamp = System.currentTimeMillis();
+            auditAuth(userName, Status.ATTEMPT, timestamp);
+            try
+            {
+                AuthenticatedUser result = auditSaslNegotiator.getAuthenticatedUser();
+                auditAuth(userName, Status.SUCCEEDED, timestamp);
+                return result;
+            }
+            catch (RuntimeException e)
+            {
+                auditAuth(userName, Status.FAILED, timestamp);
+                throw e;
+            }
+        }
+
+        private void auditAuth(String userName, Status status, long timestamp)
+        {
+            Optional<String> subject = auditSaslNegotiator.getSubject();
+            if (subject.isPresent())
+            {
+                auditAdapter.auditAuth(userName, subject.get(), status, timestamp);
+            }
+            else
+            {
+                auditAdapter.auditAuth(userName, status, timestamp);
+            }
+        }
+    }
+}
diff --git a/ecaudit/src/main/java/com/ericsson/bss/cassandra/ecaudit/config/AuditConfig.java b/ecaudit/src/main/java/com/ericsson/bss/cassandra/ecaudit/config/AuditConfig.java
index 5544e443..4001245f 100644
--- a/ecaudit/src/main/java/com/ericsson/bss/cassandra/ecaudit/config/AuditConfig.java
+++ b/ecaudit/src/main/java/com/ericsson/bss/cassandra/ecaudit/config/AuditConfig.java
@@ -71,6 +71,13 @@ public String getWrappedAuthorizer()
         return yamlConfig.getWrappedAuthorizer();
     }
 
+    public String getWrappedAuthenticator()
+    {
+        loadConfigIfNeeded();
+
+        return yamlConfig.getWrappedAuthenticator();
+    }
+
     public String getBoundValueSuppressor()
     {
         loadConfigIfNeeded();
diff --git a/ecaudit/src/main/java/com/ericsson/bss/cassandra/ecaudit/config/AuditYamlConfig.java b/ecaudit/src/main/java/com/ericsson/bss/cassandra/ecaudit/config/AuditYamlConfig.java
index a984f341..fd4e8987 100644
--- a/ecaudit/src/main/java/com/ericsson/bss/cassandra/ecaudit/config/AuditYamlConfig.java
+++ b/ecaudit/src/main/java/com/ericsson/bss/cassandra/ecaudit/config/AuditYamlConfig.java
@@ -20,6 +20,7 @@
 import java.util.Map;
 import java.util.stream.Collectors;
 
+import com.ericsson.bss.cassandra.ecaudit.auth.AuditPasswordAuthenticator;
 import com.ericsson.bss.cassandra.ecaudit.entry.suppressor.SuppressNothing;
 import com.ericsson.bss.cassandra.ecaudit.logger.Slf4jAuditLogger;
 import org.apache.cassandra.config.DatabaseDescriptor;
@@ -34,6 +35,7 @@ public final class AuditYamlConfig
     private static final List<String> DEFAULT_WHITELIST = Collections.emptyList();
     private static final ParameterizedClass DEFAULT_LOGGER_BACKEND = new ParameterizedClass(Slf4jAuditLogger.class.getCanonicalName(), Collections.emptyMap());
     private static final String DEFAULT_WRAPPED_AUTHORIZER = "org.apache.cassandra.auth.CassandraAuthorizer";
+    private static final String DEFAULT_WRAPPED_AUTHENTICATOR = AuditPasswordAuthenticator.class.getName();
     private static final String DEFAULT_BOUND_VALUE_SUPPRESSOR = SuppressNothing.class.getName();
 
     private boolean fromFile = true;
@@ -44,6 +46,7 @@ public final class AuditYamlConfig
     public ParameterizedClass logger_backend;
     public LoggerTiming log_timing_strategy;
     public String wrapped_authorizer;
+    public String wrapped_authenticator;
     public String bound_value_suppressor;
     public Integer whitelist_cache_validity_in_ms;
     public Integer whitelist_cache_update_interval_in_ms;
@@ -108,6 +111,11 @@ String getWrappedAuthorizer()
         return wrapped_authorizer == null ? DEFAULT_WRAPPED_AUTHORIZER : wrapped_authorizer;
     }
 
+    String getWrappedAuthenticator()
+    {
+        return wrapped_authenticator == null ? DEFAULT_WRAPPED_AUTHENTICATOR : wrapped_authenticator;
+    }
+
     String getBoundValueSuppressor()
     {
         return bound_value_suppressor == null ? DEFAULT_BOUND_VALUE_SUPPRESSOR : bound_value_suppressor;
diff --git a/ecaudit/src/main/java/com/ericsson/bss/cassandra/ecaudit/entry/AuditEntry.java b/ecaudit/src/main/java/com/ericsson/bss/cassandra/ecaudit/entry/AuditEntry.java
index e0dec7fb..06deb41e 100644
--- a/ecaudit/src/main/java/com/ericsson/bss/cassandra/ecaudit/entry/AuditEntry.java
+++ b/ecaudit/src/main/java/com/ericsson/bss/cassandra/ecaudit/entry/AuditEntry.java
@@ -45,6 +45,7 @@ public class AuditEntry implements AuditRecord
     private final UUID batchId;
     private final Status status;
     private final Long timestamp;
+    private final String subject;
 
     /**
      * @see #newBuilder()
@@ -60,6 +61,7 @@ private AuditEntry(Builder builder)
         this.batchId = builder.batchId;
         this.status = builder.status;
         this.timestamp = builder.timestamp;
+        this.subject = builder.subject;
     }
 
     @Override
@@ -137,6 +139,12 @@ public Long getTimestamp()
         return timestamp;
     }
 
+    @Override
+    public Optional<String> getSubject()
+    {
+        return Optional.ofNullable(subject);
+    }
+
     /**
      * Create a new {@link Builder} instance.
      *
@@ -161,6 +169,7 @@ public static class Builder
         private UUID batchId;
         private Status status;
         private Long timestamp;
+        private String subject;
 
         public Builder client(InetSocketAddress address)
         {
@@ -216,6 +225,12 @@ public Builder user(String user)
             return this;
         }
 
+        public Builder subject(String subject)
+        {
+            this.subject = subject;
+            return this;
+        }
+
         /**
          * Set the optional batch identifier.
          *
@@ -257,6 +272,7 @@ public Builder basedOn(AuditEntry entry)
             this.batchId = entry.getBatchId().orElse(null);
             this.status = entry.getStatus();
             this.timestamp = entry.getTimestamp();
+            this.subject = entry.getSubject().orElse(null);
             return this;
         }
 
diff --git a/ecaudit/src/main/java/com/ericsson/bss/cassandra/ecaudit/logger/Slf4jAuditLogger.java b/ecaudit/src/main/java/com/ericsson/bss/cassandra/ecaudit/logger/Slf4jAuditLogger.java
index 26fda8db..66e91b4e 100644
--- a/ecaudit/src/main/java/com/ericsson/bss/cassandra/ecaudit/logger/Slf4jAuditLogger.java
+++ b/ecaudit/src/main/java/com/ericsson/bss/cassandra/ecaudit/logger/Slf4jAuditLogger.java
@@ -101,6 +101,7 @@ static Map<String, Function<AuditEntry, Object>> getAvailableFieldFunctionMap(Sl
                .put("OPERATION", entry -> entry.getOperation().getOperationString())
                .put("OPERATION_NAKED", entry -> entry.getOperation().getNakedOperationString())
                .put("TIMESTAMP", getTimeFunction(auditConfig))
+               .put("SUBJECT", entry -> entry.getSubject().orElse(null))
                .build();
     }
 
diff --git a/ecaudit/src/test/java/com/ericsson/bss/cassandra/ecaudit/TestAuditAdapter.java b/ecaudit/src/test/java/com/ericsson/bss/cassandra/ecaudit/TestAuditAdapter.java
index 9a4971e2..41d6fb2b 100644
--- a/ecaudit/src/test/java/com/ericsson/bss/cassandra/ecaudit/TestAuditAdapter.java
+++ b/ecaudit/src/test/java/com/ericsson/bss/cassandra/ecaudit/TestAuditAdapter.java
@@ -354,12 +354,13 @@ public void testProcessAuth()
         // Given
         String expectedOperation = "Authentication attempt";
         ConnectionResource resource = ConnectionResource.root();
+        String expectedSubject = "bob-the-subject";
 
         AuditEntry.Builder auditBuilder = AuditEntry.newBuilder().permissions(PERMISSIONS).resource(resource);
         when(mockAuditEntryBuilderFactory.createAuthenticationEntryBuilder()).thenReturn(auditBuilder);
 
         // When
-        auditAdapter.auditAuth(USER, Status.ATTEMPT, TIMESTAMP);
+        auditAdapter.auditAuth(USER, expectedSubject, Status.ATTEMPT, TIMESTAMP);
 
         // Then
         AuditEntry entry = getAuditEntry();
@@ -372,6 +373,7 @@ public void testProcessAuth()
         assertThat(entry.getPermissions()).isEqualTo(PERMISSIONS);
         assertThat(entry.getResource()).isEqualTo(resource);
         assertThat(entry.getTimestamp()).isEqualTo(TIMESTAMP);
+        assertThat(entry.getSubject()).isEqualTo(Optional.of(expectedSubject));
     }
 
     @Test
diff --git a/ecaudit/src/test/java/com/ericsson/bss/cassandra/ecaudit/auth/TestAuditRoleManager.java b/ecaudit/src/test/java/com/ericsson/bss/cassandra/ecaudit/auth/TestAuditRoleManager.java
index d366f1ac..18d16e3a 100644
--- a/ecaudit/src/test/java/com/ericsson/bss/cassandra/ecaudit/auth/TestAuditRoleManager.java
+++ b/ecaudit/src/test/java/com/ericsson/bss/cassandra/ecaudit/auth/TestAuditRoleManager.java
@@ -28,14 +28,18 @@
 import org.junit.Test;
 import org.junit.runner.RunWith;
 
+import com.ericsson.bss.cassandra.ecaudit.AuditAdapter;
 import com.ericsson.bss.cassandra.ecaudit.test.mode.ClientInitializer;
 import org.apache.cassandra.auth.AuthenticatedUser;
 import org.apache.cassandra.auth.DataResource;
+import org.apache.cassandra.auth.IAuthenticator;
 import org.apache.cassandra.auth.IResource;
 import org.apache.cassandra.auth.IRoleManager;
 import org.apache.cassandra.auth.RoleOptions;
 import org.apache.cassandra.auth.RoleResource;
+import org.mockito.InjectMocks;
 import org.mockito.Mock;
+import org.mockito.Spy;
 import org.mockito.junit.MockitoJUnitRunner;
 
 import static org.assertj.core.api.Assertions.assertThat;
@@ -58,6 +62,12 @@ public class TestAuditRoleManager
     @Mock
     private AuditWhitelistManager mockAuditWhitelistManager;
 
+    @Mock
+    private IAuthenticator mockRegularAuthenticator;
+
+    @Mock
+    private AuditAdapter mockAuditAdapter;
+
     @BeforeClass
     public static void beforeClass()
     {
@@ -67,7 +77,7 @@ public static void beforeClass()
     @Before
     public void before()
     {
-        auditRoleManager = new AuditRoleManager(mockWrappedRoleManager, mockAuditWhitelistManager, true);
+        auditRoleManager = new AuditRoleManager(mockWrappedRoleManager, mockAuditWhitelistManager, new AuditPasswordAuthenticator(mockRegularAuthenticator, mockAuditAdapter));
     }
 
     @After
@@ -103,7 +113,7 @@ public void testSupportedOptions()
     @Test
     public void testStandAloneSupportedOptions()
     {
-        AuditRoleManager standAloneAuditRoleManager = new AuditRoleManager(mockWrappedRoleManager, mockAuditWhitelistManager, false);
+        AuditRoleManager standAloneAuditRoleManager = new AuditRoleManager(mockWrappedRoleManager, mockAuditWhitelistManager, mockRegularAuthenticator);
 
         Set<IRoleManager.Option> options = standAloneAuditRoleManager.supportedOptions();
 
@@ -121,7 +131,7 @@ public void testAlterableOptions()
     @Test
     public void testStandAloneAlterableOptions()
     {
-        AuditRoleManager standAloneAuditRoleManager = new AuditRoleManager(mockWrappedRoleManager, mockAuditWhitelistManager, false);
+        AuditRoleManager standAloneAuditRoleManager = new AuditRoleManager(mockWrappedRoleManager, mockAuditWhitelistManager, mockRegularAuthenticator);
 
         Set<IRoleManager.Option> options = standAloneAuditRoleManager.alterableOptions();
 
diff --git a/ecaudit/src/test/java/com/ericsson/bss/cassandra/ecaudit/auth/TestWrappingAuditAuthenticator.java b/ecaudit/src/test/java/com/ericsson/bss/cassandra/ecaudit/auth/TestWrappingAuditAuthenticator.java
new file mode 100644
index 00000000..7b6b7a69
--- /dev/null
+++ b/ecaudit/src/test/java/com/ericsson/bss/cassandra/ecaudit/auth/TestWrappingAuditAuthenticator.java
@@ -0,0 +1,230 @@
+/*
+ * Copyright 2020 Telefonaktiebolaget LM Ericsson
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.ericsson.bss.cassandra.ecaudit.auth;
+
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Optional;
+import java.util.Set;
+
+import com.google.common.collect.ImmutableSet;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import com.ericsson.bss.cassandra.ecaudit.AuditAdapter;
+import com.ericsson.bss.cassandra.ecaudit.common.record.Status;
+import com.ericsson.bss.cassandra.ecaudit.config.AuditConfig;
+import com.ericsson.bss.cassandra.ecaudit.test.mode.ClientInitializer;
+import org.apache.cassandra.auth.AuthenticatedUser;
+import org.apache.cassandra.auth.IAuthenticator;
+import org.apache.cassandra.auth.IResource;
+import org.apache.cassandra.auth.IRoleManager;
+import org.apache.cassandra.exceptions.AuthenticationException;
+import org.mockito.ArgumentCaptor;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.junit.MockitoJUnitRunner;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
+import static org.junit.Assert.fail;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyLong;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyNoMoreInteractions;
+import static org.mockito.Mockito.verifyZeroInteractions;
+import static org.mockito.Mockito.when;
+
+@RunWith(MockitoJUnitRunner.StrictStubs.class)
+public class TestWrappingAuditAuthenticator
+{
+    @Mock
+    IAuditAuthenticator mockAuthenticator;
+
+    @Mock
+    AuditAdapter mockAuditAdapter;
+
+    @Mock
+    AuditConfig mockConfig;
+
+    @Mock
+    IAuditAuthenticator.AuditSaslNegotiator mockSaslNegotiator;
+
+    @InjectMocks
+    WrappingAuditAuthenticator authenticator;
+
+    @BeforeClass
+    public static void beforeClass()
+    {
+        ClientInitializer.beforeClass();
+    }
+
+    @Before
+    public void setup()
+    {
+        when(mockAuthenticator.newAuditSaslNegotiator()).thenReturn(mockSaslNegotiator);
+    }
+
+    @After
+    public void after()
+    {
+        verifyNoMoreInteractions(mockAuthenticator, mockAuditAdapter);
+    }
+
+    @AfterClass
+    public static void afterClass()
+    {
+        ClientInitializer.afterClass();
+    }
+
+    @Test
+    public void testSimpleWrappedMethodsAreDelegated()
+    {
+        authenticator.setup();
+        authenticator.validateConfiguration();
+
+        verify(mockAuthenticator, times(1)).setup();
+        verify(mockAuthenticator, times(1)).validateConfiguration();
+
+        IAuthenticator.SaslNegotiator negotiator = authenticator.newSaslNegotiator();
+        negotiator.evaluateResponse(new byte[]{});
+        negotiator.isComplete();
+
+        verify(mockSaslNegotiator, times(1)).evaluateResponse(eq(new byte[] {}));
+        verify(mockSaslNegotiator, times(1)).isComplete();
+    }
+
+    @Test
+    public void testProtectedResourcesAreProperlyDelegated()
+    {
+        Set<? extends IResource> expectedResources = ImmutableSet.of(mock(IResource.class));
+        when(mockAuthenticator.protectedResources()).thenReturn((Set)expectedResources);
+
+        Set<? extends IResource> actualResources = authenticator.protectedResources();
+        verify(mockAuthenticator, times(1)).protectedResources();
+        assertThat(actualResources).isEqualTo(expectedResources);
+    }
+
+    @Test
+    public void testLegacyAuthenticateIsDelegated()
+    {
+        Map<String, String> expectedCredentials = new HashMap<>();
+        expectedCredentials.put("user", "password");
+
+        AuthenticatedUser expectedUser = mock(AuthenticatedUser.class);
+        when(mockAuthenticator.legacyAuthenticate(eq(expectedCredentials))).thenReturn(expectedUser);
+
+        AuthenticatedUser actualUser = authenticator.legacyAuthenticate(expectedCredentials);
+
+        ArgumentCaptor<Map> captor = ArgumentCaptor.forClass(Map.class);
+        verify(mockAuthenticator, times(1)).legacyAuthenticate(captor.capture());
+
+        Map<String, String> actualCredentials = captor.getValue();
+        assertThat(actualCredentials).isEqualTo(expectedCredentials);
+        assertThat(expectedUser).isEqualTo(actualUser);
+    }
+
+    @Test
+    public void testDelegatedOptions()
+    {
+        Set<IRoleManager.Option> expectedAlterableOptions = ImmutableSet.of(IRoleManager.Option.OPTIONS, IRoleManager.Option.SUPERUSER);
+        Set<IRoleManager.Option> expectedSupportedOptions = ImmutableSet.of(IRoleManager.Option.OPTIONS, IRoleManager.Option.PASSWORD, IRoleManager.Option.LOGIN);
+
+        when(mockAuthenticator.alterableOptions()).thenReturn(expectedAlterableOptions);
+        when(mockAuthenticator.supportedOptions()).thenReturn(expectedSupportedOptions);
+
+        Set<IRoleManager.Option> actualAlterableOptions = authenticator.alterableOptions();
+        Set<IRoleManager.Option> actualSupportedOptions = authenticator.supportedOptions();
+
+        verify(mockAuthenticator, times(1)).alterableOptions();
+        verify(mockAuthenticator, times(1)).supportedOptions();
+
+        assertThat(actualAlterableOptions).isEqualTo(expectedAlterableOptions);
+        assertThat(actualSupportedOptions).isEqualTo(expectedSupportedOptions);
+    }
+
+    @Test
+    public void testRequireAuthenticationIsDelegated()
+    {
+        when(mockAuthenticator.requireAuthentication()).thenReturn(true);
+
+        assertThat(authenticator.requireAuthentication()).isTrue();
+        verify(mockAuthenticator, times(1)).requireAuthentication();
+    }
+
+    @Test
+    public void testWhenUserIsProvidedAuthenticationAttemptIsLogged()
+    {
+        AuthenticatedUser expected = mock(AuthenticatedUser.class);
+        when(mockSaslNegotiator.getAuthenticatedUser()).thenReturn(expected);
+        when(mockSaslNegotiator.getUser()).thenReturn("audited_user");
+
+        IAuthenticator.SaslNegotiator negotiator = authenticator.newSaslNegotiator();
+        AuthenticatedUser actual = negotiator.getAuthenticatedUser();
+
+        assertThat(actual).isSameAs(expected);
+        verify(mockAuditAdapter, times(1)).auditAuth(eq("audited_user"), eq(Status.ATTEMPT), anyLong());
+        verify(mockAuditAdapter, times(1)).auditAuth(eq("audited_user"), eq(Status.SUCCEEDED), anyLong());
+    }
+
+    @Test
+    public void testWhenAuthenticationFailsIsStillAudited()
+    {
+        when(mockSaslNegotiator.getUser()).thenReturn("audited_user");
+        when(mockSaslNegotiator.getAuthenticatedUser()).thenThrow(new AuthenticationException("audited_user"));
+
+        IAuthenticator.SaslNegotiator negotiator = authenticator.newSaslNegotiator();
+
+        assertThatExceptionOfType(AuthenticationException.class).isThrownBy(() -> negotiator.getAuthenticatedUser());
+        verify(mockAuditAdapter, times(1)).auditAuth(eq("audited_user"), eq(Status.ATTEMPT), anyLong());
+        verify(mockAuditAdapter, times(1)).auditAuth(eq("audited_user"), eq(Status.FAILED), anyLong());
+    }
+
+    @Test
+    public void testConstructFromAuditConfigWorksAsExpected()
+    {
+        String wrappedAuthenticatorName = AuditPasswordAuthenticator.class.getName();
+        when(mockConfig.getWrappedAuthenticator()).thenReturn(wrappedAuthenticatorName);
+
+        IAuditAuthenticator wrappedAuthenticator = WrappingAuditAuthenticator.newWrappedAuthenticator(mockConfig);
+        assertThat(wrappedAuthenticator).isInstanceOf(AuditPasswordAuthenticator.class);
+    }
+
+    @Test
+    public void testAuthWithSubject()
+    {
+        AuthenticatedUser expected = mock(AuthenticatedUser.class);
+        when(mockSaslNegotiator.getAuthenticatedUser()).thenReturn(expected);
+        when(mockSaslNegotiator.getUser()).thenReturn("audited_user");
+        when(mockSaslNegotiator.getSubject()).thenReturn(Optional.of("subject_user"));
+
+        IAuthenticator.SaslNegotiator negotiator = authenticator.newSaslNegotiator();
+        AuthenticatedUser actual = negotiator.getAuthenticatedUser();
+
+        assertThat(actual).isSameAs(expected);
+        verify(mockAuditAdapter, times(1)).auditAuth(eq("audited_user"), eq("subject_user"), eq(Status.ATTEMPT), anyLong());
+        verify(mockAuditAdapter, times(1)).auditAuth(eq("audited_user"), eq("subject_user"), eq(Status.SUCCEEDED), anyLong());
+    }
+}
diff --git a/ecaudit/src/test/java/com/ericsson/bss/cassandra/ecaudit/logger/TestChronicleAuditLogger.java b/ecaudit/src/test/java/com/ericsson/bss/cassandra/ecaudit/logger/TestChronicleAuditLogger.java
index 56ca76e7..4eae6eca 100644
--- a/ecaudit/src/test/java/com/ericsson/bss/cassandra/ecaudit/logger/TestChronicleAuditLogger.java
+++ b/ecaudit/src/test/java/com/ericsson/bss/cassandra/ecaudit/logger/TestChronicleAuditLogger.java
@@ -130,7 +130,7 @@ private void assertThatWireMatchRecord(AuditEntry expectedAuditEntry) throws Exc
         writeMarshallable.writeMarshallable(mockWire);
 
         verify(mockWire).write(eq("version"));
-        verify(mockValue).int16(eq((short) 1));
+        verify(mockValue).int16(eq((short) 2));
         verify(mockWire).write(eq("type"));
         verify(mockValue).text(eq("ecaudit"));
         verify(mockWire).write(eq("fields"));
@@ -144,7 +144,7 @@ private void assertThatWireMatchRecord(AuditEntry expectedAuditEntry) throws Exc
         {
             int bitmapWithoutBatch = FieldSelector.DEFAULT_FIELDS.withoutField(Field.BATCH_ID).getBitmap();
             verify(mockValue).int32(eq(bitmapWithoutBatch));
-        }
+        } 
 
         verify(mockWire).write(eq("timestamp"));
         verify(mockValue).int64(eq(expectedAuditEntry.getTimestamp()));
diff --git a/ecaudit/src/test/java/com/ericsson/bss/cassandra/ecaudit/logger/TestSlf4jAuditLogger.java b/ecaudit/src/test/java/com/ericsson/bss/cassandra/ecaudit/logger/TestSlf4jAuditLogger.java
index 26235383..ab5cd901 100644
--- a/ecaudit/src/test/java/com/ericsson/bss/cassandra/ecaudit/logger/TestSlf4jAuditLogger.java
+++ b/ecaudit/src/test/java/com/ericsson/bss/cassandra/ecaudit/logger/TestSlf4jAuditLogger.java
@@ -64,12 +64,14 @@ public class TestSlf4jAuditLogger
     private static final Status EXPECTED_STATUS = Status.ATTEMPT;
     private static final UUID EXPECTED_BATCH_ID = UUID.fromString("12345678-aaaa-bbbb-cccc-123456789abc");
     private static final Long EXPECTED_TIMESTAMP = 42L;
+    private static final String EXPECTED_SUBJECT = "the_subject";
     private static final String CUSTOM_LOGGER_NAME = "TEST_LOGGER";
     private static final Logger LOG = LoggerFactory.getLogger(CUSTOM_LOGGER_NAME);
 
     private static AuditEntry logEntryWithAll;
     private static AuditEntry logEntryWithoutBatch;
     private static AuditEntry logEntryWithoutClientPort;
+    private static AuditEntry logEntryWithoutSubject;
 
     @Mock
     private Appender<ILoggingEvent> mockAuditAppender;
@@ -92,6 +94,7 @@ public static void setup()
                                     .status(EXPECTED_STATUS)
                                     .timestamp(EXPECTED_TIMESTAMP)
                                     .batch(EXPECTED_BATCH_ID)
+                                    .subject(EXPECTED_SUBJECT)
                                     .build();
 
         logEntryWithoutBatch = AuditEntry.newBuilder()
@@ -103,6 +106,11 @@ public static void setup()
                                               .basedOn(logEntryWithAll)
                                               .client(new InetSocketAddress(EXPECTED_CLIENT_ADDRESS, 0))
                                               .build();
+
+        logEntryWithoutSubject = AuditEntry.newBuilder()
+                                         .basedOn(logEntryWithAll)
+                                         .subject(null)
+                                         .build();
     }
 
     @Before
@@ -150,6 +158,16 @@ public void testCustomLogFormat()
         .isEqualTo("User = user, Status = {ATTEMPT}, Query = insert into ks.tbl (key, val) values (?, ?)");
     }
 
+    @Test
+    public void testCustomLogFormatWithSubject()
+    {
+        Slf4jAuditLogger logger = loggerWithConfig("User = ${USER}, Status = {${STATUS}}, Subject = ${SUBJECT}");
+        logger.log(logEntryWithAll);
+
+        assertThat(getSlf4jLogMessage())
+        .isEqualTo("User = user, Status = {ATTEMPT}, Subject = the_subject");
+    }
+
     @Test
     public void testAnchorCharactersAreEscapedWhenUsedInLogFormat()
     {
@@ -165,7 +183,7 @@ public void testAvailableFieldFunctions()
     {
         Slf4jAuditLoggerConfig configMock = mock(Slf4jAuditLoggerConfig.class);
         Map<String, Function<AuditEntry, Object>> availableFieldFunctions = Slf4jAuditLogger.getAvailableFieldFunctionMap(configMock);
-        assertThat(availableFieldFunctions).containsOnlyKeys("CLIENT_IP", "CLIENT_PORT", "COORDINATOR_IP", "USER", "BATCH_ID", "STATUS", "OPERATION", "OPERATION_NAKED", "TIMESTAMP");
+        assertThat(availableFieldFunctions).containsOnlyKeys("CLIENT_IP", "CLIENT_PORT", "COORDINATOR_IP", "USER", "BATCH_ID", "STATUS", "OPERATION", "OPERATION_NAKED", "TIMESTAMP", "SUBJECT");
 
         Function<AuditEntry, Object> clientFunction = availableFieldFunctions.get("CLIENT_IP");
         assertThat(clientFunction.apply(logEntryWithAll)).isEqualTo(EXPECTED_CLIENT_ADDRESS);
@@ -195,6 +213,10 @@ public void testAvailableFieldFunctions()
 
         Function<AuditEntry, Object> timestampFunction = availableFieldFunctions.get("TIMESTAMP");
         assertThat(timestampFunction.apply(logEntryWithAll)).isEqualTo(EXPECTED_TIMESTAMP);
+
+        Function<AuditEntry, Object> subjectFunction = availableFieldFunctions.get("SUBJECT");
+        assertThat(subjectFunction.apply(logEntryWithAll)).isEqualTo(EXPECTED_SUBJECT);
+        assertThat(subjectFunction.apply(logEntryWithoutSubject)).isEqualTo(null); // Subject is not guaranteed to be in the log entry
     }
 
     @Test
diff --git a/integration-test-standard/src/test/resources/cassandra.yaml b/integration-test-standard/src/test/resources/cassandra.yaml
index f5c77b83..de78a4bf 100644
--- a/integration-test-standard/src/test/resources/cassandra.yaml
+++ b/integration-test-standard/src/test/resources/cassandra.yaml
@@ -63,7 +63,7 @@ batchlog_replay_throttle_in_kb: 1024
 #   users. It keeps usernames and hashed passwords in system_auth.credentials table.
 #   Please increase system_auth keyspace replication factor if you use this authenticator.
 #   If using PasswordAuthenticator, CassandraRoleManager must also be used (see below)
-authenticator: com.ericsson.bss.cassandra.ecaudit.auth.AuditPasswordAuthenticator
+authenticator: com.ericsson.bss.cassandra.ecaudit.auth.WrappingAuditAuthenticator
 
 # Authorization backend, implementing IAuthorizer; used to limit access/provide permissions
 # Out of the box, Cassandra provides org.apache.cassandra.auth.{AllowAllAuthorizer,
diff --git a/test-utils/src/main/java/com/ericsson/bss/cassandra/ecaudit/test/chronicle/RecordValues.java b/test-utils/src/main/java/com/ericsson/bss/cassandra/ecaudit/test/chronicle/RecordValues.java
index 0e03121d..a9b580e5 100644
--- a/test-utils/src/main/java/com/ericsson/bss/cassandra/ecaudit/test/chronicle/RecordValues.java
+++ b/test-utils/src/main/java/com/ericsson/bss/cassandra/ecaudit/test/chronicle/RecordValues.java
@@ -22,7 +22,7 @@
 @SuppressWarnings("PMD")
 public class RecordValues
 {
-    private short version = 1;
+    private short version = 2;
     private String type = "ecaudit";
     private long timestamp = 42;
     private byte[] clientAddress;
@@ -32,6 +32,7 @@ public class RecordValues
     private UUID batchId = null;
     private String status = "ATTEMPT";
     private String operation = "Some operation";
+    private String subject = null;
 
     private RecordValues() throws UnknownHostException
     {
@@ -80,6 +81,12 @@ public RecordValues butWithStatus(String status)
         return this;
     }
 
+    public RecordValues butWithSubject(String subject)
+    {
+        this.subject = subject;
+        return this;
+    }
+
     public short getVersion()
     {
         return version;
@@ -129,4 +136,9 @@ public String getOperation()
     {
         return operation;
     }
+
+    public String getSubject()
+    {
+        return subject;
+    }
 }