Publishing Audit Events
You can publish audit events to a Kafka topic or syslog.
A failure to send an event to Kafka or syslog is logged to the Audit Server log.
Continue reading:
Publishing Audit Events to Kafka
You can publish audit events to a Kafka topic. Kafka audit event publishing does not support authorization and Cloudera does not
recommend its use in production. To configure audit logging to a Kafka topic, do the following:
- Do one of the following:
- Select .
- On the Cloudera Management Service table, click the Cloudera Management Service link. tab, in
- Click the Configuration tab.
- Locate the Navigator Audit Server Logging Advanced Configuration Snippet property by typing its name in the Search box.
- Enter:
log4j.logger.kafkaAuditStream=TRACE,KAFKA log4j.appender.KAFKA=kafka.producer.KafkaLog4jAppender log4j.additivity.com.cloudera.navigator.kafkaAuditStream=false log4j.appender.KAFKA.layout=org.apache.log4j.PatternLayout log4j.appender.KAFKA.layout.ConversionPattern=%m%n log4j.appender.KAFKA.SyncSend=false log4j.appender.KAFKA.BrokerList=broker_host:broker_port log4j.appender.KAFKA.Topic=NavigatorAuditEvents
Where broker_host and broker_port are the host and port of the Kafka service. - Click Save Changes to commit the changes.
- Restart the role.
Publishing Audit Events to Syslog
The Audit Server logs all audit records into a Log4j logger called auditStream. The log messages are logged at the TRACE level, with the attributes of the audit records. By default, the auditStream logger is inactive because the logger level is set to FATAL. It is also connected to a NullAppender, and does not forward to other appenders (additivity set to false).
To record the audit stream, configure the auditStream logger with the desired appender. For example, the standard SyslogAppender allows you to send the audit records to a remote syslog.
The Log4j SyslogAppender supports only UDP. An example syslog configuration would be:
It is also possible to attach other appenders to the auditStream to provide other integration behaviors.
$ModLoad imudp $UDPServerRun 514 # Accept everything (even DEBUG messages) local2.* /my/audit/trail.log
You can publish audit events to syslog in two formats: JSON and RSA EnVision. To configure audit logging to syslog, do the following:
- Do one of the following:
- Select .
- On the Cloudera Management Service table, click the Cloudera Management Service link. tab, in
- Click the Configuration tab.
- Locate the Navigator Audit Server Logging Advanced Configuration Snippet property by typing its name in the Search box.
- Depending on the format type, enter:
log4j.appender.SYSLOG = org.apache.log4j.net.SyslogAppender log4j.appender.SYSLOG.SyslogHost = hostname log4j.appender.SYSLOG.Facility = Local2 log4j.appender.SYSLOG.FacilityPrinting = true
To configure the specific stream type, enter:Format Property JSON log4j.logger.auditStream = TRACE,SYSLOG log4j.additivity.auditStream = false
RSA EnVision log4j.logger.auditStreamEnVision = TRACE,SYSLOG log4j.additivity.auditStreamEnVision = false
- Click Save Changes to commit the changes.
- Restart the role.
Example Log Messages
Format | Log Message Example |
---|---|
JSON |
Jul 23 11:05:15 hostname local2: {"type":"HDFS","allowed":"true","time":"1374602714758", "service":"HDFS-1", "user":"root","ip":"10.20.93.93","op":"mkdirs","src":"/audit/root","perms":"rwxr-xr-x"} |
RSA EnVision |
Cloudera|Navigator|1|type="Hive",allowed="false",time="1382551146763", service="HIVE-1",user="systest",impersonator="",ip="/10.20.190.185",op="QUERY", opText="select count(*) from sample_07",db="default",table="sample_07",path="/user/hive/warehouse/sample_07",objType="TABLE" |
Page generated July 8, 2016.
<< Configuring Service Auditing Properties | ©2016 Cloudera, Inc. All rights reserved | Cloudera Navigator Metadata Server >> |
Terms and Conditions Privacy Policy |