Explorer
Posts: 9
Registered: 04-29-2016
Accepted Solution

How to enable audit logging without Navigator

Hello, 

We have a 5.11 cluster installed for testing: 2 master nodes, 4 slave nodes, and 1 management node.

Now we want to enable the audit logging without using Navigator.


I have some questions here

1. We have CM installed, can I use log4j.properties to enable the audit logging?

    I read some posts like this:

    https://community.cloudera.com/t5/Cloudera-Manager-Installation/What-is-the-Path-of-hdfs-site-xml-co... It said that the actual configuration has a non-standard location. So my understanding is that no matter what I change in the configuration location (e.g. /etc/hadoop/conf/.....), it won't work, and I should use the snippet to do the configuration.


2. And I read another post here:

http://community.cloudera.com/t5/Cloudera-Manager-Installation/Audit-trail-for-HDFS-data-use/m-p/504... It looks like I can use log4j.properties to do the audit logging.


I am a little bit confused. How can I enable audit logging without Nav?


Thanks in advance!


Cloudera Employee
Posts: 39
Registered: 10-07-2016

Re: How to enable audit logging without Navigator

Hi There,


Thanks for reaching out on the community. I'm Josh, and I'll help address this for you.


1. log4j.properties:

CM is the central point of configuration for services, so the short answer is that you should adjust log4j settings using safety valves. Below is an engineering blog post with a good description of how CM works.
http://blog.cloudera.com/blog/2013/07/how-does-cloudera-manager-work/

When the CM agent for a host heartbeats to Cloudera Manager, Cloudera Manager sends back the processes that should be running, and the related config files, one of which is the log4j.properties for that service and role. From there, the CM agent makes a runtime directory for these config files and references those. For instance, the agent will make a directory like the one below for a NameNode role:

/var/run/cloudera-scm-agent/process/879-hdfs-NAMENODE/

This is why editing config files on the OS has no effect, and is not recommended.


2. Enabling audit logging:

To enable audit logging for a service without Navigator, you would want to set the appropriate log4j settings in the appropriate safety valve for that service. Let's use HDFS as an example. Cloudera Manager has a configuration property for HDFS labeled "NameNode Logging Advanced Configuration Snippet (Safety Valve)". This is the one you want to put your log4j settings in. Once you've put your settings in, it will insert those into the log4j.properties it sends over to the agent in heartbeats. The specifics for enabling vanilla Hadoop HDFS audit logging can be found below:

http://apprize.info/security/hadoop/7.html


Considering all of this info, bear in mind that Navigator takes care of all of this for you, as well as adding additional features. For instance, HDFS audit logs can be very bulky and cumbersome by themselves and include many operations that aren't very helpful from an auditing standpoint. Navigator is able to apply event filters to an audit log, store relevant audits, and index them for further searching. Therefore, I highly recommend enabling navigator when doing so becomes feasible.


Please let me know if you have any other questions.

Cheers
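For reference, here is what the log4j settings for vanilla HDFS audit logging look like. This is an added example and not text from the thread above or from Cloudera: the logger and appender names are the ones used in Apache Hadoop's stock log4j.properties (the `FSNamesystem.audit` logger and the `RFAAUDIT` rolling-file appender); `${hadoop.log.dir}` is the standard property that Hadoop's scripts set to the log directory, and the file size and backup counts are assumed values you would tune for your cluster. The first line is the stock default that sends audits to `NullAppender`, i.e. switched off; pasting the enabled block into the NameNode Logging Advanced Configuration Snippet (Safety Valve) overrides it.

```properties
# Stock Hadoop default: audit events are discarded.
# hdfs.audit.logger=INFO,NullAppender

# Enabled: route audit events to a dedicated rolling file.
hdfs.audit.logger=INFO,RFAAUDIT
# Assumed rotation values; size the history for your retention needs.
hdfs.audit.log.maxfilesize=256MB
hdfs.audit.log.maxbackupindex=20

# The NameNode writes audits through this logger; additivity=false keeps
# them out of the main NameNode log so the audit file stands alone.
log4j.logger.org.apache.hadoop.hdfs.server.namenode.FSNamesystem.audit=${hdfs.audit.logger}
log4j.additivity.org.apache.hadoop.hdfs.server.namenode.FSNamesystem.audit=false

log4j.appender.RFAAUDIT=org.apache.log4j.RollingFileAppender
log4j.appender.RFAAUDIT.File=${hadoop.log.dir}/hdfs-audit.log
log4j.appender.RFAAUDIT.layout=org.apache.log4j.PatternLayout
log4j.appender.RFAAUDIT.layout.ConversionPattern=%d{ISO8601} %p %c{2}: %m%n
log4j.appender.RFAAUDIT.MaxFileSize=${hdfs.audit.log.maxfilesize}
log4j.appender.RFAAUDIT.MaxBackupIndex=${hdfs.audit.log.maxbackupindex}
```

After saving the snippet and restarting the NameNode role, check the role's runtime directory under /var/run/cloudera-scm-agent/process/ to confirm the generated log4j.properties contains these lines, and watch for hdfs-audit.log appearing in the NameNode log directory.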
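To make the point about raw HDFS audit logs being bulky concrete, here is an added Python example (not from the thread or from Cloudera) that parses NameNode audit lines and applies the kind of event filter Navigator would apply for you. The sample lines are constructed; their layout follows the tab-separated `key=value` body that the `FSNamesystem.audit` logger writes under the `%d{ISO8601} %p %c{2}: %m%n` pattern. The set of commands treated as noise is an assumption chosen for illustration.

```python
"""Parse HDFS NameNode audit log lines and apply a simple event filter.

Added example; the sample lines below are constructed to match the
standard HDFS audit format, they are not captured from a real cluster.
"""
import re
from collections import Counter

# Constructed sample lines in the standard HDFS audit format.
SAMPLE_AUDIT_LOG = """\
2017-05-02 10:15:01,123 INFO FSNamesystem.audit: allowed=true\tugi=hdfs (auth:SIMPLE)\tip=/10.0.0.11\tcmd=getfileinfo\tsrc=/user/hive/warehouse\tdst=null\tperm=null\tproto=rpc
2017-05-02 10:15:01,200 INFO FSNamesystem.audit: allowed=true\tugi=hdfs (auth:SIMPLE)\tip=/10.0.0.11\tcmd=listStatus\tsrc=/user/hive/warehouse\tdst=null\tperm=null\tproto=rpc
2017-05-02 10:15:02,010 INFO FSNamesystem.audit: allowed=true\tugi=alice (auth:KERBEROS)\tip=/10.0.0.21\tcmd=open\tsrc=/data/finance/q1.csv\tdst=null\tperm=null\tproto=rpc
2017-05-02 10:15:03,500 INFO FSNamesystem.audit: allowed=false\tugi=bob (auth:KERBEROS)\tip=/10.0.0.22\tcmd=delete\tsrc=/data/finance/q1.csv\tdst=null\tperm=null\tproto=rpc
2017-05-02 10:15:04,700 INFO FSNamesystem.audit: allowed=true\tugi=alice (auth:KERBEROS)\tip=/10.0.0.21\tcmd=rename\tsrc=/data/finance/q1.csv\tdst=/tmp/q1.csv\tperm=alice:finance:rw-r-----\tproto=rpc
"""

# "<date> <time> <level> <logger>: <body>" as produced by the RFAAUDIT pattern.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>\w+) (?P<logger>\S+): (?P<body>.*)$")

# Assumed noise set: read-only metadata calls that dominate raw audit volume
# and are usually dropped by an event filter so that changes stand out.
NOISY_CMDS = {"getfileinfo", "listStatus", "contentSummary"}


def parse_audit_line(line):
    """Return a dict of fields for one audit line, or None if it is not one."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m or m.group("logger") != "FSNamesystem.audit":
        return None
    fields = {"timestamp": m.group("ts")}
    for kv in m.group("body").split("\t"):
        key, _, value = kv.partition("=")
        fields[key] = value
    # ugi looks like "alice (auth:KERBEROS)"; expose the bare user name too.
    fields["user"] = fields.get("ugi", "").split(" ")[0]
    return fields


def filter_events(text, keep_noisy=False):
    """Yield parsed events, dropping noisy read-only commands unless asked."""
    for line in text.splitlines():
        ev = parse_audit_line(line)
        if ev is None:
            continue
        if not keep_noisy and ev.get("cmd") in NOISY_CMDS:
            continue
        yield ev


def summarize(text):
    """Count kept events per command and collect denied operations."""
    counts = Counter()
    denied = []
    for ev in filter_events(text):
        counts[ev["cmd"]] += 1
        if ev.get("allowed") == "false":
            denied.append((ev["user"], ev["cmd"], ev["src"]))
    return counts, denied


if __name__ == "__main__":
    counts, denied = summarize(SAMPLE_AUDIT_LOG)
    print("events after filtering:", dict(counts))
    for user, cmd, src in denied:
        print(f"DENIED {cmd} on {src} by {user}")
```

Run against the five constructed lines, the two `getfileinfo`/`listStatus` calls are dropped and three events remain, including the denied `delete`, which is the kind of entry worth alerting on. The same parser can be pointed at a real hdfs-audit.log by replacing `SAMPLE_AUDIT_LOG` with the file contents.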


Explorer
Posts: 9
Registered: 04-29-2016

Re: How to enable audit logging without Navigator

Thank you so much Josh. It's really helpful!
