How to enable audit logging without Navigator

Explorer

Hello, 

We have a 5.11 cluster installed for testing: 2 master nodes, 4 slave nodes, and 1 management node.

Now we want to enable the audit logging without using Navigator.

I have some questions here:

1. We have CM installed; can I use log4j.properties to enable the audit logging?

    I read some posts like this:

    https://community.cloudera.com/t5/Cloudera-Manager-Installation/What-is-the-Path-of-hdfs-site-xml-co...  It said that the actual configuration has a non-standard location. So my understanding is that no matter what I change in the configuration location (e.g. /etc/hadoop/conf/.....), it won't work, and I should use the snippet to do the configuration.

 

 

2. And I read another post here:

http://community.cloudera.com/t5/Cloudera-Manager-Installation/Audit-trail-for-HDFS-data-use/m-p/504... It looks like I can use log4j.properties to do the audit logging.

I am a little bit confused: how can I enable audit logging without Nav?

 

Thanks in advance!

 

 

 

1 ACCEPTED SOLUTION

Expert Contributor

Hi There,

 

Thanks for reaching out on the community. I'm Josh, and I'll help address this for you.

 

  1. log4j.properties:

CM is the central point of configuration for services, so the short answer is that you should adjust log4j settings using safety valves. Below is an engineering blog post with a good description of how CM works.
http://blog.cloudera.com/blog/2013/07/how-does-cloudera-manager-work/

When a CM agent for a host heartbeats to Cloudera Manager, Cloudera Manager sends back the processes that should be running and the related config files, one of which is the log4j.properties, for that service and role. From here, the CM agent makes a runtime directory for these config files and references those. For instance, the agent will make a directory like the one below for a NameNode role:

/var/run/cloudera-scm-agent/process/879-hdfs-NAMENODE/

This is why editing config files on the OS has no effect, and is not recommended.

  2. Enabling audit logging:

To enable audit logging for a service without Navigator, you would want to set the appropriate log4j settings in the appropriate safety valve for that service. Let's use HDFS as an example. Cloudera Manager has a configuration property for HDFS labeled "NameNode Logging Advanced Configuration Snippet (Safety Valve)". This is the one you want to put your log4j settings in. Once you've put your settings in, it will insert those into the log4j.properties it sends over to the agent in heartbeats. The specifics for enabling vanilla Hadoop HDFS audit logging can be found below:

http://apprize.info/security/hadoop/7.html

 

Considering all of this info, bear in mind that Navigator takes care of all of this for you, as well as adding additional features. For instance, HDFS audit logs can be very bulky and cumbersome by themselves and include many operations that aren't very helpful from an auditing standpoint. Navigator is able to apply event filters to an audit log, store relevant audits, and index them for further searching. Therefore, I highly recommend enabling Navigator when doing so becomes feasible.

 

Please let me know if you have any other questions.

Cheers
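
A check for the point made in the answer above, that only the agent's run-time copy of log4j.properties counts: this is an added example, not part of the original posts or of Cloudera's tooling. The property names follow the stock Apache Hadoop log4j.properties; the function names, the sample tree, and the assumption that the highest-numbered process directory is the live one are this example's own.

```shell
# Added example: check the log4j.properties that the CM agent deployed for
# the NameNode role, not a copy under /etc/hadoop/conf.
AUDIT_LOGGER=log4j.logger.org.apache.hadoop.hdfs.server.namenode.FSNamesystem.audit

# Newest <id>-hdfs-NAMENODE directory under the agent's process root.
# Assumption: the numeric prefix grows with each restart, so highest = live.
latest_namenode_dir() {
    ls -d "$1"/*-hdfs-NAMENODE 2>/dev/null |
        awk -F/ '{ n = $NF; sub(/-.*/, "", n); printf "%d\t%s\n", n, $0 }' |
        sort -n | tail -n 1 | cut -f2-
}

# prop FILE KEY: last value assigned to KEY (a later line overrides earlier).
prop() {
    awk -v k="$2" '{ i = index($0, "="); key = substr($0, 1, i - 1)
                     gsub(/[ \t]/, "", key) }
        i && key == k { v = substr($0, i + 1) }
        END { gsub(/[ \t\r]/, "", v); print v }' "$1"
}

# 0 = audit logger has a real appender, 1 = off or NullAppender, 2 = no file.
# A -Dhdfs.audit.logger JVM option would override the file; not checked here.
audit_logging_enabled() {
    dir=$(latest_namenode_dir "$1")
    [ -n "$dir" ] && [ -f "$dir/log4j.properties" ] || return 2
    value=$(prop "$dir/log4j.properties" "$AUDIT_LOGGER")
    case $value in   # resolve one ${name} reference
        '${'*'}') ref=${value#??}; value=$(prop "$dir/log4j.properties" "${ref%?}") ;;
    esac
    case $value in
        ''|OFF|OFF,*|*NullAppender*) return 1 ;;
    esac
    return 0
}

# Constructed sample: an old process dir with the NullAppender default and a
# newer one whose file ends with lines of the kind a safety valve would add.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir "$root/99-hdfs-NAMENODE" "$root/879-hdfs-NAMENODE"
    printf '%s\n' 'hdfs.audit.logger=INFO,NullAppender' \
        "$AUDIT_LOGGER"'=${hdfs.audit.logger}' > "$root/99-hdfs-NAMENODE/log4j.properties"
    printf '%s\n' 'hdfs.audit.logger=INFO,NullAppender' \
        "$AUDIT_LOGGER"'=${hdfs.audit.logger}' \
        'hdfs.audit.logger=INFO,RFAAUDIT' \
        'log4j.appender.RFAAUDIT=org.apache.log4j.RollingFileAppender' \
        'log4j.appender.RFAAUDIT.File=${hadoop.log.dir}/hdfs-audit.log' \
        > "$root/879-hdfs-NAMENODE/log4j.properties"
    echo "$root"
}
```

On a cluster host, call `audit_logging_enabled /var/run/cloudera-scm-agent/process` after the NameNode has been restarted with the new safety valve contents.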

 

 


4 REPLIES 4

Explorer

Thank you so much Josh. It's really helpful!

New Contributor

@jmartin1938 

You've recommended using Navigator as it applies event filters and stores relevant audits.

But we've noticed it capturing operations which aren't executed by the users but are internally triggered due to some other operation.

For example, a single ListStatus (ls) operation results in two records: listStatus and getfileinfo.

Also, some of the operations captured are not really useful for auditing purposes. (Example: getEZForPath)

Is there a way to customize the event filters? If yes, could you help us with the relevant documentation?

Guru

Hi @uv ,

 

You may want to check this public doc about Navigator Audit Filter:

https://docs.cloudera.com/documentation/enterprise/latest/topics/cn_admcfg_audit_filters.html

 

Thanks,

Li

Li Wang, Technical Solution Manager

