https://community.cloudera.com/t5/Support-Questions/LogSearch-audit-logs-empty/m-p/198936#M160984 <P>hi <A rel="user" href="https://community.cloudera.com/users/12470/theyaamatti.html" nodeid="12470">@Theyaa Matti</A>,</P><P>I think you hit that issue: <A href="https://issues.apache.org/jira/browse/AMBARI-18372" target="_blank">https://issues.apache.org/jira/browse/AMBARI-18372</A></P> Tue, 18 Apr 2017 21:36:36 GMT oszabo 2017-04-18T21:36:36Z https://community.cloudera.com/t5/Support-Questions/LogSearch-audit-logs-empty/m-p/198932#M160980 <P>I am trying to use logsearch and I have already hadoop logs showing up in the ui. But I can never get the audit-logs to show up. Are those logs related to specific actions on the cluster so I can trigger them?</P> Fri, 14 Apr 2017 00:11:57 GMT https://community.cloudera.com/t5/Support-Questions/LogSearch-audit-logs-empty/m-p/198932#M160980 theyaa 2017-04-14T00:11:57Z https://community.cloudera.com/t5/Support-Questions/LogSearch-audit-logs-empty/m-p/198933#M160981 <P>Hi <A rel="user" href="https://community.cloudera.com/users/12470/theyaamatti.html" nodeid="12470">@Theyaa Matti</A>, </P><P>Depending upon the services you have deployed in your cluster, the audit logs will generally be written to for service-specific actions that occur (HDFS write, HDFS read, Ambari REST calls, etc).</P><P>Are you looking for a specific service's audit logs? Please note that not all services write audit logs. </P><P>What version of Ambari are you using? </P><P>Hope this helps,</P><P>Bob</P> Fri, 14 Apr 2017 01:35:46 GMT https://community.cloudera.com/t5/Support-Questions/LogSearch-audit-logs-empty/m-p/198933#M160981 rnettleton 2017-04-14T01:35:46Z https://community.cloudera.com/t5/Support-Questions/LogSearch-audit-logs-empty/m-p/198934#M160982 <P>Hi <A rel="user" href="https://community.cloudera.com/users/12470/theyaamatti.html" nodeid="12470">@Theyaa Matti</A>!</P><P>It processes ambari-audit or hdfs-audit log file as well, but its possible the parsing is not working properly because the grok patters that are used are not matching. (that can happen because of the date pattern, as that can change based on system language settings as well)</P><P>Which version of ambari/logsearch are you using? (if 2.5, those patterns can be changed: <A href="https://issues.apache.org/jira/browse/AMBARI-18548" target="_blank">https://issues.apache.org/jira/browse/AMBARI-18548</A> , if 2.4, then maybe you will need to check log4j settings for those services)</P><P>some pointers: for logfeeder generated input patterns and common grok patters located at /etc/ambari-logsearch-logfeeder/conf. You can try out the patterns with lines here: <A href="https://grokdebug.herokuapp.com/" target="_blank">https://grokdebug.herokuapp.com/</A></P> Fri, 14 Apr 2017 01:49:38 GMT https://community.cloudera.com/t5/Support-Questions/LogSearch-audit-logs-empty/m-p/198934#M160982 oszabo 2017-04-14T01:49:38Z https://community.cloudera.com/t5/Support-Questions/LogSearch-audit-logs-empty/m-p/198935#M160983 <P>Hi <A rel="user" href="https://community.cloudera.com/users/375/oszabo.html" nodeid="375">@oszabo</A></P><P>Thank you for your info. I tried the gork debugger and compared it with the logs I have and I found out the issue was that I had to include the INFO logging in logsearch in order to capture the audit logs for hdfs access and hive access.</P> Tue, 18 Apr 2017 20:56:05 GMT https://community.cloudera.com/t5/Support-Questions/LogSearch-audit-logs-empty/m-p/198935#M160983 theyaa 2017-04-18T20:56:05Z https://community.cloudera.com/t5/Support-Questions/LogSearch-audit-logs-empty/m-p/198936#M160984 <P>hi <A rel="user" href="https://community.cloudera.com/users/12470/theyaamatti.html" nodeid="12470">@Theyaa Matti</A>,</P><P>I think you hit that issue: <A href="https://issues.apache.org/jira/browse/AMBARI-18372" target="_blank">https://issues.apache.org/jira/browse/AMBARI-18372</A></P> Tue, 18 Apr 2017 21:36:36 GMT https://community.cloudera.com/t5/Support-Questions/LogSearch-audit-logs-empty/m-p/198936#M160984 oszabo 2017-04-18T21:36:36Z