https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-enable-audit-logging-without-Navigator/m-p/285015#M67379 <P>Hi&nbsp;<a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/71975">@uv</a>&nbsp;,</P> <P>&nbsp;</P> <P>You may want to check this public doc about Navigator Audit Filter:</P> <P><A href="https://docs.cloudera.com/documentation/enterprise/latest/topics/cn_admcfg_audit_filters.html" target="_blank">https://docs.cloudera.com/documentation/enterprise/latest/topics/cn_admcfg_audit_filters.html</A></P> <P>&nbsp;</P> <P>Thanks,</P> <P>Li</P> Fri, 06 Dec 2019 22:28:34 GMT lwang 2019-12-06T22:28:34Z https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-enable-audit-logging-without-Navigator/m-p/59329#M67375 <P>Hello,&nbsp;</P><P>we have 5.11 cluster installed for testing, 2 master nodes, 4 slave nodes, and 1 management node.</P><P>now we want to enable the audit logging without using Navigator.&nbsp;</P><P>&nbsp;</P><P>I have some questions here</P><P>1. we have CM installed, can I use log4j.properties to enable the audit logging?</P><P>&nbsp; &nbsp; I read some posts like this:</P><P>&nbsp; &nbsp;&nbsp;<A href="https://community.cloudera.com/t5/Cloudera-Manager-Installation/What-is-the-Path-of-hdfs-site-xml-core-xml/m-p/15210#M1787" target="_blank">https://community.cloudera.com/t5/Cloudera-Manager-Installation/What-is-the-Path-of-hdfs-site-xml-core-xml/m-p/15210#M1787</A> &nbsp;it said that the actual configuration has non-standard location. So my understanding is no matter what I changed on the configruation location(e.g. /etc/hadoop/conf/.....), it won't work. And I should use the snippet to do the configuration.</P><P>&nbsp;</P><P>&nbsp;</P><P>2. and I read another posts here:</P><P><A href="http://community.cloudera.com/t5/Cloudera-Manager-Installation/Audit-trail-for-HDFS-data-use/m-p/50428/highlight/true#M9405" target="_blank">http://community.cloudera.com/t5/Cloudera-Manager-Installation/Audit-trail-for-HDFS-data-use/m-p/50428/highlight/true#M9405</A> looks like I can use log4j.properties to do the audit logging.</P><P>&nbsp;</P><P>I am a little bit confused, how can I enable audit logging without Nav?</P><P>&nbsp;</P><P>Thanks in advance!</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 28 Aug 2017 18:51:58 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-enable-audit-logging-without-Navigator/m-p/59329#M67375 aerin 2017-08-28T18:51:58Z https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-enable-audit-logging-without-Navigator/m-p/59434#M67376 <P>Hi There,</P><P>&nbsp;</P><P>Thanks for reaching out on the community. I'm Josh, and I'll help address this for you.</P><P>&nbsp;</P><OL><LI>log4j.properties:</LI></OL><P>CM is&nbsp;the central point of configuration for services, so the short answer is that you should adjust log4j settings using safety valves. Below is an engineering blog post with a good description of how CM works.<BR /><A href="http://blog.cloudera.com/blog/2013/07/how-does-cloudera-manager-work/" target="_blank">http://blog.cloudera.com/blog/2013/07/how-does-cloudera-manager-work/</A></P><P>When a CM agent for a host heart beats to Cloudera Manager, Cloudera Manager sends back processes that should be running, and the related config files, one of which is the log4j.properties, for that service and role. From here, the CM agent makes a run time directory for these config files and references those. For instance, the agent will make a directory like the one bellow for a namenode role:</P><P><SPAN>/</SPAN><SPAN>var</SPAN><SPAN>/</SPAN><SPAN>run</SPAN><SPAN>/</SPAN><SPAN>cloudera</SPAN><SPAN>-</SPAN><SPAN>scm</SPAN><SPAN>-</SPAN><SPAN>agent</SPAN><SPAN>/</SPAN><SPAN>process</SPAN><SPAN>/</SPAN><SPAN>879</SPAN><SPAN>-</SPAN><SPAN>hdfs</SPAN><SPAN>-</SPAN><SPAN>NAMENODE/</SPAN></P><P>this is why editing config files in on the OS has&nbsp;no effect, and is not recommended.&nbsp;</P><P>&nbsp;</P><OL><LI>Enabling audit logging:</LI></OL><P>To enable audit logging for a service without navigator, you would want to set the appropriate log4j settings in the appropriate safety valve for that service. Let's use HDFS as an example. Cloudera Manager has a configuration property for HDFS labeled "NameNode Logging Advanced Configuration Snippet (Safety Valve)". This is the one you want to put your log4j settings in. Once you've put your settings in, it will insert those into the log4j.properties it sends over to the agent in heartbeats. The specifics for enabling vanilla hadoop HDFS audit logging can be found bellow:</P><P><A href="http://apprize.info/security/hadoop/7.html" target="_blank">http://apprize.info/security/hadoop/7.html</A></P><P>&nbsp;</P><P>Considering all of this info, bear in mind that Navigator takes care of all of this for you, as well as adding additional features. For instance, HDFS audit logs can be very bulky and cumbersome by themselves and include many operations that aren't very helpful from an auditing standpoint. Navigator is able to apply event filters to an audit log, store relevant audits, and index them for further searching. Therefore, I highly recommend enabling navigator when doing so becomes feasible.</P><P>&nbsp;</P><P>Please let me know if you have any other questions.</P><P>Cheers</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 30 Aug 2017 14:03:13 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-enable-audit-logging-without-Navigator/m-p/59434#M67376 jmartin1938 2017-08-30T14:03:13Z https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-enable-audit-logging-without-Navigator/m-p/59489#M67377 <P>Thank you so much Josh.It's really helpful!</P> Fri, 01 Sep 2017 02:03:51 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-enable-audit-logging-without-Navigator/m-p/59489#M67377 aerin 2017-09-01T02:03:51Z https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-enable-audit-logging-without-Navigator/m-p/284933#M67378 <P><a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/18996">@jmartin1938</a>&nbsp;</P><P>You'e recommended using Navigator as it applies event filters and stores relevant audits.</P><P>But, we've noticed it capturing operations which aren't executed by the users but are internally triggered due to some other operation.</P><P>For example, a single ListStatus (ls) operation results in two records listStatus and getfileinfo</P><P>Also, some of the operations captured are not really useful for auditing purposes. (Example :&nbsp;getEZForPath)</P><P>Is there a way to customize the event filters? If yes, could you help us with the relevant documentation?</P> Fri, 06 Dec 2019 07:15:33 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-enable-audit-logging-without-Navigator/m-p/284933#M67378 uv 2019-12-06T07:15:33Z https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-enable-audit-logging-without-Navigator/m-p/285015#M67379 <P>Hi&nbsp;<a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/71975">@uv</a>&nbsp;,</P> <P>&nbsp;</P> <P>You may want to check this public doc about Navigator Audit Filter:</P> <P><A href="https://docs.cloudera.com/documentation/enterprise/latest/topics/cn_admcfg_audit_filters.html" target="_blank">https://docs.cloudera.com/documentation/enterprise/latest/topics/cn_admcfg_audit_filters.html</A></P> <P>&nbsp;</P> <P>Thanks,</P> <P>Li</P> Fri, 06 Dec 2019 22:28:34 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-enable-audit-logging-without-Navigator/m-p/285015#M67379 lwang 2019-12-06T22:28:34Z