Community Articles

Find and share helpful community-sourced technical articles.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Ranger audit log event summarization

Labels (1)
Labels:
tstebbens
Contributor

Created on ‎09-27-2017 08:47 AM

Since Ranger 0.5 there has been the ability to summarize audit events that differ only by timestamp to reduce the amount of events logged in a busy system. When enabled, if a Ranger plugin logs consecutive audit events that differ only by timestamp it will coalesce all such events in to a single event and set 'event_count' to the number of events logged and 'event_dur_ms' to the time difference in milliseconds between the first and last event.

To enable this feature you must set the following properties in the Ranger plugin's configuration:

Configuration nameNotes
xasecure.audit.provider.summary.enabled
  1. To enable summarization set this property to true. This would cause audit messages to be summarized before they are sent to various sinks.
  2. By default it is set to false i.e. audit summarization is disabled.
xasecure.audit.provider.queue.size
  1. If unspecified this value defaults to 1048576, i.e. the queue is sized to store 1M (1024 * 1024) messages.
  2. Note the difference in property name that controls the size of summary queue.
xasecure.audit.provider.summary.interval.ms
  1. The max time interval at which messages would be summarized.
  2. If unspecified it defaults to 5000, i.e. 5 seconds.
Summarization Batch size
  1. Note that regardless of this time interval while summarizing at most 100k messages at a time are considered for aggregation. Thus, if more than 100k messages are logged during this interval then similar messages could show up as multiple summarized audit messages even though they are logged within the configured time interval.
  2. Currently, this value of 100k is not user configurable. It is mentioned here for better understanding of Summarization logic.

More details can be found here: Ranger 0.5 Audit log summarization

2,364 Views
Comments

Re: Ranger audit log event summarization

arturbrandys1
Explorer

Created on ‎12-29-2021 01:10 AM

I believe that in Ranger 1.2.0 the property xasecure.audit.provider.summary.enabled is called Audit provider summary enabled (checkbox to tick) in Advanced ranger-hdfs-audit in HDFS service in Ambari.

Take a Tour of the Community
Don't have an account?
Register
Your experience may be limited. Sign in to explore more.
Announcements
Product Announcements
[ANNOUNCE] CDP Private Cloud Base 7.1.7 Service Pack 2 Released
Product Announcements
[ANNOUNCE] CDP Private Cloud Data Services 1.5.0 Released
Community Announcements
January 2023 Community Highlights
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector 2.6.30 for Impala is Released
What's New @ Cloudera
Cloudera Operational Database (COD) provides a CLI option to enable HBase region canaries
View More Announcements
Version history
Last update:
‎09-27-2017 08:47 AM
Updated by:
Contributor
Contributors
Top Kudoed Authors
View Full Leaderboard