
Ambari audit logs are getting filled up

New Contributor

The following type of log fills up the ambari-audit logs every second.

2018-02-13T11:33:28.035Z, User(null), RemoteIp(x.x.x.x), Operation(xxxxx), Roles( ), Status(xxxxxx), Reason(Authentication required)

2 REPLIES

Super Mentor

@SURBHI BAKHTIYAR If we do not want to log the line which has "User(null)" in it, then we can make use of the StringMatchFilter feature of log4j as follows:

1). Edit "/etc/ambari-server/conf/log4j.properties" and add the following 3 lines to it, just below the "audit" log appender.

#### This filter is used to skip the line that contains "User(null)" from being logged ######
log4j.appender.audit.filter.01=org.apache.log4j.varia.StringMatchFilter
log4j.appender.audit.filter.01.StringToMatch=User(null)
log4j.appender.audit.filter.01.AcceptOnMatch=false


Now the log4j.properties audit log appender will look like the following:

# Audit logging
log4j.logger.audit=INFO,audit
log4j.additivity.audit=false
log4j.appender.audit=org.apache.log4j.rolling.RollingFileAppender
log4j.appender.audit.rollingPolicy=org.apache.log4j.rolling.FixedWindowRollingPolicy
log4j.appender.audit.rollingPolicy.ActiveFileName=${ambari.log.dir}/${ambari.audit.file}
log4j.appender.audit.rollingPolicy.FileNamePattern=${ambari.log.dir}/${ambari.audit.file}-%i.log.gz
log4j.appender.audit.rollingPolicy.maxIndex=13
log4j.appender.audit.triggeringPolicy=org.apache.log4j.rolling.SizeBasedTriggeringPolicy
log4j.appender.audit.triggeringPolicy.maxFileSize=50000000
log4j.appender.audit.layout=org.apache.log4j.PatternLayout
log4j.appender.audit.layout.ConversionPattern=%m%n

#### This filter is used to skip the line that contains "User(null)" from being logged ###### 
log4j.appender.audit.filter.01=org.apache.log4j.varia.StringMatchFilter
log4j.appender.audit.filter.01.StringToMatch=User(null)
log4j.appender.audit.filter.01.AcceptOnMatch=false


2). Now restart ambari-server

# ambari-server restart

Please check the current timestamp in the ambari-audit log to confirm that those User(null) messages no longer appear in the log.

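Before enabling the filter, it helps to see what it will discard. The sketch below is an added example, not part of the original answer or Ambari's code: it mimics the substring test that StringMatchFilter applies and tallies the lines that would be dropped by RemoteIp, Operation and Reason. The sample log lines, IP addresses, operation names and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the format quoted in the question; the IPs,
# operations and user names are made up for illustration.
SAMPLE_AUDIT_LOG = """\
2018-02-13T11:33:28.035Z, User(null), RemoteIp(192.0.2.10), Operation(User login), Roles( ), Status(Failed), Reason(Authentication required)
2018-02-13T11:33:29.041Z, User(null), RemoteIp(192.0.2.10), Operation(User login), Roles( ), Status(Failed), Reason(Authentication required)
2018-02-13T11:33:30.112Z, User(admin), RemoteIp(192.0.2.20), Operation(User login), Roles( ), Status(Success)
2018-02-13T11:33:31.007Z, User(null), RemoteIp(198.51.100.7), Operation(User login), Roles( ), Status(Failed), Reason(Authentication required)
2018-02-13T11:33:32.500Z, User(ops), RemoteIp(192.0.2.20), Operation(Request from server), Roles( ), Status(Success)
"""

FIELD = re.compile(r"(\w+)\(([^)]*)\)")


def string_match_filter(message, string_to_match="User(null)", accept_on_match=False):
    """Mimic log4j 1.x StringMatchFilter: plain substring test on the message."""
    if string_to_match not in message:
        return "NEUTRAL"  # no match: the event is logged as usual
    return "ACCEPT" if accept_on_match else "DENY"


def parse_line(line):
    """Split one audit line into its timestamp and Name(value) fields."""
    timestamp, _, rest = line.partition(", ")
    fields = {name: value.strip() for name, value in FIELD.findall(rest)}
    fields["timestamp"] = timestamp
    return fields


def summarize_dropped(log_text):
    """Count the lines the filter would drop, grouped by source and reason."""
    dropped = Counter()
    kept = 0
    for line in filter(str.strip, log_text.splitlines()):  # skip blank lines
        if string_match_filter(line) == "DENY":
            f = parse_line(line)
            dropped[(f.get("RemoteIp", "?"), f.get("Operation", "?"), f.get("Reason", "?"))] += 1
        else:
            kept += 1
    return dropped, kept


if __name__ == "__main__":
    dropped, kept = summarize_dropped(SAMPLE_AUDIT_LOG)
    for (ip, op, reason), n in dropped.most_common():
        print(f"{n:5d}  {ip:15s}  {op}  ({reason})")
    print(f"kept: {kept}")
```

Running the same tally over the real ambari-audit log shows which RemoteIp values are producing the unauthenticated requests before those lines stop being recorded.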

New Contributor

@Jay Kumar SenSharma Thank you. This is what I was looking for. Just one question: when are these logs generated and what do they tell?
