
Ambari audit logs are getting filled up

New Contributor

The following type of log fills up the ambari-audit logs every second.

2018-02-13T11:33:28.035Z, User(null), RemoteIp(x.x.x.x), Operation(xxxxx), Roles( ), Status(xxxxxx), Reason(Authentication required)

2 REPLIES 2

Re: Ambari audit logs are getting filled up

Super Mentor

@SURBHI BAKHTIYAR If we do not want to log the lines that have "User(null)" in them, then we can make use of the StringMatchFilter feature of log4j as follows:

1. Edit "/etc/ambari-server/conf/log4j.properties" and add the following 3 lines just below the "audit" log appender.

#### This filter is used to skip the line that contains "User(null)" from being logged ######
log4j.appender.audit.filter.01=org.apache.log4j.varia.StringMatchFilter
log4j.appender.audit.filter.01.StringToMatch=User(null)
log4j.appender.audit.filter.01.AcceptOnMatch=false

Now the log4j.properties audit log appender will look like the following:

# Audit logging
log4j.logger.audit=INFO,audit
log4j.additivity.audit=false
log4j.appender.audit=org.apache.log4j.rolling.RollingFileAppender
log4j.appender.audit.rollingPolicy=org.apache.log4j.rolling.FixedWindowRollingPolicy
log4j.appender.audit.rollingPolicy.ActiveFileName=${ambari.log.dir}/${ambari.audit.file}
log4j.appender.audit.rollingPolicy.FileNamePattern=${ambari.log.dir}/${ambari.audit.file}-%i.log.gz
log4j.appender.audit.rollingPolicy.maxIndex=13
log4j.appender.audit.triggeringPolicy=org.apache.log4j.rolling.SizeBasedTriggeringPolicy
log4j.appender.audit.triggeringPolicy.maxFileSize=50000000
log4j.appender.audit.layout=org.apache.log4j.PatternLayout
log4j.appender.audit.layout.ConversionPattern=%m%n

#### This filter is used to skip the line that contains "User(null)" from being logged ###### 
log4j.appender.audit.filter.01=org.apache.log4j.varia.StringMatchFilter
log4j.appender.audit.filter.01.StringToMatch=User(null)
log4j.appender.audit.filter.01.AcceptOnMatch=false


2. Now restart ambari-server

# ambari-server restart

Please check the current timestamp in the ambari-audit log now to see that those User(null) messages no longer appear in the log.
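Before enabling the filter, it can help to see which sources and operations produce the User(null) entries it will drop. The following is an added example, not part of the original replies; it parses lines in the format shown in the question, and the sample lines, addresses and field values are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the format from the question (addresses and
# field values are made up for this example).
SAMPLE = """\
2018-02-13T11:33:28.035Z, User(null), RemoteIp(192.0.2.10), Operation(op-a), Roles( ), Status(Failed), Reason(Authentication required)
2018-02-13T11:33:29.041Z, User(null), RemoteIp(192.0.2.10), Operation(op-a), Roles( ), Status(Failed), Reason(Authentication required)
2018-02-13T11:33:29.500Z, User(admin), RemoteIp(192.0.2.20), Operation(op-b), Roles( ), Status(Success)
2018-02-13T11:33:30.002Z, User(null), RemoteIp(192.0.2.30), Operation(op-c), Roles( ), Status(Failed), Reason(Authentication required)
"""

# One "Name(value)" field; the value ends at the ")" that precedes the next
# field or the end of the line.
FIELD = re.compile(r"(\w+)\((.*?)\)(?=, \w+\(|$)")
MATCH = "User(null)"  # same string as filter.01.StringToMatch


def parse_line(line):
    """Return the entry as a dict, or None if it is not in the expected format."""
    timestamp, sep, rest = line.strip().partition(", ")
    fields = dict(FIELD.findall(rest))
    if not sep or "User" not in fields:
        return None
    return {"Timestamp": timestamp, **fields}


def summarize(text):
    """Count the entries the filter would drop, grouped by source and reason."""
    dropped, kept = Counter(), 0
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        # StringMatchFilter does a substring test on the rendered message.
        if MATCH in line:
            key = (entry.get("RemoteIp", "?"), entry.get("Operation", "?"), entry.get("Reason", "?"))
            dropped[key] += 1
        else:
            kept += 1
    return dropped, kept


if __name__ == "__main__":
    dropped, kept = summarize(SAMPLE)
    for (ip, op, reason), n in dropped.most_common():
        print(f"{n:6d}  {ip:15s}  {op}  {reason}")
    print(f"kept after filter: {kept}")
```

To run it against a real log, pass the contents of the ambari-audit log file to summarize() instead of SAMPLE.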

Re: Ambari audit logs are getting filled up

New Contributor

@Jay Kumar SenSharma Thank you. This is what I was looking for. Just one question: when are these logs generated and what do they tell?
