Configuring Apache Ranger to send Syslog to a SIEM system via log4j Syslog appender


New Contributor

Hi,

I've been trying to configure Ranger to send its audit logs via Syslog to our SIEM system. I'd rather avoid storing to Solr and HDFS, which then forces me to query on a regular basis in a rather complex production environment. And since Syslog is the most common way to transfer audit events to a SIEM system, I've been digging into Log4j Appenders and found that there is indeed a SyslogAppender.

Been searching the Web on how to configure it. Eventually I came up with this:

In section “Custom ranger-hdfs-audit” :

xasecure.audit.destination.log4j=true 
xasecure.audit.destination.log4j.logger=xaaudit
xasecure.audit.log4j.is.enabled=true

In section “Advanced hdfs-log4j” add:

log4j.appender.SYSLOG=org.apache.log4j.net.SyslogAppender
log4j.appender.SYSLOG.SyslogHost=<SIEM syslog listener IP Address>
log4j.appender.SYSLOG.Facility=Local2
log4j.appender.SYSLOG.FacilityPrinting=true
log4j.appender.SYSLOG.layout=org.apache.log4j.PatternLayout
log4j.appender.SYSLOG.layout.ConversionPattern=%m%n
log4j.logger.xaaudit=INFO,SYSLOG

Then, after restarting Ranger, I didn't seem to get any syslog from Ranger.

Sources I've Checked:

http://sonargdocs.jsonar.com/latest/hadoop.html

https://stackoverflow.com/questions/48077643/configure-syslogappender-in-log4j-properties-in-alfresc...

Is there anything else I'm missing?

I've been trying to piece everything together on my own, as I didn't find any manuals that describe how to configure log4j with SyslogAppender over Apache Ranger.

UPDATE: I seem to be getting errors in the logs:

log4j:ERROR Could not instantiate appender named "Syslog".
log4j:ERROR Could not find value for key log4j.appender.Syslog
log4j:ERROR Could not instantiate appender named "Syslog"

-safemode get | grep 'Safe mode is OFF'' returned 1. log4j:ERROR Could not find value for key log4j.appender.Syslog

log4j:ERROR Could not find value for key log4j.appender.Syslog
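The errors above say log4j looked for a key named log4j.appender.Syslog while the properties in the post define log4j.appender.SYSLOG; log4j 1.x resolves appender names case-sensitively, so a logger line that references an appender under a different spelling produces exactly "Could not find value for key log4j.appender.<name>". The script below is an added example (not from the post, not Ranger or log4j code): it parses a log4j properties snippet, reports appender references with no matching definition, checks the SyslogAppender keys for a placeholder host, and computes the syslog priority value (PRI) that Local2/INFO events will carry so the SIEM side can confirm it is receiving the right facility. The sample configurations and the sample syslog line are constructed for the example; the facility and severity tables follow RFC 3164 and log4j's SyslogAppender level mapping.

```python
"""Sanity checks for a log4j 1.x SyslogAppender configuration (added example)."""
import re

# RFC 3164 facility codes, keyed by the names log4j's SyslogAppender accepts.
FACILITIES = {
    "KERN": 0, "USER": 1, "MAIL": 2, "DAEMON": 3, "AUTH": 4, "SYSLOG": 5,
    "LPR": 6, "NEWS": 7, "UUCP": 8, "CRON": 9, "AUTHPRIV": 10, "FTP": 11,
    "LOCAL0": 16, "LOCAL1": 17, "LOCAL2": 18, "LOCAL3": 19,
    "LOCAL4": 20, "LOCAL5": 21, "LOCAL6": 22, "LOCAL7": 23,
}
# log4j level -> syslog severity, as SyslogAppender maps them.
SEVERITY = {"FATAL": 0, "ERROR": 3, "WARN": 4, "INFO": 6, "DEBUG": 7, "TRACE": 7}

# Constructed sample: the appender block from the post plus its logger line.
POST_CONFIG = """
log4j.appender.SYSLOG=org.apache.log4j.net.SyslogAppender
log4j.appender.SYSLOG.SyslogHost=<SIEM syslog listener IP Address>
log4j.appender.SYSLOG.Facility=Local2
log4j.appender.SYSLOG.FacilityPrinting=true
log4j.appender.SYSLOG.layout=org.apache.log4j.PatternLayout
log4j.appender.SYSLOG.layout.ConversionPattern=%m%n
log4j.logger.xaaudit=INFO,SYSLOG
"""
# Constructed variant: the logger references "Syslog" but the appender is "SYSLOG".
MISMATCHED_CONFIG = POST_CONFIG.replace("INFO,SYSLOG", "INFO,Syslog")


def parse_properties(text):
    """Minimal key=value parser for log4j .properties text (comments and blanks skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def check_appender_refs(props):
    """Return (logger_key, appender_name) pairs whose appender has no
    log4j.appender.<name> definition. Comparison is case-sensitive on purpose:
    that is how log4j behaves, and it is the cause of the error in the post."""
    defined = {k.split(".")[2] for k in props
               if k.startswith("log4j.appender.") and k.count(".") == 2}
    missing = []
    for key, value in props.items():
        if key.startswith("log4j.logger.") or key == "log4j.rootLogger":
            parts = [p.strip() for p in value.split(",")]
            for name in parts[1:]:  # parts[0] is the level (INFO, DEBUG, ...)
                if name and name not in defined:
                    missing.append((key, name))
    return missing


def check_syslog_appender(props, name):
    """Return a list of human-readable problems with the named SyslogAppender."""
    problems = []
    prefix = f"log4j.appender.{name}"
    if props.get(prefix) != "org.apache.log4j.net.SyslogAppender":
        problems.append(f"{prefix} is not org.apache.log4j.net.SyslogAppender")
    host = props.get(f"{prefix}.SyslogHost", "")
    # An angle-bracketed value is the unfilled placeholder from the post, not a host.
    if not host or host.startswith("<"):
        problems.append(f"{prefix}.SyslogHost is unset or still a placeholder")
    facility = props.get(f"{prefix}.Facility", "USER")
    if facility.upper() not in FACILITIES:
        problems.append(f"{prefix}.Facility '{facility}' is not a valid syslog facility")
    return problems


def expected_pri(facility_name, level):
    """PRI value the SIEM will see: facility * 8 + severity (RFC 3164)."""
    return FACILITIES[facility_name.upper()] * 8 + SEVERITY[level.upper()]


def decode_pri(syslog_line):
    """Split the leading <PRI> of a received syslog line into (facility, severity)."""
    match = re.match(r"<(\d{1,3})>", syslog_line)
    if not match:
        return None
    return divmod(int(match.group(1)), 8)


if __name__ == "__main__":
    for label, text in (("post config", POST_CONFIG), ("mismatched config", MISMATCHED_CONFIG)):
        props = parse_properties(text)
        print(label, "missing appenders:", check_appender_refs(props))
        print(label, "appender problems:", check_syslog_appender(props, "SYSLOG"))
    print("expected PRI for Local2/INFO:", expected_pri("Local2", "INFO"))
    # Constructed sample of what SyslogAppender emits with FacilityPrinting=true.
    print(decode_pri("<150>Jan  1 00:00:00 rangerhost local2: {\"result\":1}"))
```

Run it against the exported Advanced hdfs-log4j text to get a list of dangling appender references before restarting anything; an empty list plus a real SyslogHost is the minimum for the appender to be instantiated. On the SIEM side, events from this configuration should arrive with PRI 150 (facility 18 = local2, severity 6 = INFO), which is the first thing to check in a packet capture or the collector's raw view when nothing shows up in the parsed feed.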

Re: Configuring Apache Ranger to send Syslog to a SIEM system via log4j Syslog appender

Expert Contributor

Hello,

Did you resolve your problem? Does Ranger officially support integration with Syslog?

Do you have a manual on how to do that?

Re: Configuring Apache Ranger to send Syslog to a SIEM system via log4j Syslog appender

Expert Contributor

It works perfectly, thanks.