Created 07-11-2018 08:29 AM
Hi,
I've been trying to configure Ranger to send its audit logs via Syslog to our SIEM system. I'd rather avoid storing to Solr and HDFS, which then forces me to query on a regular basis in a rather complex production environment. And since Syslog is the most common way to transfer audit events to a SIEM system, I've been digging into Log4j Appenders and found that there is indeed a SyslogAppender.
Been searching the Web on how to configure it. Eventually I came up with this:
In section “Custom ranger-hdfs-audit” :
xasecure.audit.destination.log4j=true
xasecure.audit.destination.log4j.logger=xaaudit
xasecure.audit.log4j.is.enabled=true
In section “Advanced hdfs-log4j” add:
log4j.appender.SYSLOG=org.apache.log4j.net.SyslogAppender
log4j.appender.SYSLOG.SyslogHost=<SIEM syslog listener IP Address>
log4j.appender.SYSLOG.Facility=Local2
log4j.appender.SYSLOG.FacilityPrinting=true
log4j.appender.SYSLOG.layout=org.apache.log4j.PatternLayout
log4j.appender.SYSLOG.layout.ConversionPattern=%m%n
log4j.logger.xaaudit=INFO,SYSLOG
Then, after restarting Ranger, I didn't seem to get any syslog from Ranger.
Sources I've Checked:
http://sonargdocs.jsonar.com/latest/hadoop.html
Is there anything else I'm missing?
I've been trying to piece everything together on my own, as I didn't find any manuals that describe how to configure log4j with SyslogAppender for Apache Ranger.
UPDATE: I seem to be getting errors in the logs:
log4j:ERROR Could not instantiate appender named "Syslog".
log4j:ERROR Could not find value for key log4j.appender.Syslog
log4j:ERROR Could not instantiate appender named "Syslog"
-safemode get | grep 'Safe mode is OFF'' returned 1.
log4j:ERROR Could not find value for key log4j.appender.Syslog
log4j:ERROR Could not find value for key log4j.appender.Syslog
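The errors in the post above are the shape log4j 1.x produces when a logger line references an appender name for which no `log4j.appender.<name>` definition exists; appender names are case-sensitive, so `Syslog` and `SYSLOG` are different appenders. The script below is an added example (not code from the thread, from Ranger or from log4j) that parses a log4j properties fragment and reports exactly that kind of mismatch, plus a SyslogAppender with no SyslogHost. The sample properties embedded in it are constructed, modelled on the configuration posted above but with a deliberate `INFO,Syslog` reference so the check has something to find.

```python
"""Consistency check for a log4j 1.x properties fragment (added example).

Reports logger lines that reference an appender with no matching
log4j.appender.<name>=<class> definition, with a hint when the only
difference is letter case, and SyslogAppenders that have no SyslogHost.
"""
import re
import sys

# Constructed sample: the thread's configuration with a deliberate case
# mismatch ("Syslog" referenced, "SYSLOG" defined) to reproduce the error.
SAMPLE_PROPERTIES = """\
log4j.appender.SYSLOG=org.apache.log4j.net.SyslogAppender
log4j.appender.SYSLOG.SyslogHost=192.0.2.10
log4j.appender.SYSLOG.Facility=Local2
log4j.appender.SYSLOG.FacilityPrinting=true
log4j.appender.SYSLOG.layout=org.apache.log4j.PatternLayout
log4j.appender.SYSLOG.layout.ConversionPattern=%m%n
log4j.logger.xaaudit=INFO,Syslog
log4j.additivity.xaaudit=false
"""

KEY_VALUE_RE = re.compile(r"([^=:\s]+)\s*[=:]\s*(.*)")


def parse_properties(text):
    """Minimal Java .properties parser: key=value or key:value, '#'/'!' comments,
    and trailing-backslash line continuations. Later keys overwrite earlier ones."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = KEY_VALUE_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def referenced_appenders(props):
    """Logger key -> appender names it lists after the level, e.g. 'INFO,SYSLOG'."""
    refs = {}
    for key, value in props.items():
        if key == "log4j.rootLogger" or key.startswith("log4j.logger."):
            parts = [p.strip() for p in value.split(",")]
            refs[key] = [p for p in parts[1:] if p]  # parts[0] is the level
    return refs


def defined_appenders(props):
    """Appender names that have a class definition: log4j.appender.<name>=<class>."""
    prefix = "log4j.appender."
    return {k[len(prefix):] for k in props
            if k.startswith(prefix) and "." not in k[len(prefix):]}


def check_appenders(props):
    """Return a list of human-readable problems; empty list means consistent."""
    issues = []
    defined = defined_appenders(props)
    by_lower = {name.lower(): name for name in defined}
    for logger, names in referenced_appenders(props).items():
        for name in names:
            if name in defined:
                continue
            hint = ""
            if name.lower() in by_lower:
                hint = (f" (did you mean '{by_lower[name.lower()]}'? "
                        "appender names are case-sensitive)")
            issues.append(f"{logger} references undefined appender '{name}'{hint}")
    # A SyslogAppender with no SyslogHost has nowhere to send events.
    for name in sorted(defined):
        cls = props.get(f"log4j.appender.{name}", "")
        if cls.endswith("SyslogAppender") and not props.get(f"log4j.appender.{name}.SyslogHost"):
            issues.append(f"appender '{name}' is a SyslogAppender but has no SyslogHost")
    return issues


if __name__ == "__main__":
    # Pass a properties file path to check it; with no argument the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROPERTIES
    for issue in check_appenders(parse_properties(text)) or ["OK: no problems found"]:
        print(issue)
```

Run it against the merged log4j properties that the service actually loads (Ambari renders the "Advanced hdfs-log4j" content into the file on disk), not only against the snippet you typed, since a stray `Syslog` reference elsewhere in that file produces the same error.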
Created 02-01-2019 08:26 AM
Hello,
Did you resolve your problem? Does Ranger official support integration with Syslog?
Do you have some manual how to do that?
Created 04-09-2019 05:18 PM
It works perfectly, thanks.
Created 05-25-2021 07:05 AM
@ururu I have a similar use case but the configurations mentioned above are not giving the desired results. Did you add or modify some of the configurations?
E.g., I saw it being mentioned elsewhere that the hadoop.root.logger value needs to be changed as well to include SYSLOG as a value. Did you do this too?
Also, in case the external SIEM server expects a particular format, e.g., the RFC 5424 syslog format or a specific SIEM server format like Universal LEEF, what would be the best way to define this property?
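Whether anything reaches the SIEM, and in what framing, is easiest to settle by looking at the datagrams themselves. The script below is an added example (not from the thread, from Ranger or from log4j) that decodes a UDP syslog datagram into its PRI, header and message, and reframes it as an RFC 5424 line. It assumes what log4j 1.2's SyslogAppender puts on the wire: `<PRI>` computed as facility*8 + severity (Local2 = 18, INFO maps to severity 6, so `<150>`), optionally the `Mon dd hh:mm:ss hostname` prefix added by `Header=true`, the `local2:` prefix added by `FacilityPrinting=true`, then the layout output. The three datagrams embedded below are constructed to that shape; the JSON bodies are placeholders, not real Ranger audit records.

```python
"""Decode syslog datagrams from a log4j 1.x SyslogAppender and reframe them
as RFC 5424 (added example; assumptions are stated in the comments)."""
import re
import socket
from datetime import datetime, timezone

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed datagrams: (1) Facility=Local2, FacilityPrinting=true, %m%n;
# (2) the same with Header=true; (3) an RFC 5424 frame as a relay might emit.
CONSTRUCTED = [
    b'<150>local2:{"access":"READ","result":1,"user":"alice"}',
    b'<150>Jul 11 08:29:00 ranger01 local2:{"access":"WRITE","result":0,"user":"bob"}',
    b'<150>1 2018-07-11T08:29:00Z ranger01 ranger-hdfs - - - {"access":"READ"}',
]

PRI_RE = re.compile(rb"^<(\d{1,3})>")
BSD_HEADER_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) ")


def facility_name(code):
    return FACILITIES[code] if 0 <= code < len(FACILITIES) else f"facility{code}"


def severity_name(code):
    return SEVERITIES[code]


def parse_syslog(datagram):
    """Decode one UDP syslog datagram into PRI fields, header fields and message."""
    m = PRI_RE.match(datagram)
    if not m:
        raise ValueError("datagram does not start with <PRI>")
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal value
        raise ValueError(f"PRI {pri} out of range")
    rest = datagram[m.end():].decode("utf-8", "replace").rstrip("\r\n")
    rec = {"pri": pri, "facility": pri >> 3, "severity": pri & 7, "rfc": "3164",
           "timestamp": None, "host": None, "app": None,
           "facility_printed": False, "message": rest}
    if rest.startswith("1 "):
        # RFC 5424: 1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG;
        # assumes SD is "-" (no structured-data elements containing spaces).
        f = rest.split(" ", 7)
        if len(f) == 8:
            rec.update(rfc="5424", timestamp=f[1], host=f[2], app=f[3], message=f[7])
            return rec
    h = BSD_HEADER_RE.match(rest)
    if h:  # prefix that log4j's Header=true adds
        rec.update(timestamp=h.group(1), host=h.group(2))
        rest = rest[h.end():]
    prefix = facility_name(rec["facility"]) + ":"
    if rest.startswith(prefix):  # prefix that FacilityPrinting=true adds
        rec["facility_printed"] = True
        rest = rest[len(prefix):]
    rec["message"] = rest
    return rec


def to_rfc5424(rec, hostname="-", appname="-", timestamp=None):
    """Reframe a decoded record as an RFC 5424 line. This is the rewrite a relay
    such as rsyslog would do in front of a SIEM that insists on 5424 framing."""
    ts = timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{rec['pri']}>1 {ts} {hostname} {appname} - - - {rec['message']}"


def listen(port=5514, count=1):
    """Bind a UDP listener and decode `count` datagrams; point SyslogHost at this
    box (and set SyslogAppender's port if you change it) to confirm delivery."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    records = []
    for _ in range(count):
        data, _addr = sock.recvfrom(65535)
        records.append(parse_syslog(data))
    sock.close()
    return records


if __name__ == "__main__":
    for d in CONSTRUCTED:
        r = parse_syslog(d)
        print(f"{facility_name(r['facility'])}.{severity_name(r['severity'])} "
              f"rfc{r['rfc']} host={r['host']} msg={r['message']}")
        print("  as 5424:", to_rfc5424(r, hostname=r["host"] or "-", appname="ranger-hdfs"))
```

If the decoded facility is not `local2` or the message still carries the `local2:` prefix the SIEM does not expect, the fix is in the appender properties (`Facility`, `FacilityPrinting`); if the SIEM needs a different header format or a vendor format such as LEEF, a relay that rewrites the frame is usually easier to get right than a layout pattern in log4j 1.x.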