Support Questions

---

@snm1523HealthCareGov wrote:

Hello,

Has anyone encountered an issue were Knox is not writing audit logs of specific topology. We have below topologies created including few of them migrated from HDP, however, necessary modifications were done and are listed in Knox UI.

• cdp-proxy
• cdp-proxy-api
• cdp-proxy-token
• health
• tokenexchange
• user1 - created for user group
• topo1 - created for user group and migrated from HDP
• topo2 - created for user group and migrated from HDP
• app - Used by app accounts

Knox is successfully writing Ranger audit logs in HDFS for only cdp* topologies which were created by Cloudera during setup of Knox service and not for other. Written logs are visible in access tab of Audit section in Ranger Admin UI. We have total of 3 clusters and this is the case 2 clusters, for 1 cluster everything works fine. I have compared the configuration and also topology xmls and all seems correct (except for instance details which is obvious).

Would it be anything related to Ranger or Solr configuration for Knox? However, if that is case it should be applicable to all topologies of Knox, why only non-default ones?

Please help with suggestions / things to check / troubleshoot.

Thanks
snm1523

---

Hello,

The issue you're describing where Knox isn't writing audit logs for specific, non-default topologies is a known problem in CDP Private Cloud. Here's a breakdown of the situation and potential solutions:

The Problem:

Knox is designed to write audit logs to Ranger for topologies it creates by default (cdp-proxy, cdp-proxy-api, etc.).
You've created custom topologies (user1, topo1, topo2, app) and migrated some from HDP.
Knox only writes Ranger logs for the default cdp* topologies, not the custom ones.
Why it might not be Ranger or Solr:

You've confirmed configurations and XMLs seem correct (except for expected differences).
If Ranger or Solr were misconfigured, it would likely affect all Knox topologies, not just custom ones.
Possible Solutions:

Check Knox Logging:

Look for errors related to custom topologies in Knox logs (usually /var/log/knox/gateway/gateway.log).
Verify Ranger Topology Sync:

Ensure Ranger is configured to synchronize with all Knox topologies, including custom ones. Refer to Cloudera documentation on Knox Topology Management in CDP Private Cloud for details on this process.
Community Resources:

Search the Cloudera Community forums for "Knox not writing custom topology audit logs". There might be existing solutions or discussions relevant to your issue (https://docs.cloudera.com/cdp-private-cloud-base/7.1.9/knox-authentication/topics/security-knox-topo...).
Cloudera Support:

If none of the above solutions work, consider contacting Cloudera Support for further assistance. They can provide deeper investigation and potential bug fixes.

I hope the information may helps you.