
LogSearch audit-logs empty


I am trying to use logsearch and I have already hadoop logs showing up in the ui. But I can never get the audit-logs to show up. Are those logs related to specific actions on the cluster so I can trigger them?


Re: LogSearch audit-logs empty


Hi @Theyaa Matti,

Depending upon the services you have deployed in your cluster, the audit logs will generally be written to for service-specific actions that occur (HDFS write, HDFS read, Ambari REST calls, etc).

Are you looking for a specific service's audit logs? Please note that not all services write audit logs.

What version of Ambari are you using?

Hope this helps,

Bob

Re: LogSearch audit-logs empty


Hi @Theyaa Matti!

It processes ambari-audit or hdfs-audit log file as well, but it's possible the parsing is not working properly because the grok patterns that are used are not matching. (That can happen because of the date pattern, as that can change based on system language settings as well.)

Which version of ambari/logsearch are you using? (if 2.5, those patterns can be changed: https://issues.apache.org/jira/browse/AMBARI-18548 , if 2.4, then maybe you will need to check log4j settings for those services)

Some pointers: the logfeeder-generated input patterns and the common grok patterns are located at /etc/ambari-logsearch-logfeeder/conf. You can try out the patterns with lines here: https://grokdebug.herokuapp.com/

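The check the answer above suggests (run your audit lines against the logfeeder pattern and see which ones fail) can be scripted offline. The following is an added example, not code from this thread or from Ambari LogSearch: a minimal grok expander in Python that turns a logfeeder-style message pattern into a regex and reports every line the pattern rejects instead of silently dropping it. The pattern subset, the HDFS_AUDIT_PATTERN and the sample lines are constructed assumptions and are not the contents of /etc/ambari-logsearch-logfeeder/conf.

```python
import re

# Subset of the stock grok pattern library (names as in logstash-patterns-core).
# Assumption for this example; check the real definitions in the logfeeder conf directory.
GROK_PATTERNS = {
    "YEAR": r"\d{4}",
    "MONTHNUM": r"0?[1-9]|1[0-2]",
    "MONTHDAY": r"0[1-9]|[12]\d|3[01]",
    "HOUR": r"2[0-3]|[01]\d",
    "MINUTE": r"[0-5]\d",
    "SECOND": r"[0-5]\d(?:[:.,]\d+)?",
    "TIMESTAMP_ISO8601": r"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?",
    "SPACE": r"\s*",
    "LOGLEVEL": r"ALERT|TRACE|DEBUG|NOTICE|INFO|WARN|ERROR|FATAL",
    "JAVACLASS": r"(?:[a-zA-Z$_][a-zA-Z$_0-9]*\.)*[a-zA-Z$_][a-zA-Z$_0-9]*",
    "GREEDYDATA": r".*",
}

# Hypothetical message pattern written in the style of a logfeeder input config (assumption).
HDFS_AUDIT_PATTERN = (
    r"^%{TIMESTAMP_ISO8601:logtime}%{SPACE}%{LOGLEVEL:level}%{SPACE}"
    r"%{JAVACLASS:file}:%{SPACE}%{GREEDYDATA:log_message}$"
)

_GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def expand_grok(pattern, depth=0):
    """Recursively replace %{NAME} / %{NAME:field} with the underlying regex."""
    if depth > 10:
        raise ValueError("grok pattern nested too deeply")

    def repl(m):
        name, field = m.group(1), m.group(2)
        if name not in GROK_PATTERNS:
            raise KeyError(f"unknown grok pattern %{{{name}}}")
        inner = expand_grok(GROK_PATTERNS[name], depth + 1)
        # A field name becomes a named capture group; a bare reference is non-capturing.
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"

    return _GROK_REF.sub(repl, pattern)


def compile_grok(pattern):
    return re.compile(expand_grok(pattern))


def parse_audit_fields(log_message):
    """Split the tab-separated key=value body of an HDFS audit record."""
    fields = {}
    for item in log_message.split("\t"):
        key, sep, value = item.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def check_audit_lines(pattern, lines):
    """Return (parsed records, rejected lines) so parsing gaps become visible."""
    regex = compile_grok(pattern)
    parsed, unmatched = [], []
    for line in lines:
        m = regex.match(line)
        if m is None:
            unmatched.append(line)
            continue
        record = m.groupdict()
        record.update(parse_audit_fields(record["log_message"]))
        parsed.append(record)
    return parsed, unmatched


# Constructed sample lines, not taken from a real cluster.
SAMPLE_LINES = [
    "2017-03-06 10:12:31,451 INFO FSNamesystem.audit: allowed=true\tugi=hdfs (auth:SIMPLE)"
    "\tip=/10.0.0.5\tcmd=listStatus\tsrc=/tmp\tdst=null\tperm=null\tproto=rpc",
    # Same kind of event, but with a day.month.year timestamp that TIMESTAMP_ISO8601 rejects,
    # which is the locale/date-pattern mismatch the answer describes.
    "06.03.2017 10:12:31,451 INFO FSNamesystem.audit: allowed=false\tugi=bob (auth:SIMPLE)"
    "\tip=/10.0.0.9\tcmd=delete\tsrc=/user/alice/data\tdst=null\tperm=null\tproto=rpc",
]

if __name__ == "__main__":
    ok, bad = check_audit_lines(HDFS_AUDIT_PATTERN, SAMPLE_LINES)
    for rec in ok:
        print("parsed:", rec["logtime"], rec["cmd"], rec["src"], "allowed=" + rec["allowed"])
    for line in bad:
        print("NOT MATCHED (check the date pattern / locale):", line[:50])
```

Run it against a handful of lines copied from your own hdfs-audit.log with the message_pattern from your input config pasted into HDFS_AUDIT_PATTERN; a line landing in the rejected list with a timestamp in a different format is the symptom the answer describes, and the rejected list is also a useful thing to count in monitoring, since every unparsed audit record is an access event nobody will be able to search for.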

Re: LogSearch audit-logs empty


Hi @oszabo

Thank you for your info. I tried the grok debugger and compared it with the logs I have and I found out the issue was that I had to include the INFO logging in logsearch in order to capture the audit logs for hdfs access and hive access.
