Created 04-13-2017 05:11 PM
I am trying to use logsearch and I have already hadoop logs showing up in the ui. But I can never get the audit-logs to show up. Are those logs related to specific actions on the cluster so I can trigger them?
Created 04-13-2017 06:49 PM
Hi @Theyaa Matti!
It processes ambari-audit or hdfs-audit log files as well, but it's possible the parsing is not working properly because the grok patterns that are used are not matching. (That can happen because of the date pattern, as that can change based on system language settings as well.)
Which version of ambari/logsearch are you using? (if 2.5, those patterns can be changed: https://issues.apache.org/jira/browse/AMBARI-18548 , if 2.4, then maybe you will need to check log4j settings for those services)
Some pointers: the logfeeder-generated input patterns and common grok patterns are located at /etc/ambari-logsearch-logfeeder/conf. You can try out the patterns with lines here: https://grokdebug.herokuapp.com/
Created 04-13-2017 06:35 PM
Hi @Theyaa Matti,
Depending upon the services you have deployed in your cluster, the audit logs will generally be written to for service-specific actions that occur (HDFS write, HDFS read, Ambari REST calls, etc).
Are you looking for a specific service's audit logs? Please note that not all services write audit logs.
What version of Ambari are you using?
Hope this helps,
Bob
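As an added illustration of the grok-pattern check suggested above (this is example code, not part of the thread or of Ambari Log Search), the following script applies a hand-written regex equivalent of a typical hdfs-audit pattern to a few constructed audit lines and reports which ones would fail to match. The line layout (ISO timestamp, level, logger, then tab-separated key=value fields), the field names and the sample values are assumptions for this example; the exact layout on a real cluster is set by the namenode's log4j configuration. The third sample line uses a locale-style date on purpose, to show how a date-format mismatch silently drops an audit record unless unmatched lines are counted.

```python
import re

# Assumed hdfs-audit line shape (constructed for this example):
#   <ISO timestamp> <LEVEL> <logger>: key=value<TAB>key=value...
AUDIT_PATTERN = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+) "
    r"(?P<logger>[\w.]+):\s+"
    r"(?P<fields>.*)$"
)

# Constructed sample lines. The last one carries a dd.mm.yyyy date, which is the
# kind of locale-dependent format mentioned in the thread and does not match above.
SAMPLE_LINES = [
    "2017-04-13 17:11:05,123 INFO FSNamesystem.audit: allowed=true\tugi=hive (auth:SIMPLE)"
    "\tip=/10.0.0.12\tcmd=open\tsrc=/apps/hive/warehouse/t1\tdst=null\tperm=null\tproto=rpc",
    "2017-04-13 17:11:06,001 INFO FSNamesystem.audit: allowed=false\tugi=alice (auth:SIMPLE)"
    "\tip=/10.0.0.40\tcmd=delete\tsrc=/user/bob/secret\tdst=null\tperm=null\tproto=rpc",
    "13.04.2017 17:11:07,002 INFO FSNamesystem.audit: allowed=true\tugi=hdfs (auth:SIMPLE)"
    "\tip=/10.0.0.1\tcmd=listStatus\tsrc=/tmp\tdst=null\tperm=null\tproto=rpc",
]


def parse_kv_fields(text):
    """Split tab-separated key=value chunks into a dict (values may contain spaces)."""
    out = {}
    for chunk in text.split("\t"):
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def parse_audit_lines(lines):
    """Return (parsed records, unmatched lines).

    Unmatched lines are exactly the ones a misconfigured grok pattern would drop,
    so a non-zero count here is the signal that the audit feed is incomplete.
    """
    parsed, unmatched = [], []
    for line in lines:
        match = AUDIT_PATTERN.match(line)
        if not match:
            unmatched.append(line)
            continue
        record = match.groupdict()
        record.update(parse_kv_fields(record.pop("fields")))
        parsed.append(record)
    return parsed, unmatched


def denied_events(records):
    """Records with allowed=false: the access-denied events an operator reviews first."""
    return [r for r in records if r.get("allowed") == "false"]


def summarize(lines):
    """Counts that belong on a dashboard: parsed, dropped, and denied."""
    parsed, unmatched = parse_audit_lines(lines)
    return {
        "parsed": len(parsed),
        "unmatched": len(unmatched),
        "denied": len(denied_events(parsed)),
    }


if __name__ == "__main__":
    records, dropped = parse_audit_lines(SAMPLE_LINES)
    for r in records:
        print(r["timestamp"], r["ugi"], r["cmd"], r["src"], "allowed=" + r["allowed"])
    for line in dropped:
        print("UNMATCHED (check the date pattern):", line[:40])
    print(summarize(SAMPLE_LINES))
```

The point of the unmatched counter is the same as the thread's advice to run lines through a grok debugger: if the count is non-zero on real data, the pattern in /etc/ambari-logsearch-logfeeder/conf (or the log4j layout that produces the lines) needs adjusting before the audit trail can be trusted.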
Created 04-18-2017 01:56 PM
Hi @oszabo
Thank you for your info. I tried the grok debugger and compared it with the logs I have, and I found out the issue was that I had to include the INFO logging in logsearch in order to capture the audit logs for hdfs access and hive access.
Created 04-18-2017 02:36 PM
hi @Theyaa Matti,
I think you hit that issue: https://issues.apache.org/jira/browse/AMBARI-18372