LogSearch audit-logs empty

Rising Star

I am trying to use Log Search and I already have Hadoop logs showing up in the UI. But I can never get the audit logs to show up. Are those logs related to specific actions on the cluster, so I can trigger them?

1 ACCEPTED SOLUTION

Contributor

Hi @Theyaa Matti!

It processes the ambari-audit or hdfs-audit log file as well, but it's possible the parsing is not working properly because the grok patterns that are used are not matching. (That can happen because of the date pattern, as that can change based on system language settings as well.)

Which version of ambari/logsearch are you using? (if 2.5, those patterns can be changed: https://issues.apache.org/jira/browse/AMBARI-18548 , if 2.4, then maybe you will need to check log4j settings for those services)

Some pointers: the generated Logfeeder input patterns and the common grok patterns are located at /etc/ambari-logsearch-logfeeder/conf. You can try out the patterns with your log lines here: https://grokdebug.herokuapp.com/

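The answer above comes down to a pattern-matching check: if the grok pattern in the Logfeeder input config does not match a line of hdfs-audit.log, that line never reaches the UI, and a changed date layout is enough to cause that. The following is an added example written for this thread, not code from Ambari or Log Search. It expands grok references into a regex the way the grok debugger does, runs an illustrative hdfs-audit pattern over two constructed log lines (one with the usual ISO timestamp, one with a day.month.year timestamp that the pattern rejects), pulls the security-relevant key=value fields (ugi, cmd, allowed) out of the matched payload, and then shows the remedy the answer points at: adding a pattern for the other date layout and swapping it in. The grok pattern, the name DATESTAMP_EU, the trimmed pattern table and both sample lines are assumptions; the real input patterns live in /etc/ambari-logsearch-logfeeder/conf as the answer says.

```python
"""Grok pattern checker for Log Search / Logfeeder-style audit lines.

Added example for this thread; it is not code from Ambari Log Search.
The grok primitives below are a hand-copied, trimmed subset of the standard
grok library, and the hdfs-audit pattern plus both sample lines are
constructed assumptions, not the contents of /etc/ambari-logsearch-logfeeder/conf.
"""
import re

# Subset of the grok pattern library, as plain regexes (%{NAME} references
# inside a body are expanded by grok_to_regex below).
GROK_PATTERNS = {
    "YEAR": r"(?:\d\d){1,2}",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "ISO8601_TIMEZONE": r"(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))",
    "TIMESTAMP_ISO8601": r"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}"
                         r"(?::?%{SECOND})?%{ISO8601_TIMEZONE}?",
    "LOGLEVEL": r"(?:TRACE|DEBUG|INFO|WARN(?:ING)?|ERROR|FATAL)",
    "JAVACLASS": r"(?:[a-zA-Z$_][a-zA-Z$_0-9]*\.)*[a-zA-Z$_][a-zA-Z$_0-9]*",
    "SPACE": r"\s*",
    "GREEDYDATA": r".*",
}

_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern, patterns=GROK_PATTERNS):
    """Expand %{NAME} / %{NAME:field} references, recursively, into one regex."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        if name not in patterns:
            raise ValueError(f"unknown grok pattern %{{{name}}}")
        body = grok_to_regex(patterns[name], patterns)
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return _REF.sub(expand, pattern)


# Illustrative Logfeeder-style pattern for hdfs-audit.log, modeled on the
# "%d{ISO8601} %p %c{2}: %m%n" log4j layout of Hadoop's audit appender.
# Assumption: the real input config under /etc/ambari-logsearch-logfeeder/conf may differ.
HDFS_AUDIT_GROK = (
    r"^%{TIMESTAMP_ISO8601:logtime}%{SPACE}%{LOGLEVEL:level}%{SPACE}"
    r"%{JAVACLASS:logger}:%{SPACE}%{GREEDYDATA:log_message}$"
)

# Constructed sample lines. The second carries a day.month.year timestamp
# (as a changed ConversionPattern would produce), so TIMESTAMP_ISO8601 rejects it.
SAMPLE_LINES = [
    "2017-05-17 10:15:22,123 INFO FSNamesystem.audit: allowed=true\tugi=hdfs (auth:SIMPLE)"
    "\tip=/10.0.0.1\tcmd=getfileinfo\tsrc=/tmp\tdst=null\tperm=null\tproto=rpc",
    "17.05.2017 10:15:22,123 INFO FSNamesystem.audit: allowed=false\tugi=alice (auth:KERBEROS)"
    "\tip=/10.0.0.2\tcmd=delete\tsrc=/user/bob/secret\tdst=null\tperm=null\tproto=rpc",
]


def check_lines(grok_pattern, lines, patterns=GROK_PATTERNS):
    """Match every line; return [(line, captured fields or None)] so misses stand out."""
    rx = re.compile(grok_to_regex(grok_pattern, patterns))
    out = []
    for line in lines:
        m = rx.match(line)
        out.append((line, m.groupdict() if m else None))
    return out


def parse_audit_fields(log_message):
    """Split the hdfs-audit payload (tab-separated key=value pairs) into a dict."""
    fields = {}
    for part in log_message.split("\t"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


# Remedy the answer points at: add a pattern for the other date layout and swap it in.
# DATESTAMP_EU is a name made up here, not a standard grok pattern.
CUSTOM_PATTERNS = dict(
    GROK_PATTERNS,
    DATESTAMP_EU=r"%{MONTHDAY}\.%{MONTHNUM}\.%{YEAR} %{HOUR}:%{MINUTE}:%{SECOND}",
)
HDFS_AUDIT_GROK_ALT = HDFS_AUDIT_GROK.replace("TIMESTAMP_ISO8601", "DATESTAMP_EU")


if __name__ == "__main__":
    for label, grok, pats in (("default", HDFS_AUDIT_GROK, GROK_PATTERNS),
                              ("eu-date", HDFS_AUDIT_GROK_ALT, CUSTOM_PATTERNS)):
        print(f"== pattern: {label}")
        for line, fields in check_lines(grok, SAMPLE_LINES, pats):
            if fields is None:
                print("  NO MATCH:", line[:40], "...")
                continue
            audit = parse_audit_fields(fields["log_message"])
            print(f"  {fields['logtime']} {fields['level']} "
                  f"ugi={audit['ugi']} cmd={audit['cmd']} allowed={audit['allowed']}")
```

Run it as-is and the default pattern reports the second line as NO MATCH while the eu-date pattern reports the first one; the same two-line comparison against the real lines from hdfs-audit.log and the real pattern from the Logfeeder config is what the grok debugger link in the answer does interactively. A line that matches but lands in the wrong field (for example the level captured as part of the timestamp) is the other failure worth checking, which is why the captured groupdict is returned rather than just a boolean.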

4 REPLIES

Expert Contributor

Hi @Theyaa Matti,

Depending on the services you have deployed in your cluster, the audit logs will generally be written for service-specific actions that occur (HDFS writes, HDFS reads, Ambari REST calls, etc.).

Are you looking for a specific service's audit logs? Please note that not all services write audit logs.

What version of Ambari are you using?

Hope this helps,

Bob

Rising Star

Hi @oszabo

Thank you for your info. I tried the grok debugger and compared it with the logs I have, and I found out the issue was that I had to include INFO logging in Log Search in order to capture the audit logs for HDFS access and Hive access.