LogSearch audit-logs empty


New Contributor

I am trying to use logsearch and I already have Hadoop logs showing up in the UI. But I can never get the audit-logs to show up. Are those logs related to specific actions on the cluster so I can trigger them?

Accepted Solution

Re: LogSearch audit-logs empty

New Contributor

Hi @Theyaa Matti!

It processes the ambari-audit or hdfs-audit log file as well, but it's possible the parsing is not working properly because the grok patterns that are used are not matching. (That can happen because of the date pattern, as that can change based on system language settings as well.)

Which version of ambari/logsearch are you using? (If 2.5, those patterns can be changed: https://issues.apache.org/jira/browse/AMBARI-18548 ; if 2.4, then maybe you will need to check the log4j settings for those services.)

Some pointers: the logfeeder-generated input patterns and the common grok patterns are located at /etc/ambari-logsearch-logfeeder/conf. You can try out the patterns with your log lines here: https://grokdebug.herokuapp.com/
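An added example, not code from this thread or from Ambari/logfeeder, that approximates what the feeder does with an input pattern: it expands a grok pattern into a regex, runs it over a few constructed hdfs-audit lines, and reports why a line was dropped. The base grok patterns, the audit input pattern, the `.audit` logger check and the sample lines are all assumptions modelled on the usual log4j layout, not the files shipped under /etc/ambari-logsearch-logfeeder/conf. The second sample line shows the date-format mismatch described above: a locale-style `dd.mm.yyyy` timestamp never matches `TIMESTAMP_ISO8601`, so the whole record is silently skipped.

```python
import re

# Subset of grok base patterns, constructed for this example (an approximation
# of the common pattern file logfeeder ships, not that file itself).
GROK_BASE = {
    "YEAR": r"(?:\d\d){1,2}",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "HOUR": r"(?:2[0-3]|[01]?[0-9])",
    "MINUTE": r"[0-5][0-9]",
    "SECOND": r"(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?",
    "TIMESTAMP_ISO8601": r"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?",
    "LOGLEVEL": r"(?:TRACE|DEBUG|INFO|WARN|ERROR|FATAL)",
    "JAVACLASS": r"(?:[A-Za-z$_][A-Za-z$_0-9]*\.)*[A-Za-z$_][A-Za-z$_0-9]*",
    "GREEDYDATA": r".*",
}

_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def compile_grok(pattern):
    """Expand %{NAME} / %{NAME:field} references (recursively) into a Python regex."""
    def expand(p):
        def sub(m):
            body = expand(GROK_BASE[m.group(1)])
            return "(?P<%s>%s)" % (m.group(2), body) if m.group(2) else "(?:%s)" % body
        return _REF.sub(sub, p)
    return re.compile(expand(pattern))


# Assumed input pattern for hdfs-audit lines: "<ISO timestamp> <level> <logger>: <message>".
HDFS_AUDIT_GROK = r"^%{TIMESTAMP_ISO8601:logtime} %{LOGLEVEL:level} %{JAVACLASS:logger}: %{GREEDYDATA:message}$"
TIMESTAMP_ONLY = r"^%{TIMESTAMP_ISO8601:logtime}"

AUDIT_RE = compile_grok(HDFS_AUDIT_GROK)
TS_RE = compile_grok(TIMESTAMP_ONLY)
KV_RE = re.compile(r"(\w+)=([^\t]*)")  # the audit message body is tab-separated key=value pairs


def parse_audit_line(line):
    """Return a dict of parsed fields, or None when the grok pattern does not match."""
    m = AUDIT_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event.update(KV_RE.findall(event.pop("message")))
    return event


def triage(lines):
    """Classify each line the way a feeder would: parsed audit event, or dropped with a reason."""
    parsed, unmatched = [], []
    for line in lines:
        event = parse_audit_line(line)
        if event is None:
            reason = ("timestamp does not match TIMESTAMP_ISO8601" if not TS_RE.match(line)
                      else "timestamp ok, rest of pattern does not match")
            unmatched.append((line, reason))
        elif not event["logger"].endswith(".audit"):
            unmatched.append((line, "not an audit logger"))
        else:
            parsed.append(event)
    return parsed, unmatched


# Constructed sample lines: an ISO-dated audit record, the same record with a
# locale-style "dd.mm.yyyy" date, and an ordinary (non-audit) namenode log line.
SAMPLE_LINES = [
    "2017-05-10 12:34:56,789 INFO FSNamesystem.audit: allowed=true\tugi=hdfs (auth:SIMPLE)"
    "\tip=/10.0.0.5\tcmd=getfileinfo\tsrc=/tmp\tdst=null\tperm=null\tproto=rpc",
    "10.05.2017 12:34:56,790 INFO FSNamesystem.audit: allowed=false\tugi=alice (auth:SIMPLE)"
    "\tip=/10.0.0.9\tcmd=delete\tsrc=/secure\tdst=null\tperm=null\tproto=rpc",
    "2017-05-10 12:35:00,001 WARN org.apache.hadoop.ipc.Server: Connection reset by peer",
]

if __name__ == "__main__":
    ok, bad = triage(SAMPLE_LINES)
    for e in ok:
        print("parsed:   ", e["logtime"], e["level"], e["cmd"], e["ugi"], e["src"])
    for line, why in bad:
        print("unmatched:", why, "|", line[:45])
```

Running it shows one parsed event and two dropped lines with their reasons, which is the same information the grok debugger gives you but over a whole file at once; if every line in your hdfs-audit log lands in the "timestamp" bucket, the date pattern is the thing to change in the input config rather than anything in LogSearch itself.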


Re: LogSearch audit-logs empty

Rising Star

Hi @Theyaa Matti,

Depending upon the services you have deployed in your cluster, the audit logs will generally be written to for service-specific actions that occur (HDFS write, HDFS read, Ambari REST calls, etc).

Are you looking for a specific service's audit logs? Please note that not all services write audit logs.

What version of Ambari are you using?

Hope this helps,

Bob

Re: LogSearch audit-logs empty

New Contributor

Hi @oszabo

Thank you for your info. I tried the grok debugger and compared it with the logs I have, and I found out the issue was that I had to include the INFO logging in logsearch in order to capture the audit logs for HDFS access and Hive access.

Re: LogSearch audit-logs empty

New Contributor