On-boarding Ranger Audit logs to SIEM

New Contributor

Hello,

We are in the process of setting up our Cloudera and would like to request you to provide the steps to integrate audit logs from Ranger to SIEM (Splunk) systems. Request you to let us know if there are any other services needed on the cluster to get this integration (other than Ranger).

Thanks a lot.

Regards,

Madhuri

Re: On-boarding Ranger Audit logs to SIEM

Cloudera Employee

Hi Madhuri,

Streaming Ranger audits to third-party services (other than HDFS, Solr) is still not officially supported. I found this article, though; can you check if it helps:
https://my.cloudera.com/knowledge/How-to-send-Ranger-audit-logs-to-log4j-appenders?id=276802

Also, there's a GitHub page to enable streaming Ranger audits to Kafka topics:

https://github.com/Raghav-Guru/kafka-ranger-audit

Here's an Apache document on steps to enable audits to a component that has a log4j appender:

https://cwiki.apache.org/confluence/display/RANGER/Ranger+0.5+Audit+Configuration#Ranger0.5AuditConf...