Ranger Audit Logs to SIEM


Per https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.0/bk_Ranger_Install_Guide/content/ch_install_...

"It is recommended that Ranger audits be written to both Solr and HDFS. Audits to Solr are primarily used to enable search queries from the Ranger Admin UI. HDFS is a long-term destination for audits -- audits stored in HDFS can be exported to any SIEM system, or to another audit store".

Can anyone clarify the "any SIEM system" statement? Are Ranger logs conforming to a standard that makes them usable AS-IS by any SIEM without any transformation? What is that standard and where is it documented?


Re: Ranger Audit Logs to SIEM

I'm not sure there is a particular standard for use by SIEM systems; I can't imagine the systems themselves conform to a single standard. However, the audits are in standard JSON format and the schema is documented here: https://cwiki.apache.org/confluence/display/RANGER/Ranger+Audit+Schema

Re: Ranger Audit Logs to SIEM

The only requirement is that the target system accepts JSON format (which Ranger audit logs use).
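Both replies above make the same point: the records are plain JSON, so "export to any SIEM" means writing a small adapter, not relying on a shared standard. As an added example (not code from this thread or from Apache Ranger), the script below reads newline-delimited Ranger audit JSON in the shape written to the HDFS destination, drops lines that are not valid audit records, flags denied requests, and renders each record as a CEF line, which most SIEMs ingest directly. The field names (`reqUser`, `evtTime`, `access`, `resource`, `result`, `cliIP`, `agentHost`, ...) follow the Ranger Audit Schema page linked in the first reply as I read it; the three sample records, the corrupt line, the CEF field mapping and severities, and the assumption that `evtTime` is in UTC are my own.

```python
import json
from datetime import datetime, timezone

# Constructed sample: Ranger-style audit records (one JSON object per line, as in
# the HDFS audit destination) plus one deliberately corrupt line. Not real data.
SAMPLE_AUDIT_LINES = """\
{"repoType":1,"repo":"cl1_hadoop","reqUser":"alice","evtTime":"2019-11-05 10:15:42.117","access":"READ","resource":"/data/finance/q3.csv","resType":"path","action":"read","result":1,"policy":7,"enforcer":"ranger-acl","cliIP":"10.0.0.21","agentHost":"nn1.example.internal","logType":"RangerAudit","id":"8e3b5a8c-0001","seq_num":1,"event_count":1,"event_dur_ms":0}
{"repoType":1,"repo":"cl1_hadoop","reqUser":"mallory","evtTime":"2019-11-05 10:15:43.002","access":"WRITE","resource":"/data/finance/q3.csv","resType":"path","action":"write","result":0,"policy":-1,"enforcer":"hadoop-acl","cliIP":"10.0.0.99","agentHost":"nn1.example.internal","logType":"RangerAudit","id":"8e3b5a8c-0002","seq_num":2,"event_count":3,"event_dur_ms":1200}
this line is not json
{"repoType":3,"repo":"cl1_hive","reqUser":"bob","evtTime":"2019-11-05 10:16:01.550","access":"SELECT","resource":"finance/salaries/amount","resType":"@column","action":"select","result":0,"policy":-1,"enforcer":"ranger-acl","cliIP":"10.0.0.42","agentHost":"hs2.example.internal","logType":"RangerAudit","id":"8e3b5a8c-0003","seq_num":3,"event_count":1,"event_dur_ms":3}
"""


def parse_audit_lines(text):
    """Parse newline-delimited audit JSON. Returns (events, bad_lines).

    Malformed or non-audit lines are collected rather than raised, so one bad
    line in a large HDFS audit file does not stop the export."""
    events, bad_lines = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            bad_lines.append((lineno, line))
            continue
        # Only keep objects that look like Ranger audit records.
        if not isinstance(obj, dict) or obj.get("logType") != "RangerAudit":
            bad_lines.append((lineno, line))
            continue
        events.append(obj)
    return events, bad_lines


def evt_time_to_epoch_ms(evt_time):
    """Ranger writes evtTime as 'YYYY-MM-DD HH:MM:SS.mmm' with no zone.
    Assumption (mine): the agent clock is UTC. Integer arithmetic avoids
    float rounding of the milliseconds."""
    dt = datetime.strptime(evt_time, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) * 1000 + dt.microsecond // 1000


def is_denied(event):
    # In the Ranger schema result=1 means allowed; anything else is treated as denied.
    return event.get("result") != 1


def denied_events(events):
    return [e for e in events if is_denied(e)]


def _cef_escape_header(value):
    # CEF header fields: escape backslash and the pipe separator.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _cef_escape_ext(value):
    # CEF extension values: escape backslash and '=', and flatten newlines.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", " ").replace("\n", " "))


def to_cef(event):
    """Render one audit record as a CEF:0 line. Severity 7 for denials and 3
    for allowed access is my choice, not anything Ranger defines."""
    denied = is_denied(event)
    header = "|".join([
        "CEF:0", "Apache", "Ranger", "1",
        _cef_escape_header(event.get("action", "unknown")),
        _cef_escape_header(f"{event.get('access', '?')} {'DENIED' if denied else 'ALLOWED'}"),
        "7" if denied else "3",
    ])
    extension = {
        "rt": evt_time_to_epoch_ms(event["evtTime"]),
        "suser": event.get("reqUser"),
        "src": event.get("cliIP"),
        "dvchost": event.get("agentHost"),
        "act": event.get("action"),
        "outcome": "denied" if denied else "allowed",
        "fname": event.get("resource"),
        "cnt": event.get("event_count", 1),
        "externalId": event.get("id"),
        "cs1Label": "repo", "cs1": event.get("repo"),
        "cs2Label": "resType", "cs2": event.get("resType"),
        "cs3Label": "policy", "cs3": event.get("policy"),
        "cs4Label": "enforcer", "cs4": event.get("enforcer"),
    }
    ext = " ".join(f"{k}={_cef_escape_ext(v)}" for k, v in extension.items() if v is not None)
    return header + "|" + ext


if __name__ == "__main__":
    events, bad = parse_audit_lines(SAMPLE_AUDIT_LINES)
    for e in events:
        print(to_cef(e))
    for lineno, line in bad:
        print(f"# skipped line {lineno}: {line[:40]!r}")
    print(f"# {len(denied_events(events))} denied of {len(events)} events")
```

To use this against a real export, replace `SAMPLE_AUDIT_LINES` with the contents of the files under the Ranger HDFS audit directory and point the printed CEF lines at your collector's syslog or file input. Before trusting the timestamps, check what zone the agents' clocks run in; the UTC assumption above is the first thing to correct if your SIEM shows events shifted by a few hours.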
