"It is recommended that Ranger audits be written to both Solr and HDFS. Audits to Solr are primarily used to enable search queries from the Ranger Admin UI. HDFS is a long-term destination for audits -- audits stored in HDFS can be exported to any SIEM system, or to another audit store".
Can anyone clarify the "any SIEM system" statement? Are Ranger logs conforming to a standard that makes them usable AS-IS by any SIEM without any transformation? What is that standard and where is it documented?
I'm not sure if there is a particular standard for use by SIEM systems - I can't imagine the systems themselves conform to a single standard, however the audits are in standard JSON format and the schema is documented here: https://cwiki.apache.org/confluence/display/RANGER/Ranger+Audit+Schema
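To illustrate the answer above, here is an added example (not from the original thread, and not Ranger project code) that reads Ranger-style JSON audit lines of the kind written to HDFS, flattens each record into a SIEM-friendly event, skips malformed lines, and tallies denied requests per user. The field names (`reqUser`, `evtTime`, `access`, `resource`, `resType`, `result`, `policy`, `repo`, `enforcer`, `cliIP`, `agentHost`, `logType`, `id`) follow the Ranger Audit Schema page linked in the answer as I read it; the sample records and the `evtTime` text format are constructed assumptions for this example.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample input in the one-JSON-object-per-line shape of Ranger's
# HDFS audit files. Values are made up; field names are assumed to follow the
# Ranger Audit Schema (result 1 = allowed, 0 = denied; policy -1 = no policy).
SAMPLE_AUDIT_LINES = """\
{"repoType":1,"repo":"cl1_hadoop","reqUser":"alice","evtTime":"2024-01-15 10:22:31.123","access":"READ","resource":"/data/finance/q1.csv","resType":"path","result":1,"policy":42,"enforcer":"ranger-acl","cliIP":"10.0.0.5","agentHost":"nn1.example.internal","logType":"RangerAudit","id":"example-id-1"}
{"repoType":1,"repo":"cl1_hadoop","reqUser":"bob","evtTime":"2024-01-15 10:23:02.456","access":"WRITE","resource":"/data/finance/q1.csv","resType":"path","result":0,"policy":-1,"enforcer":"hadoop-acl","cliIP":"10.0.0.9","agentHost":"nn1.example.internal","logType":"RangerAudit","id":"example-id-2"}
not json at all
{"repoType":3,"repo":"cl1_hive","reqUser":"bob","evtTime":"2024-01-15 10:23:05.000","access":"SELECT","resource":"finance/salaries","resType":"@table","result":0,"policy":-1,"enforcer":"ranger-acl","cliIP":"10.0.0.9","agentHost":"hs2.example.internal","logType":"RangerAudit","id":"example-id-3"}
"""

# Assumed evtTime layout: local wall-clock text with millisecond fraction.
EVT_TIME_FORMAT = "%Y-%m-%d %H:%M:%S.%f"


def parse_audit_line(line):
    """Parse one Ranger audit JSON line into a flat, SIEM-friendly dict.

    Returns None for blank, non-JSON or non-audit lines so that one bad line
    does not abort ingestion of a whole file.
    """
    line = line.strip()
    if not line:
        return None
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict) or rec.get("logType") != "RangerAudit":
        return None

    # Normalise the timestamp to ISO 8601; fall back to the raw text if the
    # layout differs from the assumed one rather than dropping the event.
    raw_time = rec.get("evtTime", "")
    try:
        timestamp = datetime.strptime(raw_time, EVT_TIME_FORMAT).isoformat(
            timespec="milliseconds"
        )
    except ValueError:
        timestamp = raw_time

    return {
        "timestamp": timestamp,
        "user": rec.get("reqUser", ""),
        "service": rec.get("repo", ""),
        "action": rec.get("access", ""),
        "resource": rec.get("resource", ""),
        "resource_type": rec.get("resType", ""),
        "outcome": "allowed" if rec.get("result") == 1 else "denied",
        "policy_id": rec.get("policy"),
        "enforcer": rec.get("enforcer", ""),
        "src_ip": rec.get("cliIP", ""),
        "host": rec.get("agentHost", ""),
        "event_id": rec.get("id", ""),
    }


def parse_audit_stream(text):
    """Yield normalised events for every parseable line in an audit file."""
    for line in text.splitlines():
        event = parse_audit_line(line)
        if event is not None:
            yield event


def denied_by_user(events):
    """Count denied requests per user: a simple signal a SIEM rule can build on."""
    counts = Counter(e["user"] for e in events if e["outcome"] == "denied")
    return dict(counts)


if __name__ == "__main__":
    events = list(parse_audit_stream(SAMPLE_AUDIT_LINES))
    for e in events:
        print(json.dumps(e))
    print("denied per user:", denied_by_user(events))
```

The transformation is deliberately small: the JSON is already structured, so the work a SIEM connector has to do is renaming fields to its own schema, normalising the timestamp, and mapping the numeric `result` to an outcome it can alert on.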