Support Questions
Find answers, ask questions, and share your expertise

Ranger audit to HDFS , path issue

Guru

Hello,

I am wondering how the final HDFS path for storing Ranger audits is being generated, because it doesn't match the configured property via Ambari.

Configuration looks like:

9934-ambari-config-ranger-audit-hdfs-path.png

checked via /etc/hadoop/conf/ranger-hdfs-audit.xml :

9935-ambari-config-ranger-audit-hdfs-path-in-xml-file.png

But the created folder in HDFS is:

9936-ambari-config-ranger-audit-hdfs-path-created-in-hd.png

I expected having the audit-log-files under "hdfs://.../ranger/audit/20161130" directly.

Why is there the subfolder "hdfs" and an additional subfolder with the yyyyMMdd again ?!?!

Maybe a known bug/issue in the version in use: HDP 2.3.4.7, Ambari 2.2.1.1 ?!?!

Thanks for any feedback...

4 REPLIES 4

Contributor

@Gerd Koenig xasecure.audit.destination.hdfs.dir should be the base path for all audit logs for all plugins. The plugins themselves add their own name - 'hdfs' in this case, Hiveserver2 adds 'hiveserver2', Hbase adds 'hbase', etc - and a daily datestamp automatically. This behaviour is fixed and I don't think there's any way to change it. You should just set it to 'hdfs://<Nameservice ID>/ranger/audit'

Guru

Thanks @Terry Stebbens for clarification that this behaviour is fixed.

Do you know starting with which version (HDP/Ranger/Ambari) it is fixed ?

Some part of hdfs audit destination is controllable since RANGER-397.

For example below change the destination file to hdfs://sandbox.hortonworks.com:8020/ranger/audit/hdfs/hdfs_ranger_audit_sandbox.hortonworks.com_20170801.log:

<name>xasecure.audit.destination.hdfs.filename.format</name>
<value>%app-type%_ranger_audit_%hostname%_%time:yyyyMMdd%.log</value>
<name>xasecure.audit.destination.hdfs.subdir</name>
<value>%app-type%</value>

Explorer

can we delete those logs ?