Ranger plugins could send audit logs up to Solr and HDFS storages.
About Solr storage: I except any produced audit log to be sent ASAP up to Solr for storage (so, losing a log looks like here a non-issue).
===> Is it correct ?
About HDFS storage, I have read the following within the HortonWorks docs:
* section "Enabling Audit Logging in Non-Ambari Clusters" => a property "XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY" is mentioned, and it is related to "Set the Audit to HDFS caches logs in the local directory"
So, I conclude logs are stored on the plugin host (for a short period of time, as written into the docs) and then, if the plugin host disk crashs, then logs could be lost, couldn't they ?
The doc mentions no info about the period of time after which the logs are sent to HDFS.
===> Does anyone have any hint about this stuff ?
* section "Manually Updating HDFS Audit Settings (for Ambari installs)" => no property
===> What does that mean ? Is there - as above - some log retention on the plugin host for some time ?
How does it work ?