@ururu I have a similar use case but the configurations mentioned above are not giving the desired results. Did you add or modify some of the configurations?   E.g., I saw it being mentioned elsewhere that the hadoop.root.logger value needs to be changed as well to include SYSLOG as a value. Did you do this too? Also, in case the external SIEM server expects a particular format, e.g., the RFC 5424 syslog format or a specific SIEM server format like Universal LEEF, what would be the best way to define this property? ... View more

Hello @CaptainJa    Thanks for your Update. Based on your review, the "hadoop-acl" enforcer is being delayed to be tracked via Ranger Audit UI while other Audits are likely appearing immediately. As far as I know, the Audit Framework from any Service to Solr is same, likely indicating the suspicions raised by you i.e. the "hadoop-acl" events are being buffered prior to being sent to Solr for Indexing.   Currently, I am unfamiliar with any Configuration controlling the same yet wish to confirm if the HDFS Audit Logs or InfraSolr Logs are reporting any issues, which may point to any concerns. I was under the impression that Solr may be the Bottleneck for RangerAudit Lagging yet the synopsis appears to be impacting the "hadoop-acl" alone.   - Smarak ... View more

Hello @Madhur Thanks a lot for the reply. I can confirm that the operating system is rhel7. The base url used was a configuration setting passed down but we have used it for other clusters without issues. I will nonetheless check with the client to make sure it is correct.   Concerning the link to the bug report, the upgrade was done for Ambari 2.6.2.2 while the mentioned bug was fixed in version 2.6.0.0. Also, the scenarios presented in the bug are a bit different in our case.   Thanks a lot for the help ... View more