Audit Event Logs

In Cloudera Manager audit event logs display service and role life cycle events recorded by Cloudera Manager management services and service access events recorded by Cloudera Navigator. For information on the former, see Viewing and Filtering Audit Events in Cloudera Manager Monitoring and Diagnostics Guide.

Viewing Audit Event Logs

You can view audit event logs for all services or for a specific service.

To view the audit event log for all services:

  1. Click Audits in the banner.

To view the audit event log for a service:

  1. Click an HDFS, HBase, Hive, or Hue service.
  2. Click the Audits tab.
  Note:
  • When you mouse over a Hive or Hue service event, a pop-up will display the query that generated the event.
  • Events that represent denied access are labeled Denied and have a pink background.

Filtering Events

You filter events by adding filters or selecting a time range.

Adding Filters

Do one of the following:

  • Click the icon that displays next to a property when you hover in one of the event entries. A filter containing the property and its value is added to the list of filters at the left and Cloudera Manager redisplays all events that match the filter.
  • Click the Add Filter to the left of the log. A filter control is added to the list of filters.
    1. Choose an event property in the property drop-down list.
    2. Choose an operator in the operator drop-down list.
    3. Type an event property value in the value text field. If you use the LIKE operator, specify combinations of literal strings and '%' in the value field. For example, the value 'THE%S' matches THEMOVIES and THEUSERS.
    4. Do one of the following:
      • Click Search. A filter containing the property, operation, and value is added to the list of filters at the left and the audit log redisplays all events that match the filter.

      • Click Add Another. A filter containing the property and its value is added to the list of filters at the left, the audit log redisplays all events that match the filter, and another filter control is added to the list of filters.

Selecting a Time Range

Do one of the following:

The audit log redisplays all events that match the time range.

Removing Filters

Click the at the right of the filter. The filter is removed and the audit log redisplays all audit events that match the remaining filters. If there are no filters, the audit log displays all events.

Modifying Filters

  1. Click the filter. The filter expands into separate property, operator, and value fields.
  2. Modify the value of one or more fields.
  3. Click Search. A filter containing the property, operation, and value is added to the list of filters at the left and the audit log redisplays all events that match the filter.

Downloading Audit Event Logs

  1. Specify desired filters and time range.
  2. Click the Download CSV button to the left of the audit log. A file with the following fields is downloaded: service, username, command, ipAddress, resource, allowed, timestamp. The structure of the resource field depends on the type of the service as follows:
    • HDFS - A file path.
    • Hive and Hue - <database>:<tablename>
    • HBase - <table> <famil>:<qualifier>
    • Here is an example of an HDFS service audit log:
      service,username,command,ipAddress,resource,allowed,timestamp
      hdfs1,cloudera,setPermission,10.20.187.242,/user/hive,false,"2013-02-09T00:59:34.430Z"
      hdfs1,cloudera,getfileinfo,10.20.187.242,/user/cloudera,true,"2013-02-09T00:59:22.667Z"
      hdfs1,cloudera,getfileinfo,10.20.187.242,/,true,"2013-02-09T00:59:22.658Z"

      In this example, the first event access was denied, and therefore the "allowed" property has the value "false".