Publishing Audit Events

Minimum Required Role: Navigator Administrator (also provided by Full Administrator)

You can publish audit events to a Kafka topic or syslog.

A failure to send an event to Kafka or syslog is logged to the Audit Server log.

Publishing Audit Events to Kafka

You can publish audit events to a Kafka topic. To configure audit logging to a Kafka topic, do the following:
  1. Do one of the following:
    • Select Clusters > Cloudera Management Service.
    • On the Home > Status tab, in Cloudera Management Service table, click the Cloudera Management Service link.
  2. Click the Configuration tab.
  3. Type "kafka" in the Search box to display the configurable settings.
  4. For the Kafka Service property, select the Kafka service to which Cloudera Navigator will publish audit events.
  5. For the Kafka Topic property, enter the name of the default group to which Cloudera Navigator will publish the audit events.
  6. Click Save Changes.
  7. Restart the role.

Publishing Audit Events to Syslog

The Audit Server logs all audit records into a Log4j logger called auditStream. The log messages are logged at the TRACE level, with the attributes of the audit records. By default, the auditStream logger is inactive because the logger level is set to FATAL. It is also connected to a NullAppender, and does not forward to other appenders (additivity set to false).

To record the audit stream, configure the auditStream logger with the desired appender. For example, the standard SyslogAppender allows you to send the audit records to a remote syslog.

The Log4j SyslogAppender supports only UDP. An example syslog configuration would be:
$ModLoad imudp
$UDPServerRun 514 
# Accept everything (even DEBUG messages)
local2.* /my/audit/trail.log
It is also possible to attach other appenders to the auditStream to provide other integration behaviors.
You can publish audit events to syslog in two formats: JSON and RSA EnVision. To configure audit logging to syslog, do the following:
  1. Do one of the following:
    • Select Clusters > Cloudera Management Service.
    • On the Home > Status tab, in Cloudera Management Service table, click the Cloudera Management Service link.
  2. Click the Configuration tab.
  3. Locate the Navigator Audit Server Logging Advanced Configuration Snippet property by typing its name in the Search box.
  4. Depending on the format type, enter:
    log4j.appender.SYSLOG = org.apache.log4j.net.SyslogAppender
    log4j.appender.SYSLOG.SyslogHost = hostname
    log4j.appender.SYSLOG.Facility = Local2
    log4j.appender.SYSLOG.FacilityPrinting = true
    To configure the specific stream type, enter:
    Format Property
    JSON
    log4j.logger.auditStream = TRACE,SYSLOG
    log4j.additivity.auditStream = false
    RSA EnVision
    log4j.logger.auditStreamEnVision = TRACE,SYSLOG
    log4j.additivity.auditStreamEnVision = false
  5. Click Save Changes to commit the changes.
  6. Restart the role.

Example Log Messages

Format Log Message Example
JSON
Jul 23 11:05:15 hostname local2:
{"type":"HDFS","allowed":"true","time":"1374602714758",
"service":"HDFS-1",
"user":"root","ip":"10.20.93.93","op":"mkdirs","src":"/audit/root","perms":"rwxr-xr-x"}
RSA EnVision
Cloudera|Navigator|1|type="Hive",allowed="false",time="1382551146763",
service="HIVE-1",user="systest",impersonator="",ip="/10.20.190.185",op="QUERY",
opText="select count(*) from sample_07",db="default",table="sample_07",path="/user/hive/warehouse/sample_07",objType="TABLE"
If a particular field is not applicable for that audit event, it is omitted from the message.