Cloudera Navigator Audit Event Reports

Required Role: Auditing Viewer (or Full Administrator)

Cloudera Navigator provides two default reports for audit events (Recent Denied Accesses, for example). You can also create new reports, apply filters to fine-tune the results displayed, save the filtered report specification for future use, and export (download) any report in CSV or JSON format. Metadata about the audit reports you create and save is recorded in the Cloudera Navigator Metadata Server.

Creating Audit Event Reports

Selecting the Audit menu in the Cloudera Navigator console displays the Audit Events report. This report displays all audit events captured in the last 1 hour. You can modify the filters configured for this report and save it, giving it a new name, as follows.

  1. Do one of the following:
    • To save a filtered version of the Audit Events report:
      1. Optionally specify filters.
      2. Click Save As Report.
    • Create a new report by clicking New Report.
  2. Enter a report name.
  3. In the Default time range field, specify a relative time range. If you had specified a custom absolute time range before selecting Save As Report, the custom absolute time range is discarded.
  4. Optionally add filters.
  5. Click Save.

Editing Audit Event Reports

  1. In the left pane, click a report name.
  2. Click Edit Report.
  3. In the Default time range field, specify a relative time range. If you had specified a custom absolute time range before selecting Save As Report, the custom absolute time range is discarded.
  4. Optionally add filters.
  5. Click Save.

Downloading Audit Event Reports

You can download audit event reports in CSV and JSON formats, either in the Cloudera Navigator console or using the Audit API. An audit event contains the following fields:
  • timestamp
  • service
  • username
  • ipAddress
  • command
  • resource
  • allowed
  • [operationText]
  • serviceValues
The values for resource and serviceValues fields depend on the type of the service. In addition, Hive, Hue, Impala, and Sentry events have the operationText field, which contains the operation string. See Service Audit Events.

In addition to downloading audit events, you can configure the Navigator Audit Server to publish audit events to a Kafka topic or syslog. See Publishing Audit Events.

Downloading Audit Event Reports from the Cloudera Navigator Console

  1. Do one of the following:
    • Add filters.
    • In the left pane, click a report name.
  2. Select Export > format, where format is CSV or JSON.

Downloading Audit Events Using the Audit API

You can filter and download audit events using the Cloudera Navigator APIs.

Hive Audit Events Using the Audit API

To use the API to download the audit events for a service named hive, use the audits endpoint with the GET method:

http://fqdn-n.example.com:port/api/APIversion/audits/?parameters

where fqdn-n.example.com is the host running the Navigator Metadata Server role instance listening for HTTP connections at the specified port number (7187 is the default port number). APIversion is the running version of the API as indicated in the footer of the API documentation (available from the Help menu in the Navigator console) or by calling http://fqdn-n.example.com:port/api/version.

For example:

# The URL is single-quoted so the shell does not interpret the & separators.
curl -X GET -u username:password \
  'http://node1.example.com:7187/api/v12/audits/?query=service%3D%3Dhive&startTime=1431025200000&endTime=1431032400000&limit=5&offset=0&format=JSON&attachment=false'

The startTime and endTime parameters are required and must be specified in epoch time in milliseconds.

The request could return the following JSON items:

[ {
  "timestamp" : "2015-05-07T20:34:39.923Z",
  "service" : "hive",
  "username" : "hdfs",
  "ipAddress" : "12.20.199.170",
  "command" : "QUERY",
  "resource" : "default:sample_08",
  "operationText" : "INSERT OVERWRITE \n  TABLE sample_09 \nSELECT \n  sample_07.code,sample_08.description \n  FROM sample_07 \n  JOIN sample_08 \n  WHERE sample_08.code = sample_07.code",
  "allowed" : true,
  "serviceValues" : {
    "object_type" : "TABLE",
    "database_name" : "default",
    "operation_text" : "INSERT OVERWRITE \n  TABLE sample_09 \nSELECT \n  sample_07.code,sample_08.description \n  FROM sample_07 \n  JOIN sample_08 \n  WHERE sample_08.code = sample_07.code",
    "resource_path" : "/user/hive/warehouse/sample_08",
    "table_name" : "sample_08"
  }
}, {
  "timestamp" : "2015-05-07T20:33:50.287Z",
  "service" : "hive",
  "username" : "hdfs",
  "ipAddress" : "12.20.199.170",
  "command" : "SWITCHDATABASE",
  "resource" : "default:",
  "operationText" : "USE default",
  "allowed" : true,
  "serviceValues" : {
    "object_type" : "DATABASE",
    "database_name" : "default",
    "operation_text" : "USE default",
    "resource_path" : "/user/hive/warehouse",
    "table_name" : ""
  }
}, {
  "timestamp" : "2015-05-07T20:33:23.792Z",
  "service" : "hive",
  "username" : "hdfs",
  "ipAddress" : "12.20.199.170",
  "command" : "CREATETABLE",
  "resource" : "default:",
  "operationText" : "CREATE TABLE sample_09 (code string,description string) ROW FORMAT DELIMITED FIELDS TERMINATED BY '\\t' STORED AS TextFile",
  "allowed" : true,
  "serviceValues" : {
    "object_type" : "DATABASE",
    "database_name" : "default",
    "operation_text" : "CREATE TABLE sample_09 (code string,description string) ROW FORMAT DELIMITED FIELDS TERMINATED BY '\\t' STORED AS TextFile",
    "resource_path" : "/user/hive/warehouse",
    "table_name" : ""
  }
} ]
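
The following is an added example, not part of the original Cloudera documentation. It builds the audits request URL from UTC datetimes (converting them to the required epoch milliseconds) and triages a JSON response for denied accesses. The function names, the user analyst1, the 192.0.2.x addresses and the sample events are constructed for illustration; only the field names and URL parameters come from this page.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, urlencode

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def to_epoch_ms(dt):  # startTime/endTime are epoch time in milliseconds
    return (dt - EPOCH) // timedelta(milliseconds=1)

def build_audit_url(base, api_version, query, start, end, limit=100, offset=0):
    params = {"query": query, "startTime": to_epoch_ms(start),
              "endTime": to_epoch_ms(end), "limit": limit, "offset": offset,
              "format": "JSON", "attachment": "false"}
    return f"{base}/api/{api_version}/audits/?" + urlencode(params, quote_via=quote)

def parse_ts(value):  # event timestamps look like 2015-05-07T20:34:39.923Z (UTC)
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def triage(events, start, end):
    """Return (denied events, count per (username, command), events outside the window)."""
    denied, counts, outside = [], Counter(), []
    for ev in events:
        counts[(ev["username"], ev["command"])] += 1
        if not start <= parse_ts(ev["timestamp"]) <= end:
            outside.append(ev)
        if ev["allowed"] is not True:  # anything but JSON true is treated as denied
            # operationText is present only for Hive, Hue, Impala and Sentry events
            denied.append({"when": ev["timestamp"], "user": ev["username"], "ip": ev["ipAddress"],
                           "resource": ev["resource"], "operation": ev.get("operationText")})
    return denied, counts, outside

# Constructed sample response: field names follow the page, values are made up.
SAMPLE = """[
 {"timestamp": "2015-05-07T20:34:39.923Z", "service": "hive", "username": "hdfs", "ipAddress": "192.0.2.10",
  "command": "QUERY", "resource": "default:sample_08", "operationText": "SELECT code FROM sample_08", "allowed": true},
 {"timestamp": "2015-05-07T20:33:50.287Z", "service": "hive", "username": "hdfs", "ipAddress": "192.0.2.10",
  "command": "SWITCHDATABASE", "resource": "default:", "operationText": "USE default", "allowed": true},
 {"timestamp": "2015-05-07T20:40:02.000Z", "service": "hive", "username": "analyst1", "ipAddress": "192.0.2.44",
  "command": "QUERY", "resource": "default:sample_07", "operationText": "SELECT * FROM sample_07", "allowed": false}
]"""

if __name__ == "__main__":
    start = datetime(2015, 5, 7, 19, 0, tzinfo=timezone.utc)
    end = datetime(2015, 5, 7, 21, 0, tzinfo=timezone.utc)
    print(build_audit_url("http://node1.example.com:7187", "v12", "service==hive", start, end, limit=5))
    denied, counts, outside = triage(json.loads(SAMPLE), start, end)
    print(denied, dict(counts), outside)
```

With the window 2015-05-07 19:00 to 21:00 UTC and limit=5, build_audit_url reproduces the URL used in the curl example above.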