Cloudera Navigator Audit Server

Describes how to add and configure the Navigator Audit Server role.

Adding the Navigator Audit Server Role

Minimum Required Role: Navigator Administrator (also provided by Full Administrator)

Before adding the Navigator Audit Server role, configure the database where audit events are stored.
  1. Do one of the following:
    • Select Clusters > Cloudera Management Service > Cloudera Management Service.
    • On the Status tab of the Home page, in the Cloudera Management Service table, click the Cloudera Management Service link.
  2. Click the Instances tab.
  3. Click the Add Role Instances button. The Customize Role Assignments page displays.
  4. Assign the Navigator role to a host.
    1. Customize the assignment of role instances to hosts. The wizard evaluates the hardware configurations of the hosts to determine the best hosts for each role. The wizard assigns all worker roles to the same set of hosts to which the HDFS DataNode role is assigned. These assignments are typically acceptable, but you can reassign them if necessary.

      Click a field below a role to display a dialog containing a list of hosts. If you click a field containing multiple hosts, you can also select All Hosts to assign the role to all hosts or Custom to display the pageable hosts dialog.

      The following shortcuts for specifying hostname patterns are supported:
      • Range of hostnames (without the domain portion)
        Range Definition          Matching Hosts
        10.1.1.[1-4]              10.1.1.1, 10.1.1.2, 10.1.1.3, 10.1.1.4
        host[1-3].company.com     host1.company.com, host2.company.com, host3.company.com
        host[07-10].company.com   host07.company.com, host08.company.com, host09.company.com, host10.company.com
      • IP addresses
      • Rack name

      Click the View By Host button for an overview of the role assignment by hostname ranges.

  5. When you are satisfied with the assignments, click Continue. The Database Setup screen displays.
  6. Configure database settings:
    1. Choose the database type:
      • Leave the default setting of Use Embedded Database to have Cloudera Manager create and configure required databases. Make a note of the auto-generated passwords.

      • Select Use Custom Databases to specify external databases.
        1. Enter the database host, database type, database name, username, and password for the database that you created when you set up the database.
    2. Click Test Connection to confirm that Cloudera Manager can communicate with the database using the information you have supplied. If the test succeeds in all cases, click Continue; otherwise check and correct the information you have provided for the database and then try the test again. (For some servers, if you are using the embedded database, you will see a message saying the database will be created at a later step in the installation process.) The Review Changes screen displays.
  7. Click Finish.

Starting, Stopping, and Restarting the Navigator Audit Server

  1. Do one of the following:
    • Select Clusters > Cloudera Management Service > Cloudera Management Service.
    • On the Status tab of the Home page, in the Cloudera Management Service table, click the Cloudera Management Service link.
  2. Click the Instances tab.
  3. Do one of the following depending on your role:
    • Minimum Required Role: Full Administrator

      1. Check the checkbox next to the Navigator Audit Server role.
      2. Select Actions for Selected > Action. Click Action to confirm the action, where Action is Start, Stop, or Restart.
    • Minimum Required Role: Navigator Administrator (also provided by Full Administrator)

      1. Click the Navigator Audit Server role link.
      2. Select Actions > Action this Navigator Audit Server. Click Action this Navigator Audit Server, where Action is Start, Stop, or Restart, to confirm the action.

Configuring the Navigator Audit Server Log Directory

Minimum Required Role: Navigator Administrator (also provided by Full Administrator)

  1. Do one of the following:
    • Select Clusters > Cloudera Management Service > Cloudera Management Service.
    • On the Status tab of the Home page, in the Cloudera Management Service table, click the Cloudera Management Service link.
  2. Click the Configuration tab.
  3. Expand the Navigator Audit Server Default Group category.
  4. Set the Navigator Audit Server Log Directory property.
  5. Click Save Changes.
  6. Click the Instances tab.
  7. Check the checkbox next to the Navigator Audit Server role.
  8. Select Actions for Selected > Restart.

Configuring the Navigator Audit Server Data Expiration Period

Minimum Required Role: Navigator Administrator (also provided by Full Administrator)

You can configure the number of hours of audit events to keep in the Navigator Audit Server database as follows:
  1. Do one of the following:
    • Select Clusters > Cloudera Management Service > Cloudera Management Service.
    • On the Status tab of the Home page, in the Cloudera Management Service table, click the Cloudera Management Service link.
  2. Click the Configuration tab.
  3. Expand the Navigator Audit Server Default Group category.
  4. Set the Navigator Audit Server Data Expiration Period property.
  5. Click Save Changes.
  6. Click the Instances tab.
  7. Check the checkbox next to the Navigator Audit Server role.
  8. Select Actions for Selected > Restart.

Configuring the Audit Server to Mask Personally Identifiable Information

Minimum Required Role: Navigator Administrator (also provided by Full Administrator)

Personally identifiable information (PII) is information that can be used on its own or with other information to identify or locate a single person, or to identify an individual in context. The PII masking feature allows you to specify credit card number patterns (from major credit issuers) that are masked in audit events, in the properties of entities displayed in lineage diagrams, and in information retrieved from the Audit Server database and the Metadata Server persistent storage.
  1. Do one of the following:
    • Select Clusters > Cloudera Management Service > Cloudera Management Service.
    • On the Status tab of the Home page, in the Cloudera Management Service table, click the Cloudera Management Service link.
  2. Click the Configuration tab.
  3. Expand the Navigator Audit Server Default Group category.
  4. Click the Advanced category.
  5. Configure the PII Masking Regular Expression property with a regular expression that matches the credit card number formats to be masked. The default expression is:
    (4[0-9]{12}(?:[0-9]{3})?)|(5[1-5][0-9]{14})|(3[47][0-9]{13})|(3(?:0[0-5]|[68][0-9])[0-9]{11})|(6(?:011|5[0-9]{2})[0-9]{12})|((?:2131|1800|35\\d{3})\\d{11})
    which is constructed from the following subexpressions:
    • Visa - (4[0-9]{12}(?:[0-9]{3})?)
    • MasterCard - (5[1-5][0-9]{14})
    • American Express - (3[47][0-9]{13})
    • Diners Club - (3(?:0[0-5]|[68][0-9])[0-9]{11})
    • Discover - (6(?:011|5[0-9]{2})[0-9]{12})
    • JCB - ((?:2131|1800|35\\d{3})\\d{11})
    If the property is left blank, PII is not masked.
  6. Click Save Changes to commit the changes.
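
The following check is an added example, not part of the Cloudera documentation or product code. It runs the default expression against constructed sample strings to show what it does and does not catch before you rely on it: numbers written with separators are not matched, and a card-shaped run inside a longer digit string is. It assumes the "\\d" shown above is Java-string escaping for the regex token \d; the function and variable names are hypothetical.

```python
import re

# Issuer subexpressions listed on the page. Assumption: the page's "\\d"
# is Java-string escaping of the regex token \d, so \d is used here.
ISSUERS = [
    ("Visa", r"(4[0-9]{12}(?:[0-9]{3})?)"),
    ("MasterCard", r"(5[1-5][0-9]{14})"),
    ("American Express", r"(3[47][0-9]{13})"),
    ("Diners Club", r"(3(?:0[0-5]|[68][0-9])[0-9]{11})"),
    ("Discover", r"(6(?:011|5[0-9]{2})[0-9]{12})"),
    ("JCB", r"((?:2131|1800|35\d{3})\d{11})"),
]
# re.ASCII keeps \d limited to 0-9, as in Java's default regex mode.
DEFAULT_PII_REGEX = re.compile("|".join(p for _, p in ISSUERS), re.ASCII)


def find_card_matches(text):
    """Return (issuer, matched_text) for every match of the default expression."""
    hits = []
    for m in DEFAULT_PII_REGEX.finditer(text):
        # Each alternative has exactly one capturing group, so lastindex
        # identifies which issuer subexpression matched.
        hits.append((ISSUERS[m.lastindex - 1][0], m.group(0)))
    return hits


# Constructed audit-event fragments using publicly documented test card
# numbers (not real accounts).
SAMPLES = {
    "visa": "SELECT name FROM payments WHERE pan='4111111111111111'",
    "mastercard": "pan=5555555555554444",
    "amex": "pan=378282246310005",
    "diners": "pan=30569309025904",
    "discover": "pan=6011111111111117",
    "jcb": "pan=3530111333300000",
    # Separators break the digit run, so the expression does not match.
    "dashed": "pan=4111-1111-1111-1111",
    # No boundary anchors: a 19-digit identifier is partially matched.
    "embedded": "request_id=9004111111111111111",
}

if __name__ == "__main__":
    for label, line in SAMPLES.items():
        print(f"{label:10} {find_card_matches(line)}")
```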