Cloudera Navigator Audit Event Reports

Minimum Required Role: Auditing Viewer (also provided by Full Administrator)

An audit report is a collection of audit events that satisfy a set of filters. Audit report metadata is recorded by the Cloudera Navigator Metadata Server.

Creating Audit Event Reports

  1. Start and log into the Cloudera Navigator data management component UI.
  2. Click the Audits tab. The Audit Events report displays all audit events that occurred during the last hour.
  3. Do one of the following:
    • Save a filtered version of the Audit Events report:
      1. Optionally specify filters.
      2. Click Save As Report.
    • Create a new report:
      1. Click Create New Report.
  4. Enter a report name.
  5. In the Default time range field, specify a relative time range. If you had specified a custom absolute time range before selecting Save As Report, the custom absolute time range is discarded.
  6. Optionally add filters.
  7. Click Save.

Editing Audit Event Reports

  1. Start and log into the Cloudera Navigator data management component UI.
  2. Click the Audits tab. The Audit Events report displays all audit events that occurred during the last hour.
  3. In the left pane, click a report name.
  4. Click Edit Report.
  5. In the Default time range field, specify a relative time range. If you had specified a custom absolute time range before selecting Save As Report, the custom absolute time range is discarded.
  6. Optionally add filters.
  7. Click Save.

Downloading Audit Event Reports

You can download audit event reports in the Audit UI or using the Audit API in CSV and JSON formats. An audit event contains the following fields: timestamp, service, username, ipAddress, command, resource, allowed, [operationText], serviceValues. The contents of the resource and serviceValues fields depend on the type of the service. In addition, Hive, Hue, Impala, and Sentry events have the operationText field, which contains the operation string. See Service Audit Event Fields.

In addition to downloading audit events, you can configure the Navigator Audit Server to publish audit events to a Kafka topic or syslog. See Publishing Audit Events.

Downloading Audit Event Reports Using the Audit UI

  1. Start and log into the Cloudera Navigator data management component UI.
  2. Click the Audits tab. The Audit Events report displays all audit events that occurred during the last hour.
  3. Do one of the following:
    • Add filters.
    • In the left pane, click a report name.
  4. Select Export > format, where format is CSV or JSON.

Downloading Audit Events Using the Audit API

You can filter and download audit events using the Cloudera Navigator Data Management API.

Hive Audit Events Using the Audit API

To download the audit events for a service named hive using the API, issue the following request. The URL is quoted so that the shell does not interpret the & characters that separate the query parameters:
curl "http://Navigator_Metadata_Server_host:port/api/v9/audits/?query=service%3D%3Dhive&startTime=1431025200000&endTime=1431032400000\
&limit=5&offset=0&format=JSON&attachment=false" -X GET -u username:password
The startTime and endTime parameters are required and must be specified in epoch time in milliseconds.

The request could return the following JSON items:

[ {
  "timestamp" : "2015-05-07T20:34:39.923Z",
  "service" : "hive",
  "username" : "hdfs",
  "ipAddress" : "12.20.199.170",
  "command" : "QUERY",
  "resource" : "default:sample_08",
  "operationText" : "INSERT OVERWRITE \n  TABLE sample_09 \nSELECT \n  sample_07.code,sample_08.description \n  FROM sample_07 \n  JOIN sample_08 \n  WHERE sample_08.code = sample_07.code",
  "allowed" : true,
  "serviceValues" : {
    "object_type" : "TABLE",
    "database_name" : "default",
    "operation_text" : "INSERT OVERWRITE \n  TABLE sample_09 \nSELECT \n  sample_07.code,sample_08.description \n  FROM sample_07 \n  JOIN sample_08 \n  WHERE sample_08.code = sample_07.code",
    "resource_path" : "/user/hive/warehouse/sample_08",
    "table_name" : "sample_08"
  }
}, {
  "timestamp" : "2015-05-07T20:33:50.287Z",
  "service" : "hive",
  "username" : "hdfs",
  "ipAddress" : "12.20.199.170",
  "command" : "SWITCHDATABASE",
  "resource" : "default:",
  "operationText" : "USE default",
  "allowed" : true,
  "serviceValues" : {
    "object_type" : "DATABASE",
    "database_name" : "default",
    "operation_text" : "USE default",
    "resource_path" : "/user/hive/warehouse",
    "table_name" : ""
  }
}, {
  "timestamp" : "2015-05-07T20:33:23.792Z",
  "service" : "hive",
  "username" : "hdfs",
  "ipAddress" : "12.20.199.170",
  "command" : "CREATETABLE",
  "resource" : "default:",
  "operationText" : "CREATE TABLE sample_09 (code string,description string) ROW FORMAT DELIMITED FIELDS TERMINATED BY '\\t' STORED AS TextFile",
  "allowed" : true,
  "serviceValues" : {
    "object_type" : "DATABASE",
    "database_name" : "default",
    "operation_text" : "CREATE TABLE sample_09 (code string,description string) ROW FORMAT DELIMITED FIELDS TERMINATED BY '\\t' STORED AS TextFile",
    "resource_path" : "/user/hive/warehouse",
    "table_name" : ""
  }
} ]
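
The following is an added example, not Cloudera's code: it builds the same request URL from timezone-aware datetimes (the epoch-millisecond and URL-encoding steps are where hand-built requests usually go wrong) and triages the returned JSON by user, source address and command, collecting denied events. The function names are hypothetical, and the sample data is constructed from the response above plus one invented denied event.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def to_epoch_ms(dt):
    """Exact epoch milliseconds; naive datetimes are rejected so the window
    is never silently shifted by the local time zone."""
    if dt.tzinfo is None:
        raise ValueError("datetime must be timezone-aware")
    return (dt - EPOCH) // timedelta(milliseconds=1)

def build_audit_url(base, query, start, end, limit=5, offset=0):
    """Build the audits request with the parameters used in the curl call."""
    if end <= start:
        raise ValueError("endTime must be after startTime")
    params = urlencode({
        "query": query,  # "service==hive" is sent as service%3D%3Dhive
        "startTime": to_epoch_ms(start), "endTime": to_epoch_ms(end),
        "limit": limit, "offset": offset,
        "format": "JSON", "attachment": "false",
    })
    return f"{base}/audits/?{params}"

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def summarize(events, start, end):
    """Count (username, ipAddress, command) tuples and collect denied events."""
    counts, denied = Counter(), []
    for ev in events:
        if not start <= parse_ts(ev["timestamp"]) <= end:
            continue  # outside the requested window
        counts[(ev["username"], ev["ipAddress"], ev["command"])] += 1
        if not ev["allowed"]:
            denied.append(ev)
    return counts, denied

START = datetime(2015, 5, 7, 19, 0, tzinfo=timezone.utc)  # 1431025200000
END = datetime(2015, 5, 7, 21, 0, tzinfo=timezone.utc)    # 1431032400000
# Constructed sample: two events trimmed from the response above plus one
# invented denied event (etl_user, 192.0.2.10) to exercise the denied path.
SAMPLE = json.loads("""[
 {"timestamp":"2015-05-07T20:34:39.923Z","username":"hdfs","ipAddress":"12.20.199.170","command":"QUERY","allowed":true},
 {"timestamp":"2015-05-07T20:33:50.287Z","username":"hdfs","ipAddress":"12.20.199.170","command":"SWITCHDATABASE","allowed":true},
 {"timestamp":"2015-05-07T20:35:02.000Z","username":"etl_user","ipAddress":"192.0.2.10","command":"QUERY","allowed":false}
]""")
```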