Cloudera Enterprise 5.15.x | Other versions

Publishing Audit Events

Minimum Required Role: Navigator Administrator (also provided by Full Administrator)

Audit events can be published to a Kafka topic or to the system log (syslog). After configuring Cloudera Navigator to send audit events, failures to send events are logged to the Audit Server log.

Continue reading:

Publishing Audit Events to Kafka

To publish audit event logging to Kafka topics, configure the Cloudera Management Service as follows:
  1. Log in to Cloudera Manager Admin Console using either Navigator Administrator or Full Administator privileged account.
  2. Select Clusters > Cloudera Management Service.
  3. Click the Configuration tab.
  4. In the Search field, type "kafka" to display the configurable settings.
  5. For the Kafka Service property, select the Kafka service to which Cloudera Navigator will publish audit events.
  6. For the Kafka Topic property, enter the name of the default group to which Cloudera Navigator will publish the audit events.
  7. Click Save Changes.
  8. Restart the role.

Publishing Audit Events to Syslog

The Audit Server logs all audit records into a Log4j logger called auditStream. The log messages are logged at the TRACE level, with the attributes of the audit records. By default, the auditStream logger is inactive because the logger level is set to FATAL. It is also connected to a NullAppender, and does not forward to other appenders (additivity set to false).

To record the audit stream, configure the auditStream logger with the desired appender. For example, the standard SyslogAppender allows you to send the audit records to a remote syslog.

The Log4j SyslogAppender supports only UDP. An example syslog configuration would be: 
$ModLoad imudp
$UDPServerRun 514 
# Accept everything (even DEBUG messages)
local2.* /my/audit/trail.log
Other appenders can be attached to the auditStream to implement other integration behaviors.
Audit events published to syslog can be formatted as JSON or RSA EnVision. To configure audit logging to syslog:
  1. Log in to Cloudera Manager Admin Console using either Navigator Administrator or Full Administator privileged account.
  2. Select Clusters > Cloudera Management Service.
  3. Click the Configuration tab.
  4. Locate the Navigator Audit Server Logging Advanced Configuration Snippet property by typing its name in the Search box.
  5. Depending on the format type, enter: 
    log4j.appender.SYSLOG = org.apache.log4j.net.SyslogAppender
log4j.appender.SYSLOG.SyslogHost = hostname
log4j.appender.SYSLOG.Facility = Local2
log4j.appender.SYSLOG.FacilityPrinting = true
    To configure the specific stream type, enter:
    Format Property
    JSON 
    log4j.logger.auditStream = TRACE,SYSLOG
log4j.additivity.auditStream = false
    RSA EnVision 
    log4j.logger.auditStreamEnVision = TRACE,SYSLOG
log4j.additivity.auditStreamEnVision = false
  6. Click Save Changes.
  7. Restart the role.
Page generated May 18, 2018.