1. Audit Log Fields

Auditing events on the gateway are informational, the default auditing level is informational (INFO) and it cannot be changed.

The Audit logs located at C:/hadoop/logs/knox/gateway-audit.log have the following structure:

EVENT_PUBLISHING_TIMEROOT_REQUEST_ID | PARENT_REQUEST_ID | REQUEST_ID | LOGGER_NAME | TARGET_SERVICE_NAME | USER_NAME | PROXY_USER_NAME | SYSTEM_USER_NAME | ACTION | RESOURCE_TYPE | RESOURCE_NAME | OUTCOME | LOGGING_MESSAGE

where:

  • EVENT_PUBLISHING_TIME : contains the timestamp when record was written.

  • ROOT_REQUEST_ID : Reserved, the field is empty.

  • PARENT_REQUEST_ID : Reserved, the field is empty.

  • REQUEST_ID : contains a unique value representing the request.

  • LOGGER_NAME : contains the logger name. For example audit.

  • TARGET_SERVICE_NAME : contains the name of Hadoop service. Empty indicates that the audit record is not linked to a Hadoop service. For example, an audit record for topology deployment.

  • USER_NAME : contains the ID of the user who initiated session with Knox Gateway.

  • PROXY_USER_NAME : contains the authenticated user name.

  • SYSTEM_USER_NAME : Reserved, field is empty.

  • ACTION : contains the executed action type. The value is either authentication, authorization, redeploy, deploy, undeploy, identity-mapping, dispatch, or access.

  • RESOURCE_TYPE contains the resource type of the action. The value is either uri, topology, or principal.

  • RESOURCE_NAME : contains the process name of the resource. For example, topology shows the inbound or dispatch request path and principal shows the name of mapped user.

  • OUTCOME contains the action results, success, failure, or unavailable.

  • LOGGING_MESSAGE contains additional tracking information, such as the HTTP status code.


loading table of contents...