Hadoop Security Guide

Audit Log Fields

Auditing events on the gateway are informational. The default auditing level is informational (INFO) and it cannot be changed.

The audit logs, located at C:/hadoop/logs/knox/gateway-audit.log, have the following structure:

EVENT_PUBLISHING_TIME ROOT_REQUEST_ID | PARENT_REQUEST_ID | REQUEST_ID | LOGGER_NAME | TARGET_SERVICE_NAME | USER_NAME | PROXY_USER_NAME | SYSTEM_USER_NAME | ACTION | RESOURCE_TYPE | RESOURCE_NAME | OUTCOME | LOGGING_MESSAGE

where:

  • EVENT_PUBLISHING_TIME : contains the timestamp when the record was written.

  • ROOT_REQUEST_ID : Reserved, the field is empty.

  • PARENT_REQUEST_ID : Reserved, the field is empty.

  • REQUEST_ID : contains a unique value representing the request.

  • LOGGER_NAME : contains the logger name. For example, audit.

  • TARGET_SERVICE_NAME : contains the name of the Hadoop service. An empty value indicates that the audit record is not linked to a Hadoop service, for example, an audit record for topology deployment.

  • USER_NAME : contains the ID of the user who initiated the session with Knox Gateway.

  • PROXY_USER_NAME : contains the authenticated user name.

  • SYSTEM_USER_NAME : Reserved, the field is empty.

  • ACTION : contains the executed action type. The value is either authentication, authorization, redeploy, deploy, undeploy, identity-mapping, dispatch, or access.

  • RESOURCE_TYPE : contains the resource type of the action. The value is either uri, topology, or principal.

  • RESOURCE_NAME : contains the process name of the resource. For example, topology shows the inbound or dispatch request path and principal shows the name of the mapped user.

  • OUTCOME : contains the action result. The value is either success, failure, or unavailable.

  • LOGGING_MESSAGE : contains additional tracking information, such as the HTTP status code.
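
The record layout above can be parsed and checked against the documented value sets before the data is used for monitoring. The following Python sketch is an added example, not code from Knox or from this guide. It assumes the timestamp and ROOT_REQUEST_ID are separated by a space, that only LOGGING_MESSAGE may contain a `|`, and it uses constructed sample records; `parse_audit_line` and `summarize` are hypothetical names.

```python
from collections import Counter

FIELDS = ("EVENT_PUBLISHING_TIME ROOT_REQUEST_ID PARENT_REQUEST_ID REQUEST_ID "
          "LOGGER_NAME TARGET_SERVICE_NAME USER_NAME PROXY_USER_NAME SYSTEM_USER_NAME "
          "ACTION RESOURCE_TYPE RESOURCE_NAME OUTCOME LOGGING_MESSAGE").split()
# Value sets exactly as listed in the field descriptions above.
ALLOWED = {
    "ACTION": {"authentication", "authorization", "redeploy", "deploy",
               "undeploy", "identity-mapping", "dispatch", "access"},
    "RESOURCE_TYPE": {"uri", "topology", "principal"},
    "OUTCOME": {"success", "failure", "unavailable"},
}

def parse_audit_line(line):
    """Return a dict of the 14 fields, or None if the line does not fit the layout."""
    # Assumption: only LOGGING_MESSAGE may contain '|', so cap the split at 12.
    chunks = line.rstrip("\r\n").split("|", 12)
    if len(chunks) != 13:
        return None
    # Assumption: timestamp and ROOT_REQUEST_ID share chunk 0, split at its last space.
    stamp, _, root = chunks[0].rpartition(" ")
    record = dict(zip(FIELDS, [s.strip() for s in [stamp, root] + chunks[1:]]))
    ok = record["EVENT_PUBLISHING_TIME"] and record["REQUEST_ID"] and all(
        record[name] in allowed for name, allowed in ALLOWED.items())
    return record if ok else None

def summarize(lines):
    """Count non-success outcomes per (USER_NAME, ACTION); collect lines that fail parsing."""
    failures, rejected = Counter(), []
    for line in lines:
        record = parse_audit_line(line)
        if record is None:
            rejected.append(line)  # wrong field count or undocumented value: review manually
        elif record["OUTCOME"] != "success":
            failures[(record["USER_NAME"] or "-", record["ACTION"])] += 1
    return failures, rejected

# Constructed sample records (not taken from a real gateway).
SAMPLE = [
    "17/12/12 10:30:01 ||req-0001|audit|WEBHDFS|guest|||access|uri|/gateway/sandbox/webhdfs/v1/tmp?op=LISTSTATUS|success|Response status: 200",
    "17/12/12 10:30:05 ||req-0002|audit|WEBHDFS|guest|||authorization|uri|/gateway/sandbox/webhdfs/v1/secure|failure|Response status: 403",
    "17/12/12 10:30:09 ||req-0003|audit|WEBHDFS|guest|||authorization|uri|/gateway/sandbox/webhdfs/v1/secure|failure|Response status: 403",
    "17/12/12 10:31:00 ||req-0004|audit|||||deploy|topology|sandbox|unavailable|",
    "17/12/12 10:31:02 ||req-0005|audit|WEBHDFS|guest|||access|uri|/x|ok|spoofed",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Lines returned in the rejected list do not match the documented structure or value sets and are worth reviewing by hand, since they can indicate a format change or a tampered log.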