Audit Log Fields
Auditing events on the gateway are informational, the default auditing level is informational (INFO) and it cannot be changed.
The Audit logs located at C:/hadoop/logs/knox/gateway-audit.log
have the following structure:
EVENT_PUBLISHING_TIMEROOT_REQUEST_ID | PARENT_REQUEST_ID | REQUEST_ID | LOGGER_NAME | TARGET_SERVICE_NAME | USER_NAME | PROXY_USER_NAME | SYSTEM_USER_NAME | ACTION | RESOURCE_TYPE | RESOURCE_NAME | OUTCOME | LOGGING_MESSAGE
where:
EVENT_PUBLISHING_TIME : contains the timestamp when record was written.
ROOT_REQUEST_ID : Reserved, the field is empty.
PARENT_REQUEST_ID : Reserved, the field is empty.
REQUEST_ID : contains a unique value representing the request.
LOGGER_NAME : contains the logger name. For example
audit
.TARGET_SERVICE_NAME : contains the name of Hadoop service. Empty indicates that the audit record is not linked to a Hadoop service. For example, an audit record for topology deployment.
USER_NAME : contains the ID of the user who initiated session with Knox Gateway.
PROXY_USER_NAME : contains the authenticated user name.
SYSTEM_USER_NAME : Reserved, field is empty.
ACTION : contains the executed action type. The value is either authentication, authorization, redeploy, deploy, undeploy, identity-mapping, dispatch, or access.
RESOURCE_TYPE contains the resource type of the action. The value is either
uri
,topology
, orprincipal
.RESOURCE_NAME : contains the process name of the resource. For example,
topology
shows the inbound or dispatch request path andprincipal
shows the name of mapped user.OUTCOME contains the action results,
success
,failure
, orunavailable
.LOGGING_MESSAGE contains additional tracking information, such as the HTTP status code.