Configuring Ranger audit log storage to a local file

How to configure a service to write Ranger audit log records to a local file, in addition to the default Solr and HDFS locations.

By default, the Solr and HDFS audit destinations store short-term and long-term audit records, respectively. You can configure a service to also write Ranger audit records to a local file, and you can further configure the service by appending additional, service-specific configuration properties. To do this, first modify the ranger-<service_name>-audit.xml file using Cloudera Manager, then add the appenders to the service's logging configuration. This topic uses the Hive service as the example.

Table 1. Ranger Audit Destination Configuration Parameters for services

Parameter Name | Description | Default Setting | Units
xasecure.audit.destination.log4j | controls whether Ranger writes audit records to a service | true | T/F
xasecure.audit.destination.log4j.logger | location at which you can access audit records written to HDFS | rangerauditlogger | string

  1. Configure Ranger Log4JAuditDestination.
    1. From Cloudera Manager choose <service_name> > Configuration.
    2. In Search, type ranger-<service_name>-audit, then press Return.
    3. In Hive Service Advanced Configuration Snippet (Safety Valve) for ranger-hive-audit.xml, click +.
    4. Add the following property/value:
      Name
      xasecure.audit.destination.log4j
      Value
      true
    5. Click Save Changes (CTRL+S).
    6. In Hive Service Advanced Configuration Snippet (Safety Valve) for ranger-hive-audit.xml, click +.
    7. Add the following property/value:
      Name
      xasecure.audit.destination.log4j.logger
      Value
      rangerauditlogger
    8. Click Save Changes (CTRL+S).
  2. Configure Hive Log4j for the Ranger audit log appender.
    Add the following properties to the configuration (HiveServer2 Logging Advanced Configuration Snippet (Safety Valve)):
    appenders=console, DRFA, redactorForRootLogger, RANGERAUDIT
    appender.RANGERAUDIT.type=RollingRandomAccessFile
    appender.RANGERAUDIT.name=RANGERAUDIT
    appender.RANGERAUDIT.fileName=${log.dir}/hive-ranger-audit.log
    appender.RANGERAUDIT.filePattern=${log.dir}/hive-ranger-audit.log.%d{yyyy-MM-dd}-%i
    appender.RANGERAUDIT.filePermissions=rwxr--r--
    appender.RANGERAUDIT.layout.type=PatternLayout
    appender.RANGERAUDIT.layout.pattern=%d{ISO8601} %q %5p [%t] %c{2} (%F:%M(%L)) - %m%n
    appender.RANGERAUDIT.policies.type=Policies
    appender.RANGERAUDIT.policies.size.type=SizeBasedTriggeringPolicy
    appender.RANGERAUDIT.policies.size.size=250MB
    appender.RANGERAUDIT.strategy.type=DefaultRolloverStrategy
    appender.RANGERAUDIT.strategy.max=10
    appender.RANGERAUDIT.strategy.action.type=DELETE
    appender.RANGERAUDIT.strategy.action.basepath=${log.dir}
    appender.RANGERAUDIT.strategy.action.maxdepth=1
    appender.RANGERAUDIT.strategy.action.PathConditions.glob=hive-ranger-audit.*
    appender.RANGERAUDIT.strategy.action.PathConditions.type=IfFileName
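    # 2GB is a size threshold, so the nested condition is IfAccumulatedFileSize (IfAccumulatedFileCount expects an integer file count)
    appender.RANGERAUDIT.strategy.action.PathConditions.nestedConditions.type=IfAccumulatedFileSize
    appender.RANGERAUDIT.strategy.action.PathConditions.nestedConditions.exceeds=2GB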
    loggers=Ranger
    logger.Ranger.name=rangerauditlogger
    logger.Ranger.level=INFO
    logger.Ranger.appenderRefs=RANGERAUDIT
    logger.Ranger.appenderRef.RANGERAUDIT.ref=RANGERAUDIT
    
  3. Restart the service to refresh the configuration.
    After the restart, hive-ranger-audit.log is created in the configured log directory, and Ranger audit records for Hive operations are appended to it.
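
The check below is an added example, not part of the original procedure or of Cloudera's or Ranger's code. It verifies that the logger named in xasecure.audit.destination.log4j.logger is defined in the Log4j properties and routed to a declared appender, and it reports a filePermissions value that lets every local user read the audit file. The function names and the embedded sample settings are assumptions constructed from the steps above.

```python
# Added example: consistency check for the Ranger audit Log4j settings on this page.
# AUDIT_XML_PROPS and LOG4J_PROPS are constructed samples copied from the steps above.
AUDIT_XML_PROPS = {
    "xasecure.audit.destination.log4j": "true",
    "xasecure.audit.destination.log4j.logger": "rangerauditlogger",
}
LOG4J_PROPS = """\
appenders=console, DRFA, redactorForRootLogger, RANGERAUDIT
appender.RANGERAUDIT.type=RollingRandomAccessFile
appender.RANGERAUDIT.fileName=${log.dir}/hive-ranger-audit.log
appender.RANGERAUDIT.filePermissions=rwxr--r--
loggers=Ranger
logger.Ranger.name=rangerauditlogger
logger.Ranger.appenderRefs=RANGERAUDIT
logger.Ranger.appenderRef.RANGERAUDIT.ref=RANGERAUDIT
"""

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_audit_wiring(audit, log4j_text):
    """Return a list of findings; an empty list means the wiring is consistent."""
    p, findings = parse_properties(log4j_text), []
    if audit.get("xasecure.audit.destination.log4j", "").lower() != "true":
        findings.append("log4j audit destination is not enabled")
    wanted = audit.get("xasecure.audit.destination.log4j.logger", "")
    ids = [i.strip() for i in p.get("loggers", "").split(",") if i.strip()]
    lid = next((i for i in ids if p.get(f"logger.{i}.name") == wanted), None)
    if lid is None:
        return findings + [f"no logger in 'loggers' is named {wanted!r}"]
    declared = {a.strip() for a in p.get("appenders", "").split(",")}
    refs = [v for k, v in p.items()
            if k.startswith(f"logger.{lid}.appenderRef.") and k.endswith(".ref")]
    if not refs:
        findings.append(f"logger {lid} has no appenderRef")
    for ref in refs:
        if ref not in declared or f"appender.{ref}.type" not in p:
            findings.append(f"appender {ref} is referenced but not fully declared")
        perms = p.get(f"appender.{ref}.filePermissions", "")
        if len(perms) == 9 and perms[6] == "r":  # "other" read bit is set
            findings.append(f"appender {ref} log file is world-readable ({perms})")
    return findings
```

Run against the settings exactly as listed in the steps, the only finding is the rwxr--r-- permission string on the audit file.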