Cloudera Docs

Triggering HDFS audit files rollover

How to configure when HDFS audit files close for each service.

By default, the Ranger Audit framework closes audit files created in HDFS or other cloud storage inline with audit event triggers. In other words, when an audit event occurs, Ranger checks the configured rollout time and then closes the file if the threshold has reached. Default audit rollout time is 24 hours. If no audit event occurs in a 24 hour period, files remain open beyond the 24 hour period. In some environments, audit log analysis that encounter an audit file open beyond the current date can cause system exceptions. If you want the files to be closed every day, so that the audit log file will have only that day's log and the next day’s log will be in the next day's file, you can configure the audit framework to close files every day. To do this, you must add several configuration parameters to the ranger-<service_name>-audit.xml (safety valve) file for each service, using Cloudera Manager.

  1. From Cloudera Manager choose <service_name> > Configuration.
  2. In <service_name> > Configuration > Search, type ranger-<service_name>, then press Return.
  3. In <service_name> Server Advanced Configuration Snippet (Safety Valve) for ranger-<service_name>-audit.xml, do the following steps:
    1. Click + (Add).
    2. In Name, type xasecure.audit.destination.hdfs.file.rollover.enable.periodic.rollover
    3. In Value, type true.

      When this is enabled Ranger Audit Framework will spawn a Scheduler thread which monitors the occurrence of closing threshold and closes the file. By default every night the file gets closed.

    4. Click + (Add another).
    5. In Name, type xasecure.audit.destination.hdfs.file.rollover.sec
    6. In Value, type an integer value in seconds.
      This is the time in seconds when the file has to be closed. The default value is 86400 sec (1 day) which triggers the file to be closed at midnight and opens a new audit log for the next day. You can override the default value can be overridden by setting this parameter. For example, if you set the value 3600 (1 hr), the file gets closed every hour.
    7. Click + (Add another).
    8. In Name, type xasecure.audit.destination.hdfs.file.rollover.periodic.rollover.check.sec
    9. In Value, type an integer value in seconds.

      This is the time frequency of the check to be done whether the threshold time for rollover has occurred. By default the check is done every 60 secs. You can configure this parameter to delay the check time.

      Figure 1. Example: Hive service configured to trigger rollover of hdfs audit files
      Example: Hive service configured to trigger rollover of hdfs audit files
    10. Click Save Changes (CTRL+S).
  4. Repeat steps 1-3 for each service.
  5. Restart the service.