Triggering HDFS audit files rollover
How to configure when HDFS audit files close for each service.
By default, the Ranger Audit framework closes audit files created in HDFS or other cloud storage inline with audit event triggers. In other words, when an audit event occurs, Ranger checks the configured rollout time and then closes the file if the threshold has reached. Default audit rollout time is 24 hours. If no audit event occurs in a 24 hour period, files remain open beyond the 24 hour period. In some environments, audit log analysis that encounter an audit file open beyond the current date can cause system exceptions. If you want the files to be closed every day, so that the audit log file will have only that day's log and the next day’s log will be in the next day's file, you can configure the audit framework to close files every day. To do this, you must add several configuration parameters to the ranger-<service_name>-audit.xml (safety valve) file for each service, using Cloudera Manager.
- From Cloudera Manager choose .
- In Return. , type ranger-<service_name>, then press
-
In <service_name> Server Advanced Configuration Snippet (Safety
Valve) for ranger-<service_name>-audit.xml, do the following
steps:
- Repeat steps 1-3 for each service.
- Restart the service.