Cloudera Navigator Audit Event Reports

Required Role: Auditing Viewer (or Full Administrator)

Cloudera Navigator console provides two default reports for display by default:
  • Audit Events listing, which displays all recent events in reverse chronological order
  • Recent Denied Accesses, which displays all accesses within the cluster and highlights denied access attempts in red, for easy identification.

These two default reports are starting points. Use the Audit Report and define filters to create new reports can be created by defining and applying filters to fine-tune the selected results. Give the filtered report specifications for future use, and export (download) any report to CSV and JSON file formats.

In addition, the metadata about the audit reports you create and save is recorded by the Navigator Metadata Server.

This section shows you how to use the Cloudera Navigator console to create audit reports.

Creating Audit Event Reports

Selecting the Audit menu in the Cloudera Navigator console displays the Audit Events report. This report displays all audit events captured in the last 1 hour. You can modify the filters configured for this report and save it, giving it a new name, as follows.

  1. To save a filtered version of the Audit Events report:
    1. Optionally specify filters (seeFiltering Audit Events) .
    2. Click Save As Report.
    • Create a new report by clicking New Report.



  2. Enter a report name.
  3. In the Default time range field, specify a relative time range. If you had specified a custom absolute time range before selecting Save As Report, the custom absolute time range is discarded.
  4. Optionally add filters (seeFiltering Audit Events).
  5. Click Save.

Editing Audit Event Reports

  1. In the left pane, click a report name.
  2. Click Edit Report.
  3. In the Default time range field, specify a relative time range. If you had specified a custom absolute time range before selecting Save As Report, the custom absolute time range is discarded.
  4. Optionally add filters (seeFiltering Audit Events).
  5. Click Save.

Downloading Audit Event Reports

You can download audit event reports in the Cloudera Navigator console or using in CSV and JSON formats. An audit event contains the following fields:
  • timestamp
  • service
  • username
  • ipAddress
  • command
  • resource
  • allowed
  • [operationText]
  • serviceValues
The values for resource and serviceValues fields depend on the type of the service. In addition, Hive, Hue, Impala, and Sentry events have the operationText field, which contains the operation string. See Service Audit Events for details.

In addition to downloading audit events, you can configure the Navigator Audit Server to publish audit events to a Kafka topic or syslog. See Publishing Audit Events.

Downloading Audit Event Reports from

  1. Do one of the following:
  2. Select Export > format, where format is CSV or JSON.

Downloading Audit Events Using the Audit API

You can filter and download audit events using the Cloudera Navigator APIs.

Hive Audit Events Using the Audit API

To use the API to download the audits events for a service named hive, use the audits endpoint with the GET method:

http://fqdn-n.example.com:port/api/APIversion/audits/?parameters
where fqdn-n.example.com is the host running the Navigator Metadata Server role instance listening for HTTP connections at the specified port number (7187 is the default port number). APIversion is the running version of the API as indicated in the footer of the API documentation (available from the Help menu in the Navigator console) or by calling http://fqdn-n.example.com:port/api/version.

For example:

curl http://node1.example.com:7187/api/v13/audits/?query=service%3D%3Dhive\
&startTime=1431025200000&endTime=1431032400000&limit=5&offset=0&format=JSON&attachment=false\
-X GET -u username:password
          

The startTime and endTime parameters are required and must be specified in epoch time in milliseconds.

The request could return the following JSON items:

[ {
  "timestamp" : "2015-05-07T20:34:39.923Z",
  "service" : "hive",
  "username" : "hdfs",
  "ipAddress" : "12.20.199.170",
  "command" : "QUERY",
  "resource" : "default:sample_08",
  "operationText" : "INSERT OVERWRITE \n  TABLE sample_09 \nSELECT \n  sample_07.code,sample_08.description \n  FROM sample_07 \n  JOIN sample_08 \n  WHERE sample_08.code = sample_07.code",
  "allowed" : true,
  "serviceValues" : {
    "object_type" : "TABLE",
    "database_name" : "default",
    "operation_text" : "INSERT OVERWRITE \n  TABLE sample_09 \nSELECT \n  sample_07.code,sample_08.description \n  FROM sample_07 \n  JOIN sample_08 \n  WHERE sample_08.code = sample_07.code",
    "resource_path" : "/user/hive/warehouse/sample_08",
    "table_name" : "sample_08"
  }
}, {
  "timestamp" : "2015-05-07T20:33:50.287Z",
  "service" : "hive",
  "username" : "hdfs",
  "ipAddress" : "12.20.199.170",
  "command" : "SWITCHDATABASE",
  "resource" : "default:",
  "operationText" : "USE default",
  "allowed" : true,
  "serviceValues" : {
    "object_type" : "DATABASE",
    "database_name" : "default",
    "operation_text" : "USE default",
    "resource_path" : "/user/hive/warehouse",
    "table_name" : ""
  }
}, {
  "timestamp" : "2015-05-07T20:33:23.792Z",
  "service" : "hive",
  "username" : "hdfs",
  "ipAddress" : "12.20.199.170",
  "command" : "CREATETABLE",
  "resource" : "default:",
  "operationText" : "CREATE TABLE sample_09 (code string,description string) ROW FORMAT DELIMITED FIELDS TERMINATED BY '\\t' STORED AS TextFile",
  "allowed" : true,
  "serviceValues" : {
    "object_type" : "DATABASE",
    "database_name" : "default",
    "operation_text" : "CREATE TABLE sample_09 (code string,description string) ROW FORMAT DELIMITED FIELDS TERMINATED BY '\\t' STORED AS TextFile",
    "resource_path" : "/user/hive/warehouse",
    "table_name" : ""
  }
} ]