Audit Events

Minimum Required Role: Auditor (also provided by Full Administrator)

An audit event is an event that describes an action that has been taken for a service, role, or host instance. In Cloudera Manager, audit event logs display service, role, and host life cycle (create, delete, start, stop, and so on) and security-related (add and delete user) events recorded by Cloudera Manager management services and service access events recorded by Cloudera Navigator. For information on the latter, see Audit Events.

The audit log does not track the progress or results of commands (such as starting or stopping a service or creating a directory for a service), it just notes the command that was executed and the user who executed it. To view the progress or results of a command, follow the procedures in Viewing Running and Recent Commands.

Viewing Audit Events

You can view audit events for a cluster, service, role, or host instance.
Object Procedure

Cluster

  1. Click the Audits tab on the top navigation bar.

Service

  1. Click the Clusters tab on the top navigation bar.
  2. Select a service.
  3. Click the Audits tab on the service navigation bar.

Role

  1. Click the Clusters tab on the top navigation bar.
  2. Select a service.
  3. Click the Instances tab on the Services navigation bar.
  4. Select a role.
  5. Click the Audits tab on the role navigation bar.

Host

  1. Click the Hosts tab on the top navigation bar.
  2. Select a host.
  3. Click the Audits tab on the host navigation bar.

Audit event entries are ordered with the most recent at the top.

Audit Event Properties

The following properties can appear in an audit event entry:
  • Date - Date and time the action was performed.
  • Command - The action performed.
  • Source - The object affected by the action.
  • User - The name of the user that performed the action.
  • IP Address - The IP address of the client that initiated the action.
  • Host IP Address - The IP address of the host on which the action was performed.
  • Service - The name of the service on which the action was performed.
  • Role - The name of the role on which the action was performed.

Filtering Audit Events

You filter audit events by selecting a time range and adding filters.

You can use the Time Range Selector or a duration link ( ) to set the time range. (See Time Line for details). When you select the time range, the log displays all events in that range. The time it takes to perform a search will typically increase for a longer time range, as the number of events to be searched will be larger.

Adding a Filter

To add a filter, do one of the following:
  • Click the icon that displays next to a property when you hover in one of the event entries. A filter containing the property, operator, and its value is added to the list of filters at the left and Cloudera Manager redisplays all events that match the filter.
  • Click the Add a filter link. A filter control is added to the list of filters.
    1. Choose a property in the drop-down list. You can search by properties such as Username, Service, Command, or Role. The properties vary depending on the service or role.
    2. If the property allows it, choose an operator in the operator drop-down list.
    3. Type a property value in the value text field. To match a substring, use the like operator and specify % around the string. For example, to see all the audit events for files created in the folder /user/joe/out specify Source like %/user/joe/out%.
    4. Click Search. The log displays all events that match the filter criteria.
    5. Click to add more filters and repeat steps 1 through 4.

Removing a Filter

  1. Click the at the right of the filter. The filter is removed.
  2. Click Search. The log displays all events that match the filter criteria.

Downloading Audit Event Logs

  1. Specify desired filters and time range.
  2. Click the Download CSV button. A file with the following fields is downloaded: service, username, command, ipAddress, resource, allowed, timestamp, operationText. The structure of the resource field depends on the type of the service:
    • HDFS - A file path
    • Hive, Hue, and Cloudera Impala - database:tablename
    • HBase - table family:qualifier
    For Hive, Hue, and Cloudera Impala query and load commands, operationText is the query string.

HDFS Service Audit Log

service,username,command,ipAddress,resource,allowed,timestamp
hdfs1,cloudera,setPermission,10.20.187.242,/user/hive,false,"2013-02-09T00:59:34.430Z"
hdfs1,cloudera,getfileinfo,10.20.187.242,/user/cloudera,true,"2013-02-09T00:59:22.667Z"
hdfs1,cloudera,getfileinfo,10.20.187.242,/,true,"2013-02-09T00:59:22.658Z"

In this example, the first event access was denied, and therefore the allowed field has the value false.