Configuring Service Audit Collection and Log Properties

Minimum Required Role: Navigator Administrator (also provided by Full Administrator)

To configure service auditing, you must enable audit collection and log properties. You can also configure which events are logged for each service by following the procedures in Configuring Service Auditing Properties.

Enabling Audit Collection

The service or role Enable Audit Collection property controls whether the Cloudera Manager Agent tracks a service or role's audit log file.

  1. Do one of the following:
    • Service - Go to a supported service.
    • Navigator Metadata Server
      • Do one of the following:
        • Select Clusters > Cloudera Management Service > Cloudera Management Service.
        • On the Home > Status tab, in the Cloudera Management Service table, click the Cloudera Management Service link.
  2. Click the Configuration tab.
  3. Select the scope according to the service:
    • Service - Scope > ServiceName (Service-Wide)
    • Navigator Metadata Server - Scope > Navigator Metadata Server
  4. Select Category > Cloudera Navigator.
  5. Select the Enable Audit Collection checkbox.
  6. Click Save Changes to commit the changes.
  7. Restart the service.

Configuring Impala Daemon Logging

To control whether the Impala Daemon role logs to the audit log:
  1. Click the Impala service.
  2. Click the Configuration tab.
  3. Select Scope > Impala Daemon.
  4. Select Category > Logs.
  5. Edit the Enable Impala Audit Event Generation property.
  6. Click Save Changes to commit the changes.
  7. Restart the service.
To set the log file size:
  1. Click the Impala service.
  2. Select Scope > Impala Daemon.
  3. Select Category > Logs.
  4. Set the Impala Daemon Maximum Audit Log File Size property.
  5. Click Save Changes to commit the changes.
  6. Restart the service.

Enabling Solr Auditing

Solr auditing is disabled by default. To enable auditing:
  1. Enable Sentry authorization for Solr following the procedure in Enabling Sentry Policy File Authorization for Solr.
  2. Go to the Solr service.
  3. Click the Configuration tab.
  4. Select Scope > Solr Service (Service-Wide).
  5. Select Category > Policy File Based Sentry.
  6. Select or clear the Enable Sentry Authorization checkbox.
  7. Select Category > Cloudera Navigator.
  8. Select or clear the Enable Audit Collection checkbox. See Configuring Service Audit Collection and Log Properties.
  9. Click Save Changes to commit the changes.
  10. Restart the service.

Configuring Audit Logs

The following properties apply to an audit log file:
  • Audit Log Directory - The directory in which audit log files are written. By default, this property is not set if Cloudera Navigator is not installed.

    A validation check is performed for all lifecycle actions (stop/start/restart). If the Enable Collection flag is selected and the Audit Log Directory property is not set, the validator displays a message that says that the Audit Log Directory property must be set to enable auditing.

    If the value of this property is changed and the service is restarted, the Cloudera Manager Agent starts monitoring the new log directory for audit events. In that case, some events in the old audit log directory may never be published. To avoid losing audit events when this property is changed, perform the following steps:

    1. Stop the service.
    2. Copy audit log files and (for Impala only) the impalad_audit_wal file from the old audit log directory to the new audit log directory. This needs to be done on all the hosts where Impala Daemons are running.
    3. Start the service.
  • Maximum Audit Log File Size - The maximum size of the audit log file before a new file is created. The unit of the file size is service dependent:
    • HDFS, HBase, Hive, Hue, Navigator Metadata Server, Sentry, Solr - MiB
    • Impala - lines (queries)
  • Number of Audit Logs to Retain - Maximum number of rolled over audit logs to retain. The logs will not be deleted if they contain audit events that have not yet been propagated to the Audit Server.
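
The Audit Log Directory move described above (stop, copy, start), as an added shell example that is not Cloudera's code: it copies every regular file, including impalad_audit_wal, and verifies each copy byte for byte so that a short or conflicting copy is caught before the service is started. The function name and the directory arguments are assumptions; run it on every affected host while the service is stopped.

```shell
#!/bin/sh
# Added example (not from the Cloudera documentation).
# Assumption: the old audit log directory holds only audit log files and,
# for Impala, the impalad_audit_wal file, all as regular files.
# Usage, per host, with the service stopped:
#   sh migrate_audit_logs.sh OLD_AUDIT_DIR NEW_AUDIT_DIR

migrate_audit_logs() {
    old=$1
    new=$2
    [ -d "$old" ] || { echo "old directory missing: $old" >&2; return 2; }
    [ "$old" != "$new" ] || { echo "old and new directory are identical" >&2; return 2; }
    mkdir -p "$new" || return 2

    failed=0
    copied=0
    for src in "$old"/*; do
        [ -f "$src" ] || continue          # skip subdirectories and empty globs
        dst=$new/$(basename "$src")

        # Audit logs are evidence: never overwrite a differing file silently.
        if [ -e "$dst" ] && ! cmp -s "$src" "$dst"; then
            echo "refusing to overwrite differing file: $dst" >&2
            failed=1
            continue
        fi

        # -p keeps mode, ownership (when permitted) and timestamps.
        cp -p "$src" "$dst" || { failed=1; continue; }

        # Byte-for-byte verification of the copy.
        if cmp -s "$src" "$dst"; then
            copied=$((copied + 1))
        else
            echo "verification failed: $dst" >&2
            failed=1
        fi
    done

    echo "$copied file(s) copied and verified in $new"
    return "$failed"                       # 0 only if every file verified
}

# Run directly only when both directories are given on the command line.
if [ "$#" -eq 2 ]; then
    migrate_audit_logs "$1" "$2"
fi
```

A non-zero exit status means at least one file was not copied or did not verify; resolve that before starting the service.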
To configure audit logs, do the following:
  1. Do one of the following:
    • Service - Go to a supported service.
    • Navigator Metadata Server
      • Do one of the following:
        • Select Clusters > Cloudera Management Service > Cloudera Management Service.
        • On the Home > Status tab, in the Cloudera Management Service table, click the Cloudera Management Service link.
  2. Click the Configuration tab.
  3. Select the scope according to the service:
    • All services except Impala - Scope > ServiceName (Service-Wide).
    • Impala - Scope > Impala Daemon.
    • Navigator Metadata Server - Scope > Navigator Metadata Server.
  4. Select Category > Logs.
  5. Configure the log properties. For Impala, preface each log property with Impala Daemon.
  6. Click Save Changes to commit the changes.
  7. Restart the service.