Cloudera Navigator Auditing Use Cases

The Navigator Audit Server tracks the actions performed on the data in a Hadoop cluster. By applying filters on these actions, you can use Cloudera Navigator auditing to view specific information and answer a variety of questions about data and user actions; for example:
  • What was a specific user doing on a specific day?
  • Who deleted a particular directory?
  • What happened to data in a production database, and why is it no longer available?
To answer these questions using Navigator auditing, you begin by logging in to the Cloudera Navigator data management UI and clicking the Audits tab. Cloudera Navigator displays a list of all audit events for the last hour. The following use cases describe how Navigator can answer some specific questions about data and users.

What Did a User Do on a Specific Day?

In some cases, you may want to identify actions that a specific user performed during a period of time. To determine a user's actions for a time period, you use filters to first specify the user and then define the time period.

The following example identifies the actions of the user named navigator_user on June 9, 2016:
  1. Filter the list of events for a specific user:
    1. Click Filters.
    2. Select Select Property... > Username.
    3. In the field to the right of =, type the username and click Apply. The username filter is added to the list of filters, and the list of events is filtered and reloaded. This filter specifies the user navigator_user.

  2. Filter the list of events for a specific date and time:
    1. Click the date-time field at the top right of the Audit Events page. A set of links displays with relative time periods (Last hour, Last 2 hours, and so on) and a Custom Range link that you can use to specify an absolute time range. The Selected Range field displays the currently selected range, which by default is the last hour of the current day.
    2. To choose a specific day, click Custom Range. The Selected Range field is enabled for input.
    3. Use the field controls to choose specific dates and times. The following figure shows the selections for June 9, 2016 12:00 a.m. to June 10, 2016 12:00 a.m.

    4. Click Apply.

The following figure shows the first page of the filter results: audit events for the user navigator_user during the 24-hour period from June 9, 2016 12:00 a.m. to June 10, 2016 12:00 a.m.


Who Deleted Files from the Hive Warehouse Directory?

The Hive warehouse directory is usually set to /user/hive/warehouse. In this example, files have been deleted from the directory and you want to identify who removed them.

To determine who deleted files from this directory, use filters in Cloudera Manager to do the following:
  1. Filter the list of events for the source /user/hive/warehouse:
    1. Click Filters.
    2. Select Select Property... > Source.
    3. In the operator field, select like.
    4. In the empty field to the right of like, type /user/hive/warehouse and click Apply. The source filter is added to the list of filters and the list of events is filtered and reloaded.
  2. Filter the list of events for the delete operation:
    1. Click Add New Filter.
    2. Select Select Property... > Operation.
    3. In the operator field, select =.
    4. In the empty field to the right of =, type delete and click Apply. The operation filter is added to the list of filters and the list of events is filtered and reloaded.

The following figure shows the resulting filters.


The following figure shows the results of the filters: navigator_user deleted or attempted to delete (indicated by the red text) the displayed resources from the Hive warehouse directory during the 30-day period from May 28, 2016 to June 27, 2016.



What Happened to Data in the Database?

Typically, data in the database is partitioned into folders or files labeled by date. In this example, data from 2015 is missing from the production database, and you want to find out what happened to it. You can use Cloudera Navigator to determine what happened to data that was created during this period of time.

Data created in 2015 has the string "2015" in the filename. To determine what happened to the data stored in folders and files in the year 2015, do the following:
  1. Filter the list of events for sources containing the string "2015":
    1. Click Filters.
    2. Select Select Property... > Source to specify the path of an HDFS file or directory.
    3. In the operator field, select like.
    4. In the empty field to the right of like, type 2015 and click Apply. The source filter is added to the list of filters, and the list of events is filtered and reloaded.
  2. Filter the list of events for the delete operation:
    1. Click Add New Filter.
    2. Select Select Property... > Operation.
    3. In the operator field, select =.
    4. In the empty field to the right of =, type delete and click Apply. The operation filter is added to the list of filters and the list of events is filtered and reloaded.
  3. Set the date range to one year:
    1. Click the date-time field at the top right of the Audit Events page.
    2. To set the range to be the last year, click Custom Range. The Selected Range field is enabled for input.
    3. In the left date field, use the field controls to specify a date one year ago.
    4. Click Apply.

The following figure shows the resulting filters.


The following figure shows the results of the filter application. During the last year, the user hdfs deleted the directories with names that contain "2015".
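
The three filter combinations from the use cases above can also be applied offline to a set of audit records. The following is an added example, not Cloudera code: the event records are constructed, the field names (`username`, `source`, `operation`, `allowed`) are hypothetical stand-ins for the filter properties named in the steps, and the half-open time range is an assumption.

```python
from datetime import datetime

# Constructed sample events. Field names (username, source, operation, allowed)
# are hypothetical, modeled on the filter properties named in the UI steps.
EVENTS = [
    {"time": "2016-06-09T08:15:00", "username": "navigator_user", "operation": "open",
     "source": "/user/hive/warehouse/sales/part-0", "allowed": True},
    {"time": "2016-06-09T23:59:59", "username": "navigator_user", "operation": "delete",
     "source": "/user/hive/warehouse/sales/part-0", "allowed": True},
    {"time": "2016-06-10T00:00:00", "username": "navigator_user", "operation": "delete",
     "source": "/user/hive/warehouse/hr", "allowed": False},
    {"time": "2016-06-12T03:00:00", "username": "hdfs", "operation": "delete",
     "source": "/data/prod/2015/12", "allowed": True},
    {"time": "2016-06-12T03:05:00", "username": "hdfs", "operation": "listStatus",
     "source": "/data/prod/2015", "allowed": True},
]

def matches(event, prop, op, value):
    """One filter row: '=' is an exact match, 'like' a substring match."""
    field = str(event[prop])
    return field == value if op == "=" else value in field

def audit_filter(events, filters, start, end):
    """AND all filter rows, then keep start <= time < end (half-open: assumption)."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [e for e in events
            if lo <= datetime.fromisoformat(e["time"]) < hi
            and all(matches(e, *f) for f in filters)]

def who_deleted(events):
    """Group delete events by user, keeping denied attempts separate."""
    summary = {}
    for e in events:
        bucket = summary.setdefault(e["username"], {"deleted": [], "denied": []})
        bucket["deleted" if e["allowed"] else "denied"].append(e["source"])
    return summary

# Use case 1: one user, June 9, 2016 12:00 a.m. to June 10, 2016 12:00 a.m.
day = audit_filter(EVENTS, [("username", "=", "navigator_user")],
                   "2016-06-09T00:00:00", "2016-06-10T00:00:00")
# Use case 2: Source like /user/hive/warehouse AND Operation = delete.
hive = audit_filter(EVENTS, [("source", "like", "/user/hive/warehouse"),
                             ("operation", "=", "delete")],
                    "2016-05-28T00:00:00", "2016-06-28T00:00:00")
# Use case 3: Source like 2015 AND Operation = delete over one year.
y2015 = audit_filter(EVENTS, [("source", "like", "2015"), ("operation", "=", "delete")],
                     "2015-06-27T00:00:00", "2016-06-27T00:00:00")
```

Calling `who_deleted(hive)` separates completed deletions from denied attempts, the distinction the results list marks with red text.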