Configuring audit event archiving through the UI

To configure audit event archiving for Azure through the Cloudera UI, create a new audit archiving credential and then configure the audit data storage and location.

The process of creating an audit archiving credential is largely the same as creating a credential for an Azure environment, however, this credential is a unique credential used solely for audit event archiving.
You must have an Azure resource group as well as an Azure storage account and a container that will be used to store the audit archive logs. You can use an existing resource group, storage account, and container, but Cloudera recommends creating a new storage account and container dedicated to audit archiving. See the topic Creating ADLS Gen2 storage account and container.

Required Role: PowerUser

  1. In the left-side navigation menu, click Global Settings > Audit Data Configuration and then click Create.
  2. Select the Azure icon.
  3. Use the provided command in an Azure shell to identify your subscription ID and tenant ID:
    az account list|jq '.[]|{"name": .name, "subscriptionId": .id, "tenantId": .tenantId, "state": .state}'
  4. In the corresponding fields, enter the Subscription ID and Tenant ID that are returned by the command.
  5. Use the provided command in an Azure shell to register a new application in Azure. Substitute your application name (whatever you chose to give it), subscription ID, resource group name, storage account name, and container name where indicated:
    az ad sp create-for-rbac \    --name http://{app-name} \    --role "Storage Blob Data Contributor" \    --scopes /subscriptions/{subscriptionId}/resourceGroups/{resource-group-name}/providers/Microsoft.Storage/storageAccounts/{storage-account-name}/blobServices/default/containers/{container-name}

    Save the App ID and password from the command output to enter in the Audit Data Configuration Credential screen.

    Alternatively, you can follow steps 1-8 the in topic Create an app-based credential to register the new app through the Azure portal. When you add a role assignment, use the more limited "Storage Blob Data Contributor" role.

  6. Back in the Cloudera Audit Data Configuration screen, enter the App Id and Password in the corresponding fields and click Create.
  7. Configure the audit data location with the path to the ADLS container that you designated as the audit archive container. Use the following format:
    https://<storage-account-name>.blob.core.windows.net/<container-name>
  8. Select the region where storage services should be accessed.
  9. Use the toggle button to enable or disable audit log export to the configured storage location.
  10. Click Save.
Audit event archiving configuration is complete.