Configuring Ranger audit properties for Solr

How to change the default time settings that control how long Ranger keeps audit data collected by Solr.

The Solr audit destination is intended to store short term audit records .You can configure parameters that control how much data collected by Solr that Ranger will store for auditing purposes.

Table 1. Ranger Audit Configuration Parameters for Solr
Parameter Name	Description	Default Setting	Units
ranger.audit.solr.config.ttl	Time To Live for Solr Collection of Ranger Audits note "Time To Live for Solr Collection of Ranger Audits" is also known as the Max Retention Days attribute.	90	days
ranger.audit.solr.config.delete.trigger	Auto Delete Period in seconds for Solr Collection of Ranger Audits for expired documents	1	days (configurable)

From Cloudera Manager choose Ranger > Configuration.
In Search, type ranger.audit.solr.config, then press Return.
In ranger.audit.solr.config.ttl, set the the number of days to keep audit data.
In ranger.audit.solr.config.delete.trigger set the number and units (days, minutes, hours, or seconds) to keep data for expired documents
Refresh the configuration:
1. Click Refresh Configuration, as prompted.
2. In Actions, click Update Solr config-set for Ranger, then confirm.

Limiting Solr spool directory growth

Ranger audit Solr spool files are generated when the Ranger plugin within the master service is unable to send audit logs to Solr. These spool files are stored in the master service that hosts the Ranger plugin. After Solr becomes available to accept new audit logs, the spool files are processed, sent to Solr, and subsequently moved to the archive subfolder.

Under normal circumstances, there should be no spool logs, or only a minimal amount (a few megabytes) during periods of high cluster load or Solr unavailability.

To manage the storage of spool audit logs, you can configure a maximum size limit for the Solr spool directory for each service.

Manually delete the logs under the archive path for the service.
Set the log retention value of the archive path from default 100 to 1.
1. Go to Cloudera Manager > <service_name> > Configuration > <service_name> Service Advanced Configuration Snippet (Safety Valve) for ranger-<service_name>-audit.xml.
2. Click +.
3. Add the following parameter:
  
  xasecure.audit.destination.solr.batch.filespool.archive.max.files=1
Set the spool logs per day value to spool logs per hour.
1. Go to Cloudera Manager > <service_name> > Configuration > <service_name> Service Advanced Configuration Snippet (Safety Valve) for ranger-<service_name>-audit.xml.
2. Click +.
3. Add the following parameter:
  xasecure.audit.destination.solr.batch.file.rollover.sec=3600
Restart the service.