Enabling Audit and Log Collection for Services
Cloudera Manager Required Role: Navigator Administrator (or Full Administrator)
Auditing of every service and role in the cluster may not be necessary and may degrade performance, which is why auditing is not always enabled by default. In addition, auditing can be configured to capture only specific events, as detailed in Configuring Service Auditing Properties.
Enabling Audit Collection
Any service or role instance that can be audited by Cloudera Navigator has an Enable Audit Collection property. When enabled, the Cloudera Manager Agent process on the node monitors the audit log file (or files) and sends collected audit records to the Navigator Audit Server.
- Log in to Cloudera Manager Admin Console
- Select .
- Click the Configuration tab.
- Select ServiceName (Service-Wide) for the Scope filter.
- Select Navigator Metadata Server for the Category filter.
- Click the Enable Audit Collection checkbox to activate auditing for the service.
- Click Save Changes.
- Restart the service.
Configuring Impala Daemon Logging
- Log in to Cloudera Manager Admin Console
- Select .
- Click the Configuration tab.
- Select Impala Daemon for the Scope filter.
- Select Logs for the Category filter.
- Edit the Enable Impala Audit Event Generation.
- Click Save Changes.
- Restart the Impala daemon.
- Click the Impala service.
- Select .
- Select .
- Set the Impala Daemon Maximum Audit Log File Size property.
- Click Save Changes.
- Restart the Impala service.
Enabling Solr Auditing
- Enable Sentry authorization for Solr following the procedure in Enabling Sentry Policy File Authorization for Solr.
- Go to the Solr service.
- Click the Configuration tab.
- Select
- Select category.
- Select or clear the Enable Sentry Authorization checkbox.
- Select category.
- Select or clear the Enable Audit Collection checkbox. See Configuring Service Audit Collection and Log Properties.
- Click Save Changes to commit the changes.
- Restart the service.
Configuring Audit Logs
- Audit Log Directory - The directory in which audit log files are written. By default, this property is not set if
Cloudera Navigator is not installed.
A validation check is performed for all lifecycle actions (stop/start/restart). If the Enable Collection flag is selected and the Audit Log Directory property is not set, the validator displays a message that says that the Audit Log Directory property must be set to enable auditing.
If the value of this property is changed, and service is restarted, then the Cloudera Manager Agent will start monitoring the new log directory for audit events. In this case it is possible that not all events are published from the old audit log directory. To avoid loss of audit events, when this property is changed, perform the following steps:
- Stop the service.
- Copy audit log files and (for Impala only) the impalad_audit_wal file from the old audit log directory to the new audit log directory. This needs to be done on all the hosts where Impala Daemons are running.
- Start the service.
- Maximum Audit Log File Size - The maximum size of the audit log file before a new file is created. The unit of the file size is service dependent:
- HDFS, HBase, Hive, Hue, Navigator Metadata Server, Sentry, Solr - MiB
- Impala - lines (queries)
- Number of Audit Logs to Retain - Maximum number of rolled over audit logs to retain. The logs will not be deleted if they contain audit events that have not yet been propagated to the Audit Server.
- Do one of the following:
- Service - Go to a supported service.
- Navigator Metadata Server
- Do one of the following:
- Select .
- On the Cloudera Management Service table, click the Cloudera Management Service link. tab, in
- Do one of the following:
- Click the Configuration tab.
- Select the scope according to the service:
- All services except Impala - .
- Impala - .
- Navigator Metadata Server - .
- Select .
- Configure the log properties. For Impala, preface each log property with Impala Daemon.
- Click Save Changes.
- Restart the service.