Viewing Audit Logs for Cluster Administration

Describes where audit records of cluster administration operations are stored and how to view them.

Entries for audit logs are initially held in memory until 128 operations have been logged or 10 seconds have elapsed, whichever happens first. At that point, the new log entries are flushed to disk.

Audit logs are in JSON format, so they can be queried by Drill or processed by other third-party tools or your own scripts.

Audit logs are readable only by the mapr and root users on the cluster where the logs are located. These users can also copy and delete audit logs.

The status field in every log entry shows the status of the attempted operation. The status codes are taken from the Linux errno.h file. For a list of these codes, see Status Codes That Can Appear in Audit Logs.

Audit logs use Coordinated Universal Time (UTC) in the records of audited operations.

The cleanup of old audit log files is handled by Warden either when they are older than 10 days (the default retention time) or when they are older than the number of days set for the log.retention.time parameter in the /opt/mapr/conf/warden.conf file. To prevent Warden from removing the log files, by default, cldbaudit* and authaudit* are listed under the log.retention.exceptions parameter in the warden.conf file.

To enable Warden to automatically cleanup log files, remove cldbaudit* and authaudit* from the log.retention.exceptions parameter in the warden.conf file and, if you want a shorter cleanup time, set the value for log.retention.time parameter in the warden.conf file. The value for log.retention.time must be specified in milliseconds.

To disable all exceptions, comment out the log.retention.exceptions parameter, that is, #log.retention.exceptions. When this parameter is null, that is, log.retention.exceptions=, no files are picked for log cleanup.