Example Log Entries for Audited Operations on MapR Database Binary and JSON Tables

When auditing of table operations is enabled at the cluster level, volume level, and filesystem level, each operation on a table is logged on the node where the operation was executed, which could differ from the node where the operation was initiated.

Typical log entries provide a timestamp of the operation, the type of operation, the UID of the user who ran the command, the IP address from which the user ran the command, identifiers of the affected resources, and the status of the operation. Fields such as “ColumnFamily” and “Column” for some operations are also included when applicable. Row keys are not included. Status codes come from the Linux errno.h file. For a list of these codes, see Status Codes That Can Appear in Audit Logs.

Note: Due to the way that the creation of tables is processed internally, sometimes the creation of tables is logged in FSAudit.log.json, rather than in DBAudit.log.json.
Note: Audit logs do not display the indices of array elements when there are put or update operations on arrays that are in documents within JSON tables.

Below are some typical log entries:


To convert the user IDs to usernames, file identifiers to pathnames, and volume IDs to volume names, run the expandaudit utility. For example, here are the same audit records after they were processed by this utility: