Entries for audit logs are initially held in memory until 128 operations have been logged or 10 seconds have elapsed, whichever happens first. At that point, the new log entries are flushed to disk.
Audit logs are in JSON format, so they can be queried by Drill or processed by other third-party tools or your own scripts.
Audit logs are readable only by the mapr and root users on the cluster where the logs are located. These users can also copy and delete audit logs.
The status field in every log entry shows the status of the attempted operation. The status codes are taken from the Linux errno.h file. For a list of these codes, see Status Codes That Can Appear in Audit Logs.
Audit logs use Coordinated Universal Time (UTC) in the records of audited operations.
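Because the entries are JSON with an errno-style status field and UTC timestamps, a short script can triage them directly. The following is an added example, not MapR's own code or tooling: it parses a constructed batch of entries, decodes each status code through Python's errno table, pins timestamps to UTC, and counts refused operations per uid. The field names (timestamp, operation, uid, ipAddress, status) and the ISO-8601 timestamp form are assumptions made for this example; adapt them to the entries your cluster writes.

```python
"""Triage JSON audit log entries (added example, not MapR's own code).

Assumptions for this example: one JSON object per line, with fields
timestamp (ISO-8601, UTC), uid, ipAddress, operation and status (errno code).
"""
import errno
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample entries (not real cluster output), one object per line,
# plus one deliberately malformed line to show how the parser handles it.
SAMPLE_AUDIT_LOG = """\
{"timestamp": "2024-03-01T10:15:02.123Z", "uid": 1000, "ipAddress": "10.0.0.5", "operation": "READ", "status": 0}
{"timestamp": "2024-03-01T10:15:03.004Z", "uid": 1000, "ipAddress": "10.0.0.5", "operation": "WRITE", "status": 13}
{"timestamp": "2024-03-01T10:15:07.910Z", "uid": 2001, "ipAddress": "10.0.0.9", "operation": "LOOKUP", "status": 2}
{"timestamp": "2024-03-01T10:15:08.200Z", "uid": 2001, "ipAddress": "10.0.0.9", "operation": "SETATTR", "status": 1}
not json at all
{"timestamp": "2024-03-01T10:15:09.500Z", "uid": 1000, "ipAddress": "10.0.0.5", "operation": "READ", "status": 0}
"""


def describe_status(code: int) -> str:
    """Map a status code to its errno.h symbol; 0 means success and has no errno symbol."""
    if code == 0:
        return "SUCCESS"
    return errno.errorcode.get(code, f"UNKNOWN({code})")


def parse_timestamp(value: str) -> datetime:
    """Parse the ISO-8601 timestamp; audit logs record UTC, so keep the result UTC-aware."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts.astimezone(timezone.utc)


def parse_audit_log(text: str):
    """Return (entries, skipped): decoded entries, and the count of lines that could not be parsed."""
    entries, skipped = [], 0
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            obj = json.loads(raw)
            obj["timestamp"] = parse_timestamp(obj["timestamp"])
            obj["status_name"] = describe_status(int(obj["status"]))
        except (ValueError, KeyError, TypeError):
            skipped += 1  # count malformed lines instead of silently dropping them
            continue
        entries.append(obj)
    return entries, skipped


def failed_operations(entries):
    """Entries with a non-zero status, i.e. operations the filesystem refused."""
    return [e for e in entries if e["status"] != 0]


def failures_by_uid(entries) -> Counter:
    """Refused operations per uid: a quick signal for a principal probing beyond its rights."""
    return Counter(e["uid"] for e in failed_operations(entries))


if __name__ == "__main__":
    entries, skipped = parse_audit_log(SAMPLE_AUDIT_LOG)
    print(f"parsed {len(entries)} entries, skipped {skipped} malformed line(s)")
    for e in failed_operations(entries):
        print(f'{e["timestamp"].isoformat()} uid={e["uid"]} {e["operation"]} -> {e["status_name"]}')
    print("failures by uid:", dict(failures_by_uid(entries)))
```

The errno decoding relies on the Python interpreter running on Linux (or a platform with the same numbering), since the page states the codes come from the Linux errno.h; run it on the cluster node that holds the logs, which is also where the mapr and root users can read them.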
The cleanup of old audit log files is handled automatically by warden. They are removed by warden either when they are older than 10 days (the default retention time) or when they are older than the number of days set for the log.retention.time parameter in the warden.conf file. The value for log.retention.time must be specified in milliseconds. If you do not want warden to remove these log files, add authaudit* to the log.retention.exceptions parameter in the warden.conf file. Then, restart
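A millisecond value is easy to get wrong (a value typed in days or seconds silently shortens retention to well under a day), so it is worth checking the settings before restarting warden. The following is an added example, not MapR's own tooling: it parses a constructed warden.conf fragment, reports the effective retention in days, flags values that look like a unit mistake, and tests whether a given log filename matches a log.retention.exceptions glob. It assumes warden.conf is a flat key=value file and that log.retention.exceptions is a comma-separated list of filename globs; neither assumption is stated on the page, and the audit log filename used at the end is constructed for the example.

```python
"""Check warden.conf retention settings that govern audit log cleanup.

Added example, not MapR's own tooling. Assumptions: warden.conf is a flat
key=value file, and log.retention.exceptions is a comma-separated list of
filename globs.
"""
import fnmatch

DEFAULT_RETENTION_DAYS = 10        # warden's default retention time
MS_PER_DAY = 24 * 60 * 60 * 1000   # log.retention.time is specified in milliseconds

# Constructed warden.conf fragment for this example (not a real cluster file).
SAMPLE_WARDEN_CONF = """\
# retention for warden-managed logs
log.retention.time=604800000
log.retention.exceptions=authaudit*,*.pid
"""


def parse_warden_conf(text: str) -> dict:
    """Parse key=value lines, ignoring blanks and '#' comment lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def retention_days(conf: dict) -> float:
    """Effective retention in days: the configured millisecond value, else the 10-day default."""
    raw = conf.get("log.retention.time")
    if raw is None:
        return float(DEFAULT_RETENTION_DAYS)
    return int(raw) / MS_PER_DAY


def retention_warnings(conf: dict) -> list:
    """Flag values that look like a unit mistake (days or seconds typed where milliseconds were expected)."""
    raw = conf.get("log.retention.time")
    if raw is None:
        return []
    try:
        ms = int(raw)
    except ValueError:
        return [f"log.retention.time is not an integer: {raw!r}"]
    if ms < MS_PER_DAY:
        return [f"log.retention.time={ms} is under one day; was it entered in days or seconds instead of milliseconds?"]
    return []


def is_exempt(conf: dict, filename: str) -> bool:
    """True if filename matches a glob in log.retention.exceptions, so warden will not delete it."""
    raw = conf.get("log.retention.exceptions", "")
    patterns = [p.strip() for p in raw.split(",") if p.strip()]
    return any(fnmatch.fnmatch(filename, p) for p in patterns)


if __name__ == "__main__":
    conf = parse_warden_conf(SAMPLE_WARDEN_CONF)
    print(f"retention: {retention_days(conf):g} days")
    for w in retention_warnings(conf):
        print("warning:", w)
    # "authaudit.log.json" is a constructed filename for the example.
    for name in ("authaudit.log.json", "warden.log"):
        print(f"{name}: {'kept' if is_exempt(conf, name) else 'subject to cleanup'}")
```

Point the script at the real warden.conf by reading the file into parse_warden_conf instead of the constructed fragment; the retention and exemption checks are the same.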