volume audit

Enables or disables auditing on the specified volume.

You must have the fc permission on the cluster to use this command. See acl for details about this permission.

To learn how to determine whether auditing is enabled for a volume, see Checking Whether Auditing is Enabled for a Directory, File, or HPE Ezmeral Data Fabric Database Table.

Syntax

CLI
maprcli volume audit
   [ -cluster <cluster name> ]
   -name <volume name>
   [-dataauditops <+|-operations>]
   [ -enabled <true|false> ]
   [ -forceenable true|false ]
   [ -coalesce <interval in minutes> ]               
REST
Request Type POST
Request URL
http[s]://<host>:<port>/rest/volume/audit?<parameters>

Parameters

Parameter

Description

cluster The cluster on which the volume is located. This parameter is required if the volume is on a remote cluster. The remote cluster must be listed in the mapr-clusters.conf file for the cluster where you run the command.
coalesce The interval of time during which READ, WRITE, or GETATTR operations on one file from one IP address or UID are logged only once for a particular operation, if auditing is enabled.

For example, suppose that a client application reads a single file three times in 6 minutes, so that there is one read at 0 minutes, another at 3 minutes, and a final read at 6 minutes. If the coalesce interval is at least 6 minutes, then only the first read operation is logged. However, if the interval is between 4 minutes, then only the first and third read operations are logged. If the interval is 2 minutes, all three read operations are logged.

Now however, if the client was also writing to the file, irrespective of the coalesce interval for the read operation in the example stated previously, the write operation is logged, as it is a different operation from reading.

The default value is 60 minutes. Setting this field to a larger number helps prevent audit logs from growing quickly.

dataauditops The comma separated list of filesystem operations to include (specified with a preceding plus sign (+)) and/or exclude (specified with a preceding minus sign (-)) from auditing.
NOTE
If the first operation in the list is to be excluded from auditing, it must be preceded by two minus (--) signs. Subsequent operations to exclude must be preceded by only a single minus (-) sign, whether or not the first operation was included (using a plus (+) sign) or excluded (using two minus (--) signs). If neither sign is specified, the given operation is included for auditing.

The operations that can be included (+) and/or excluded (-) from auditing are listed here. You can, alternatively, group all the filesystem and table operations using the keyword all, which:

  • If included (+), cannot be specified with a list of other included operations.
  • If excluded (-), cannot be specified with a list of other excluded operations.
NOTE
You can specify a mixed list of included and excluded operations. There are no changes to operations that are not specified with the command.
enabled Enables or disables the auditing of operations within the volume. You must use either this parameter, the -coalesce parameter, or both.

See Enabling Auditing for the steps to enable auditing on directories, files, and tables in a volume.

When you set the value to false, auditing of operations within the volume ceases. None of the auditing settings are changed on the directories, files, and HPE Ezmeral Data Fabric Database tables within the volume. If you later run the maprcli volume audit command with -enabled set to true, auditing begins again on the objects that were already enabled for auditing.

forceenable Enables or disables auditing of all directories, files, tables, and streams in the volume whether or not auditing is enabled at the individual file, table, and/or stream level.
name The name of the volume.

Examples

Enable Auditing for a volume

The following example shows how to enable auditing for the volume “auditVolume”:

maprcli volume audit -name auditVolume -enabled true
curl -X POST 'https://abc.sj.us:8443/rest/volume/audit?name=auditVolume&enabled=true' --user <username>:<password>

Modify the list of operations to audit

The following example shows how to specify the operations to audit. Here, create operation is included for auditing and lookup operation is excluded from auditing. There are no changes to operations that are not specified.

maprcli volume audit -name sampleAuditVolume -dataauditops +create,-lookup
curl -X POST 'https://server.sj.us:8443/rest/volume/audit?name=sampleAuditVolume&dataauditops=%2Bcreate%2C%2Dlookup' --user <username>:<password>