Enabling and Disabling Auditing of Data Access Operations
Describes how to enable or disable auditing of data-access operations using the Control System and the CLI.
About this task
See Auditing Data Access Operations for the complete list of data-access operations that can be audited.
Enabling and Disabling Auditing of Data Access Operations Using the Control System
About this task
Procedure
- Log in to the Control System and go to the Auditing tab in the page.
- Set the following:
  Enabled: Move the slider to Yes to enable or to No to disable data auditing.
  Maximum Size: Set the size in GB, which when reached causes an alarm to be sent to the dashboard on the Control System. The alarm is to notify the cluster administrator that the audit log size is large enough to need administrator intervention. The audit log continues to grow until the administrator takes action or until the retention period ends.
  Retain Logs for: Set the period of time in days to keep the data in the audit log. After this period elapses, the content of the file is deleted and new entries are added to the file until the retention period elapses.
- Click Save Changes for the changes to take effect.
NOTE: This action does not cause auditing to start for operations within the volumes. It only sets a flag that indicates that you allow auditing of individual volumes to be enabled when a volume is created or modified.
Enabling and Disabling Auditing of Data Access Operations Using the CLI or REST API
Procedure
- To enable or disable auditing of the filesystem, table, and streams operations on a cluster, run the maprcli audit data command. This command does not cause auditing to start for operations within those volumes. It only sets a flag that indicates you allow auditing of individual volumes to be enabled with the maprcli volume audit command. The audit logs for file operations, table operations, and stream operations are affected by the value that you set for the -retention parameter.
- To enable or disable auditing for a particular volume, run the maprcli volume audit command. To verify that auditing is enabled for a volume, run the maprcli volume info command. You can grep with the search term 'audited\|coalesce'.
    maprcli volume info -name <volume_name> -json | grep -i 'audited\|coalesce'
  The output of the command should be as follows, with a 1 for the audited key and the value for the coalesceInterval key:
    "audited":1,
    "coalesceInterval":2
- To enable or disable auditing for a particular directory, file, HPE Ezmeral Data Fabric Database table, or streams that existed in a volume at the time that you ran the maprcli volume audit command, run the hadoop mfs command with the -setaudit parameter.
    hadoop mfs -setaudit <on|off> <directory|file|table>
  Enabling auditing on a directory does not enable auditing on the files that already exist in the directory, though new files and directories created in the directory will have auditing enabled. For example, if you run this command on the root directory of a volume, all new files, directories, and tables that are subsequently created in the volume are audited. The creation of those objects is also audited.
  NOTE: Wildcards are not supported for the names of filesystem objects in this command.
Results
After enabling auditing, if you create a:
- Snapshot of a volume, the snapshot inherits the audit settings of the original volume.
- Local mirror or remote mirror of a volume, you must run the maprcli volume audit command to enable auditing on the mirror volume. Auditing for particular directories, files, and HPE Ezmeral Data Fabric Database tables in a mirror volume is automatically enabled if auditing is enabled for them in the source volume.
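The volume-level verification from the CLI procedure, as an added example that is not part of the original documentation: it parses the -json output of maprcli volume info instead of grepping it, and lists volumes (for example a mirror created after auditing was enabled on its source) where audited is not 1. The volume names and the outer status/data envelope in the sample are constructed assumptions; only the audited and coalesceInterval keys and the maprcli command line come from this page.

```python
import json
import subprocess


def fetch_volume_info(volume_name):
    """Run the page's verification command and return its raw JSON text."""
    result = subprocess.run(
        ["maprcli", "volume", "info", "-name", volume_name, "-json"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


def find_audit_fields(node):
    """Depth-first search for the first JSON object carrying an "audited" key."""
    if isinstance(node, dict):
        if "audited" in node:
            return node
        children = list(node.values())
    elif isinstance(node, list):
        children = node
    else:
        return None
    for child in children:
        found = find_audit_fields(child)
        if found is not None:
            return found
    return None


def audit_state(raw_json):
    """Return (audited, coalesce_interval); audited is False if the key is absent or not 1."""
    fields = find_audit_fields(json.loads(raw_json))
    if fields is None:
        return (False, None)
    return (str(fields["audited"]) == "1", fields.get("coalesceInterval"))


def unaudited_volumes(outputs):
    """outputs maps volume name -> raw JSON text; return the names that are not audited."""
    return sorted(name for name, raw in outputs.items() if not audit_state(raw)[0])


# Constructed sample outputs: hypothetical volume names, assumed envelope shape.
SAMPLE = {
    "finance": '{"status":"OK","total":1,"data":[{"audited":1,"coalesceInterval":2}]}',
    "finance.mirror": '{"status":"OK","total":1,"data":[{"audited":0,"coalesceInterval":60}]}',
}

if __name__ == "__main__":
    for name in unaudited_volumes(SAMPLE):
        print(f"auditing is NOT enabled on volume {name}")
```

On a cluster node, build the mapping with fetch_volume_info() for each volume name instead of using SAMPLE.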