Viewing Hive Audit Logs

Starting in EEP 7.1.0, you can view Hive audit logs for connected, disconnected, and total connected users.

To view audit logs, add the following property in the hive-site.xml file:

<property>
    <name>hive.enable.full.list.of.connected.users</name>
    <value>true</value>
</property>

By default, logs are updated every five seconds.

The following table describes the Hive Parameters used to manage the user audit logs:

Parameter	Default value	Description
hive.enable.full.list.of.connected.users	false	Enables the logging of the users currently connected to Hive when set to true. Use for debugging purposes only.
hive.full.list.of.connected.users.update.interval	5	Enables the log updates for currently connected Hive users in seconds. Must be used with the `hive.enable.full.list.of.connected.users` parameter. Use for debugging purposes only.

How to View Audit Logs

Enable the hive.enable.full.list.of.connected.users property in hive-site.xml file. You can view audit logs for connected, disconnected, and total connected users in HiveServer2 logs located in ${HIVE_HOME}/logs/mapr/mapr-hiveserver2-<hostname>.log directory.

The following examples show you how the audit logs look in different scenarios:

Logs display for new user connection

Log entries for connected users provide the current session ID, username, IP address of the user, and the authentication type.

INFO [HiveServer2-Handler-Pool: Thread-51] HiveSessionImpl.audit: Connected: sessionId=4c25b6d6-6e8e-4d56-83ba-52ea271d0545 user=mapr ip=192.168.33.11  auth=MAPRSASL

Logs display for disconnected user

Log entries for disconnected users provide the current session ID, username, IP address of the user, and the authentication type.

INFO [HiveServer2-Handler-Pool: Thread-51] HiveSessionImpl.audit: Disconnected: sessionId=4c25b6d6-6e8e-4d56-83ba-52ea271d0545 user=mapr ip=192.168.33.11  auth=MAPRSASL

Logs display for total connected users

Log entries for total connected users start with a message -Start of connected users list, and provides the current session ID, username, IP address of the user, operation count, active time, idle time, authentication type, and end with a message- End of the connected user's list.

INFO [pool-4-thread-1] SessionManager.audit: Start of the connected users list

INFO [pool-4-thread-1] SessionManager.audit: sessionId=c6261d49-1a71-4404-8cad-9cac11a28151 user=mapr ip=192.168.33.11 operationCount=0 activeTime(s)=268 IdleTime(s)=268, auth=MAPRSASL

INFO [pool-4-thread-1] SessionManager.audit: sessionId=36b4d8d4-f201-43da-90eb-cb683d343b80 user=mapr ip=192.168.33.11 operationCount=0 activeTime(s)=198 IdleTime(s)=197, auth=MAPRSASL

INFO [pool-4-thread-1] SessionManager.audit: sessionId=32b50c8a-28ca-46a5-bbcd-963c9b22af7f user=mapruser1 ip=192.168.33.11 operationCount=0 activeTime(s)=4 IdleTime(s)=4, auth=PAM

INFO [pool-4-thread-1] SessionManager.audit: End of the connected user's list

How to Audit a Hive Query

The audit log in HiveServer2 allows you to trace the activities of a Hive query. The log entries for a Hive query includes username, user’s IP address, query ID, query type, and query string.

To audit a Hive query, run any Hive query and then see the HiveServer2 logs located in ${HIVE_HOME}/logs/mapr/mapr-hiveserver2-<hostname>.log directory.

INFO [HiveServer2-Background-Pool: Thread-54] Driver.audit: user=mapr ip=192.168.33.11 queryId=mapr_20210426155754_ace67f82-9a0c-4d0e-9ac5-c529b9798ec7 query type=SHOWTABLES queryStr=show tables

HPE Ezmeral Data Fabric – Customer-Managed 7.9.0 Documentation
Abstract	This site contains documentation for the customer-managed platform of the HPE Ezmeral Data Fabric version 7.9.0 including installation, configuration, administration, and reference content, as well as content for the associated bundled ecosystem components and drivers.
Published	November 2024
Edition	7.9.0