Viewing Hive Audit Logs
Starting in EEP 7.1.0, you can view Hive audit logs for connected, disconnected, and total connected users.
To view audit logs, add the following property in the
hive-site.xml
file:
<property>
<name>hive.enable.full.list.of.connected.users</name>
<value>true</value>
</property>
By default, logs are updated every five seconds.
The following table describes the Hive Parameters used to manage the user audit logs:
Parameter | Default value | Description |
hive.enable.full.list.of.connected.users | false | Enables the logging of the users currently connected to Hive when set to true. Use for debugging purposes only. |
hive.full.list.of.connected.users.update.interval | 5 | Enables the log updates for currently connected Hive users in seconds. Must be
used with the hive.enable.full.list.of.connected.users parameter.
Use for debugging purposes only. |
How to View Audit Logs
Enable the hive.enable.full.list.of.connected.users
property in
hive-site.xml
file. You can view audit logs for connected, disconnected,
and total connected users in HiveServer2 logs located in
${HIVE_HOME}/logs/mapr/mapr-hiveserver2-<hostname>.log
directory.
The following examples show you how the audit logs look in different scenarios:
- Logs display for new user connection
- Log entries for connected users provide the current session ID, username, IP address
of the user, and the authentication
type.
INFO [HiveServer2-Handler-Pool: Thread-51] HiveSessionImpl.audit: Connected: sessionId=4c25b6d6-6e8e-4d56-83ba-52ea271d0545 user=mapr ip=192.168.33.11 auth=MAPRSASL
- Logs display for disconnected user
- Log entries for disconnected users provide the current session ID, username, IP
address of the user, and the authentication type.
INFO [HiveServer2-Handler-Pool: Thread-51] HiveSessionImpl.audit: Disconnected: sessionId=4c25b6d6-6e8e-4d56-83ba-52ea271d0545 user=mapr ip=192.168.33.11 auth=MAPRSASL
- Logs display for total connected users
- Log entries for total connected users start with a message -Start of connected users
list, and provides the current session ID, username, IP address of the user, operation
count, active time, idle time, authentication type, and end with a message- End of the
connected user's
list.
INFO [pool-4-thread-1] SessionManager.audit: Start of the connected users list INFO [pool-4-thread-1] SessionManager.audit: sessionId=c6261d49-1a71-4404-8cad-9cac11a28151 user=mapr ip=192.168.33.11 operationCount=0 activeTime(s)=268 IdleTime(s)=268, auth=MAPRSASL INFO [pool-4-thread-1] SessionManager.audit: sessionId=36b4d8d4-f201-43da-90eb-cb683d343b80 user=mapr ip=192.168.33.11 operationCount=0 activeTime(s)=198 IdleTime(s)=197, auth=MAPRSASL INFO [pool-4-thread-1] SessionManager.audit: sessionId=32b50c8a-28ca-46a5-bbcd-963c9b22af7f user=mapruser1 ip=192.168.33.11 operationCount=0 activeTime(s)=4 IdleTime(s)=4, auth=PAM INFO [pool-4-thread-1] SessionManager.audit: End of the connected user's list
How to Audit a Hive Query
The audit log in HiveServer2 allows you to trace the activities of a Hive query. The log entries for a Hive query includes username, user’s IP address, query ID, query type, and query string.
To audit a Hive query, run any Hive query and then see the HiveServer2 logs located in
${HIVE_HOME}/logs/mapr/mapr-hiveserver2-<hostname>.log
directory.INFO [HiveServer2-Background-Pool: Thread-54] Driver.audit: user=mapr ip=192.168.33.11 queryId=mapr_20210426155754_ace67f82-9a0c-4d0e-9ac5-c529b9798ec7 query type=SHOWTABLES queryStr=show tables