Viewing Hive Audit Logs

Starting in EEP 7.1.0, you can view Hive audit logs for connected, disconnected, and total connected users.

To view audit logs, add the following property in the hive-site.xml file:
<property>
    <name>hive.enable.full.list.of.connected.users</name>
    <value>true</value>
</property>

By default, logs are updated every five seconds.

The following table describes the Hive Parameters used to manage the user audit logs:
Parameter Default value Description
hive.enable.full.list.of.connected.users false Enables the logging of the users currently connected to Hive when set to true. Use for debugging purposes only.
hive.full.list.of.connected.users.update.interval 5 Enables the log updates for currently connected Hive users in seconds. Must be used with the hive.enable.full.list.of.connected.users parameter. Use for debugging purposes only.

How to View Audit Logs

Enable the hive.enable.full.list.of.connected.users property in hive-site.xml file. You can view audit logs for connected, disconnected, and total connected users in HiveServer2 logs located in ${HIVE_HOME}/logs/mapr/mapr-hiveserver2-<hostname>.log directory.

The following examples show you how the audit logs look in different scenarios:
Logs display for new user connection
Log entries for connected users provide the current session ID, username, IP address of the user, and the authentication type.
INFO [HiveServer2-Handler-Pool: Thread-51] HiveSessionImpl.audit: Connected: sessionId=4c25b6d6-6e8e-4d56-83ba-52ea271d0545 user=mapr ip=192.168.33.11  auth=MAPRSASL
Logs display for disconnected user
Log entries for disconnected users provide the current session ID, username, IP address of the user, and the authentication type.
INFO [HiveServer2-Handler-Pool: Thread-51] HiveSessionImpl.audit: Disconnected: sessionId=4c25b6d6-6e8e-4d56-83ba-52ea271d0545 user=mapr ip=192.168.33.11  auth=MAPRSASL
Logs display for total connected users
Log entries for total connected users start with a message -Start of connected users list, and provides the current session ID, username, IP address of the user, operation count, active time, idle time, authentication type, and end with a message- End of the connected user's list.
INFO [pool-4-thread-1] SessionManager.audit: Start of the connected users list

INFO [pool-4-thread-1] SessionManager.audit: sessionId=c6261d49-1a71-4404-8cad-9cac11a28151 user=mapr ip=192.168.33.11 operationCount=0 activeTime(s)=268 IdleTime(s)=268, auth=MAPRSASL

INFO [pool-4-thread-1] SessionManager.audit: sessionId=36b4d8d4-f201-43da-90eb-cb683d343b80 user=mapr ip=192.168.33.11 operationCount=0 activeTime(s)=198 IdleTime(s)=197, auth=MAPRSASL

INFO [pool-4-thread-1] SessionManager.audit: sessionId=32b50c8a-28ca-46a5-bbcd-963c9b22af7f user=mapruser1 ip=192.168.33.11 operationCount=0 activeTime(s)=4 IdleTime(s)=4, auth=PAM

INFO [pool-4-thread-1] SessionManager.audit: End of the connected user's list

How to Audit a Hive Query

The audit log in HiveServer2 allows you to trace the activities of a Hive query. The log entries for a Hive query includes username, user’s IP address, query ID, query type, and query string.

To audit a Hive query, run any Hive query and then see the HiveServer2 logs located in ${HIVE_HOME}/logs/mapr/mapr-hiveserver2-<hostname>.log directory.
INFO [HiveServer2-Background-Pool: Thread-54] Driver.audit: user=mapr ip=192.168.33.11 queryId=mapr_20210426155754_ace67f82-9a0c-4d0e-9ac5-c529b9798ec7 query type=SHOWTABLES queryStr=show tables