Auditing Cluster Operations

The following types of operations are audited when you run the maprcli audit cluster command on a cluster:

All maprcli commands, REST calls, and actions in the Control System that have effects at the cluster level, including those that enable auditing, are audited.
All authentications to the Control System and authentications to data-fabric clusters via maprlogin are audited.
All volume level tiering operations are audited.

Audit records for these operations are recorded in the following audit logs:

Audit logs for operations related to cluster management and authentications to clusters via maprlogin

Every CLDB operation is logged in the local filesystem of the CLDB node that responded to the operation. The log file is /opt/mapr/logs/cldbaudit.log.json.

Audit logs for maprcli commands, REST API calls, and actions in the Control System

Running of a maprcli command is logged to the local filesystem on the node where the maprcli command is run. Log files are located at /opt/mapr/mapr-cli-audit-log/audit.log.json. To see what information is recorded in typical log entries, see Example Log Entries for Audited maprcli Command Runs.

The following maprcli commands, as well as their equivalent REST API calls and actions in the Control System, are also logged in audit logs on the servers where they are processed.

Command Family	Commands
acl	`acl edit, acl set, acl show`
audit	`audit cluster, audit data, audit info`
blacklist	`blacklist listusers, blacklist user`
cluster	`cluster mapreduce get, cluster mapreduce set`
config	`config load, config save`
entity	`entity info, entity list, entity modify`
license	`license add, license addcrl, license apps, license list, license listcrl, license remove, license showid`
nagios	`nagios generate`
rlimit	`rlimit get, rlimit set`
schedule	`schedule create, schedule list, schedule modify, schedule remove`
virtualip	`virtualip add, virtualip edit, virtualip list, virtualip move, virtualip remove`
volume	`volume compact, volume container move, volume container switchmaster, volume create, volume fixmountpath, volume info, volume list, volume mirror push, volume mirror start, volume mirror stop, volume modify, volume mount, volume move, volume offload, volume recall, volume remove, volume rename, volume showmounts, volume snapshot list, volume snapshot preserve, volume snapshot remove, volume tierstats, volume tierjobabort, volume tierjobstatus, volume unmount` NOTE The following commands are not audited: `volume dump create, volume dump restore, volume link create, volume link remove, volume snapshot create`

Audit logs for authentications to the Control System

Every attempt at authentication to the Control System, whether successful or unsuccessful, is logged to the local filesystem in /opt/mapr/logs/authaudit.log.json on the webserver node where an attempt was made.

Audit logs for volume level tiering operations

All volume level tiering operations, whether successful or unsuccessful, are logged in the /opt/mapr/logs/cldbaudit.log.json file.

HPE Ezmeral Data Fabric – Customer-Managed 7.9.0 Documentation
Abstract	This site contains documentation for the customer-managed platform of the HPE Ezmeral Data Fabric version 7.9.0 including installation, configuration, administration, and reference content, as well as content for the associated bundled ecosystem components and drivers.
Published	January 2025
Edition	7.9.0