Viewing Log Entries for Audited maprcli Command Executions
Describes where audit records of operations performed using the CLI are stored and how to view them.
The execution of any maprcli command on the cluster is logged in the local filesystem on the node on which the execution happened. The log file is /opt/mapr/mapr-cli-audit-log/audit.log.json. Auditing of CLI operations is always enabled, whether or not auditing is enabled for cluster-level operations with the maprcli audit cluster command.
Typical log entries provide a timestamp of the execution, the UID of the user who ran the command, the IP address from which the user ran the command, the command itself with its arguments, and the status of the execution. Status codes are 0 for success and 1 for failure. The errors field provides the reasons for failures.
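As an added example (not part of the original documentation), the following Python code parses records with the fields just described and counts failed commands per UID and source IP address. It assumes the log file holds one JSON object per line; the first two sample records reuse entries from this page, and the last two are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime

# Records 1-2 reuse entries shown on this page; record 3 (a success from a
# different user) and the truncated line 4 are constructed for illustration.
SAMPLE_LOG = """\
{"timestamp":{"$date":"2015-06-15T11:45:56.434Z"},"uid":2147483632,"ipAddress":"10.10.20.12","command":"volume info","arguments":{"name":"mapr.opt"},"status":1,"errors":["Volume lookup of mapr.opt failed, No such volume"]}
{"timestamp":{"$date":"2015-06-15T11:49:52.598Z"},"uid":2147483632,"ipAddress":"10.10.20.12","command":"volume create","arguments":{"name":"mapr.hbase","path":"/hbase","replicationtype":"low_latency"},"status":1,"errors":["Volume Name mapr.hbase, Already In Use"]}
{"timestamp":{"$date":"2015-06-15T11:52:10.101Z"},"uid":5000,"ipAddress":"10.10.20.15","command":"volume list","arguments":{},"status":0,"errors":[]}
{"timestamp":{"$date":"2015-06-15T11:53:00.000Z"},"uid":5000,"ipAddr
"""


def parse_audit_log(text):
    """Return (records, bad_line_numbers), assuming one JSON object per line."""
    records, bad_lines = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            # Timestamps on this page look like 2015-06-15T11:45:56.434Z (UTC).
            rec["when"] = datetime.strptime(
                rec["timestamp"]["$date"], "%Y-%m-%dT%H:%M:%S.%fZ")
        except (ValueError, KeyError, TypeError):
            bad_lines.append(lineno)  # truncated or malformed entry: report it
            continue
        records.append(rec)
    return records, bad_lines


def failures_by_source(records):
    """Count total and failed commands per (uid, ipAddress)."""
    summary = defaultdict(lambda: {"total": 0, "failed": 0, "commands": set()})
    for rec in records:
        entry = summary[(rec.get("uid"), rec.get("ipAddress"))]
        entry["total"] += 1
        if rec.get("status") != 0:  # 0 is success; anything else counts as failure
            entry["failed"] += 1
            entry["commands"].add(rec.get("command"))
    return dict(summary)


if __name__ == "__main__":
    records, bad_lines = parse_audit_log(SAMPLE_LOG)
    for (uid, ip), s in failures_by_source(records).items():
        print(f"uid={uid} ip={ip} failed={s['failed']}/{s['total']} {sorted(s['commands'])}")
    print("unparseable lines:", bad_lines)
```

Because the log is written per node, a cluster-wide view requires running this over the file collected from each node.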
Below are some typical log entries:
{"timestamp":{"$date":"2015-06-15T11:45:56.434Z"},"uid":2147483632,"ipAddress":"10.10.20.12","command":"volume info","arguments":{"name":"mapr.opt"},"status":1,"errors": ["Volume lookup of mapr.opt failed, No such volume"]}
{"timestamp":{"$date":"2015-06-15T11:49:34.434Z"},"uid":2147483632,"ipAddress":"10.10.20.12","command":"alarm add","arguments":{"baseService":"1","alarm":"NODE_ALARM_SERVICE_GATEWAY_DOWN","service":"gateway","displayName":"GatewayServiceDown","serviceName":"GatewayService","terse":"nagwsd"},"status":1,"errors":["Terse name of nagwsd already exists in the system.","Alarm NODE_ALARM_SERVICE_GATEWAY_DOWN already exists in the system."]}
{"timestamp":{"$date":"2015-06-15T11:49:52.598Z"},"uid":2147483632,"ipAddress":"10.10.20.12","command":"volume create","arguments":{"name":"mapr.hbase","path":"/hbase","replicationtype":"low_latency"},"status":1,"errors":["Volume Name mapr.hbase, Already In Use"]}