Viewing Log Entries for Audited maprcli Command Executions

Describes where audit records of operations performed using the CLI are stored and how to view them.

The execution of any maprcli command on the cluster is logged in the local filesystem on the node on which the execution happened. The log file is /opt/mapr/mapr-cli-audit-log/audit.log.json. Auditing of CLI operations is always enabled, whether or not auditing is enabled for cluster-level operations with the maprcli audit cluster command.

Typical log entries provide a timestamp of the execution, the UID of the user who ran the command, the IP address from which the user ran the command, the command itself with its arguments, and the status of the execution. Status codes are 0 for success and 1 for failure. The errors field provides the reasons for failures.

Below are some typical log entries:

{"timestamp":{"$date":"2015-06-15T11:45:56.434Z"},"uid":2147483632,"ipAddress":
"10.10.20.12","command":"volume info","arguments":{"name":"mapr.opt"},"status":
1,"errors": ["Volume lookup of mapr.opt failed, No such volume"]}
{"timestamp":{"$date":"2015-06-15T11:49:34.434Z"},"uid":2147483632,"ipAddress":
"10.10.20.12","command":"alarm add","arguments":{"baseService":"1","alarm": 
"NODE_ALARM_SERVICE_GATEWAY_DOWN","service":"gateway","displayName":"GatewayServiceDown",
"serviceName":"GatewayService","terse":"nagwsd"},"status":1,"errors":["Terse name of 
nagwsd already exists in the system.","Alarm NODE_ALARM_SERVICE_GATEWAY_DOWN already 
exists in the system."]}
{"timestamp":{"$date":"2015-06-15T11:49:52.598Z"},"uid":2147483632,"ipAddress":
"10.10.20.12","command":"volume create","arguments":{"name":"mapr.hbase","path":"/hbase", 
"replicationtype":"low_latency"},"status":1,"errors":["Volume Name mapr.hbase, Already In Use"]}