Enabling and Disabling Auditing of Data Access Operations

Describes how to enable or disable auditing of data-access operations using the Control System and the CLI.

About this task

See Auditing Data Access Operations for the complete list of data-access operations that can be audited.

Enabling and Disabling Auditing of Data Access Operations Using the Control System

About this task

To enable or disable auditing of data-access operations on a cluster:

Procedure

  1. Log in to the Control System and go to the Auditing tab in the Admin > Cluster Settings page.
  2. Set the following:
    Enabled Move the slider to Yes to enable or toNo to disable data auditing.
    Maximum Size Set the size in GB, which when reached causes an alarm to be sent to the dashboard on the Control System. The alarm is to notify the cluster administrator that the audit log size is large enough to need administrator intervention. The audit log continues to grow until the administrator takes action or until the retention period ends.
    Retain Logs for Set the period of time in days to keep the data in the audit log. After this period elapses, the content of the file is deleted and new entries are added to the file until the retention period elapses.
  3. Click Save Changes for the changes to take effect.
    NOTE
    This action does not cause auditing to start for operations within the volumes. It only sets a flag that indicates that you allow auditing of individual volumes to be enabled when volume is created or modified.

Enabling and Disabling Auditing of Data Access Operations Using the CLI or REST API

Procedure

  1. To enable or disable auditing of the filesystem, table, and streams operations on a cluster, run the maprcli audit data command.
    This command does not cause auditing to start for operations within those volumes. It only sets a flag that indicates you allow auditing of individual volumes to be enabled with the maprcli volume audit command. The audit logs for file operations, table operations, and stream operations are affected by the value that you set for the -retention parameter.
  2. To enable or disable auditing for a particular volume, run the maprcli volume audit command. To verify that auditing is enabled for a volume, run the maprcli volume info command.
    You can grep with the search term 'audited\|coalesce'. 
    maprcli volume info -name <volume_name> -json | grep -i 'audited\|coalesce'
    The output of the command should be as follows, with a 1 for the audited key and the value for the coalesceinterval key: "audited":1, "coalesceInterval":2
  3. To enable or disable auditing for a particular directory, file, HPE Data Fabric Database table, or streams that existed in a volume at the time that you ran the maprcli volume audit command, run the hadoop mfs command with the -setaudit parameter. 
    hadoop mfs -setaudit <on|off> <directory|file|table>
    NOTE
    Wildcards are not supported for the names of filesystem objects in this command.
    Enabling auditing on a directory does not enable auditing on the files that already exist in the directory, though new files and directories created in the directory will have auditing enabled. For example, if you run this command on the root directory of a volume, all new files, directories, and tables that are subsequently created in the volume are audited. The creation of those objects is also audited.

Results

After enabling auditing, if you create a:
  • Snapshot of a volume, the snapshot inherits the audit settings of the original volume.
  • Local mirror or remote mirror of a volume, you must run the maprcli volume audit command to enable auditing on the mirror volume. Auditing for particular directories, files, and HPE Data Fabric Database tables in a mirror volume is automatically enabled if auditing is enabled for them in the source volume.