Service Auditing Properties

Each service that supports auditing configuration has the following properties:
  • Enable Collection - A flag to enable collection of audit events.
      Note: Impala auditing is controlled by the Audit Log Directory property. If this property has a non-empty value, the Impala service logs audit events to an audit log file. If the specified directory doesn't exist, Cloudera Manager creates the directory.

    The Enable Collection flag controls whether the Cloudera Manager Agent tracks the Impala audit log file. A validation check is performed for all Impala life cycle actions (stop/start/restart). If the Enable Collection flag is selected and the Audit Log Directory property is not set, the validator displays a message that says that the Audit Log Directory property must be set to enable auditing.

  • Event Filter - A set of rules that capture properties of auditable events and actions to be performed when an event matches those properties.
      Note: Specifying a filter on the audit events to be collected for Impala is currently not supported.
  • Event Tracker - A set of rules for tracking and coalescing events. This feature is used to define equivalency between different audit events. When events match, according to a set of configurable parameters, only one entry in the audit list is generated for all the matching events.
  • Queue Policy - The action to take when the audit event queue is full. The options are Drop or Shutdown. When a queue is full and the queue policy of the service is Shutdown, before shutting down the service, N audits will be discarded, where N is the size of the Cloudera Navigator Server queue.
      Note: If the queue policy is Shutdown, the Impala service is shut down only if Impala is unable to write to the audit log file. It is possible that an event may not appear in the audit event log due to an error in transfer to the Cloudera Manager Agent or database. In such cases Impala will not shut down and will keep writing to the log file. When the transfer problem is fixed the events will be transferred to the database.

The Event Filter and Event Tracker rules for filtering and coalescing events are expressed as JSON objects. For information on the structure of the objects, see the description on the configuration page within the Cloudera Manager Admin Console.

Configuring Service Auditing Properties

  1. Click an HDFS, HBase, Hive, or Cloudera Impala service.
  2. Select Configuration > View and Edit.
  3. Click the Cloudera Navigator category. The Service-Wide properties display.
  4. Edit the properties.
  5. Click Save Changes.

Configuring Cloudera Impala Audit Log Properties

Cloudera Impala records audit events in an audit log file. The following properties apply to the log file:
  • Audit Log Directory - The directory in which audit event log files are written. By default, this property is not set if Cloudera Navigator is not installed.
      Note: If the value of this property is changed, and Impalad restarted, then the Cloudera Manager Agent will start monitoring the new log directory for audit events. In this case it is possible that not all events are published from the old audit log directory. To avoid loss of audit events, when this property is changed, perform the following steps:
    1. Stop the Impala service.
    2. Copy audit log files and the impalad_audit_wal file from the old audit log directory to the new audit log directory. This need to be done on all the nodes where Impala daemons are running.
    3. Start the Impala service.
  • Maximum Audit Log File Size - The maximum size (in queries) of the audit event log file before a new file is created.
For further information on Cloudera Impala auditing, see the section on auditing in Impala Security.
To configure the Cloudera Impala audit log properties:
  1. Click an Impala service.
  2. Select Configuration > View and Edit.
  3. Select Impala Daemon (Default) > Logs.
  4. Edit the audit properties.
  5. Click Save Changes.
  6. Restart the Impala service in order for the changes to take affect.