This is the documentation for Cloudera Navigator 1.2.0.

Audit Events

An audit event is an event that describes an action that has been taken for a service, role, or host instance.

In Cloudera Manager, audit event logs display service, role, and host life cycle events recorded by the Cloudera Manager management services, and service access events recorded by the Cloudera Navigator auditing component. For information on the former, see Audit Events in the Cloudera Manager Monitoring and Diagnostics Guide.

Viewing Audit Events

You can view audit events for all services or for a specific service.

To view audit events, follow the procedure for the appropriate object:

  • All Services
    1. Click Audits in the Cloudera Manager top navigation bar.
  • Service
    1. Click a service that supports auditing.
    2. Click the Audits tab on the service navigation bar.

Audit event entries are ordered with the most recent at the top.

Audit Event Properties

The following properties can appear in an audit event entry:

  • Date - Date and time the action was performed.
  • Command - The action performed.
  • Source - The object affected by the service action.
  • User - The name of the user that performed the action.
  • Impersonator - If the action was requested by another service, the name of the service that invoked the service action on behalf of the user.
  • IP Address - The IP address of the host where the service action occurred.
  • Service - The name of the service that performed the service action.
  • Role - The name of the role that performed the service action.

When you mouse over a Hive, Hue, or Cloudera Impala query event, a pop-up displays the query that generated the event.

Events that represent denied access are labeled Denied and have a pink background.

Filtering Audit Events

You filter the events shown in the audit log by selecting a time range and adding filters.

You can use the Time Range Selector or a duration link to set the time range. (See Time Line in the Cloudera Manager Monitoring and Diagnostics Guide for details.) When you select the time range, the log displays all events in that range. Note that a search over a longer time range typically takes longer, because more events have to be searched.

Adding a Filter

  • Click the icon that displays next to a property when you hover in one of the event entries. A filter containing the property, operator, and its value is added to the list of filters at the left and Cloudera Manager redisplays all events that match the filter.
  • Click the Add a filter link. A filter control is added to the list of filters.
    1. Choose a property in the drop-down list. You can search by properties such as Username, Service, Command, or Role. The properties vary depending on the service or role.
    2. If the property allows it, choose an operator in the operator drop-down list.
    3. Type a property value in the value text field. For some properties, where the list of values is finite and known, you can start typing and then select from a list of potential matches. To match a substring, use the like operator and specify % around the string. For example, to see all the audit events for files created in the folder /user/joe/out specify Source like %/user/joe/out%.
    4. Click Search. The log displays all events that match the filter criteria.
    5. Click to add more filters and repeat steps 1 through 4.

Removing a Filter

  1. Click the icon at the right of the filter. The filter is removed.
  2. Click Search. The log displays all events that match the filter criteria.

Downloading Audit Event Logs

You can download audit event logs.
  1. Specify desired filters and time range.
  2. Click the Download CSV button. A file with the following fields is downloaded: service, username, command, ipAddress, resource, allowed, timestamp, operationText. The structure of the resource field depends on the type of the service:
    • HDFS - A file path.
    • Hive, Hue, and Cloudera Impala - database:tablename
    • HBase - table family:qualifier
    For Hive, Hue, and Cloudera Impala query and load commands, operationText contains the query or load string.

HDFS Audit Log Example

service,username,command,ipAddress,resource,allowed,timestamp,operationText,
hdfs1,cloudera,setPermission,10.20.187.242,/user/hive,false,"2013-02-09T00:59:34.430Z",
hdfs1,cloudera,getfileinfo,10.20.187.242,/user/cloudera,true,"2013-02-09T00:59:22.667Z",
hdfs1,cloudera,getfileinfo,10.20.187.242,/,true,"2013-02-09T00:59:22.658Z",

In this example, access was denied for the first event, so its allowed field has the value false.

Cloudera Impala Audit Log Example

IMPALA-1,admin,QUERY,"::ffff:10.20.186.210:50745",default:sample_08,true,"2013-08-21T18:27:12.000Z","select s07.description, s07.total_emp, s08.total_emp, s07.salary FROM sample_07 s07 JOIN sample_08 s08 ON ( s07.code = s08.code ) WHERE ( s07.total_emp > s08.total_emp AND s07.salary > 100000 ) ORDER BY s07.salary DESC LIMIT 1000"
IMPALA-1,admin,QUERY,"::ffff:10.20.186.210:50745",default:sample_07,true,"2013-08-21T18:27:12.000Z","select s07.description, s07.total_emp, s08.total_emp, s07.salary FROM sample_07 s07 JOIN sample_08 s08 ON ( s07.code = s08.code ) WHERE ( s07.total_emp > s08.total_emp AND s07.salary > 100000 ) ORDER BY s07.salary DESC LIMIT 1000"
IMPALA-1,admin,RESET_METADATA,"::ffff:10.20.186.210:50745",null:null,true,"2013-08-21T18:27:04.000Z","invalidate metadata"

In this example, the two query events are from the same query, but involve two different tables.
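
The following added example (not part of the Cloudera documentation) shows one way to review a downloaded CSV offline: it lists denied events and collapses the per-table rows of a single Impala query. The function names are hypothetical, the sample rows are taken from the examples above with the query text shortened, and grouping rows by identical service, user, timestamp and operationText is an assumption about how rows of one query can be recognized.

```python
import csv, io, re
from collections import defaultdict
from datetime import datetime, timezone

# Column order of the downloaded CSV, as listed on this page.
FIELDS = "service username command ipAddress resource allowed timestamp operationText".split()

# Rows from the page's HDFS and Impala examples; query text shortened here.
SAMPLE = '''service,username,command,ipAddress,resource,allowed,timestamp,operationText,
hdfs1,cloudera,setPermission,10.20.187.242,/user/hive,false,"2013-02-09T00:59:34.430Z",
hdfs1,cloudera,getfileinfo,10.20.187.242,/user/cloudera,true,"2013-02-09T00:59:22.667Z",
IMPALA-1,admin,QUERY,"::ffff:10.20.186.210:50745",default:sample_08,true,"2013-08-21T18:27:12.000Z","select ... FROM sample_07 s07 JOIN sample_08 s08"
IMPALA-1,admin,QUERY,"::ffff:10.20.186.210:50745",default:sample_07,true,"2013-08-21T18:27:12.000Z","select ... FROM sample_07 s07 JOIN sample_08 s08"
'''

_MAPPED = re.compile(r"^::ffff:(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?$", re.I)

def normalize_ip(value):
    """Reduce an IPv4-mapped address with port (as in the Impala rows) to bare IPv4."""
    m = _MAPPED.match(value)
    return m.group(1) if m else value

def parse_audit_csv(text):
    """Yield one dict per event, tolerating the header row and trailing commas."""
    for row in csv.reader(io.StringIO(text)):
        if not row or row[:2] == FIELDS[:2]:
            continue  # blank line or header row
        ev = dict(zip(FIELDS, (row + [""] * len(FIELDS))[:len(FIELDS)]))
        ev["allowed"] = ev["allowed"].strip().lower() == "true"
        ev["time"] = datetime.strptime(
            ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        ev["client"] = normalize_ip(ev["ipAddress"])
        yield ev

def denied_events(events):
    """Events whose allowed field is false, oldest first."""
    return sorted((e for e in events if not e["allowed"]), key=lambda e: e["time"])

def group_queries(events):
    """Collapse the per-table rows of one query into a single entry."""
    groups = defaultdict(list)
    for ev in events:
        if ev["operationText"]:
            key = (ev["service"], ev["username"], ev["timestamp"], ev["operationText"])
            groups[key].append(ev["resource"])
    return dict(groups)

if __name__ == "__main__":
    events = list(parse_audit_csv(SAMPLE))
    print(denied_events(events)[0]["resource"], list(group_queries(events).values()))
```

Normalizing the client address lets HDFS and Impala events from the same host be correlated, since the two services record the address in different forms.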