expandaudit
As operations are performed on the directories, files, and tables that you are auditing, the audit logs capture records of those operations. Those records identify the affected directories, files, and tables by means of file IDs, the volumes on which the operations took place by means of volume identifiers, and the users who performed the operations by means of user IDs. These IDs are used instead of names in the audit records because fetching the actual names of these objects and users in real-time is costly in terms of performance.
You can use the expandaudit utility, however, to create copies of your logs files in which the IDs are resolved into names and inserted into the audit records.
This utility acts on audit logs that exist in the current MapR cluster at the time that the utility is run.
Restrictions
This utility operates on audit logs for filesystem operations and MapR-DB operations, which
are logged in a local MapR volume on each node where the operations are performed. These
operations are logged in FSAudit and DBAudit log files.
- The file exists at the time that
expandauditis run. - The file has been deleted but the deletion of the file was logged and the log files
being processed by
expandauditinclude the record of the file deletion.
If a volume is deleted, expandaudit will not be able to convert
identifiers for files that were in the volume unless the creation of the volume and files
were logged.
If the creation of a file is audited and the file is later renamed, the file ID is converted to the current name.
Permissions
Although the permissions on the tool are 755, the tool generates output only when run by root or the user mapr.
Syntax
expandaudit
[ -name <volume name> | -id <volume identifier>]
-o <output directory>Parameters
| Parameter | Description |
|---|---|
| name | The name of the volume being audited. If neither this parameter nor the
-id parameter is used, all audit logs on the cluster are
included in the operation. |
| id | The ID of the volume being audited. If neither this parameter nor the
-name parameter is used, all audit logs on the cluster are
included in the operation. |
| o | The directory in the MapR filesystem in which to create the copies of the
audit logs. The directory must already exist. The directory structure is:
|
Sample Expansion of a Record for Filesystem Operations
{"timestamp":{"$date":"2015-06-06T13:02:23.746Z"},"operation":"GETATTR","uid":"1","ipAddress":
"10.10.104.53","srcFid":"2049.652.263696","volumeId":68048396,"status":0}{"timestamp":{"$date":"2015-06-06T13:02:23.746Z"},"operation":"GETATTR","user":
"userA","uid":"1","ipAddress":"10.10.104.53","srcPath":"/customers/US_Western_Region.json",
"srcFid":"2049.3296.268968","volumeName":"data_analysis","volumeId":68048396,"status":0}Sample Expansion of a Record for MapR-DB Table Operations
{"timestamp":{"$date":"2015-06-06T13:08:54.474Z"},"operation":"DB_PUT","uid":"1","ipAddress":
"10.10.104.51","volumeId":68048396,"columnFamily":"fam63","columnQualifier":"col_96","tableFid":
"2049.56.262518","status":0}{"timestamp":"{$date=2015-06-06T13:08:54.474Z}","operation":"DB_PUT","user":"userA","uid":
"1","ipAddress":"10.10.104.51","VolumeName":"mapr.cluster.root","volumeId":"68048396",
"columnFamily":"fam63","columnQualifier":"col_96","tablePath":"/mytable","tableFid":"2049.56.262518",
"status":"0"}