volume audit
Enables or disables auditing on the specified volume.
You must have the fc permission on the cluster to use this command. See acl for details about this permission.
To learn how to determine whether auditing is enabled for a volume, see Checking Whether Auditing is Enabled for a Directory, File, or MapR-DB Table.
Syntax
- CLI
-
maprcli volume audit
[ -cluster <cluster name> ]
-name <volume name>
[-dataauditops <+|-operations>]
[ -enabled <true|false> ]
[ -coalesce <interval in minutes> ]
- REST
-
http[s]://<host>:<port>/rest/volume/audit?cluster=<name of cluster>&name=<name of volume>&enabled=<true|false>&coalesce=<minutes>
Parameters
Parameter | Description |
---|---|
cluster | The cluster on which the volume is located. This parameter is required if the volume is on a remote cluster. The remote cluster must be listed in the mapr-cluster.conf file for the cluster where you run the command. |
name | The name of the volume. |
enabled | Enables or disables the auditing of operations within the volume. You must use either this parameter, the See Enabling Auditing for the steps to enable auditing on directories, files, and tables in a volume. When you set the value to false, auditing of operations within the volume ceases. None of the auditing settings are changed on the directories, files, and MapR-DB tables within the volume. If you later run the |
coalesce | The interval of time during which READ, WRITE, or GETATTR operations on one file from one client IP address are logged only once, if auditing is enabled. For example, suppose that a client application reads a single file three times in 6 minutes, so that there is one read at 0 minutes, another at 3 minutes, and a final read at 6 minutes. If the coalesce interval is at least 6 minutes, then only the first read operation is logged. However, if the interval is 4 minutes, then only the first and third read operations are logged. If the interval is 2 minutes, all three read operations are logged. The default value is 60 minutes. Setting this field to a larger number helps prevent audit logs from growing quickly. |
dataauditops | The comma-separated list of filesystem operations to include (specified with a preceding plus sign ( NOTE: If the first operation in the list is to be excluded from auditing, it must be preceded by two minus (--) signs. Subsequent operations to exclude must be preceded by only a single minus (-) sign, whether or not the first operation was included (using a plus (+) sign) or excluded (using two minus (--) signs). If neither sign is specified, the given operation is included for auditing. The operations that can be included ( NOTE: You can specify a mixed list of included and excluded operations. There are no changes to operations that are not specified with the command. |
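
The coalesce behaviour described in the table above, as an added example that is not part of the original documentation and is not MapR code: a small Python model that reproduces the three-reads scenario and shows which events would be absent from the audit log. It assumes the window is measured from the last logged event with an inclusive end, that events are keyed by operation, file, and client IP, and that operations other than READ, WRITE, and GETATTR are not coalesced; the path and IP addresses are constructed.

```python
from collections import namedtuple

# Constructed audit events: minute offset, operation, file, client IP.
Event = namedtuple("Event", "minute op path client_ip")

COALESCED_OPS = {"READ", "WRITE", "GETATTR"}  # the operations the page names


def logged_events(events, coalesce_minutes=60):
    """Return the events that would be written under this model.

    Assumptions (not taken from MapR code): the window starts at the last
    *logged* event, its end is inclusive, and the key is (op, file, client IP).
    """
    last_logged = {}
    kept = []
    for ev in sorted(events, key=lambda e: e.minute):
        if ev.op not in COALESCED_OPS:
            kept.append(ev)  # assumption: other operations are never coalesced
            continue
        key = (ev.op, ev.path, ev.client_ip)
        prev = last_logged.get(key)
        if prev is not None and ev.minute - prev <= coalesce_minutes:
            continue  # inside the window: suppressed, no log record
        last_logged[key] = ev.minute
        kept.append(ev)
    return kept


def logged_minutes(events, coalesce_minutes=60):
    """Minute offsets of the events that survive coalescing."""
    return [e.minute for e in logged_events(events, coalesce_minutes)]


# The page's scenario: one client reads one file at 0, 3 and 6 minutes.
READS = [Event(m, "READ", "/vol/report.csv", "10.0.0.5") for m in (0, 3, 6)]
# A second client reading the same file is tracked under its own key.
MIXED = READS + [Event(1, "READ", "/vol/report.csv", "10.0.0.9")]

if __name__ == "__main__":
    for interval in (6, 4, 2):
        print(f"coalesce={interval} min -> logged at", logged_minutes(READS, interval))
    print("two clients, default 60 min ->", logged_minutes(MIXED))
```

With the default 60-minute interval, repeated reads of one file from one address inside the hour leave a single record, so the absence of later records in the log does not show that no later access occurred.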
Examples
Enable Auditing for a volume
The following example shows how to enable auditing for the volume “auditVolume”:
- CLI
-
maprcli volume audit -name auditVolume
- REST
-
https://centos26.lab:8443/rest/volume/audit?name=auditVolume
Modify the list of operations to audit
The following example shows how to specify the operations to audit. Here, the create operation is included for auditing and the lookup operation is excluded from auditing. There are no changes to operations that are not specified.
- CLI
-
maprcli volume audit -name sampleAuditVolume -dataauditops +create,-lookup
- REST
-
https://centos26.lab:8443/rest/volume/audit?name=sampleAuditVolume&dataauditops=%2Bcreate%2C%2Dlookup