Enabling Auditing

About this task

To enable or disable auditing of cluster-management operations on a MapR cluster, run the maprcli audit cluster command. To enable or disable auditing of data-access operations:

Procedure

  1. To enable or disable auditing of filesystem and table operations on a cluster, run the maprcli audit data command.
    This command does not start auditing of operations within volumes. It only sets a flag that allows auditing to be enabled for individual volumes with the maprcli volume audit command. The value that you set for the -retention parameter applies to both the audit logs for file operations and the audit logs for table operations.
  2. To enable or disable auditing for a particular volume, run the maprcli volume audit command. To verify that auditing is enabled for a volume, run the maprcli volume info command.
    You can filter the output with grep, using the search term 'audited\|coalesce':
    maprcli volume info -name <volume_name> -json | grep -i 'audited\|coalesce'
    The output of the command should look like this, with a 1 for the audited key and the value for the coalesceInterval key:
    "audited":1, "coalesceInterval":2
  3. To enable or disable auditing for a particular directory, file, or MapR-DB table that existed in a volume at the time that you ran the maprcli volume audit command, run the hadoop mfs command with the -setaudit parameter.
    hadoop mfs -setaudit <on|off> <directory|file|table>
    NOTE: Wildcards are not supported for the names of filesystem objects in this command.
    Enabling auditing on a directory does not enable auditing on the files that already exist in the directory, though new files and directories created in the directory will have auditing enabled. For example, if you run this command on the root directory of a volume, all new files, directories, and tables that are subsequently created in the volume are audited. The creation of those objects is also audited.
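Step 3 leaves a coverage gap: objects that already exist under a directory stay unaudited, and the command takes no wildcards. The script below is an added example, not part of the MapR documentation, that issues one -setaudit call per existing object. The helper names, the /vol1/finance paths and the sample listing are constructed, and it assumes the listing comes from hadoop fs -ls -R in its usual eight-column layout.

```shell
#!/bin/sh
# Added example, not from the MapR documentation. Paths and the helper
# names (listing_paths, apply_setaudit, SETAUDIT) are made up here.

# Constructed sample in the usual eight-column `hadoop fs -ls -R` layout.
SAMPLE_LISTING='drwxr-xr-x   - mapr mapr          0 2017-03-01 10:15 /vol1/finance/q1
-rw-r--r--   3 mapr mapr      20480 2017-03-01 10:16 /vol1/finance/q1/ledger.csv
-rw-r--r--   3 mapr mapr       4096 2017-03-02 09:00 /vol1/finance/year end notes.txt'

# Print the path of every file or directory line read from stdin.
# Stripping the first seven columns keeps spaces inside names intact;
# anything that is not an entry line (e.g. "Found 3 items") is ignored.
listing_paths() {
  awk '/^[-d]/ && NF >= 8 { for (i = 0; i < 7; i++) sub(/^[^ ]+ +/, ""); print }'
}

# Default action is a dry run that prints the command it would issue.
print_setaudit() { printf 'hadoop mfs -setaudit %s "%s"\n' "$1" "$2"; }
# Real action; stdin is closed so hadoop cannot swallow the listing.
run_setaudit() { hadoop mfs -setaudit "$1" "$2" </dev/null; }
SETAUDIT=${SETAUDIT:-print_setaudit}

# apply_setaudit <on|off> <root>: one call for the root directory (so new
# objects inherit the setting) and one per object already under it, since
# the command takes no wildcards and a directory setting does not reach
# existing children. The recursive listing of <root> is read from stdin.
apply_setaudit() {
  state=$1 root=$2
  case $state in on|off) ;; *) echo "state must be on or off" >&2; return 2 ;; esac
  "$SETAUDIT" "$state" "$root" || echo "FAILED: $root" >&2
  listing_paths | while IFS= read -r path; do
    "$SETAUDIT" "$state" "$path" || echo "FAILED: $path" >&2
  done
}

# Dry run over the constructed sample. On a cluster:
#   SETAUDIT=run_setaudit
#   hadoop fs -ls -R /vol1/finance | apply_setaudit on /vol1/finance
printf '%s\n' "$SAMPLE_LISTING" | apply_setaudit on /vol1/finance
```

The dry run prints four commands: one for /vol1/finance itself and one for each of the three listed objects.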

Results

After enabling auditing, if you create a:
  • Snapshot of a volume, the snapshot inherits the audit settings of the original volume.
  • Local mirror or remote mirror of a volume, you must run the maprcli volume audit command to enable auditing on the mirror volume. Auditing for particular directories, files, and MapR-DB tables in a mirror volume is enabled automatically if auditing is enabled for them in the source volume.