MapR Audit Logs Output to Stream instead of File?

Idea created by MichaelSegel on Oct 20, 2016

Comment • 4

Active

Score20

Instead of writing MapR audit events to a log file, out put the log event to a MapRStream (Kafka) that can be consumed by a listener rather than writing to a volume. (Or allow for both writing to a stream or a log file)

This will simplify the process of capturing an event and would reduce the need for storing the logs.

The other upside is that it will make it easier to filter the events and down stream processing.

If this is already a feature, please let me know where I can find it in the documentation.

(Note: I could write a named pipe to do this... but would rather have something native from MapR)

akrd

Oct 20, 2016 1:37 PM

This is a great suggestion and something some of the internal engineers and product types have also thought about. Would love to hear more from other members in the community. Especially useful is to understand what is potential possible in terms of use cases if this functionality was available.

Actions

MichaelSegel @ akrd on Oct 20, 2016 2:02 PM

Hi Anoop,

I'm limited on what I can say...

I don't know how many MapR customers are working with PCI, PII, <insert your restricted data here>...

I can imagine that if you are turning on auditing you can and will generate a lot of data.

You can always run analytics on your log files, but in certain use cases you will want to review your data in subjective real-time or in short order. Think dashboards.

HTH

-Mike

Actions

akrd

@ MichaelSegel on Oct 20, 2016 3:41 PM

Would running Drill SQL on the latest audit log files help? The logs are in JSON and Drill could query it.

Actions

MichaelSegel @ akrd on Oct 21, 2016 7:57 PM

Anoop,

I think you misunderstand.

Today, you can run Drill against your log files. But you are limited in that you have to design your analytic queries and run them locally.

By creating an option to be able to stream the output directly, you open up the possibility to push data to external systems to perform the analytics. (e.g. Splunk) In multi-tenant environment, do you really want to spin cycles on your cluster to process analytics or have an external system be used for processing? (e.g. standalone spark on VMs)

I would like to see the option to either or both.

Actions

4 Comments

akrd Oct 20, 2016 1:37 PM
This is a great suggestion and something some of the internal engineers and product types have also thought about. Would love to hear more from other members in the community. Especially useful is to understand what is potential possible in terms of use cases if this functionality was available.
Like • Show 0 Likes0
Actions
- MichaelSegel @ akrd on Oct 20, 2016 2:02 PM
  Hi Anoop,
  
  I'm limited on what I can say...
  
  I don't know how many MapR customers are working with PCI, PII, <insert your restricted data here>...
  I can imagine that if you are turning on auditing you can and will generate a lot of data.
  
  You can always run analytics on your log files, but in certain use cases you will want to review your data in subjective real-time or in short order. Think dashboards.
  
  HTH
  -Mike
  Like • Show 0 Likes0
  Actions
  - akrd @ MichaelSegel on Oct 20, 2016 3:41 PM
    Would running Drill SQL on the latest audit log files help? The logs are in JSON and Drill could query it.
    Like • Show 0 Likes0
    Actions
    - MichaelSegel @ akrd on Oct 21, 2016 7:57 PM
      Anoop,
      
      I think you misunderstand.
      Today, you can run Drill against your log files. But you are limited in that you have to design your analytic queries and run them locally.
      
      By creating an option to be able to stream the output directly, you open up the possibility to push data to external systems to perform the analytics. (e.g. Splunk) In multi-tenant environment, do you really want to spin cycles on your cluster to process analytics or have an external system be used for processing? (e.g. standalone spark on VMs)
      
      I would like to see the option to either or both.
      Like • Show 0 Likes0
      Actions

MapR Audit Logs Output to Stream instead of File?

Related Content

Recommended Content