
Empty audit logs despite auditing enabled

Question asked by reedv on Jan 4, 2018
Latest reply on Jan 9, 2018 by deborah

The MapR docs seem to indicate that all audit logs should be in the /var/mapr/local/<node_name>/audit/ directory of the cluster. However, when looking in some of the log files in those volumes, they appear to all be empty. This is confirmed by running:

 

[mapr@mapr001 local]$ ls -lhR */audit
mapr001.ucera.local/audit:
total 512
drwxr-xr-x. 2 mapr mapr 21 Dec 27 13:59 5660

mapr001.ucera.local/audit/5660:
total 0
-rw-------. 1 mapr mapr 0 Dec 14 17:04 DBAudit.log-2017-12-15-001.json
-rw-------. 1 mapr mapr 0 Dec 14 18:01 DBAudit.log-2017-12-15-002.json
-rw-------. 1 mapr mapr 0 Dec 27 13:59 DBAudit.log-2017-12-27-001.json
-rw-------. 1 mapr mapr 0 Dec 14 17:04 ExpandAudit.log-2017-12-15-001.json
-rw-------. 1 mapr mapr 0 Dec 14 18:01 ExpandAudit.log-2017-12-15-002.json
-rw-------. 1 mapr mapr 0 Dec 27 13:59 ExpandAudit.log-2017-12-27-001.json
-rw-------. 1 mapr mapr 0 Dec 14 17:04 FSAudit.log-2017-12-15-001.json
-rw-------. 1 mapr mapr 0 Dec 14 18:01 FSAudit.log-2017-12-15-002.json
-rw-------. 1 mapr mapr 0 Dec 27 13:59 FSAudit.log-2017-12-27-001.json
-rw-------. 1 mapr mapr 0 Dec 14 17:04 Metrics.log-2017-12-15-001.json
-rw-------. 1 mapr mapr 0 Dec 14 18:01 Metrics.log-2017-12-15-002.json
-rw-------. 1 mapr mapr 0 Dec 27 13:59 Metrics.log-2017-12-27-001.json
-rw-------. 1 mapr mapr 0 Dec 14 17:04 Vollist_DBAudit.log-2017-12-15-001
-rw-------. 1 mapr mapr 0 Dec 14 18:01 Vollist_DBAudit.log-2017-12-15-002
-rw-------. 1 mapr mapr 0 Dec 27 13:59 Vollist_DBAudit.log-2017-12-27-001
-rw-------. 1 mapr mapr 0 Dec 14 17:04 Vollist_FSAudit.log-2017-12-15-001
-rw-------. 1 mapr mapr 0 Dec 14 18:01 Vollist_FSAudit.log-2017-12-15-002
-rw-------. 1 mapr mapr 0 Dec 27 13:59 Vollist_FSAudit.log-2017-12-27-001
-rw-------. 1 mapr mapr 0 Dec 14 17:04 Vollist_Metrics.log-2017-12-15-001
-rw-------. 1 mapr mapr 0 Dec 14 18:01 Vollist_Metrics.log-2017-12-15-002
-rw-------. 1 mapr mapr 0 Dec 27 13:59 Vollist_Metrics.log-2017-12-27-001

... and so on

to see that all the audit log locations are empty. Am I misinterpreting how the auditing feature works or should I be seeing something here? Checking the MCS, I do have auditing enabled for certain volumes. Never used this feature before, so more details would be appreciated. Thank you.
