
mapr audit logs seem to not log actions from external applications

Question asked by reedv on Jan 29, 2018
Latest reply on Jan 30, 2018 by reedv

Having a problem where it seems that operations done by external apps, such as browsing files from Drill Explorer on a remote Windows machine, are not showing up in the audit logs of the volumes that are being operated on through Drill.

  1. Operations by certain programs on the FS do not seem to be logged/audited anywhere. E.g.
    1. When using Drill Explorer to look at/browse volumes that have auditing enabled (not the volume that is simply storing the expanded audits), those operations are not logged anywhere (i.e. the fact that Drill Explorer had examined those directories does not show up in any of the audit logs as any operation to that volume). Thus a person could connect to the cluster through Drill and look at access operations and file names outside of work hours without the system ever logging that they did so. This seems very wrong and makes me think that I am not turning on auditing properly.

 

Looking at the output of 

maprcli volume info -name someauditedvolume -json

I see the snippet

"auditVolume":0,
"audited":1,
"forceAudit":0,

when I would think that it should be more like

"auditVolume":1,
"audited":1,
"forceAudit":0,

I really don't know and this is just an uneducated guess. Furthermore, I suspect that some of the problem is due to using the default "Coalesce Interval" (of 60 min) when creating the volumes-to-be-audited in the MCS, but I do not think that that is the whole problem.

 

The ability to accurately audit the FS accesses and actions on our cluster is very important for what we are doing, and any advice on what is causing these problems would be appreciated. Thanks.

 

MapR version: 6.0

Drill version: 1.11
