Viewing Audit Logs for File System, Table, and Stream Operations

Describes where MapR File System, MapR Database, and MapR Stream audit logs are stored and how to view them.

Operations on the MapR Data Platform file, database, and event data are captured and recorded in the audit logs. The operations take place within volumes and have effects at the level of the file system.

These audit logs are stored in a system volume created specifically to store them. This volume is created automatically during cluster installations and upgrades. Operations are logged on the nodes on which the operations are executed, which could differ from the nodes where operations are initiated. Logs are stored in the file system at /var/mapr/local/<node_name>/audit/. By default, only root and the cluster administrator (typically mapr) can read the log files. To allow other users to read the logs, set ACEs on the directory granting readfile (rf), readdir (rd), and lookupdir (ld) permissions to the users. For example:

~# hadoop mfs -setace -R -aces "rf:u:root|u:mapr|u:m7user1,rd:u:root|u:mapr|u:m7user1,ld:u:root|u:mapr|u:m7user1" /var/mapr/local/sample.qa.lab/audit/

Audit logs for operations on directories and files

Operations on directories and files, as well as the deletion of MapR Database tables, are logged in files that have this naming convention: FSAudit.log.json-dd-mm-yyyy-<001-999>

To see what information is recorded in typical log entries, see Example Log Entries for Audited File System Operations.

Audit logs for operations on MapR Database tables and MapR Event Store For Apache Kafka

All operations on MapR Database tables and MapR Event Store For Apache Kafka are logged in files that have this naming convention: DBAudit.log.json-dd-mm-yyy-<001-999>

Operations that result from maprcli commands, REST calls, or activity in MCS are also logged in /opt/mapr/mapr-cli-audit-log/audit.log.json on the local file system of the nodes where the operations are processed.

To see what information is recorded in typical log entries, see Example Log Entries for Audited Operations on MapR Database Binary and JSON Tables.

NOTE Due to how the creation of tables is processed internally, sometimes the creation of tables is logged in FSAudit.log.json, rather than in DBAudit.log.json.