Auditing Cluster Operations

Explains the operations that are audited for a cluster.

The following types of operations are audited when you run the maprcli audit cluster command on a cluster:

  • All maprcli commands, REST calls, and actions in the Control System that have effects at the cluster level, including those that enable auditing, are audited.
  • All authentications to the Control System and authentications to MapR clusters via maprlogin are audited.
  • All volume level tiering operations are audited.

Audit records for these operations are recorded in the following audit logs:

Audit logs for operations related to cluster management and authentications to clusters via maprlogin

Every CLDB operation is logged in the local filesystem of the CLDB node that responded to the operation. The log file is /opt/mapr/logs/cldbaudit.log.json.

Audit logs for maprcli commands, REST API calls, and actions in the Control System

Executions of maprcli commands, REST API calls, and actions in the Control System are logged in the local filesystem on the nodes where they are executed. Log files are located at /opt/mapr/mapr-cli-audit-log/audit.log.json. To see what information is recorded in typical log entries, see Example Log Entries for Audited maprcli Command Executions, REST API Calls, and Actions in the Control System.

The following maprcli commands, as well as their equivalent REST API calls and actions in the Control System, are also logged in audit logs on the servers where they are processed.

| Command Family | Commands |
|---|---|
| acl | acl edit, acl set, acl show |
| audit | audit cluster, audit data, audit info |
| blacklist | blacklist listusers, blacklist user |
| cluster | cluster mapreduce get, cluster mapreduce set |
| config | config load, config save |
| entity | entity info, entity list, entity modify |
| license | license add, license addcrl, license apps, license list, license listcrl, license remove, license showid |
| nagios | nagios generate |
| rlimit | rlimit get, rlimit set |
| schedule | schedule create, schedule list, schedule modify, schedule remove |
| virtualip | virtualip add, virtualip edit, virtualip list, virtualip move, virtualip remove |
| volume | volume compact, volume container move, volume container switchmaster, volume create, volume fixmountpath, volume info, volume list, volume mirror push, volume mirror start, volume mirror stop, volume modify, volume mount, volume move, volume offload, volume recall, volume remove, volume rename, volume showmounts, volume snapshot list, volume snapshot preserve, volume snapshot remove, volume tierstats, volume tierjobabort, volume tierjobstatus, volume unmount |

NOTE: These commands are not audited: volume dump create, volume dump restore, volume link create, volume link remove, volume snapshot create

Audit logs for authentications to the Control System

Every attempt at authentication to the Control System, whether successful or unsuccessful, is logged to the local filesystem in /opt/mapr/logs/authaudit.log.json on the webserver node where an attempt was made.

Audit logs for volume level tiering operations

All volume level tiering operations, whether successful or unsuccessful, are logged in the /opt/mapr/logs/cldbaudit.log.json file.
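
Each of the three audit logs described above is written to the local filesystem of whichever node handled the operation, so reviewing cluster activity means merging the files collected from every node. The following Python is an added example, not MapR code: it assumes one JSON object per line, and the node names, field names (timestamp.$date, operation, status, username) and sample lines are constructed for illustration.

```python
import json

# Log paths as given on this page; each file is local to the node that handled the operation.
AUDIT_LOGS = {
    "/opt/mapr/logs/cldbaudit.log.json": "cldb",  # cluster management, maprlogin, tiering
    "/opt/mapr/mapr-cli-audit-log/audit.log.json": "cli",  # maprcli, REST, Control System actions
    "/opt/mapr/logs/authaudit.log.json": "auth",  # Control System authentication attempts
}

# Constructed sample input, {node: {path: file text}}. Node names, field names and values
# are assumptions for illustration; the page does not show the record layout.
SAMPLE = {
    "node-a": {
        "/opt/mapr/logs/cldbaudit.log.json":
            '{"timestamp":{"$date":"2024-01-01T10:00:05.000Z"},"operation":"volumeOffload","uid":5000,"status":0}\n',
        "/opt/mapr/mapr-cli-audit-log/audit.log.json":
            '{"timestamp":{"$date":"2024-01-01T10:00:04.000Z"},"operation":"volume offload","uid":5000,"status":0}\n',
    },
    "node-b": {
        "/opt/mapr/logs/authaudit.log.json":
            '{"timestamp":{"$date":"2024-01-01T10:00:01.000Z"},"operation":"passwordAuth","username":"alice","status":1}\n'
            '{"timestamp":{"$date":"2024-01-01T10:00:03.0',  # truncated line, e.g. an interrupted write
    },
}

def merge_node_logs(node_logs):
    """Return (records sorted by time, malformed [(node, path, line_no)]) across all nodes."""
    records, malformed = [], []
    for node, files in node_logs.items():
        for path, text in files.items():
            for line_no, line in enumerate(text.splitlines(), 1):
                if not line.strip():
                    continue
                try:
                    rec = json.loads(line)
                    ts = rec["timestamp"]["$date"]
                except (ValueError, KeyError, TypeError):
                    malformed.append((node, path, line_no))  # keep the gap visible
                    continue
                records.append({**rec, "_ts": ts, "_node": node, "_log": AUDIT_LOGS.get(path, "unknown")})
    return sorted(records, key=lambda r: r["_ts"]), malformed

def failures(records):
    """Records with a non-zero status (assumed here to mean a failed operation or login)."""
    return [r for r in records if r.get("status", 0) != 0]

if __name__ == "__main__":
    merged, bad = merge_node_logs(SAMPLE)
    print(*merged, "malformed: %s" % bad, sep="\n")
```

Malformed lines are returned with their node, path and line number rather than dropped, so a truncated or edited file stands out during review.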