Viewing MRS Cluster Audit Logs
The Audit page records user operations on Manager, and administrators can view these records there. For details, see Audit logs.
This section describes how to view and export audit logs on MRS Manager for post-event tracing, locating fault causes, and determining responsibility for security events.
Viewing Audit Logs (MRS 3.x or Later)
- Log in to FusionInsight Manager.
- Choose Audit. The Audit page displays audit information of FusionInsight Manager, including the operation type, risk level, start time, end time, user, host name, service, instance, and operation result.
Figure 1 Audit information list
- You can select audit logs at the Critical, Major, Minor, or Notice level from the All risk levels drop-down list.
- In Advanced Search, you can set filter criteria to query audit logs.
- You can query audit logs by user management, cluster, service, and health in the Operation Type column.
- In the Service column, you can select a service to query corresponding audit logs.
You can select -- to search for audit logs using all other search criteria except services.
- You can query audit logs by operation result. The options are All, Successful, Failed, and Unknown.
- You can click the refresh icon to manually refresh the current page, or click the column icon to choose the columns to display on the page.
- Click Export All to export all audit information at a time, in TXT or CSV format.
Viewing Audit Logs (Versions Earlier Than MRS 3.x)
- On MRS Manager, click Audit and view default audit logs.
- If an audit log contains more than 256 characters, click the expand button to view full audit details.
- By default, records are sorted in descending order by the Occurred column. To change the sorting mode, click Operation Type, Severity, Occurred, User, Host, Service, Instance, or Operation Result.
- You can filter all alarms of the same severity, including both cleared and uncleared alarms, by Severity.
Exported audit log files contain the following columns:
  - Sno: number of audit log files generated by MRS Manager. The number increases by 1 automatically for each new audit log file generated.
  - Operation Type: type of a user operation. The options are Alarm, Auditlog, Backup and Restoration, Cluster, Collect Log, Host, Service, Tenant, and User_Manager. User_Manager is available only for clusters with Kerberos authentication enabled. Each option contains varying operation types. For example, Alarm includes Export alarms; Cluster includes Start cluster; Tenant includes Add tenant.
  - Severity: security level of each audit log file, including Critical, Major, Minor, and Informational.
  - Start Time: time when an operation starts. The time is CET or CEST.
  - End Time: time when an operation ends. The time is CET or CEST.
  - User IP Address: IP address used by a user to perform operations.
  - User: name of the user who performs operations.
  - Host: node where user operations are performed. Host information is not recorded in the log file if operations are not performed on any node.
  - Service: service where user operations are performed. Service information is not recorded in the log file if operations are not performed on any service.
  - Instance: role instance where user operations are performed. Instance information is not recorded in the log file if operations are not performed on any role instance.
  - Operation Result: operation result. The options are Successful, Failed, and Unknown.
  - Content: execution information of the user operation.
- Click Advanced Search. In the search area, set search criteria and click Search to view audit logs of a specified type. Click Reset to clear the search criteria.
Start Time and End Time indicate the start time and end time of a time range. You can search for alarms generated within the time range.
- To export all audit log files in the log list, click Export All.
- To export an audit log file, select it in the log list and click Export.
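For post-event tracing, an exported CSV file can be triaged offline. The script below is an added example, not part of the MRS documentation or tooling: it assumes the CSV header row uses the column names listed above, and the sample rows (timestamp layout, addresses, users, Content values) are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample export. Header names follow the column list above; the
# timestamp layout, addresses, users and Content strings are assumptions.
SAMPLE_EXPORT = """\
Sno,Operation Type,Severity,Start Time,End Time,User IP Address,User,Host,Service,Instance,Operation Result,Content
1,Cluster,Major,2024-03-01 09:00:01,2024-03-01 09:00:40,192.0.2.10,admin,,,,Successful,Start cluster
2,User_Manager,Critical,2024-03-01 09:05:10,2024-03-01 09:05:10,192.0.2.77,opsuser,,,,Failed,constructed content
3,User_Manager,Critical,2024-03-01 09:05:12,2024-03-01 09:05:12,192.0.2.77,opsuser,,,,Failed,constructed content
4,Tenant,Minor,2024-03-01 09:06:00,2024-03-01 09:06:01,192.0.2.77,opsuser,,,,Failed,Add tenant
5,Alarm,Informational,2024-03-01 09:10:00,2024-03-01 09:10:03,192.0.2.10,admin,,,,Successful,Export alarms
6,Auditlog,Major,2024-03-01 09:11:00,2024-03-01 09:11:02,192.0.2.77,opsuser,,,,Unknown,constructed content
"""

def load_rows(text):
    """Parse exported CSV text into dicts keyed by the header row."""
    return [{k.strip(): (v or "").strip() for k, v in row.items() if k}
            for row in csv.DictReader(io.StringIO(text))]

def triage(rows, fail_threshold=3):
    """Return (high_risk_rows, repeat_offenders).

    high_risk_rows: Critical/Major operations that did not succeed.
    repeat_offenders: (user, ip) pairs with >= fail_threshold Failed or
    Unknown results, the pattern worth tracing first after an incident.
    """
    not_ok = [r for r in rows if r["Operation Result"] != "Successful"]
    high_risk = [r for r in not_ok if r["Severity"] in ("Critical", "Major")]
    counts = Counter((r["User"], r["User IP Address"]) for r in not_ok)
    repeat = {k: n for k, n in counts.items() if n >= fail_threshold}
    return high_risk, repeat

if __name__ == "__main__":
    high_risk, repeat = triage(load_rows(SAMPLE_EXPORT))
    for r in high_risk:
        print(r["Sno"], r["Start Time"], r["User"], r["Operation Type"],
              r["Operation Result"])
    for (user, ip), n in repeat.items():
        print(f"{user} from {ip}: {n} failed/unknown operations")
```

Rows with an Unknown result are treated like failures here because their outcome cannot be confirmed from the log alone.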