Configuring Dumping for MRS Cluster Audit Logs

Configuring Audit Log Dumping to an SFTP Server (MRS 3.x or Later)

The audit logs of FusionInsight Manager are stored in the database by default. If the audit logs are retained for a long time, the disk space of the data directory may be insufficient. To store audit logs to another archive server, administrators can set the required dump parameters to automatically dump these logs. This facilitates the management of audit logs.

If you do not configure the audit log dumping, the system automatically saves the audit logs to a file when the number of audit logs reaches 100,000 pieces. The path is ${BIGDATA_DATA_HOME}/dbdata_om/dumpData/iam/operatelog on the active management node. The file name format is OperateLog_store_YY_MM_DD_HH_MM_SS.csv. A maximum of 50 historical audit log files can be saved.

Archived audit logs will not be displayed on FusionInsight Manager. Only new audit logs generated after the old logs are automatically saved are displayed.

1. Log in to FusionInsight Manager.
2. Choose Audit > Configuration.
3. Click the switch on the right of Audit Log Dumping Flag.

   Audit Log Dump is disabled by default. If is displayed, Audit Log Dump is enabled.

4. Set dumping parameters based on Table 1.
   Figure 1 Dumping parameters
   

   Table 1 Audit log dump parameters

   Parameter	Description	Value
   SFTP IP Mode	Mode of the destination IP address. The value can be IPv4 or IPv6.	IPv4
   SFTP IP	SFTP server for storing dumped audit logs. You are advised to use the SFTP service based on SSH v2 to prevent security risks.	192.168.10.51 (example value)
   SFTP Port	Connection port of the SFTP server for storing dumped audit logs	22 (example value)
   Save Path	Path for storing audit logs on the SFTP server	/opt/omm/oms/auditLog (example value)
   SFTP Username	User name for logging in to the SFTP server	root (example value)
   SFTP Password	Password for logging in to the SFTP server	Password for logging in to the SFTP server
   SFTP Public Key	(Optional) Public key of the SFTP server. Set this parameter to the public key of the SFTP server; or, there may be security risks.	-
   Dumping Mode	Dump mode. Value options are as follows: By Quantity: If the number of pieces of logs reaches the value of this parameter (100000 by default), the logs are dumped. By Time: specifies the date when logs are dumped. The dumping frequency is once a year.	By Quantity By Time
   Dumping Date	This parameter is available only when Dumping Mode is set to By time. After you select a dump date, the system starts dumping on this date. The logs to be dumped include all the audit logs generated before January 1 00:00 of the current year.	11-06

   

   If the SFTP public key is empty, the system displays a security risk warning. Evaluate the security risk and then save the configuration.

5. Click OK to complete the settings.
   

   Key fields in the audit log dump file are as follows:

   • USERTYPE indicates the user type. Value 0 indicates a human-machine user, and value 1 indicates a machine-machine user.
   • LOGLEVEL indicates the security level. Value 0 indicates Critical, value 1 indicates Major, value 2 indicates Minor, and value 3 indicates Warning.
   • OPERATERESULT indicates the operation result. Value 0 indicates that the operation is successful, and value 1 indicates that the operation failed.

Configuring Audit Log Dumping to OBS (MRS Versions Earlier Than 3.x)

Storing MRS audit logs in the system may result in insufficient disk space of the data directory. To facilitate audit log management, you can set export parameters to automatically export audit logs to a specified directory on the OBS server.

Audit logs exported to the OBS server include service audit logs and management audit logs.

• Service audit logs are automatically compressed and stored in the /var/log/Bigdata/audit/bk/ directory on the active management node at 03:00:00 every day. Log files are named in the format of <yyyy-MM-dd_HH-mm-ss>.tar.gz. By default, only log files generated within the past seven days are stored, while those generated beyond seven days are automatically deleted.
• Management audit logs are exported to OBS starting from the date of the last export until the current execution date of the export task. When there are 100,000 entries in a management audit log file, the system automatically dumps the first 90,000 entries to a local file and keeps the remaining 10,000 in the database. Dumped log files are saved in the ${BIGDATA_DATA_HOME}/dbdata_om/dumpData/iam/operatelog directory of the active management node, with a file name format of OperateLog_store_YY_MM_DD_HH_MM_SS.csv. A maximum of 50 historical audit log files can be saved.

Prerequisites

• You have obtained the access key ID (AK) and secret access key (SK) of the account.
• A parallel file system has been created in OBS.

Procedure

1. On MRS Manager, choose System.
2. Choose Export Audit Log under Maintenance.

   Table 2 Parameters for exporting audit logs

   Parameter	Value	Description
   Export Audit Log	On Off	(Mandatory) Whether to enable audit log export. The options are: On: Audit log export is enabled. Off: Audit log export is disabled.
   Started	07/24/2017 09:00:00 (example)	(Mandatory) Start time for exporting audit logs.
   Period	1 day (example)	(Mandatory) Interval for exporting audit logs. The interval ranges from 1 to 5 days.
   Bucket	mrs-bucket (example)	(Mandatory) Name of the OBS file system to which audit logs are exported.
   OBS Path	/opt/omm/oms/auditLog (example)	(Mandatory) OBS path to which audit logs are exported.
   AK	XXX (example)	(Mandatory) User's access key ID.
   SK	XXX (example)	(Mandatory) User's secret access key.

   

   Service and management audit log files are stored in service_auditlog and manager_auditlog on OBS, respectively.