Configuring audit logging to a Cassandra table
Set options in dse.yaml if audit logging is enabled and set to output to a Cassandra table.
Set options in dse.yaml if audit logging is enabled and set to output to a Cassandra table.
Installer-Services | /etc/dse/dse.yaml |
Package installations | /etc/dse/dse.yaml |
Installer-No Services | install_location/resources/dse/conf/dse.yaml |
Tarball installations | install_location/resources/dse/conf/dse.yaml |
Package installations | /etc/cassandra/cassandra.yaml |
Tarball installations | install_location/resources/cassandra/conf/cassandra.yaml |
If you've enabled audit logging and set the logger to output to a Cassandra table as described in Configuring and using data auditing you can configure the logger by setting options in dse.yaml.
Audit events are written to the dse_audit.audit_log table. The
logger can be run synchronously or asynchronously. By default, the logger runs
synchronously. The permissions for accessing dse_audit.audit_log
can be managed using the GRANT
or REVOKE
CQL commands.
When run synchronously, an event will not complete until the event has been written to the table. If there is a failure after the event has been written to the table but before the event completed, the log may contain events that were never completed. For example, a query may be logged in the table but it did not successfully complete.
When run asynchronously, audit events are queued for writing to the table, but may not be logged before the event is completed. For example, when logging a query, the query may execute before the audit event is written to the table. A pool of writer threads handles logging audit events from the queue, writing to the table in batch queries. The advantage of writing audit events asynchronously is better performance under load, however if there is a failure before an audit event is written to the table, the audit event may not be logged even though the event has completed.
Procedure
- Open dse.yaml in a text editor.
-
Set the options in the audit_logging_options section.
Option Description cassandra_batch_size
The maximum number of events the writer will dequeue before writing them to the audit table. The default value is 50. Set this option to less than 1 to log events synchronously. If you see warnings about the batches being too large, set this number to a lower number or increase the setting of batch_size_warn_threshold_in_kb
in cassandra.yaml.cassandra_flush_time
The maximum amount of time in milliseconds an event will be dequeued by a writer before being written out. The default value is 500. Set this option to less than 1 to log events synchronously. This option prevents events from waiting too long before being written to the table when there are few audit events occurring. cassandra_num_writers
The number of worker threads asynchronously logging events to the table. The default value is 0. Set this value to less than 1 to log events synchronously. If you want to log events asynchronously, setting this option to 10 is a good starting value. cassandra_queue_size
The size of the queue feeding the asynchronous audit log writer threads. The default value is 10,000. When there are more audit events than the queue can handle, new events will be blocked until there is space in the queue. If this option is set to less than 1, the queue size will be unbounded, which can lead to resource exhaustion under heavy loads. cassandra_dropped_event_log
When running asynchronously, failures may prevent the events in the queue from being written to the table. If this occurs, the events are logged to this file. The default setting is /var/log/cassandra/dropped_audit_events.log. cassandra_keyspace_replication
This section is used to configure how the audit logging table is replicated, has to suboptions: class
andreplication_factor
. By default,class
is set to SimpleStrategy, andreplication_factor
is set to 3.cassandra_table_compression
This section configures the audit logging table's compression, has one suboption: sstable_compression
. By default,sstable_compression
is set to SnappyCompressor.cassandra_table_compaction
This section configures the audit logging table's compaction strategy, and has one suboption: class
. By defaultclass
is set to SizeTieredCompactionStrategy. - Save the file and restart DataStax Enterprise.