Configuring audit logging to a Cassandra table

Set options in dse.yaml if audit logging is enabled and set to output to a Cassandra table.

The location of the dse.yaml file depends on the type of installation:
    Installer-Services: /etc/dse/dse.yaml
    Package installations: /etc/dse/dse.yaml
    Installer-No Services: install_location/resources/dse/conf/dse.yaml
    Tarball installations: install_location/resources/dse/conf/dse.yaml

The location of the cassandra.yaml file depends on the type of installation:
    Package installations: /etc/cassandra/cassandra.yaml
    Tarball installations: install_location/resources/cassandra/conf/cassandra.yaml

If you've enabled audit logging and set the logger to output to a Cassandra table, as described in Configuring and using data auditing, you can configure the logger by setting options in dse.yaml.

Audit events are written to the dse_audit.audit_log table. The logger can be run synchronously or asynchronously. By default, the logger runs synchronously. The permissions for accessing dse_audit.audit_log can be managed using the GRANT or REVOKE CQL commands.

When run synchronously, an event will not complete until the event has been written to the table. If there is a failure after the event has been written to the table but before the event completed, the log may contain events that were never completed. For example, a query may be logged in the table but it did not successfully complete.

When run asynchronously, audit events are queued for writing to the table, but may not be logged before the event is completed. For example, when logging a query, the query may execute before the audit event is written to the table. A pool of writer threads handles logging audit events from the queue, writing to the table in batch queries. The advantage of writing audit events asynchronously is better performance under load. However, if there is a failure before an audit event is written to the table, the audit event may not be logged even though the event has completed.

Procedure

  1. Open dse.yaml in a text editor.
  2. Set the options in the audit_logging_options section.
    Option: Description
    cassandra_batch_size: The maximum number of events the writer will dequeue before writing them to the audit table. The default value is 50. Set this option to less than 1 to log events synchronously. If you see warnings about the batches being too large, lower this value or increase the setting of batch_size_warn_threshold_in_kb in cassandra.yaml.
    cassandra_flush_time: The maximum amount of time in milliseconds an event will be dequeued by a writer before being written out. The default value is 500. Set this option to less than 1 to log events synchronously. This option prevents events from waiting too long before being written to the table when there are few audit events occurring.
    cassandra_num_writers: The number of worker threads asynchronously logging events to the table. The default value is 0. Set this value to less than 1 to log events synchronously. If you want to log events asynchronously, setting this option to 10 is a good starting value.
    cassandra_queue_size: The size of the queue feeding the asynchronous audit log writer threads. The default value is 10,000. When there are more audit events than the queue can handle, new events will be blocked until there is space in the queue. If this option is set to less than 1, the queue size will be unbounded, which can lead to resource exhaustion under heavy loads.
    cassandra_dropped_event_log: When running asynchronously, failures may prevent the events in the queue from being written to the table. If this occurs, the events are logged to this file. The default setting is /var/log/cassandra/dropped_audit_events.log.
    cassandra_keyspace_replication: This section configures how the audit logging table is replicated, and has two suboptions: class and replication_factor. By default, class is set to SimpleStrategy, and replication_factor is set to 3.
    cassandra_table_compression: This section configures the audit logging table's compression, and has one suboption: sstable_compression. By default, sstable_compression is set to SnappyCompressor.
    cassandra_table_compaction: This section configures the audit logging table's compaction strategy, and has one suboption: class. By default, class is set to SizeTieredCompactionStrategy.
  3. Save the file and restart DataStax Enterprise.
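
A pre-restart check of the settings above, as an added example that is not part of the DataStax documentation or tooling: it reads the integer options from the audit_logging_options section and reports whether logging will be synchronous or asynchronous, plus the risks this page attaches to each choice. It takes the page's wording literally (a value below 1 in any of the three options selects synchronous logging); the function names, the sample fragment and `some_other_section` are constructed for illustration.

```python
import re

# Defaults as stated on this page.
DEFAULTS = {"cassandra_batch_size": 50, "cassandra_flush_time": 500,
            "cassandra_num_writers": 0, "cassandra_queue_size": 10000}
# Per the page, a value below 1 in any of these selects synchronous logging.
SYNC_SWITCHES = ("cassandra_batch_size", "cassandra_flush_time",
                 "cassandra_num_writers")

# Constructed sample fragment; some_other_section is a hypothetical name.
CONSTRUCTED_DSE_YAML = """\
audit_logging_options:
    cassandra_num_writers: 10
    cassandra_queue_size: 0   # unbounded
some_other_section:
    cassandra_queue_size: 5
"""


def parse_audit_options(yaml_text):
    """Read integer options under audit_logging_options (line scan, not a YAML parser)."""
    opts, in_section = dict(DEFAULTS), False
    for line in yaml_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():  # a top-level key opens or closes the section
            in_section = line.startswith("audit_logging_options:")
            continue
        m = re.match(r"\s+(\w+):\s*(-?\d+)\s*(#.*)?$", line)
        if in_section and m and m.group(1) in DEFAULTS:
            opts[m.group(1)] = int(m.group(2))
    return opts


def review(opts):
    """Return (mode, findings) using the rules stated on this page."""
    forced_sync = [k for k in SYNC_SWITCHES if opts[k] < 1]
    mode = "sync" if forced_sync else "async"
    findings = []
    if mode == "sync" and opts["cassandra_num_writers"] >= 1:
        findings.append("writers configured, but %s below 1 selects synchronous logging"
                        % ", ".join(forced_sync))
    if mode == "async":
        findings.append("async: an event can complete without being logged if a "
                        "failure occurs; monitor cassandra_dropped_event_log")
        if opts["cassandra_queue_size"] < 1:
            findings.append("cassandra_queue_size below 1: queue is unbounded, "
                            "risk of resource exhaustion under heavy load")
    return mode, findings


if __name__ == "__main__":
    mode, findings = review(parse_audit_options(CONSTRUCTED_DSE_YAML))
    print(mode, *findings, sep="\n- ")
```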