Configuring audit logging to a log4j log file

Configure DataStax Enterprise to log activity to a log4j log file.

Default log4j-appender locations:
  • Installer-Services and Package installations: /etc/dse/cassandra/log4j-server.properties
  • Installer-No Services and Tarball installations: install_location/resources/log4j-appender/log4j-server.properties

You can configure DataStax Enterprise to log activity to a log4j log file. DataStax Enterprise places the audit log in the directory indicated in the log4j-server.properties configuration file. After the file reaches a configurable size threshold, it rolls over, and the file name is changed. The file names include a numerical suffix determined by the maxBackupIndex property.

  • Auditing is configured through a text file in the file system, so the file is vulnerable to OS-level security breaches. You can address this issue by changing DataStax Enterprise's umask setting to change the permissions to 600 on the audit files by default. Be aware that if other tools look at the data, changing this setting can cause read problems. Alternately, you can store the audit file on an OS-level encrypted file system such as Vormetric.

Configuring data auditing

You can configure which categories of audit events should be logged and also whether operations against any specific keyspaces should be omitted from audit logging.

Procedure

  1. Open the log4j-server.properties file in a text editor.
  2. To configure data auditing, set the following properties:
     • log4j.logger.DataAudit: The logging level and the name of the appender for the DataAudit log. The default value is INFO, A.
     • log4j.additivity.DataAudit: Specifies whether messages for the DataAudit logger should also be appended to the root log. By default this is set to false, so nothing is logged to the root logger and all messages go only to the A appender.
     • log4j.appender.A: The type of log for the A appender. The default value is org.apache.log4j.RollingFileAppender.
     • log4j.appender.A.File: The location of the log file for the A appender. The default value is /var/log/cassandra/audit.log.
     • log4j.appender.A.bufferedIO: Specifies whether the A log should use buffered IO, which improves performance but means entries are not written in real time. The default value is true.
     • log4j.appender.A.maxFileSize: The maximum size of the A log file before it is archived and a new file is created. The default value is 200 MB.
     • log4j.appender.A.maxBackupIndex: The maximum number of archived copies of the log file. The default value is 5.
     • log4j.appender.A.layout: The log4j layout class to use for the log file. The default value is org.apache.log4j.PatternLayout.
     • log4j.appender.A.layout.ConversionPattern: The pattern to use for messages in the output file. The default value is %m%n, which adds a new line after each message.
    The Log4J audit logger logs at INFO level, so the DataAudit logger must be configured at INFO (or lower) level in log4j-server.properties. Setting the logger to a higher level, such as WARN, prevents any log events from being recorded, but it does not completely disable the data auditing. Some overhead occurs beyond that caused by regular processing.
  3. Restart the node to see changes in the log.

Example

The audit log section of the log4j-server.properties by default looks like this:

log4j.logger.DataAudit=INFO, A
log4j.additivity.DataAudit=false
log4j.appender.A=org.apache.log4j.RollingFileAppender
log4j.appender.A.File=/var/log/cassandra/audit.log
log4j.appender.A.bufferedIO=true
log4j.appender.A.maxFileSize=200MB
log4j.appender.A.maxBackupIndex=5
log4j.appender.A.layout=org.apache.log4j.PatternLayout
log4j.appender.A.layout.ConversionPattern=%m%n
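As an added example (not part of the DataStax documentation), the following Python checker parses the audit section of log4j-server.properties and flags the settings this page calls out: a DataAudit level above INFO (which records no audit events), additivity left enabled, bufferedIO (entries not written in real time), and an audit file whose permissions are wider than 600. The sample properties text, the function names and the level ordering list are constructed for this example.

```python
import os
import stat

# Constructed sample mirroring the default audit section of log4j-server.properties.
SAMPLE_PROPERTIES = """\
log4j.logger.DataAudit=INFO, A
log4j.additivity.DataAudit=false
log4j.appender.A=org.apache.log4j.RollingFileAppender
log4j.appender.A.File=/var/log/cassandra/audit.log
log4j.appender.A.bufferedIO=true
log4j.appender.A.maxFileSize=200MB
log4j.appender.A.maxBackupIndex=5
"""

# log4j level ordering, lowest to highest. The audit logger emits at INFO,
# so any DataAudit level above INFO silently records nothing.
LEVELS = ["ALL", "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "OFF"]


def parse_properties(text):
    """Parse key=value lines; '#' and '!' start comments (Java .properties rules)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_file_mode(path):
    """Return st_mode of the audit log, or None if the file does not exist yet."""
    return os.stat(path).st_mode if os.path.exists(path) else None


def check_audit_config(props, file_mode=None):
    """Return a list of findings for the DataAudit section of the properties.
    file_mode is the st_mode of the audit log (see audit_file_mode), or None."""
    findings = []
    level = props.get("log4j.logger.DataAudit", "").split(",")[0].strip().upper()
    if level not in LEVELS or LEVELS.index(level) > LEVELS.index("INFO"):
        findings.append("DataAudit level %r is above INFO: no audit events are recorded" % level)
    if props.get("log4j.additivity.DataAudit", "").lower() != "false":
        findings.append("additivity is not false: audit events also go to the root log")
    if props.get("log4j.appender.A.bufferedIO", "").lower() == "true":
        findings.append("bufferedIO=true: entries are not written in real time")
    if file_mode is not None and stat.S_IMODE(file_mode) & 0o077:
        findings.append("audit log is readable by group/other: expected mode 600")
    return findings
```

Run it against the default section shown above and the only finding is the bufferedIO note; pass the real file's mode from audit_file_mode to also verify the 600 permission the umask change is meant to produce.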