Configuring and using data auditing
Enable logging for the audit logger on the node that is set up for logging. Logs provide detailed audit trails of cluster activity.
The audit logger logs information only on nodes set up for logging. For example, node 0 has audit turned on, node 1 does not. This means issuing updates and other commands on node 1 does not affect the node 0 audit log. For maximum information from data auditing, turn on data auditing on every node.
Audit logs can be written to filesystem log files using logback, or to a Cassandra table. When you turn on audit logging, the default is to write to logback filesystem log files.
For simple installations, logging to logback files is typically easier than logging audit data to a Cassandra tables. The log files can be read from a terminal for troubleshooting queries or managing security. However, larger clusters can make logback audit logs cumbersome. Because the log files grow extremely large, it's difficult to analyze all the messages. Additionally, the format of the logback files are not flexible. Moreover, because the node's log files are local, it is difficult to find out what is happening across the cluster.
As your cluster scales up, logging audit data to a Cassandra table is more useful. The data can be queried like any other table, making analysis easier and custom audit reports possible.
Audit logging of queries and prepared statements submitted to the DataStax drivers, which use the CQL binary protocol, is supported.
When using audit logging with Kerberos authentication, the login events take place on Kerberos and are not logged in DataStax Enterprise. Authentication history is available only on Kerberos. When DataStax Enterprise is unable to authenticate a client with Kerberos, a LOGIN_ERROR event is logged.
When using audit logging with Cassandra native protocol authentication, the login events take place as part of connection negotiation and are not logged in DataStax Enterprise.
Procedure
Example
The following example sets the audit logger to log to a Cassandra table.
# Audit logging options
audit_logging_options:
enabled: true
logger: CassandraAuditWriter