Configuring audit logging to a Cassandra table

Steps to configure audit logging to output to a Cassandra table.

If you've enabled audit logging and set the logger to output to a Cassandra table as described in Enabling data auditing in DataStax Enterprise, you can configure the logger by setting options in dse.yaml.

Audit events are written to the dse_audit.audit_log table. The default compaction strategy for the dse_audit.audit_log table is 'TimeWindowCompactionStrategy' (TWCS). DataStax recommends changing the compaction strategy for tables that were created before DataStax Enterprise 4.8.0:
ALTER TABLE dse_audit.audit_log WITH COMPACTION={'class':'TimeWindowCompactionStrategy'};

The logger can be run synchronously or asynchronously. By default, the logger runs synchronously.

Use the GRANT or REVOKE CQL commands to manage the permissions for accessing the dse_audit.audit_log table.

When run synchronously, an event does not complete until the event has been written to the table. If there is a failure after the event has been written to the table but before the event completed, the log may contain events that were never completed. For example, a query may be logged in the table but it did not successfully complete.

When run asynchronously, audit events are queued for writing to the table, but may not be logged before the event is completed. For example, when logging a query, the query may execute before the audit event is written to the table. A pool of writer threads handles logging audit events from the queue, writing to the table in batch queries. The advantage of writing audit events asynchronously is better performance under load, however if there is a failure before an audit event is written to the table, the audit event may not be logged even though the event has completed.

Procedure

  1. Open dse.yaml in a text editor.
    The location of the dse.yaml file depends on the type of installation:
    Installer-Services /etc/dse/dse.yaml
    Package installations /etc/dse/dse.yaml
    Installer-No Services install_location/resources/dse/conf/dse.yaml
    Tarball installations install_location/resources/dse/conf/dse.yaml
    The location of the cassandra.yaml file depends on the type of installation:
    Installer-Services /etc/dse/cassandra/cassandra.yaml
    Package installations /etc/dse/cassandra/cassandra.yaml
    Installer-No Services install_location/resources/cassandra/conf/cassandra.yaml
    Tarball installations install_location/resources/cassandra/conf/cassandra.yaml
  2. Set these audit_logging_options:
    cassandra_audit_writer_options
    Logging to a Cassandra table can provide a more centralized auditing view. Configuration options for the CassandraAuditWriter.
    cassandra_audit_writer_options:
        mode: sync
        batch_size: 50
        flush_time: 500
        num_writers: 10
        queue_size: 10000
        write_consistency: QUORUM
        dropped_event_log: /var/log/cassandra/dropped_audit_events.log
  3. Save the file and restart DataStax Enterprise.