Configuring audit logging to a database table

Steps to configure audit logging to output to a database table.

If you've enabled audit logging and set the logger to output to a database table as described in Enabling data auditing in DataStax Enterprise, you can configure the logger by setting options in dse.yaml.

Audit events are written to the dse_audit.audit_log table. The default compaction strategy for the dse_audit.audit_log table is TimeWindowCompactionStrategy (TWCS). DataStax recommends changing the compaction strategy for tables that were created before DataStax Enterprise 4.8.0:
ALTER TABLE dse_audit.audit_log WITH COMPACTION={'class':'TimeWindowCompactionStrategy'};

The logger can be run synchronously or asynchronously. By default, the logger runs synchronously.

Use the GRANT or REVOKE CQL commands to manage the permissions for accessing the dse_audit.audit_log table.

When run synchronously, an event does not complete until the event has been written to the table. If there is a failure after the event has been written to the table but before the event completed, the log may contain events that were never completed. For example, a query may be logged in the table but it did not successfully complete.

When run asynchronously, audit events are queued for writing to the table, but may not be logged before the event is completed. For example, when logging a query, the query may execute before the audit event is written to the table. A pool of writer threads handles logging audit events from the queue, writing to the table in batch queries. The advantage of writing audit events asynchronously is better performance under load, however if there is a failure before an audit event is written to the table, the audit event may not be logged even though the event has completed.

Procedure

  1. Open dse.yaml in a text editor.

    dse.yaml

    The location of the dse.yaml file depends on the type of installation:

    Package installations
    Installer-Services installations

    /etc/dse/dse.yaml

    Tarball installations
    Installer-No Services installations

    installation_location/resources/dse/conf/dse.yaml

    cassandra.yaml

    The location of the cassandra.yaml file depends on the type of installation:

    Package installations
    Installer-Services installations

    /etc/dse/cassandra/cassandra.yaml

    Tarball installations
    Installer-No Services installations

    installation_location/resources/cassandra/conf/cassandra.yaml
  2. Set these audit_logging_options:
    cassandra_audit_writer_options
    Configuration options for CassandraAuditWriter.
    cassandra_audit_writer_options:
        mode: sync
        batch_size: 50
        flush_time: 500
        num_writers: 10
        queue_size: 10000
        write_consistency: QUORUM
        dropped_event_log: /var/log/cassandra/dropped_audit_events.log
  3. Save the file and restart DataStax Enterprise.