Configuring audit logging to a database table
If you’ve enabled audit logging and set the logger to output to a database table as described in Enabling data auditing in DataStax Enterprise, you can configure the logger by setting options in dse.yaml.
Audit events are written to the dse_audit.audit_log table. The default compaction strategy for the dse_audit.audit_log table is TimeWindowCompactionStrategy (TWCS). DataStax recommends changing the compaction strategy for tables that were created before DataStax Enterprise 4.8.0:
ALTER TABLE dse_audit.audit_log WITH COMPACTION={'class':'TimeWindowCompactionStrategy'};
The logger can be run synchronously or asynchronously. By default, the logger runs synchronously.
Use the GRANT or REVOKE CQL commands to manage the permissions for accessing the dse_audit.audit_log table.
When run synchronously, an event does not complete until the event has been written to the table. If there is a failure after the event has been written to the table but before the event completed, the log may contain events that were never completed. For example, a query may be logged in the table even though it did not complete successfully.
When run asynchronously, audit events are queued for writing to the table, but may not be logged before the event is completed. For example, when logging a query, the query may execute before the audit event is written to the table. A pool of writer threads handles logging audit events from the queue, writing to the table in batch queries. The advantage of writing audit events asynchronously is better performance under load. However, if there is a failure before an audit event is written to the table, the audit event may not be logged even though the event has completed.
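The two failure modes described above, as a small model added here for illustration (it is not DataStax code). The function names and sample operations are constructed, and only batch-size flushing is modelled, not the flush timer or the writer thread pool.

```python
# Toy model of the two logger modes (constructed example, not DSE code).
from collections import deque


def run_sync(ops, table, crash_at=None):
    """Sync: the audit row is written before the operation may complete."""
    completed = []
    for i, op in enumerate(ops):
        table.append(op)                 # blocking write to the audit table
        if i == crash_at:                # failure after the write, before completion
            return completed
        completed.append(op)
    return completed


def run_async(ops, table, batch_size, crash_at=None):
    """Async: operations complete at once; queued events are written in batches."""
    queue, completed = deque(), []
    for i, op in enumerate(ops):
        queue.append(op)                 # event queued, not yet in the table
        completed.append(op)             # operation does not wait for the write
        if i == crash_at:                # failure: whatever is still queued is lost
            return completed
        if len(queue) >= batch_size:     # writer flushes a full batch
            table.extend(queue)
            queue.clear()
    table.extend(queue)                  # clean shutdown: remaining events flushed
    return completed


def audit_gaps(completed, table):
    """Return (logged but never completed, completed but never logged)."""
    return ([op for op in table if op not in completed],
            [op for op in completed if op not in table])


if __name__ == "__main__":
    ops = [f"q{i}" for i in range(7)]    # constructed sample operations
    sync_table, async_table = [], []
    print("sync :", audit_gaps(run_sync(ops, sync_table, crash_at=3), sync_table))
    print("async:", audit_gaps(run_async(ops, async_table, 3, crash_at=4), async_table))
```

In the sync run the table holds one event that never completed; in the async run two completed operations have no audit row, which is the gap to account for when the audit log is used as evidence.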
Procedure
- Open dse.yaml in a text editor.
- Set these audit_logging_options:
  - cassandra_audit_writer_options
    Configuration options for CassandraAuditWriter.

    cassandra_audit_writer_options:
        mode: sync
        batch_size: 50
        flush_time: 500
        num_writers: 10
        queue_size: 10000
        write_consistency: QUORUM
        # dropped_event_log: /var/log/cassandra/dropped_audit_events.log
        # day_partition_millis: 3600000

- Save the file and restart DataStax Enterprise.
- CassandraAuditWriter table columns
  When logging audit data to a database table using the CassandraAuditWriter logger, the audit data is stored in the dse_audit.audit_log table.