Filtering event categories
Configure which categories to capture in the audit_logging_options
section of the dse.yaml
file.
The location of the dse.yaml
configuration file depends on the type of installation:
-
Package installations:
/etc/dse/dse.yaml
-
Tarball installations:
<installation_location>/resources/dse/conf/dse.yaml
audit_logging_options:
enabled: true
logger: <logger_name>
# included_categories:
# excluded_categories:
where <logger_name>
is SLF4JAuditWriter
or CassandraAuditWriter
.
Category types
By default, DataStax Enterprise captures all event categories when auditing is enabled, and the following parameters are commented out.
Use either the included_categories
or excluded_categories
parameter to limit which categories are captured.
-
included_categories
- Includes only listed categories; excludes all others. -
excluded_categories
- Excludes listed categories; includes all others.
Audit logging event categories and types
All events have both a category and a type.
A type usually maps directly to a CQL
command.
The following list shows all the types in each category.
Data Definition Language (DDL)
DDL (Data Definition Language) logs the following database schema changes:
Event category | CQL or dsetool commands |
---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Data Manipulation Language (DML)
DML (Data Manipulation Language) logs the following database data changes:
Event category | CQL command |
---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
DataStax driver prepared statement, such as Java - Prepared Statement |
|
|
|
|
|
Data Control Language (DCL)
DCL (Data Control Language) logs the following database control, or role or permission changes:
Event category | CQL command |
---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
QUERY
QUERY logs the following data retrieval events:
Event type | CQL or other command |
---|---|
|
|
|
SELECT statement filtered by the Search index. |
|
Calls to a table using the graph traversal instance ( |
|
Remote Procedure Call (RPC) statement. |
ADMIN
ADMIN logs the following backup and restore events:
Event type | CQL command or other information |
---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
AUTH
AUTH logs the following authentication and authorization events:
Event type | CQLSH command |
---|---|
|
Successful login attempt. LOGIN and login requests sent from DataStax drivers. |
|
Failed login attempt. |
|
Unauthorized access attempt. |
Messages not captured by DataStax Enterprise (DSE) include:
|
ERROR
ERROR logs the following error events:
Event type | Information |
---|---|
ERROR |
Logs |
REQUEST_FAILURE |
Logs failed requests. |
UNKNOWN
UNKNOWN logs the following unknown events:
Event type | Information |
---|---|
|
Logs unknown events. |
Example
Include only data retrieval and manipulation events:
audit_logging_options:
enabled: true
logger: SLF4JAuditWriter
included_categories: QUERY, DDL, AUTH
# excluded_categories: