Enabling Audit Logging to a Table

Use the CassandraAuditWriter logger to record all database activity that happens on the local node to the dse_audit.audit_log table. Events from all nodes are captured in the same table, allowing you to easily create reports that include multiple nodes.

Using the table option provides a centralized location for all events across the cluster. Secure the table with DataStax role-based access control (RBAC), see Assigning permissions and Transparent Data Encryption (TDE), see Encrypting tables.


To capture events to the dse_audit.audit_log table:

  1. Locate the dse.yaml configuration file. The location of this file depends on the type of installation:

    • Package installations: /etc/dse/dse.yaml

    • Tarball installations: <installation_location>/resources/dse/conf/dse.yaml

  2. Set the audit_logging_options in the dse.yaml file:

        enabled: true
        logger: CassandraAuditWriter
    #    included_categories:
    #    excluded_categories:
    #    included_keyspaces:
    #    excluded_keyspaces:
    #    included_roles:
    #    excluded_roles:
        retention_time: 12
            mode: sync
            batch_size: 50
            flush_time: 250
            queue_size: 30000
            write_consistency: QUORUM
    #         dropped_event_log: /var/log/cassandra/dropped_audit_events.log
    #         day_partition_millis: 3600000
    • enabled: true - Turns on logging after the next start up.

    • logger: CassandraAuditWriter - Logger name.

    • retention_time: 12 - Number of hours to set the TTL (time-to-live) on the dse_audit.audit_log table. Use this setting to automatically expire data. The default is 0 (disabled).

    • Customize the cassandra_audit_writer_options parameters as required (the default are shown above).

      The audit_log table has the following settings:

      DESC TABLE dse_audit.audit_log
      CREATE TABLE dse_audit.audit_log (
          date timestamp,
          node inet,
          day_partition int,
          event_time timeuuid,
          authenticated text,
          batch_id uuid,
          category text,
          consistency text,
          keyspace_name text,
          operation text,
          source text,
          table_name text,
          type text,
          username text,
          PRIMARY KEY ((date, node, day_partition), event_time)
      ) WITH CLUSTERING ORDER BY (event_time ASC)
          AND bloom_filter_fp_chance = 0.01
          AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'}
          AND comment = ''
          AND compaction = {'class': 'org.apache.cassandra.db.compaction.TimeWindowCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'}
          AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'}
          AND crc_check_chance = 1.0
          AND default_time_to_live = 0
          AND gc_grace_seconds = 7776000
          AND max_index_interval = 2048
          AND memtable_flush_period_in_ms = 3600000
          AND min_index_interval = 128
          AND nodesync = {'enabled': 'true'}
          AND speculative_retry = '99PERCENTILE';
  3. Optional: By default, NodeSync is diabled for the audit_log table. To use NodeSync in order to maintain data consistency, enable it.

    ALTER TABLE dse_audit.audit_log WITH
    nodesync = { 'enabled' : true };
  4. Set the keyspace replication strategy to NetworkTopologyStrategy and set a replication factor for each datacenter in the cluster where auditing is enabled:

    replication = {
                   'class': 'NetworkTopologyStrategy',
                   'datacenter1' : 2,
                   'datacenter2' : 1   };
  5. Force data replication to the newly added datacenters using one of the following methods:

    • If NodeSync is enabled:

      nodesync -cu <user_name> -cp <password> \
      validation submit dse_audit.audit_log

      where <user_name> is an internal login role name or LDAP/Kerberos with permission to access the CQL table.

    • If NodeSync is disabled:

      nodetool repair dse_audit audit_log

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com