Untitled | Hyper-Converged Database

Enable audit logging to a table

Use the CassandraAuditWriter logger to record all database activity that happens on the local node to the hcd_audit.audit_log table. Events from all nodes are captured in the same table, allowing you to easily create reports that include multiple nodes.

Using the table option provides a centralized location for all events across the cluster. Secure the table with DataStax role-based access control (RBAC), see Role-based access control and Transparent Data Encryption (TDE), see Encrypting tables.

Procedure

To capture events to the hcd_audit.audit_log table:

Locate the cassandra.yaml configuration file.

The location of this file depends on your installation type.
- Package installations
- Tarball installations
/etc/hcd/cassandra/cassandra.yaml
INSTALLATION_LOCATION/resources/cassandra/conf/cassandra.yaml
Replace INSTALLATION_LOCATION with the path where you extracted the HCD tarball.

Set the audit_logging_options in the cassandra.yaml file:

audit_logging_options:
    enabled: true
    logger:
      - class_name: CassandraAuditWriter
#    included_categories:
#    excluded_categories:
#    included_keyspaces:
#    excluded_keyspaces:
#    included_roles:
#    excluded_roles:
    retention_time: 12

    cassandra_audit_writer_options:
        mode: sync
        batch_size: 50
        flush_time: 250
        queue_size: 30000
        write_consistency: QUORUM
#         dropped_event_log: /var/log/cassandra/dropped_audit_events.log
#         day_partition_millis: 3600000

enabled: true: Turns on logging after the next start up.
logger: CassandraAuditWriter: Logger name.
retention_time: 12: Number of hours to set the TTL (time-to-live) on the hcd_audit.audit_log table. Use this setting to automatically expire data. The default is 0 (disabled).

Customize the cassandra_audit_writer_options parameters as required (the default are shown above).

The audit_log table has the following settings:

DESC TABLE hcd_audit.audit_log

CREATE TABLE hcd_audit.audit_log (
    date timestamp,
    node inet,
    day_partition int,
    event_time timeuuid,
    authenticated text,
    batch_id uuid,
    category text,
    consistency text,
    keyspace_name text,
    operation text,
    source text,
    table_name text,
    type text,
    username text,
    PRIMARY KEY ((date, node, day_partition), event_time)
) WITH CLUSTERING ORDER BY (event_time ASC)
    AND bloom_filter_fp_chance = 0.01
    AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'}
    AND comment = ''
    AND compaction = {'class': 'org.apache.cassandra.db.compaction.TimeWindowCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'}
    AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'}
    AND crc_check_chance = 1.0
    AND default_time_to_live = 0
    AND gc_grace_seconds = 7776000
    AND max_index_interval = 2048
    AND memtable_flush_period_in_ms = 3600000
    AND min_index_interval = 128
    AND speculative_retry = '99PERCENTILE';

Set the keyspace replication strategy to NetworkTopologyStrategy and set a replication factor for each datacenter in the cluster where auditing is enabled:

ALTER KEYSPACE hcd_audit WITH
replication = {
               'class': 'NetworkTopologyStrategy',
               'datacenter1' : 2,
               'datacenter2' : 1   };

Force data replication to the newly added datacenters:
```
nodetool repair hcd_audit audit_log
```

Enable audit logging to a table

Procedure

Was this helpful?

Give Feedback