Enable audit logging to a table
Use the CassandraAuditWriter logger to record all database activity that happens on the local node to the hcd_audit.audit_log table.
Events from all nodes are captured in the same table, allowing you to easily create reports that include multiple nodes.
Using the table option provides a centralized location for all events across the cluster. Secure the table with DataStax role-based access control (RBAC) (see Role-based access control) and Transparent Data Encryption (TDE) (see Encrypting tables).
Procedure
To capture events to the hcd_audit.audit_log table:
- Locate the cassandra.yaml configuration file. The location of this file depends on your installation type.
  - Package installations: /etc/hcd/cassandra/cassandra.yaml
  - Tarball installations: INSTALLATION_LOCATION/resources/cassandra/conf/cassandra.yaml
    Replace INSTALLATION_LOCATION with the path where you extracted the HCD tarball.
- Set the audit_logging_options in the cassandra.yaml file:

      audit_logging_options:
        enabled: true
        logger:
          - class_name: CassandraAuditWriter
        # included_categories:
        # excluded_categories:
        # included_keyspaces:
        # excluded_keyspaces:
        # included_roles:
        # excluded_roles:
        retention_time: 12
        cassandra_audit_writer_options:
          mode: sync
          batch_size: 50
          flush_time: 250
          queue_size: 30000
          write_consistency: QUORUM
          # dropped_event_log: /var/log/cassandra/dropped_audit_events.log
          # day_partition_millis: 3600000

  - enabled: true
    Turns on logging after the next start up.
  - logger: CassandraAuditWriter
    Logger name.
  - retention_time: 12
    Number of hours to set the TTL (time-to-live) on the hcd_audit.audit_log table. Use this setting to automatically expire data. The default is 0 (disabled).
  - Customize the cassandra_audit_writer_options parameters as required (the defaults are shown above).

  The audit_log table has the following settings:

      DESC TABLE hcd_audit.audit_log;

      CREATE TABLE hcd_audit.audit_log (
          date timestamp,
          node inet,
          day_partition int,
          event_time timeuuid,
          authenticated text,
          batch_id uuid,
          category text,
          consistency text,
          keyspace_name text,
          operation text,
          source text,
          table_name text,
          type text,
          username text,
          PRIMARY KEY ((date, node, day_partition), event_time)
      ) WITH CLUSTERING ORDER BY (event_time ASC)
          AND bloom_filter_fp_chance = 0.01
          AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'}
          AND comment = ''
          AND compaction = {'class': 'org.apache.cassandra.db.compaction.TimeWindowCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'}
          AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'}
          AND crc_check_chance = 1.0
          AND default_time_to_live = 0
          AND gc_grace_seconds = 7776000
          AND max_index_interval = 2048
          AND memtable_flush_period_in_ms = 3600000
          AND min_index_interval = 128
          AND speculative_retry = '99PERCENTILE';
- Set the keyspace replication strategy to NetworkTopologyStrategy and set a replication factor for each datacenter in the cluster where auditing is enabled:

      ALTER KEYSPACE hcd_audit WITH replication = {
          'class': 'NetworkTopologyStrategy',
          'datacenter1' : 2,
          'datacenter2' : 1
      };
- Force data replication to the newly added datacenters:

      nodetool repair hcd_audit audit_log
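
Because the audit_log primary key shown in the procedure is ((date, node, day_partition), event_time), a report that covers several nodes needs one single-partition query per key. The following Python is an added example, not code from HCD or its documentation; it assumes that date is midnight UTC of the event day and that day_partition is the offset into that day divided by day_partition_millis, and the node addresses are constructed.

```python
from datetime import datetime, timedelta, timezone

# Columns and key layout come from the hcd_audit.audit_log definition above.
AUDIT_QUERY = (
    "SELECT event_time, node, username, category, operation, keyspace_name, table_name "
    "FROM hcd_audit.audit_log WHERE date = ? AND node = ? AND day_partition = ?"
)
DAY_PARTITION_MILLIS = 3_600_000  # day_partition_millis from the cassandra.yaml above
MS = timedelta(milliseconds=1)


def partition_keys(start, end, nodes, bucket_ms=DAY_PARTITION_MILLIS):
    """List every (date, node, day_partition) key that can hold events in [start, end].

    Assumption (not stated on the page): date is midnight UTC of the event day and
    day_partition is the millisecond offset into that day divided by bucket_ms.
    """
    if start.tzinfo is None or end.tzinfo is None:
        raise ValueError("use timezone-aware datetimes")
    start, end = start.astimezone(timezone.utc), end.astimezone(timezone.utc)
    if end < start:
        raise ValueError("end precedes start")
    keys = []
    day = start.replace(hour=0, minute=0, second=0, microsecond=0)
    while day <= end:
        lo = max(start, day)                         # clamp the window to this day
        hi = min(end, day + timedelta(days=1) - MS)
        first = ((lo - day) // MS) // bucket_ms
        last = ((hi - day) // MS) // bucket_ms
        for bucket in range(first, last + 1):
            keys.extend((day, node, bucket) for node in nodes)
        day += timedelta(days=1)
    return keys


def audit_queries(start, end, nodes):
    """Pair the single-partition SELECT with the bind values for each key."""
    return [(AUDIT_QUERY, key) for key in partition_keys(start, end, nodes)]


if __name__ == "__main__":
    # Constructed sample: two node addresses and a window that crosses midnight UTC.
    window = (datetime(2024, 5, 1, 23, 30, tzinfo=timezone.utc),
              datetime(2024, 5, 2, 0, 10, tzinfo=timezone.utc))
    for cql, params in audit_queries(*window, ["10.0.0.1", "10.0.0.2"]):
        print(cql, params)
```

Each tuple holds the statement text and the values to bind to it as a prepared statement; rows outside the exact window are trimmed on event_time after the read.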