Enable audit logging to a table
Use the CassandraAuditWriter logger to record all database activity that happens on the local node to the hcd_audit.audit_log table.
Events from all nodes are captured in the same table, allowing you to easily create reports that include multiple nodes.
Using the table option provides a centralized location for all events across the cluster. Secure the table with DataStax role-based access control (RBAC), see Role-based access control and Transparent Data Encryption (TDE), see Encrypting tables.
Procedure
To capture events to the hcd_audit.audit_log table:
-
Locate the
cassandra.yamlconfiguration file.The location of this file depends on your installation type.
-
Package installations
-
Tarball installations
/etc/hcd/cassandra/cassandra.yamlINSTALLATION_LOCATION/resources/cassandra/conf/cassandra.yamlReplace INSTALLATION_LOCATION with the path where you extracted the HCD tarball.
-
-
Set the
audit_logging_optionsin thecassandra.yamlfile:audit_logging_options: enabled: true logger: - class_name: CassandraAuditWriter # included_categories: # excluded_categories: # included_keyspaces: # excluded_keyspaces: # included_roles: # excluded_roles: retention_time: 12 cassandra_audit_writer_options: mode: sync batch_size: 50 flush_time: 250 queue_size: 30000 write_consistency: QUORUM # dropped_event_log: /var/log/cassandra/dropped_audit_events.log # day_partition_millis: 3600000-
enabled: true: Turns on logging after the next start up. -
logger: CassandraAuditWriter: Logger name. -
retention_time: 12: Number of hours to set the TTL (time-to-live) on thehcd_audit.audit_logtable. Use this setting to automatically expire data. The default is 0 (disabled). -
Customize the
cassandra_audit_writer_optionsparameters as required (the default are shown above).The
audit_logtable has the following settings:DESC TABLE hcd_audit.audit_log CREATE TABLE hcd_audit.audit_log ( date timestamp, node inet, day_partition int, event_time timeuuid, authenticated text, batch_id uuid, category text, consistency text, keyspace_name text, operation text, source text, table_name text, type text, username text, PRIMARY KEY ((date, node, day_partition), event_time) ) WITH CLUSTERING ORDER BY (event_time ASC) AND bloom_filter_fp_chance = 0.01 AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'} AND comment = '' AND compaction = {'class': 'org.apache.cassandra.db.compaction.TimeWindowCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'} AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'} AND crc_check_chance = 1.0 AND default_time_to_live = 0 AND gc_grace_seconds = 7776000 AND max_index_interval = 2048 AND memtable_flush_period_in_ms = 3600000 AND min_index_interval = 128 AND nodesync = {'enabled': 'true'} AND speculative_retry = '99PERCENTILE';
-
-
Optional: By default,
NodeSyncis disabled for theaudit_logtable. To useNodeSyncin order to maintain data consistency, enable it.ALTER TABLE hcd_audit.audit_log WITH nodesync = { 'enabled' : true }; -
Set the keyspace replication strategy to
NetworkTopologyStrategyand set a replication factor for each datacenter in the cluster where auditing is enabled:ALTER KEYSPACE hcd_audit WITH replication = { 'class': 'NetworkTopologyStrategy', 'datacenter1' : 2, 'datacenter2' : 1 }; -
Force data replication to the newly added datacenters using one of the following methods:
-
If
NodeSyncis enabled:nodesync -cu <user_name> -cp <password> \ validation submit hcd_audit.audit_logwhere
<user_name>is an internal login role name or LDAP/Kerberos with permission to access theCQLtable. -
If
NodeSyncis disabled:nodetool repair hcd_audit audit_log
-
