Configuring audit logging to a database table

Steps to configure audit logging to output to a database table.

If you've enabled audit logging and set the logger to output to a database table as described in Enabling data auditing in DataStax Enterprise, you can configure the logger by setting options in dse.yaml.

Audit events are written to the dse_audit.audit_log table. The default compaction strategy for the dse_audit.audit_log table is TimeWindowCompactionStrategy (TWCS). DataStax recommends changing the compaction strategy for tables that were created before DataStax Enterprise 4.8.0:
ALTER TABLE dse_audit.audit_log WITH COMPACTION={'class':'TimeWindowCompactionStrategy'};

The logger can be run synchronously or asynchronously. By default, the logger runs synchronously.

Use the GRANT or REVOKE CQL commands to manage the permissions for accessing the dse_audit.audit_log table.

When run synchronously, an event does not complete until the event has been written to the table. If there is a failure after the event has been written to the table but before the event completed, the log may contain events that were never completed. For example, a query may be logged in the table but it did not successfully complete.

When run asynchronously, audit events are queued for writing to the table, but may not be logged before the event is completed. For example, when logging a query, the query may execute before the audit event is written to the table. A pool of writer threads handles logging audit events from the queue, writing to the table in batch queries. The advantage of writing audit events asynchronously is better performance under load, however if there is a failure before an audit event is written to the table, the audit event may not be logged even though the event has completed.

dse.yaml

The location of the dse.yaml file depends on the type of installation:

Package installations
Installer-Services installations

/etc/dse/dse.yaml

Tarball installations
Installer-No Services installations

installation_location/resources/dse/conf/dse.yaml

Procedure

  1. Open dse.yaml in a text editor.
  2. Set these audit_logging_options:
    cassandra_audit_writer_options
    Configuration options for CassandraAuditWriter.
    cassandra_audit_writer_options:
        mode: sync
        batch_size: 50
        flush_time: 500
        num_writers: 10
        queue_size: 10000
        write_consistency: QUORUM
        # dropped_event_log: /var/log/cassandra/dropped_audit_events.log
        # day_partition_millis: 3600000
  3. Save the file and restart DataStax Enterprise.