Managing audit logs

Use metadata configuration to manage the DSE Advanced Replication replication load audit logs.

DSE Advanced Replication provides replication audit logging and commands to manage the audit logs with metadata configuration. Audit logs are stored on the source cluster and are handled by the audit log analyzer (AuditLogAnalyzer). The audit log analyzer reads the log files, including audit log files in GZIP (.gz) format, that might be incomplete because they are still being written or they were improperly closed. The audit log analyzer identifies the list of files which match the template that is defined with the audit_log_file configuration key and that have exceeded the maximum time interval since they were written to. Purging is based on these criteria.

Global settings apply to the entire source cluster. These global settings are stored in the CQL table dse_system.advrep_source_config that is automatically created. To define configuration keys to change global settings, use the dse advrep conf update command. The audit log files are read/write (RW) only for the file owner, with no permissions for other users.
Note: The time stamp for all writes is UTC (Universal Time Coordinated ).

Procedure

  1. Enable replication audit logging:
    dse advrep conf update --audit-log-enabled true
  2. The default base audit log directory is /var/lib/cassandra/advrep/auditlog. To define a different directory for storing audit log files:
    dse advrep conf update --audit-log-file /tmp/auditAdvRep
    If the configured audit log file is a relative path, then the log files be placed in the default base directory. If the configured audit log file is an absolute path, then that path is used.
  3. To compress the audit log output using the gzip file format:
    dse advrep conf update --audit-log-compression GZIP --audit-log-file /tmp/auditAdvRep/myaudit.gz
    The default value is NONE for compression. If .gz is not appended to the audit log filename in the command, it will be appended to the created files. Compressed audit log files will remain locked until rotated out; the active file cannot be opened.
  4. Specify the time interval to rotate the audit log file. On rotation, the rotated file is appended with the log counter .[logcounter], incrementing from [0]. To disable rotation, set to 0.
    dse advrep conf update --audit-log-rotate-mins 120
    For example, the compressed file from the last step can be uncompressed after rotating out to /tmp/auditAdvRep/myaudit.[0].gz.
  5. Specify the maximum lifetime of audit log files.
    After audit log files are rotated, they are periodically purged when the log files:
    • Match the audit log file
    • And have not been written to for more than the specified maximum lifespan minutes

    To disable purging, set to 0.

    dse advrep conf update --audit-log-max-life-span-mins 120
  6. Restart the node to enable the changes.
    When logging is enabled, log files that would be overwritten are moved to a subdirectory in the log directory. The subdirectory is named archive_x, where x increments from 0 until an unused directory is identified and created.