Viewing and Filtering Audit Events

The Audits page displays audit events that have occurred within a time range you select anywhere in your cluster.

To view the Audits page, click the Audits tab in the Cloudera Manager menu bar or from a service, role, or host instance.

Audits List

Audit entries are ordered (within the time range you've selected) with the most recent at the top.

The Audits tab lets you see the actions that have been taken for a Service or Role instance, and what user performed them. The audit history includes actions such as creating a role or service, making configuration revisions for a role or service, and running commands.

To view the Audit history for a Service:

  1. Click the Services tab on the top navigation bar, then choose the service you want to see.
  2. Click the Audits tab on the Services navigation bar.

To view the Audit history for a Role:

  1. Click the Services tab on the top navigation bar, then choose the service you want to see.
  2. Click the Instances tab on the Services navigation bar to show the list of role instances.
  3. Select the Role whose audit history you want to see.
  4. Click the Audits tab on the navigation bar for the role.

The Audit History provides the following information:

  • Context: The service or role and host affected by the action.
  • Message: What action was taken.
  • Date: Date and time that the action was taken.
  • By User: The user name of the user that performed the action.

The audit history does not track the progress or results of commands it sees (such as starting or stopping a service or creating a directory for a service) — it just notes the command that was executed and the user who executed it. If you want to view the progress or results of a command, you can look at Recent Commands under the Commands tab.

If no actions were taken during the selected time range, you can click the Try expanding the time range selection link. Each time you click the link it doubles the time range selection. If you are in the "current time" mode, the beginning time will move; if you are looking at a time range in the past, both the beginning and ending times of the range are changed. You can also change the time range using the Time Range Selector or the Custom Time Range panel (see Time Line).

Filtering Audit Events

You filter audit events by adding filters and selecting a time range.

You can use the Time Range Selector or a time range link () to set the time range for your search. (See Selecting a Time Range for details). Note that the time it takes to perform a search will typically increase for a longer time range, as the number of events to be searched will be larger.

Adding Filters

  • Click the icon that displays next to a property when you hover in one of the event entries. A filter containing the property and its value is added to the list of filters at the left and Cloudera Manager redisplays all events that match the filter.
  • Click the Add Filter to the left of the log. A filter control is added to the list of filters.
    1. Choose an audit event property in the property drop-down list. You can search by properties such as Username, Service, Command, or Role. The actual properties may vary depending on the service or role you are looking at.
    2. If the property allows it, choose an operator in the operator drop-down list.
    3. Type an audit property value in the value text field. Note that for some properties, where the list of values is finite and known, you can start typing and then select from a list of potential matches. For some properties you can include multiple values in the value field. For example, you can create a filter like "SERVICE = HBASE1, HDFS1". Multiple values for a single filter property are combined using OR (that is, SERVICE = HBASE1 OR HDFS1).
    4. Click Add Another to add additional filter components. A filter containing the property and its value is added to the list of filters at the left. Multiple filters are combined using AND – for example, SERVICE = HBASE1 AND USERNAME = admin)
    5. Click Search. The log displays all events that match the filter criteria.

Removing a Filter

  1. Click the at the right of the filter. The filter is removed and the audit log redisplays all events that match the remaining filters.

Modifying a Filter

  1. Click the filter. The filter expands into separate property, operator, and value fields.
  2. Modify the value of one or more fields.
  3. Click Search. A filter containing the property, operation, and value is added to the list of filters at the left and the audit log redisplays all events that match the modified set of filters.