Ranger audit
Ranger uses Solr to store audit logs and to implement a user interface for searching through them. The default configuration for Ranger audit in Solr uses a shared Solr instance provided by the ADPS bundle. Make sure that the Solr host has enough memory, CPU and disk capacity.
NOTE
Solr must be installed and configured before installing Ranger Admin.
- To authorize as Ranger admin, enter the administrative credentials and click Sign In.
  Log in to Ranger
- To manage audit policies in Ranger, open the Ranger console. Then, go to the Audit page.


The Audit section includes the following tabs:
- Access
- Admin
- Login Sessions
- Plugins
- Plugin Status
- User Sync
Access tab
The Access tab provides the service activity data for all policies that have audit enabled. The default service policy is configured to log all user activity. This default policy does not contain the user and group access rules.


You can filter the data based on the criteria listed in the table below.
Search criteria | Description |
---|---|
Access Enforcer | Search by access enforcer name |
Access Type | Search by access type like |
Agent Host Name | Hostname of the agent |
Application | Application name |
Client IP | Search by IP address that was used to access the resources |
Cluster Name | Name of the cluster |
Start Date | Filters results for a particular date range |
End Date | Filters results for a particular date range |
Exclude User | Name of the user |
Resource Name | Search by resource name |
Resource Type | Search by resource type based on component (for example, path in HDFS, database, table in Hive) |
Result | Search by access result (Allowed/Denied logs) |
Service Name | Name of the service that the user tries to access |
Service Type | Type of the service that the user tries to access |
Tags | Tag name |
User | Name of the user who tries to access the resource |
Zone Name | Name of the Zone |
NOTE
Wildcards (for example, * or ? ) are not currently supported in search queries.
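An added example, not part of the original page or of Ranger's own code: it applies the Access tab criteria to exported audit records and flags user and client IP pairs with repeated Denied results. The record field names, the 1/0 encoding of Result and the sample rows are assumptions constructed for illustration; values are matched literally, in line with the note that wildcards are not supported.

```python
from collections import Counter
from datetime import datetime

# Constructed sample rows: (time, user, client IP, service, resource, access, result).
ROWS = [
    ("2024-03-01 09:00:05", "alice", "10.0.0.5", "hdfs_prod", "/data/finance", "read", 0),
    ("2024-03-01 09:00:09", "alice", "10.0.0.5", "hdfs_prod", "/data/finance/q1", "read", 0),
    ("2024-03-01 09:01:30", "alice", "10.0.0.5", "hdfs_prod", "/data/hr", "read", 0),
    ("2024-03-01 09:02:00", "bob", "10.0.0.7", "hdfs_prod", "/data/public", "read", 1),
    ("2024-03-01 09:05:00", "bob", "10.0.0.7", "hive_prod", "sales/orders", "select", 0),
    ("2024-03-02 11:00:00", "alice", "10.0.0.5", "hdfs_prod", "/data/public", "write", 1),
]
# Record field names are assumptions modeled on Ranger's JSON audit layout.
KEYS = ("evtTime", "reqUser", "cliIP", "repo", "resource", "access", "result")
SAMPLE = [dict(zip(KEYS, row)) for row in ROWS]

# Access tab criterion -> record field (assumed mapping for this example).
FIELDS = {"User": "reqUser", "Client IP": "cliIP", "Service Name": "repo",
          "Resource Name": "resource", "Access Type": "access"}
RESULT = {1: "Allowed", 0: "Denied"}  # assumed numeric encoding of Result
TS = "%Y-%m-%d %H:%M:%S"


def filter_access(records, criteria=None, result=None, exclude_user=None,
                  start=None, end=None):
    """Apply Access tab style filters; values are literal, exact matches."""
    wanted = {FIELDS[name]: value for name, value in (criteria or {}).items()}
    lo = datetime.strptime(start, TS) if start else datetime.min
    hi = datetime.strptime(end, TS) if end else datetime.max
    kept = []
    for rec in records:
        if not lo <= datetime.strptime(rec["evtTime"], TS) <= hi:
            continue
        if exclude_user is not None and rec["reqUser"] == exclude_user:
            continue
        if result is not None and RESULT[rec["result"]] != result:
            continue
        if all(rec.get(field) == value for field, value in wanted.items()):
            kept.append(rec)
    return kept


def repeated_denials(records, threshold=3):
    """Return {(user, client IP): count} for pairs with >= threshold denials."""
    denied = filter_access(records, result="Denied")
    counts = Counter((rec["reqUser"], rec["cliIP"]) for rec in denied)
    return {pair: n for pair, n in counts.items() if n >= threshold}
```

Because matching is literal, a Resource Name of `/data/finance` does not return `/data/finance/q1`, and `/data/*` returns nothing.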
Admin tab
The Admin tab contains all events for security audit. The events include service, service manager, login events, and actions such as creating, updating, deleting, and changing a password.


You can filter the data based on the criteria listed in the table below.
Search criteria | Description |
---|---|
Actions | Filter logs by the following actions: |
Audit Type | Filter by the following types: |
Start Date | Login time and date are stored for each session. A date range is used to filter the results for a particular time span |
End Date | Login time and date are stored for each session. A date range is used to filter the results for a particular time span |
Session ID | The session count increments each time you try to log in to the system |
User | Name of the user who has performed either create, update, or delete operation |
Login Sessions tab
The Login Sessions tab displays information related to user sessions for each login.


You can filter the data based on the criteria listed in the table below.
Search criteria | Description |
---|---|
Login ID | Name of the user who tried to access the system |
Session ID | The session count increments every time the user tries to log in to the system |
Start Date | Specifies that results should be filtered based on a specific start date |
End Date | Specifies that results should be filtered based on a specific end date |
Login Type | The mode through which the user tries to log in (by entering username and password) |
IP | The IP address that the user utilized for login |
User Agent | The browser or library version used to log in for the specific event (e.g. Mozilla, Java, Python) |
Result | The result of the login attempt. Possible results are: |
Plugins tab
The Plugins tab shows the upload history and the Security Agents status. This tab displays all the services exported from the system.


You can filter the data based on the criteria listed in the table below.
Search criteria | Description |
---|---|
Cluster Name | Filter by the cluster name |
Plugin IP | IP address of the agent that tried to export the service |
Plugin ID | Name of the agent that tried to export the service |
Start Date | Specifies that results should be filtered based on a specific start date for each agent |
End Date | Specifies that results should be filtered based on a specific end date for each agent |
HTTP Response Code | HTTP code returned when trying to export the service |
Service Name | The name of the service that was exported |
Plugin Status tab
The Plugin Status tab shows policies effective for each plugin. The tab includes relevant host information and the time when the plugin was downloaded and started enforcing the policies.


You can filter the data based on the criteria listed in the table below.
Search criteria | Description |
---|---|
Application | Application name |
Cluster Name | Filter by the cluster name |
Host Name | Name of the host; can be FQDN |
Plugin IP | IP address of the agent that uses the plugin |
Service Name | Name of the service that contains the policies |
Service Type | Filter by the service type |
User Sync tab
The User Sync tab provides service activity data for all usersync processes in Ranger. This creates a compliance/audit trail for users and groups synchronized with each run of usersync.


You can filter the data based on the criteria listed in the table below.
Search criteria | Description |
---|---|
Start Date | Filters results for a particular date range |
End Date | Filters results for a particular date range |
User Name | Name of the user who tried to access the resource |
Sync Source | Filter by file, LDAP/AD, or Unix |