Enabling Audit Logging for HDFS and Solr
The Ranger service lets you enable audit logging to HDFS and/or Solr databases, which makes audit data easier to maintain and query once it grows to a significant amount.
To enable auditing for HDFS, perform the steps listed below.
- Set the XAAUDIT.HDFS.ENABLE value to "true" for the component plug-in in the install.properties file, which can be found here: /usr/hdp/<version>/ranger-<component>-plugin
- Configure the NameNode host in the XAAUDIT.HDFS.HDFS_DIR field.
- Create a policy in the HDFS service from the Ranger Admin for individual component users (hive/hbase/knox/storm/yarn/kafka/kms) to provide READ and WRITE permissions for the audit folder. For example, to enable the Hive component to log audits to HDFS, create a policy for the hive user with READ and WRITE permissions for the audit directory.
- Audit to HDFS caches logs in a local directory, which is specified in XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY (for example, /var/log/<component>/**). This is the path where the audit is stored for a short time. This is similar for archive logs that need to be updated.
To enable auditing reporting from the Solr database, perform the steps listed below.
- Modify the following properties in the Ranger service install.properties to enable auditing to the Solr database in Ranger:
  - audit_store=solr
  - audit_solr_urls=http://solr_host:6083/solr/ranger_audits
  - audit_solr_user=ranger_solr
  - audit_solr_password=NONE
- Restart Ranger. 
To enable auditing to the Solr database for a plug-in (e.g., HBase), perform the steps listed below.
- Set the following properties in install.properties of the plug-in to begin audit logging to the Solr database:
  - XAAUDIT.SOLR.IS.ENABLED=true
  - XAAUDIT.SOLR.ENABLE=true
  - XAAUDIT.SOLR.URL=http://solr_host:6083/solr/ranger_audits
  - XAAUDIT.SOLR.USER=ranger_solr
  - XAAUDIT.SOLR.PASSWORD=NONE
  - XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/hadoop/hdfs/audit/solr/spool
- Enable the Ranger HBase plug-in. 
- Restart the HBase component. 
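A pre-restart check for the plug-in steps above, as an added example that is not part of the original page or of Ranger itself: it parses a plug-in install.properties, flags lines that lack the `=` separator, and reports any enabled audit destination whose companion properties are missing. The function names, the sample file contents and the `hdfs://namenode_host:8020/ranger/audit` value are assumptions made for illustration.

```python
# Added example: lint a Ranger plug-in install.properties for the audit
# properties named on this page. SAMPLE below is constructed, not real output.
REQUIRED = {
    "XAAUDIT.HDFS.ENABLE": ["XAAUDIT.HDFS.HDFS_DIR", "XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY"],
    "XAAUDIT.SOLR.ENABLE": ["XAAUDIT.SOLR.URL", "XAAUDIT.SOLR.USER", "XAAUDIT.SOLR.FILE_SPOOL_DIR"],
}

def parse_properties(text):
    """Return (props, malformed): key=value pairs and lines lacking '='."""
    props, malformed = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            malformed.append((lineno, line))
            continue
        props[key.strip()] = value.strip()
    return props, malformed

def lint_audit_config(text):
    """Return a list of findings for the audit destinations that are enabled."""
    props, malformed = parse_properties(text)
    findings = [f"line {n}: malformed, no '=' separator: {l}"
                for n, l in malformed]
    for switch, needed in REQUIRED.items():
        if props.get(switch, "").lower() == "true":
            for key in needed:
                if not props.get(key):
                    findings.append(f"{switch}=true but {key} is missing or empty")
    url = props.get("XAAUDIT.SOLR.URL", "")
    if url.startswith("http://"):
        findings.append("XAAUDIT.SOLR.URL uses http://, audit events travel unencrypted")
    return findings

SAMPLE = """\
XAAUDIT.HDFS.ENABLE=true
XAAUDIT.HDFS.HDFS_DIR=hdfs://namenode_host:8020/ranger/audit
XAAUDIT.SOLR.ENABLE=true
XAAUDIT.SOLR.URL=http://solr_host:6083/solr/ranger_audits
XAAUDIT.SOLR.USER-ranger_solr
XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/hadoop/hdfs/audit/solr/spool
"""

if __name__ == "__main__":
    for finding in lint_audit_config(SAMPLE):
        print(finding)
```

Run it against the real file before enabling the plug-in and restarting the component, so a mistyped property does not leave a component running without an audit trail.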

