Writing Ranger Audit Logs for Hive

You can write Ranger audit logs to a plain text file on the Hive cluster’s coordinator node by configuring the settings described in the following section.

Perform the following steps for a Hadoop (Hive) cluster:

Note

The steps are the same for every Hive version except the last step, where you check the log file.

  1. Make the following changes in /usr/lib/hive1.2/conf/ranger-hive-audit.xml.

    <!-- Log4j audit provider configuration -->
    <property>
        <name>xasecure.audit.log4j.is.enabled</name>
        <value>true</value>
    </property>
    <property>
        <name>xasecure.audit.destination.log4j</name>
        <value>true</value>
    </property>
    <property>
        <name>xasecure.audit.destination.log4j.logger</name>
        <value>xaaudit</value>
    </property>
    
  2. Make the following changes in /usr/lib/hive1.2/conf/hive-log4j2.properties:

    1. Add the appender to the list of appenders.

      # list of all appenders
      appenders = console, FILE, ..., RANGERAUDIT
      
    2. Add the following after the end of the file appender block.

      # RANGERAUDIT appender
      appender.RANGERAUDIT.type=file
      appender.RANGERAUDIT.name=RANGERAUDIT
      appender.RANGERAUDIT.fileName=${sys:hive.log.dir}/ranger-audit.log
      appender.RANGERAUDIT.filePermissions=rwxrwxrwx
      appender.RANGERAUDIT.layout.type=PatternLayout
      appender.RANGERAUDIT.layout.pattern=%d{ISO8601} %q %5p [%t] %c{2} (%F:%M(%L)) - %m%n
      
    3. Add the logger to the list of loggers.

      # list of all loggers
      loggers = HadoopIPC, ....., HiveMetaStore.audit, Ranger
      
    4. Add the following before the root logger properties, that is, after the logger.ObjectStore block near the end of the file.

      logger.Ranger.name = xaaudit
      logger.Ranger.level = INFO
      logger.Ranger.appenderRefs = RANGERAUDIT
      logger.Ranger.appenderRef.RANGERAUDIT.ref = RANGERAUDIT
      
  3. Restart HiveServer2 by running these commands so that the above configuration takes effect.

    sudo monit stop hs2
    sudo monit start hs2
    
  4. After restarting HiveServer2, the audit information is written to /media/ephemeral0/logs/<hive version>/ranger-audit.log, as illustrated below.

    [root@ip-10-136-233-168 conf]# ls -lrt /media/ephemeral0/logs/<hive version>/
    total 704
    -rwxrwxrwx 1 root     root      33168 Apr  2 09:20 hive_ms.log
    -rwxrwxrwx 1 ec2-user ec2-user   2315 Apr  2 09:42 ranger-audit.log
    -rwxrwxrwx 1 ec2-user ec2-user 673675 Apr  2 10:06 hive.log
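
The listing above shows ranger-audit.log created with mode rwxrwxrwx, as set by filePermissions in step 2, which lets any local account that can reach the log directory alter or truncate the audit trail. The following shell lint is an added example, not part of the original page: it checks a hive-log4j2.properties file for the step 2 wiring and flags group- or other-writable filePermissions. The sample file contents, the function names and the comparison value rw-r----- are assumptions made for illustration.

```shell
# Added example, not from the original page: lint hive-log4j2.properties (step 2).
# prop FILE KEY -> trimmed value of KEY (last definition wins, comment lines skipped)
prop() {
    awk -v k="$2" '
        /^[ \t]*#/ || !index($0, "=") { next }
        { key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key) }
        key == k { v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v) }
        END { print v }' "$1"
}
# in_list LIST NAME -> 0 when NAME is an element of the comma-separated LIST
in_list() {
    printf '%s\n' "$1" | tr -d ' \t' | tr ',' '\n' | grep -qxF -- "$2"
}

# check_ranger_audit FILE -> 0 ok, 1 wiring incomplete, 2 wired but log writable by group/other
check_ranger_audit() {
    cfg=$1; rc=0
    in_list "$(prop "$cfg" appenders)" RANGERAUDIT || { echo "MISSING: RANGERAUDIT in appenders"; rc=1; }
    in_list "$(prop "$cfg" loggers)" Ranger || { echo "MISSING: Ranger in loggers"; rc=1; }
    [ "$(prop "$cfg" logger.Ranger.name)" = xaaudit ] || { echo "MISSING: logger.Ranger.name=xaaudit"; rc=1; }
    [ "$(prop "$cfg" logger.Ranger.appenderRef.RANGERAUDIT.ref)" = RANGERAUDIT ] || { echo "MISSING: appenderRef"; rc=1; }
    perms=$(prop "$cfg" appender.RANGERAUDIT.filePermissions)
    case $perms in   # rwxrwxrwx layout: character 5 = group write, character 8 = other write
        ????w????|???????w?)
            echo "WEAK: audit log created as $perms, non-owners can alter or truncate it"
            if [ "$rc" -eq 0 ]; then rc=2; fi ;;
    esac
    return "$rc"
}

# write_sample FILE PERMS -> constructed properties file using the page's key names
write_sample() {
    cat > "$1" <<EOF
# constructed sample, not a real cluster file
appenders = console, FILE, RANGERAUDIT
appender.RANGERAUDIT.filePermissions=$2
loggers = HadoopIPC, HiveMetaStore.audit, Ranger
logger.Ranger.name = xaaudit
logger.Ranger.appenderRefs = RANGERAUDIT
logger.Ranger.appenderRef.RANGERAUDIT.ref = RANGERAUDIT
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp/page.properties" rwxrwxrwx    # value shown on the page
write_sample "$tmp/tight.properties" rw-r-----   # assumed tighter value, for comparison
for f in "$tmp"/*.properties; do check_ranger_audit "$f" || echo "$f -> exit $?"; done
rm -rf "$tmp"
```

Whether a tighter mode is workable depends on which accounts must read the file on the coordinator node; the lint only reports what the appender is configured to create.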