Auditing events on the gateway are informational, the default auditing level is informational (INFO) and it cannot be changed.
The Audit logs located at
/var/log/knox/gateway-audit.log
have the following structure:
EVENT_PUBLISHING_TIME ROOT_REQUEST_ID|PARENT_REQUEST_ID|REQUEST_ID|LOGGER_NAME|TARGET_SERVICE_NAME|USER_NAME|PROXY_USER_NAME|SYSTEM_USER_NAME|ACTION|RESOURCE_TYPE|RESOURCE_NAME|OUTCOME|LOGGING_MESSAGE
where:
EVENT_PUBLISHING_TIME: contains the timestamp when record was written.ROOT_REQUEST_ID: Reserved, the field is empty.PARENT_REQUEST_ID: Reserved, the field is empty.REQUEST_ID: contains a unique value representing the request.LOGGER_NAME: contains the logger name. For exampleaudit.TARGET_SERVICE_NAME: contains the name of Hadoop service. Empty indicates that the audit record is not linked to a Hadoop service. For example, an audit record for topology deployment.USER_NAME: contains the ID of the user who initiated session with Knox Gateway.PROXY_USER_NAME: contains the effective user name.SYSTEM_USER_NAME: Reserved, field is empty.ACTION: contains the executed action type. The value is either authentication, authorization, redeploy, deploy, undeploy, identity-mapping, dispatch, or access.RESOURCE_TYPEcontains the resource type of the action. The value is eitheruri,topology, orprincipal.RESOURCE_NAME: contains the process name of the resource. For example,topologyshows the inbound or dispatch request path andprincipalshows the name of mapped user.OUTCOMEcontains the action results,success,failure, orunavailable.LOGGING_MESSAGEcontains additional tracking information, such as the HTTP status code.
