Auditing events on the gateway are informational. The default auditing level is informational (INFO) and it cannot be changed.
The Audit logs located at
/var/log/knox/gateway-audit.log
have the following structure:
EVENT_PUBLISHING_TIME ROOT_REQUEST_ID|PARENT_REQUEST_ID|REQUEST_ID|LOGGER_NAME|TARGET_SERVICE_NAME|USER_NAME|PROXY_USER_NAME|SYSTEM_USER_NAME|ACTION|RESOURCE_TYPE|RESOURCE_NAME|OUTCOME|LOGGING_MESSAGE
where:
EVENT_PUBLISHING_TIME
: contains the timestamp when record was written.

ROOT_REQUEST_ID
: Reserved, the field is empty.

PARENT_REQUEST_ID
: Reserved, the field is empty.

REQUEST_ID
: contains a unique value representing the request.

LOGGER_NAME
: contains the logger name. For example, audit.

TARGET_SERVICE_NAME
: contains the name of Hadoop service. Empty indicates that the audit record is not linked to a Hadoop service. For example, an audit record for topology deployment.

USER_NAME
: contains the ID of the user who initiated session with Knox Gateway.

PROXY_USER_NAME
: contains the effective user name.

SYSTEM_USER_NAME
: Reserved, field is empty.

ACTION
: contains the executed action type. The value is either authentication, authorization, redeploy, deploy, undeploy, identity-mapping, dispatch, or access.

RESOURCE_TYPE
: contains the resource type of the action. The value is either uri, topology, or principal.

RESOURCE_NAME
: contains the process name of the resource. For example, topology shows the inbound or dispatch request path and principal shows the name of mapped user.

OUTCOME
: contains the action results, success, failure, or unavailable.

LOGGING_MESSAGE
: contains additional tracking information, such as the HTTP status code.
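
The following parser for the record structure above is an added example, not code from the Knox project. It rejects lines whose ACTION, RESOURCE_TYPE or OUTCOME fall outside the documented values and tallies failures per user; the sample lines, their timestamp layout, request IDs and messages are constructed, and the function names are hypothetical.

```python
from collections import Counter

# Pipe-separated fields that follow EVENT_PUBLISHING_TIME, in documented order.
FIELDS = ("root_request_id", "parent_request_id", "request_id", "logger_name",
          "target_service_name", "user_name", "proxy_user_name",
          "system_user_name", "action", "resource_type", "resource_name",
          "outcome", "logging_message")
ACTIONS = {"authentication", "authorization", "redeploy", "deploy", "undeploy",
           "identity-mapping", "dispatch", "access"}
RESOURCE_TYPES = {"uri", "topology", "principal"}
OUTCOMES = {"success", "failure", "unavailable"}


def parse_audit_line(line):
    """Return a dict of the documented fields, or None if the line does not fit."""
    # maxsplit keeps any further '|' characters inside LOGGING_MESSAGE.
    parts = line.rstrip("\n").split("|", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        return None
    # First chunk is "EVENT_PUBLISHING_TIME ROOT_REQUEST_ID"; the timestamp may
    # itself contain spaces (assumption), so split on the last space only.
    timestamp, _, parts[0] = parts[0].rpartition(" ")
    record = dict(zip(FIELDS, parts), event_publishing_time=timestamp)
    if (record["action"] not in ACTIONS or record["outcome"] not in OUTCOMES
            or record["resource_type"] not in RESOURCE_TYPES):
        return None  # shifted fields or unknown value: do not trust the record
    return record


def failures_by_user(lines):
    """Count OUTCOME=failure per (USER_NAME, ACTION) and count rejected lines."""
    counts, rejected = Counter(), 0
    for line in lines:
        record = parse_audit_line(line)
        if record is None:
            rejected += 1
        elif record["outcome"] == "failure":
            counts[(record["user_name"], record["action"])] += 1
    return counts, rejected


# Constructed sample lines; real records are read from gateway-audit.log.
SAMPLE = [
    "24/01/15 10:00:00 |||audit|||||deploy|topology|sandbox|unavailable|",
    "24/01/15 10:02:11 ||req-0001|audit|WEBHDFS|alice|||authentication|uri|/gateway/sandbox/webhdfs/v1/tmp|success|",
    "24/01/15 10:02:40 ||req-0002|audit|WEBHDFS|bob|||authentication|uri|/gateway/sandbox/webhdfs/v1/tmp|failure|status 401",
    "24/01/15 10:02:41 ||req-0003|audit|WEBHDFS|bob|||authentication|uri|/gateway/sandbox/webhdfs/v1/tmp|failure|status 401",
    "not an audit record",
]
```

A non-zero rejected count is worth reviewing by hand, since those lines did not match the documented structure.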