Troubleshoot Using Ranger Audit Logs
Pulse enables you to view, search, and analyze Ranger audit logs for security, access monitoring, and compliance purposes.
These logs capture activities related to authorization and policy enforcement, helping you detect unauthorized access or unusual operations across your cluster.
Access Ranger Audit Logs
- In the Pulse UI, select Logs from the left navigation bar.
- Click the Ranger Audit tab.
- On the Ranger Logs page, set the time range: select Today, Last 12 Hours, Last 3 Months, or define a custom period, then click Apply.
The Ranger Audit logs appear on the screen.
Features and Functionality
Search Logs
On the Logs > Ranger Audit page, select a search type:
Standard Search: Use built-in filters to quickly search logs by the following fields:
- Timestamp, Host Name, Resource Type, Event Time, Resource, Component, Action, Request Data, Client Type, Client IP, Result, Agent Host, Cluster Name, Log File Path
Elastic QS Search: Use Elastic Query Syntax (QS) to create search queries.
In the search bar, enter your query, and Pulse displays the matching logs within the selected time range.
Best practices:
- Use exact values for accurate results.
- Combine multiple parameters to refine your search.
- For guidelines and examples of standard search queries, see Search and Analyse Records.
- For guidelines and examples of Elastic Search queries, see Sample Elasticsearch Queries for Searching Logs.
Filter Logs
On the Logs > Ranger Audit page, apply filters to refine the logs displayed:
- Service, Host, or Log Level: Focus on specific components.
- Command (CMD): Filter logs by executed commands.
- Protocol (Proto): Filter by network protocol.
- Allowed: Select True or False to see allowed or denied operations.
- Time Range: Choose a preset range or define a custom period.
- Multiple Filters: Apply multiple filters simultaneously.
Filtered logs update automatically in visualizations and detailed message panels.
Visual Log Insights
On the Logs > Ranger Audit page, Pulse provides interactive visualizations for trend analysis:
- Time Histograms: View logs over time by severity or service.
Visualizations update automatically when filters or search queries are applied.
Detailed Log Messages
On the Logs > Ranger Audit page, review full details of Ranger audit events:
- Message Details: View log time, UGI, command, source, destination, permissions, allowed status, IP, protocol, caller context, service, and host.
- View in Context: See related logs before and after a selected event for full context.
- Copy Messages: Copy logs to the clipboard for reporting, offline analysis, or troubleshooting.
- Search Messages: Enter keywords to quickly find specific log messages.
Detailed messages update automatically as you apply filters or search queries, helping you troubleshoot issues efficiently.
For more details about the log messages, see Ranger Audit Logs.
Group and Export Logs
On the Logs > Ranger Audit page, organize and export Ranger audit logs for structured analysis:
- Group Logs: Group by Trace, “Level or Severity”, or Host to identify patterns efficiently.
- Export Logs: Download logs in .xlsx or .logs format. You can specify the number of rows to download.
Grouped and exported logs reflect applied filters and search queries, ensuring you capture relevant data effectively.