Follow below steps to get Hdfs authorization logs monitoring running
/usr/hdp/2.2.4.2-2/kafka/bin/kafka-topics.sh --create --topic sandbox_hbase_audit_log --partitions 2 --replication-factor 1 --zookeeper localhost:2181
/usr/hdp/2.2.4.2-2/kafka/bin/kafka-console-consumer.sh --topic sandbox_hbase_audit_log --zookeeper sandbox.hortonworks.com:2181
download logstash 2.3.x
input { file { type => "hbase-auditlog" path => "/var/log/hbase/SecurityAuth.audit" start_position => end sincedb_path => "/var/log/logstash/hbase-auditlog-sincedb" } } output { if [type] == "hbase-auditlog" { kafka { codec => plain { format => "%{message}" } bootstrap_servers => "sandbox.hortonworks.com:6667" topic_id => "sandbox_hbase_audit_log" acks => "0" timeout_ms => 10000 retries => 3 retry_backoff_ms => 100 batch_size => 16384 send_buffer_bytes => 131072 client_id => "hbase-auditlog" } # stdout { codec => rubydebug } } }
bin/logstash -f hbase-auditlog.conf
/usr/hdp/2.2.4.2-2/kafka/bin/kafka-topics.sh --create --topic sandbox_hbase_audit_log_parsed --partitions 2 --replication-factor 1 --zookeeper localhost:2181
/usr/hdp/2.2.4.2-2/kafka/bin/kafka-console-consumer.sh --topic sandbox_hbase_audit_log_parsed --zookeeper sandbox.hortonworks.com:2181
find eagle-webservice project, run it
find org.apache.eagle.security.hbase.HBaseAuditLogMonitoringMain, run it
find org.apache.eagle.alert.engine.UnitTopologyMain, run it
/usr/hdp/2.2.4.2-2/kafka/bin/kafka-console-producer.sh --topic sandbox_hbase_audit_log --broker-list sandbox.hortonworks.com:6667
/usr/hdp/2.2.4.2-2/kafka/bin/kafka-console-producer.sh --topic sandbox_hbase_audit_log_parsed --broker-list sandbox.hortonworks.com:6667