Follow the steps below to get HDFS authorization log monitoring running:
# Create the Kafka topic that receives the raw HDFS auth log lines
# (2 partitions, replication factor 1: no broker redundancy).
/usr/hdp/2.2.4.2-2/kafka/bin/kafka-topics.sh --create \
  --topic sandbox_hdfs_auth_log \
  --partitions 2 \
  --replication-factor 1 \
  --zookeeper localhost:2181

# Watch the topic from the console to confirm that log lines arrive.
# This runs in the foreground, so keep it in its own terminal.
/usr/hdp/2.2.4.2-2/kafka/bin/kafka-console-consumer.sh \
  --topic sandbox_hdfs_auth_log \
  --zookeeper sandbox.hortonworks.com:2181
Download Logstash 2.3.x and save the following configuration as hdfs-authlog.conf:
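# hdfs-authlog.conf: tail the HDFS security audit log and forward each line to Kafka.
# Keep one setting per line: on a single line, the "#" before the stdout output
# would also comment out the closing braces and break the config.
input {
  file {
    type => "hdfs-authlog"
    # The account running Logstash needs read access to this audit log (and nothing more).
    path => "/var/log/hadoop/hdfs/SecurityAuth.audit"
    # Begin at the end of the file on first read; lines already present are not shipped.
    start_position => end
    # Read offset is persisted here so a restart resumes where it left off.
    sincedb_path => "/var/log/logstash/hdfs-authlog-sincedb"
  }
}

output {
  if [type] == "hdfs-authlog" {
    kafka {
      # Publish the original log line unchanged instead of a serialized event.
      codec => plain {
        format => "%{message}"
      }
      # No TLS or authentication settings are configured here, so audit lines reach
      # the broker in cleartext; keep this to the sandbox or secure the broker connection.
      bootstrap_servers => "sandbox.hortonworks.com:6667"
      topic_id => "sandbox_hdfs_auth_log"
      # acks "0": the producer does not wait for a broker acknowledgement, so a lost
      # send goes unnoticed and the retries setting below has no effect. Fine for the
      # sandbox; where audit records must not be dropped, use "1" or "all".
      acks => "0"
      timeout_ms => 10000
      retries => 3
      retry_backoff_ms => 100
      batch_size => 16384
      send_buffer_bytes => 131072
      client_id => "hdfs-authlog"
    }
    # Uncomment to print each event to the console while debugging.
    # stdout { codec => rubydebug }
  }
}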
# Start Logstash with the pipeline config file hdfs-authlog.conf.
# The relative paths assume the current directory is the Logstash install
# directory and that hdfs-authlog.conf is located there.
bin/logstash -f hdfs-authlog.conf
# Create the Kafka topic for parsed auth log events
# (presumably written by HdfsAuthLogMonitoringMain; confirm against that job's config).
/usr/hdp/2.2.4.2-2/kafka/bin/kafka-topics.sh --create \
  --topic sandbox_hdfs_auth_log_parsed \
  --partitions 2 \
  --replication-factor 1 \
  --zookeeper localhost:2181

# Watch the parsed topic from the console; runs in the foreground,
# so keep it in its own terminal.
/usr/hdp/2.2.4.2-2/kafka/bin/kafka-console-consumer.sh \
  --topic sandbox_hdfs_auth_log_parsed \
  --zookeeper sandbox.hortonworks.com:2181
Find the eagle-webservice project and run it.
Find org.apache.eagle.security.securitylog.HdfsAuthLogMonitoringMain and run it.
Find org.apache.eagle.alert.engine.UnitTopologyMain and run it.
# Console producers for typing test records into each topic by hand.
# No authentication options are passed, and anything written here is handled
# downstream like a real audit record, so outside a sandbox restrict who may
# produce to these topics (for example with Kafka ACLs).

# Raw auth log lines:
/usr/hdp/2.2.4.2-2/kafka/bin/kafka-console-producer.sh \
  --topic sandbox_hdfs_auth_log \
  --broker-list sandbox.hortonworks.com:6667

# Parsed events:
/usr/hdp/2.2.4.2-2/kafka/bin/kafka-console-producer.sh \
  --topic sandbox_hdfs_auth_log_parsed \
  --broker-list sandbox.hortonworks.com:6667