How to enable ZooKeeper audit logging

Enable ZooKeeper audit logging.

Inspect the audit log settings in log4j.properties.

$ sudo -u zookeeper cat /opt/zookeeper/zookeeper/conf/log4j.properties
[...]
#
# zk audit logging
#
zookeeper.auditlog.file=zookeeper_audit.log
zookeeper.auditlog.threshold=INFO
audit.logger=INFO, RFAAUDIT
log4j.logger.org.apache.zookeeper.audit.Log4jAuditLogger=${audit.logger}
log4j.additivity.org.apache.zookeeper.audit.Log4jAuditLogger=false
log4j.appender.RFAAUDIT=org.apache.log4j.RollingFileAppender
log4j.appender.RFAAUDIT.File=${zookeeper.log.dir}/${zookeeper.auditlog.file}
log4j.appender.RFAAUDIT.layout=org.apache.log4j.PatternLayout
log4j.appender.RFAAUDIT.layout.ConversionPattern=%d{ISO8601} %p %c{2}: %m%n
log4j.appender.RFAAUDIT.Threshold=${zookeeper.auditlog.threshold}
[...]

Enable audit logging in the zoo.cfg configuration file.

$ sudo -u zookeeper cat /opt/zookeeper/zookeeper/conf/zoo.cfg
tickTime=2000
initLimit=10
syncLimit=5
dataDir=/opt/zookeeper/zookeeper/data
clientPort=2181
server.1=zookeeper1.example.org:2888:3888
server.2=zookeeper2.example.org:2888:3888
server.3=zookeeper3.example.org:2888:3888

audit.enable=true

Alternatively, set the zookeeper.audit.enable system property through JVMFLAGS.

$ sudo -u zookeeper cat /opt/zookeeper/zookeeper/conf/zookeeper-env.sh
JVMFLAGS="-Dzookeeper.audit.enable=true"

Restart the ZooKeeper service.

$ systemctl restart zookeeper.service

Inspect the audit log.

$ tail -f /opt/zookeeper/zookeeper/logs/zookeeper_audit.log
2021-06-11 20:10:18,348 INFO audit.Log4jAuditLogger: user=zookeeper     operation=serverStart   result=success
2021-06-11 20:12:12,541 INFO audit.Log4jAuditLogger: session=0x100003494750000  user=0:0:0:0:0:0:0:1    ip=0:0:0:0:0:0:0:1      operation=create        znode=/app/master       znode_type=persistent   result=success
2021-06-11 20:12:29,911 ERROR audit.Log4jAuditLogger: session=0x100003494750000 user=0:0:0:0:0:0:0:1    ip=0:0:0:0:0:0:0:1      operation=delete        znode=/app      result=failure
2021-06-11 20:12:39,081 INFO audit.Log4jAuditLogger: session=0x100003494750000  user=0:0:0:0:0:0:0:1    ip=0:0:0:0:0:0:0:1      operation=delete        znode=/app/master       result=success
2021-06-11 20:12:40,278 INFO audit.Log4jAuditLogger: session=0x100003494750000  user=0:0:0:0:0:0:0:1    ip=0:0:0:0:0:0:0:1      operation=delete        znode=/app      result=success
2021-06-11 20:12:55,253 INFO audit.Log4jAuditLogger: session=0x100003494750000  user=0:0:0:0:0:0:0:1    ip=0:0:0:0:0:0:0:1      operation=create        znode=/app      znode_type=persistent   result=success
2021-06-11 20:13:23,383 INFO audit.Log4jAuditLogger: session=0x100003494750000  user=0:0:0:0:0:0:0:1    ip=0:0:0:0:0:0:0:1      operation=setData       znode=/app      result=success
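
To review the audit log beyond tail, the key=value records can be parsed and filtered for rejected operations. The script below is an added example, not part of the original post; it assumes the ConversionPattern shown above, and the function names and the SAMPLE lines (copied from the output above with whitespace collapsed) are illustrative.

```python
import re
from collections import Counter
from datetime import datetime

# Lines copied from the audit log shown above (whitespace collapsed).
SAMPLE = """\
2021-06-11 20:10:18,348 INFO audit.Log4jAuditLogger: user=zookeeper operation=serverStart result=success
2021-06-11 20:12:12,541 INFO audit.Log4jAuditLogger: session=0x100003494750000 user=0:0:0:0:0:0:0:1 ip=0:0:0:0:0:0:0:1 operation=create znode=/app/master znode_type=persistent result=success
2021-06-11 20:12:29,911 ERROR audit.Log4jAuditLogger: session=0x100003494750000 user=0:0:0:0:0:0:0:1 ip=0:0:0:0:0:0:0:1 operation=delete znode=/app result=failure
2021-06-11 20:12:39,081 INFO audit.Log4jAuditLogger: session=0x100003494750000 user=0:0:0:0:0:0:0:1 ip=0:0:0:0:0:0:0:1 operation=delete znode=/app/master result=success
"""

# Prefix produced by ConversionPattern "%d{ISO8601} %p %c{2}: %m%n".
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (\w+)\s+audit\.Log4jAuditLogger: (.*)$")
# key=value pairs; a value runs until the next " key=" or the end of the line,
# so a znode path containing spaces is kept whole.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")

def parse_line(line):
    """Return a dict for one audit line, or None if it is not an audit record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group(3)))
    rec["time"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
    rec["level"] = m.group(2)
    return rec

def parse_log(text):
    """Parse every audit record in a log text, skipping unrelated lines."""
    return [r for r in map(parse_line, text.splitlines()) if r]

def failures(records):
    """Records whose operation was rejected (result=failure)."""
    return [r for r in records if r.get("result") == "failure"]

def failures_by_client(records):
    """Count rejected operations per (user, ip) pair."""
    return Counter((r.get("user"), r.get("ip")) for r in failures(records))

if __name__ == "__main__":
    for r in failures(parse_log(SAMPLE)):
        print(r["time"], r["user"], r["operation"], r["znode"])
```
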