Posted to dev@ranger.apache.org by Nigel Jones <jo...@uk.ibm.com> on 2017/03/06 17:28:56 UTC

Auditing using Solr

I'm planning to use Solr for audit (easy searching, aggregation) and 
trying to understand failure modes....

If solr is not ready when the plugin starts up I assume we'll try to 
connect (1s?) then wait for a period (30s) then retry

However this is on an async thread, and meanwhile audit events are 
queued in memory locally ... so

* If solr starts after the plugin, initial events are delayed but then 
will log
* if solr breaks, events will temporarily pause, but then resume once 
solr back up
* unless the queue size is exceeded in which case events are lost

is my understanding correct?

Thanks :-)
Nigel.


Re: Auditing using Solr

Posted by Nigel Jones <jo...@uk.ibm.com>.
On 06/03/2017 18:02, Lal,Alok(allal) wrote:
 >>  is my understanding correct?
 >
 > Yes.
 >
 > For completeness, I would like to point out that during outage of an
 > audit sink (in your example solr) there's also a provision to spool to
 > local disk which should reduce the likelihood of lost events.  For more
 > details refer:
 > https://cwiki.apache.org/confluence/display/RANGER/Ranger+0.5+Audit+Configuration#Ranger0.5AuditConfiguration-AuditQueues
 > https://cwiki.apache.org/confluence/display/RANGER/Ranger+0.5+Audit+Configuration#Ranger0.5AuditConfiguration-ConfigurationrelatedtoFilespooling

Super - thanks all for the clarifications.



Re: Auditing using Solr

Posted by "Lal,Alok(allal)" <al...@ebay.com>.
>  is my understanding correct?

Yes.

For completeness, I would like to point out that during outage of an audit sink (in your example solr) there’s also a provision to spool to local disk which should reduce the likelihood of lost events.  For more details refer:
https://cwiki.apache.org/confluence/display/RANGER/Ranger+0.5+Audit+Configuration#Ranger0.5AuditConfiguration-AuditQueues
https://cwiki.apache.org/confluence/display/RANGER/Ranger+0.5+Audit+Configuration#Ranger0.5AuditConfiguration-ConfigurationrelatedtoFilespooling

HTH

On 3/6/17, 9:28 AM, "Nigel Jones" <jo...@uk.ibm.com> wrote:

    I'm planning to use Solr for audit (easy searching, aggregation) and 
    trying to understand failure modes....
    
    If solr is not ready when the plugin starts up I assume we'll try to 
    connect (1s?) then wait for a period (30s) then retry
    
    However this is on an async thread, and meanwhile audit events are 
    queued in memory locally ... so
    
    * If solr starts after the plugin, initial events are delayed but then 
    will log
    * if solr breaks, events will temporarily pause, but then resume once 
    solr back up
    * unless the queue size is exceeded in which case events are lost
    
    is my understanding correct?
    
    Thanks :-)
    Nigel.
    
    


Re: Auditing using Solr

Posted by Ramesh Mani <rm...@hortonworks.com>.
Nigel,

There is one option which was introduced by
https://issues.apache.org/jira/browse/RANGER-1310.

This will enable you to always spool to local disk first before the audit
is pushed to the destinations. This guarantees that the audit data is not
lost if the memory queue is destroyed by the restart of any of the
components.

Thanks,
Ramesh

On 3/6/17, 9:31 AM, "Don Bosco Durai" <bo...@apache.org> wrote:

>All your assumptions are correct, except.
>
>>    * unless the queue size is exceeded in which case events are lost
>The audit framework will automatically start spooling to file if:
>- Queue size is exceeded
>- Destination is down for extended period (I think 10 minutes, but need
>to verify)
>
>Bosco
>
>On 3/6/17, 9:28 AM, "Nigel Jones" <jo...@uk.ibm.com> wrote:
>
>    I'm planning to use Solr for audit (easy searching, aggregation) and
>    trying to understand failure modes....
>    
>    If solr is not ready when the plugin starts up I assume we'll try to
>    connect (1s?) then wait for a period (30s) then retry
>    
>    However this is on an async thread, and meanwhile audit events are
>    queued in memory locally ... so
>    
>    * If solr starts after the plugin, initial events are delayed but then
>    will log
>    * if solr breaks, events will temporarily pause, but then resume once
>    solr back up
>    * unless the queue size is exceeded in which case events are lost
>    
>    is my understanding correct?
>    
>    Thanks :-)
>    Nigel.
>    
>    
>
>
>


Re: Auditing using Solr

Posted by Don Bosco Durai <bo...@apache.org>.
All your assumptions are correct, except.

>    * unless the queue size is exceeded in which case events are lost
The audit framework will automatically start spooling to file if:
- Queue size is exceeded
- Destination is down for extended period (I think 10 minutes, but need to verify)

Bosco

On 3/6/17, 9:28 AM, "Nigel Jones" <jo...@uk.ibm.com> wrote:

    I'm planning to use Solr for audit (easy searching, aggregation) and 
    trying to understand failure modes....
    
    If solr is not ready when the plugin starts up I assume we'll try to 
    connect (1s?) then wait for a period (30s) then retry
    
    However this is on an async thread, and meanwhile audit events are 
    queued in memory locally ... so
    
    * If solr starts after the plugin, initial events are delayed but then 
    will log
    * if solr breaks, events will temporarily pause, but then resume once 
    solr back up
    * unless the queue size is exceeded in which case events are lost
    
    is my understanding correct?
    
    Thanks :-)
    Nigel.
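
The failure modes discussed in this thread, as an added example that is not part of the original messages and is not Ranger code: a simplified model of a bounded in-memory audit queue with an optional overflow spool file, run through an outage, a recovery, and a restart that wipes the memory queue. The class, method and parameter names are hypothetical, and the events are constructed sample data.

```python
import json
import os
import tempfile
from collections import deque

class AuditBuffer:
    """Toy model (hypothetical names): bounded memory queue plus optional file spool."""
    def __init__(self, queue_size, spool_path=None):
        self.queue = deque()
        self.queue_size = queue_size
        self.spool_path = spool_path    # None: no spooling, overflow is lost
        self.delivered = []             # stands in for the audit destination
        self.dropped = 0

    def log(self, event):
        if len(self.queue) < self.queue_size:
            self.queue.append(event)
        elif self.spool_path:
            with open(self.spool_path, "a") as f:
                f.write(json.dumps(event) + "\n")
        else:
            self.dropped += 1           # queue full and nowhere to spool

    def flush(self, destination_up):
        """One pass of the async sender; returns how many events were delivered."""
        if not destination_up:
            return 0                    # everything stays queued or spooled for retry
        batch = list(self.queue)
        self.queue.clear()
        if self.spool_path and os.path.exists(self.spool_path):
            with open(self.spool_path) as f:
                batch += [json.loads(line) for line in f]
            os.remove(self.spool_path)
        self.delivered += batch
        return len(batch)

def simulate(use_spool, restart=False, events=10, queue_size=4):
    """Outage, optional process restart, then recovery; returns (delivered ids, dropped)."""
    with tempfile.TemporaryDirectory() as d:
        buf = AuditBuffer(queue_size, os.path.join(d, "spool.log") if use_spool else None)
        for i in range(events):         # constructed sample events
            buf.log({"id": i})
        buf.flush(destination_up=False)
        if restart:
            buf.queue.clear()           # a restart destroys the in-memory queue only
        buf.flush(destination_up=True)
        return [e["id"] for e in buf.delivered], buf.dropped
```

In the restart case the drop counter stays at zero even though the events held in memory never reach the destination, which is the gap that spooling to disk before sending is meant to close.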