Posted to dev@eagle.apache.org by "Senthilkumar (JIRA)" <ji...@apache.org> on 2016/02/02 09:14:39 UTC

[jira] [Commented] (EAGLE-144) Support activity monitoring for Knox

    [ https://issues.apache.org/jira/browse/EAGLE-144?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15127876#comment-15127876 ] 

Senthilkumar commented on EAGLE-144:
------------------------------------

Comments from John Scheibmeir:

Brainstorming a little here with regard to desired end state.

Knox proxy is employed on several hosts behind a load balancer.

Each proxy instance forwards its auditing data to a central activity monitor (a la Eagle). Eagle may treat the multiple inputs as a single logical stream for criteria evaluation.

Eagle would understand the Knox audit file format.

Within Eagle I would either leverage standard activity monitor patterns if they exist or code new items for Knox.

Example patterns could include:
1) more than x failed logon attempts for same user within y amount of time from same endpoint (knox client) [brute force password]
2) more than x failed logon attempts for multiple users within y amount of time from same endpoint (knox client) [brute force user/password]
3) more than x permission errors for single user or single endpoint within y amount of time [probing data paths potentially for data to steal]
4) more than x bytes transferred out via knox (?? - is this audited in knox) [improperly extracting or stealing data]

Eagle may also reformat logs into standard format (e.g. Splunk) and forward accordingly such that other systems may also leverage data/etc


> Support activity monitoring for Knox
> ------------------------------------
>
>                 Key: EAGLE-144
>                 URL: https://issues.apache.org/jira/browse/EAGLE-144
>             Project: Eagle
>          Issue Type: New Feature
>            Reporter: Senthilkumar
>
> The Knox Gateway provides a single access point for all REST interactions with Hadoop clusters. It will be valuable to monitor the access events happening in knox gateway and see if there is an anomaly and generate an alert.
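The sliding-window evaluation that patterns 1 to 3 above call for, as an added example that is not part of this JIRA thread and not Eagle's or Knox's own code. It assumes a simplified pipe-delimited audit line (timestamp|client|user|action|outcome) rather than the exact gateway-audit.log layout, the sample lines are constructed, and pattern 4 (bytes transferred out) is left out because the comment leaves open whether Knox audits that at all. Each rule fires at most once per key per window, and the last three sample lines show a user whose permission errors fall outside the window and therefore do not alert.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines (not real Knox output). The layout is an
# assumption for this example: timestamp|client|user|action|outcome.
SAMPLE_AUDIT_LINES = """\
16/02/02 09:00:00|10.0.0.5|alice|authentication|failure
16/02/02 09:00:10|10.0.0.5|alice|authentication|failure
16/02/02 09:00:20|10.0.0.5|alice|authentication|failure
16/02/02 09:00:25|10.0.0.5|alice|authentication|success
16/02/02 09:01:00|10.0.0.9|bob|authentication|failure
16/02/02 09:01:05|10.0.0.9|carol|authentication|failure
16/02/02 09:01:10|10.0.0.9|dave|authentication|failure
16/02/02 09:01:15|10.0.0.9|erin|authentication|failure
16/02/02 09:05:00|10.0.0.7|frank|authorization|failure
16/02/02 09:05:30|10.0.0.7|frank|authorization|failure
16/02/02 09:20:00|10.0.0.7|frank|authorization|failure
"""


def parse_line(line):
    """Parse one pipe-delimited audit line into a record dict."""
    ts, client, user, action, outcome = line.strip().split("|")
    return {
        "ts": datetime.strptime(ts, "%y/%m/%d %H:%M:%S"),
        "client": client,
        "user": user,
        "action": action,
        "outcome": outcome,
    }


def parse_lines(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


class SlidingWindow:
    """Keeps, per key, only the events inside a trailing time window."""

    def __init__(self, window):
        self.window = window
        self.events = defaultdict(deque)

    def add(self, key, ts, value):
        q = self.events[key]
        q.append((ts, value))
        # Drop events older than the window, measured from the newest event.
        while q and ts - q[0][0] > self.window:
            q.popleft()
        return q


def detect(records, threshold=3, window_seconds=60):
    """Evaluate patterns 1-3 over time-ordered records; return alert dicts."""
    window = timedelta(seconds=window_seconds)
    by_user_client = SlidingWindow(window)  # pattern 1: same user, same client
    by_client = SlidingWindow(window)       # pattern 2: many users, same client
    by_user_perm = SlidingWindow(window)    # pattern 3: permission errors per user
    last_fired = {}
    alerts = []

    def fire(rule, key, client, subject, count, ts):
        # Suppress repeats for the same key while the window is still open,
        # so a long run of failures yields one alert, not one per failure.
        if key in last_fired and ts - last_fired[key] <= window:
            return
        last_fired[key] = ts
        alerts.append({"rule": rule, "client": client, "subject": subject,
                       "count": count, "at": ts})

    for r in sorted(records, key=lambda x: x["ts"]):
        if r["outcome"] != "failure":
            continue
        if r["action"] == "authentication":
            q = by_user_client.add((r["user"], r["client"]), r["ts"], None)
            if len(q) >= threshold:
                fire("brute_force_password", ("p1", r["user"], r["client"]),
                     r["client"], r["user"], len(q), r["ts"])
            q = by_client.add(r["client"], r["ts"], r["user"])
            users = {u for _, u in q}
            if len(users) >= threshold:
                fire("brute_force_user_password", ("p2", r["client"]),
                     r["client"], ",".join(sorted(users)), len(users), r["ts"])
        elif r["action"] == "authorization":
            q = by_user_perm.add(r["user"], r["ts"], None)
            if len(q) >= threshold:
                fire("probing_data_paths", ("p3", r["user"]),
                     r["client"], r["user"], len(q), r["ts"])
    return alerts


def run_sample():
    return detect(parse_lines(SAMPLE_AUDIT_LINES))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

With the defaults (three events in 60 seconds) the sample produces two alerts: a password brute-force against alice from 10.0.0.5 at 09:00:20 and a user/password spray from 10.0.0.9 at 09:01:10 covering bob, carol and dave (erin's attempt is suppressed as a repeat). frank's permission errors never reach three inside one window, which is the edge case the window pruning exists for.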



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)