[ https://issues.apache.org/jira/browse/EAGLE-476?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15431766#comment-15431766 ]
ASF GitHub Bot commented on EAGLE-476:
--------------------------------------

Github user yonzhang commented on the issue:

https://github.com/apache/incubator-eagle/pull/363

great fix and merged

> Outdated HBase audit log parser
> -------------------------------
>
> Key: EAGLE-476
> URL: https://issues.apache.org/jira/browse/EAGLE-476
> Project: Eagle
> Issue Type: Bug
> Reporter: Peter Kim
>
> The parsing logic for HBase audit logs (security logs) fails for some of the
> newly formatted hbase audit logs. Obviously, this can cause the eagle service
> to overlook these log lines, and fail to generate alerts, which can have a
> severe outcome in terms of security. For example:
>
> 2016-08-17 14:09:52,232 TRACE SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: Access allowed for user petkim; reason: Table permission granted; remote address: /127.0.0.1; request: flush; context: (user=petkim, scope=hbase:meta, params=[table=hbase:meta],action=ADMIN)
>
> 2016-08-17 14:04:27,042 TRACE SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: Access allowed for user petkim; reason: All users allowed; remote address: /111.1.1.1; request: scan; context: (user=petkim, scope=hbase:meta, family=info, params=[table=hbase:meta,family=info],action=READ)
>
> These log lines are not parsed correctly as the fields that the current regex
> matches are static. The first log does not have the field "family" and the
> second one has a new field named "params". So, the parsing logic fails here.
> To fix this and ensure scalability (reliable no matter how many fields are
> omitted or added), I will extend the current parsing logic to be more reliable.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
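
An added illustration of the field-tolerant parsing the issue asks for, run over the two log lines quoted above; it is not Eagle's parser and not the code merged in the pull request. The function names are hypothetical, and accepting a `denied` status alongside `allowed` is an assumption, since the issue only shows `allowed` lines.

```python
import re

# Only the fixed prefix is matched by regex; every later field is parsed by key.
HEADER = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>\w+) (?P<logger>\S+): "
    r"Access (?P<status>allowed|denied) for user (?P<user>[^;]+)(?P<rest>.*)$"
)

# The two sample lines from the issue text.
SAMPLE_LINES = [
    "2016-08-17 14:09:52,232 TRACE SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: Access allowed for user petkim; reason: Table permission granted; remote address: /127.0.0.1; request: flush; context: (user=petkim, scope=hbase:meta, params=[table=hbase:meta],action=ADMIN)",
    "2016-08-17 14:04:27,042 TRACE SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: Access allowed for user petkim; reason: All users allowed; remote address: /111.1.1.1; request: scan; context: (user=petkim, scope=hbase:meta, family=info, params=[table=hbase:meta,family=info],action=READ)",
]

def split_top_level(text, sep):
    """Split on sep, ignoring separators nested inside (...) or [...]."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(text):
        if ch == sep and depth == 0:
            parts.append(text[start:i])
            start = i + 1
        depth = max(depth + (ch in "([") - (ch in ")]"), 0)
    parts.append(text[start:])
    return [p.strip() for p in parts if p.strip()]

def parse_pairs(text):
    """Parse 'k=v, k=v' into a dict; a bracketed value becomes a nested dict."""
    pairs = {}
    for item in split_top_level(text, ","):
        key, eq, value = item.partition("=")
        if eq and value.startswith("[") and value.endswith("]"):
            value = parse_pairs(value[1:-1])
        if eq:  # items without '=' are skipped rather than failing the line
            pairs[key.strip()] = value
    return pairs

def parse_audit_line(line):
    """Return a dict of fields, or None when the line is not an access record."""
    match = HEADER.match(line.strip())
    if match is None:
        return None
    record = match.groupdict()
    for segment in split_top_level(record.pop("rest"), ";"):
        key, colon, value = segment.partition(": ")
        if colon:
            record[key.strip()] = value.strip()
    context = record.get("context", "")
    if context.startswith("(") and context.endswith(")"):
        record["context"] = parse_pairs(context[1:-1])
    return record
```

A caller that needs a field such as `family` should read it with `record["context"].get("family")` so that its absence yields a default instead of a dropped audit event.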