[ https://issues.apache.org/jira/browse/EAGLE-476?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jayesh resolved EAGLE-476.
--------------------------
    Resolution: Fixed

> Outdated HBase audit log parser
> -------------------------------
>
>                 Key: EAGLE-476
>                 URL: https://issues.apache.org/jira/browse/EAGLE-476
>             Project: Eagle
>          Issue Type: Bug
>            Reporter: Peter Kim
>            Priority: Major
>             Fix For: v0.5.0
>
>
> The parsing logic for HBase audit logs (security logs) fails for some of the
> newly formatted HBase audit logs. Obviously, this can cause the Eagle service
> to overlook these log lines, and fail to generate alerts, which can have a
> severe outcome in terms of security. For example:
>
> 2016-08-17 14:09:52,232 TRACE SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: Access allowed for user petkim; reason: Table permission granted; remote address: /127.0.0.1; request: flush; context: (user=petkim, scope=hbase:meta, params=[table=hbase:meta],action=ADMIN)
>
> 2016-08-17 14:04:27,042 TRACE SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: Access allowed for user petkim; reason: All users allowed; remote address: /111.1.1.1; request: scan; context: (user=petkim, scope=hbase:meta, family=info, params=[table=hbase:meta,family=info],action=READ)
>
> These log lines are not parsed correctly as the fields that the current regex
> matches are static. The first log does not have the field "family" and the
> second one has a new field named "params". So, the parsing logic fails here.
> To fix this and ensure scalability (reliable no matter how many fields are
> omitted or added), I will extend the current parsing logic to be more reliable.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
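An added example, not Eagle's code and not the fix that was committed for this issue: a parser that pins only the fixed line prefix with a regex and reads everything after it as key/value pairs, so the two lines quoted in the issue parse whether or not `family` or `params` is present. The function names are hypothetical, and returning `None` for an unrecognized line is an assumption made so that a caller can count dropped lines instead of losing them silently.

```python
import re

# Fixed prefix only; everything after the user is parsed as free-form key/value pairs.
HEADER = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>\w+)\s+"
    r"(?P<logger>\S+):\s+Access (?P<status>\w+) for user (?P<user>[^;]+);\s*(?P<rest>.*)$"
)
CONTEXT = re.compile(r"context:\s*\((?P<ctx>.*)\)\s*$")

def split_top_level(text):
    """Split on commas, except commas nested inside [...] such as params=[a=1,b=2]."""
    parts, current, depth = [], [], 0
    for ch in text:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth = max(0, depth - 1)
        if ch == "," and depth == 0:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return [p.strip() for p in parts if p.strip()]

def parse_audit_line(line):
    """Return a dict of fields, or None so the caller can count unparsed lines."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    event = {k: m.group(k) for k in ("timestamp", "level", "logger", "status", "user")}
    rest, event["context"] = m.group("rest"), {}
    ctx = CONTEXT.search(rest)
    if ctx:
        rest = rest[:ctx.start()]
        pairs = (kv.split("=", 1) for kv in split_top_level(ctx.group("ctx")) if "=" in kv)
        event["context"] = {k.strip(): v.strip() for k, v in pairs}
    for part in rest.split(";"):  # reason / remote address / request, in any order
        key, sep, value = part.partition(":")
        if sep and key.strip():
            event[key.strip().replace(" ", "_")] = value.strip()
    return event

# The two sample lines quoted in the issue, each joined back onto a single line.
SAMPLES = [
    "2016-08-17 14:09:52,232 TRACE SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: Access allowed for user petkim; reason: Table permission granted; remote address: /127.0.0.1; request: flush; context: (user=petkim, scope=hbase:meta, params=[table=hbase:meta],action=ADMIN)",
    "2016-08-17 14:04:27,042 TRACE SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: Access allowed for user petkim; reason: All users allowed; remote address: /111.1.1.1; request: scan; context: (user=petkim, scope=hbase:meta, family=info, params=[table=hbase:meta,family=info],action=READ)",
]
```

Calling `parse_audit_line` on each entry of `SAMPLES` yields a dict with a nested `context` dict; a pipeline built on it should alert on a rising count of `None` results, since that is the signal that the log format has drifted again.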