AuditEventLog
The AuditEventLog contains information about audit events from different Deephaven processes. A variety of Deephaven processes can write to the AuditEventLog. For example, workers will write details about events such as table access and client requests.
The following processes write audit logs.
| Process | Main Class Name |
|---|---|
| ACL Write Server | DbAclWriteServer |
| Authentication Server | AuthenticationServer |
| Data Import Server | DataImportServer |
| Local Table Data Server | LocalTableDataServer |
| Log Aggregator Service | LogAggregatorService |
| Persistent Query Controller | PersistentQueryController |
| Workers | Main |
| Legacy Workers | RemoteQueryProcessor |
| Remote Query Dispatcher (includes query and merge servers) | RemoteQueryDispatcher |
| Remote User Table Server | RemoteUserTableServer |
| Table Data Cache Proxy | TableDataCacheProxy |
| Tailer | LogtailerMain |
Columns
Not all columns apply to all events; only those applicable for a given event will be filled in, and the rest will contain null values. For example, client hostnames and ports are only populated by events that apply to client requests.
| Column Name | Column Type | Description |
|---|---|---|
Date | String | The date on which the audit event was generated. This is the partitioning column. |
Timestamp | DateTime | The timestamp for the event. |
ClientHost | String | The client's host name. |
ClientPort | int | The client's port ID. |
ServerHost | String | The server's host name. |
ServerPort | int | The server's port ID. |
Process | String | The process name generating the event. This will be either the value retrieved from the process.name property or the main class name. |
ProcessInfoId | String | The unique process info id of the process generating the event. |
AuthenticatedUser | String | If available, the authenticated user for the logged event. |
EffectiveUser | String | If available, the effective user for the logged event. |
ProcessUser | String | If per-user-workers is enabled, the system user of the worker that logged the event. |
Namespace | String | If applicable, the namespace for the logged event. |
ProcessUser | String | If per-user-workers is enabled, the system user of the worker that logged the event. |
Id | int | If applicable, the ID for the logged event. |
Event | String | The name of the event. See Auditable events by process for information on each event type. |
Details | String | Further details on the logged event. |
Auditable events by process
Each process logs specific events by name; this section defines the names in the Event column and what each name means.
All processes writing audit events will write the following events. Some processes will also write them during startup and shutdown.
RUNNING- the process is running and starting to process normally.SHUTTING_DOWN- the process is shutting down.
ACL Write Server
| Event | Description |
|---|---|
Add ACL | Add an ACL. |
Add group strategy | Add a group to a strategy. |
Add input table editor | Add an input table editor group. |
Add member | Add a member to one or more groups. |
Add strategy account | Add an account to a strategy. |
Add user | Add a new user. |
Change password | Change a user's password. |
Delete ACL | Delete an ACL. |
Delete group | Delete a group. |
Delete group strategy | Remove a group from a strategy. |
Delete strategy account | Delete an account from a strategy. |
Delete input table editor | Delete an input table editor group. |
Delete user | Delete a user. |
Remove member | Remove a member from one or more groups. |
Starting server | A server starts to listen for ACL requests. |
Update ACL | Update an ACL. |
Update input table editor | Update an input table editor group. |
Authentication Server
| Event | Description |
|---|---|
Expired | An authentication token expired. |
Invalidated | A client invalidated its credentials. |
Failed to invalidate | An attempt to invalidate client credentials failed. |
Logged in | A client log in attempt succeeded. |
Failed login | A client log in attempt failed. |
getToken | A token was retrieved for a handshake. |
getTokenAs | A token for an operate-as user was retrieved for a handshake. |
verifyToken succeeded | A token verification succeeded. |
verifyToken failed | A token verification failed. |
Persistent Query Controller
| Event | Description |
|---|---|
Add Query Failure | A Persistent Query addition failed. |
Add Query Request | A client requested to add a Persistent Query. |
Add Query Success | A Persistent Query addition completed successfully. |
Client authentication | A client attempted to authenticate. |
Client registration | A client registered with the Persistent Query Controller. |
Client termination | A client terminated. |
Configuration Request | A client requested the current controller configuration. |
Determine dispatcher Request | When automated server selection is enabled, a request was received to determine the dispatcher for a worker. ) |
Get Script | A client requested a script. |
Get Script Paths | A client requested the script paths. |
Modify Query Request | A client requested to modify a Persistent Query. |
Publish Status Update | A client published a query status update. |
Reload Configuration | A client requested the controller to reload its configuration. |
Remove Query Request | A client requested to remove a Persistent Query. |
Restart Query Request | A client requested to restart a Persistent Query. |
Restart Replica Request | A client requested to restart a Persistent Query replica. |
Send script | A Persistent Query script is being sent to a client. |
Server selection administrative request | When automated server selection is enabled, a server administrative request was received. |
Server selection status request | When automated server selection is enabled, a server status request was received. |
Stop Query Request | A client requested to stop a Persistent Query. |
Remote Query Dispatcher
| Event | Description |
|---|---|
Classpath additions | The classpath additions used for a worker start. |
Extra JVM arguments | Any extra JVM arguments being used to start a worker. |
Pushed classes | The classes being pushed to a starting worker. |
Starting worker | A worker is being started. |
Workers (Main)
Worker events refer to the events generated either by a Persistent Query's script or by a client of that worker.
| Event | Description |
|---|---|
Historical Table Access | Requesting a historical table. |
Live Table Access | Requesting a live table. |
Historical Partitioned Table Access | Requesting a historical partitioned table. |
Live Partitioned Table Access | Requesting a live partitioned table. |
Unpartitioned User Table Write | Writing an unpartitioned user table. |
Unpartitioned User Table Deletion | Deleting an unpartitioned user table. |
Partitioned User Table Schema Addition | Adding a partitioned user table schema. |
Partitioned User Table Schema Update | Updating a partitioned user table's schema. |
Partitioned User Table Partition Write | Writing a direct partition to a partitioned user table. |
Partitioned User Table Partition Deletion | Deleting a direct partition from a partitioned user table. |
Live User Table Append | Appending rows to a live partition from a partitioned user table. |
Live User Table Incremental Updates | Appending rows incrementally to a live partition from a partitioned user table. |
Live User Table Partition Deletion | Deleting a live partition from a partitioned user table. |
Partitioned User Table Deletion | Deleting a partitioned user table, including its schema, direct partitions, and live partitions. |
The "Details" column provides additional information, such as whether an operation was allowed, rejected, or completed, or the column partition value associated with an operation.
Workspaces
These events are generated from WorkspaceData table update failures; successful writes are not audited, as they have been written to the WorkspaceData table.
| Event | Description |
|---|---|
WorkspaceData Authorization Failure | An unauthorized user tried to publish a change to the WorkspaceData table. |
WorkspaceData Write Failure | An unexpected error occurred writing a record to the WorkspaceData table. |
Configuration
Any process that can write to the Audit Event Log can override several configuration items. All configuration overrides should be based on the process name or main class name. These properties also impact events written to the Process Event Log.
| Configuration Property | Description |
|---|---|
<process name>.useLas | If true, then events will be written through the Log Aggregator Service; if false, then events will be written directly to binary log files. |
<process name>.useMainClassNameForLogs | Whether to use the class name for log entries; if false, then the retrieved value from the process.name property will be used instead of the class name. |
<process name>.useLas | If true, then events will be written through the Log Aggregator Service; if false, then events will be written directly to binary log files. |
In addition, for workers the property RemoteQueryProcessor.logCommands defines whether all received commands are logged. The default value is false.
Related documentation
- Internal tables overview
PersistentQueryConfigurationLogPersistentQueryStateLogProcessEventLogIndexProcessEventLogProcessInfoProcessMetricsQueryOperationPerformanceLogIndexQueryOperationPerformanceLogQueryPerformanceLogQueryUserAssignmentLogResourceUtilizationServerStateLogIndexServerStateLogUpdatePerformanceLogIndexUpdatePerformanceLogWorkspaceDataSnapshotWorkspaceData