AuditEventLog

The AuditEventLog contains information about audit events from different Deephaven processes. A variety of Deephaven processes can write to the AuditEventLog. For example, workers will write details about events such as table access and client requests.

The following processes write audit logs.

| Process | Main Class Name |
| --- | --- |
| ACL Write Server | DbAclWriteServer |
| Authentication Server | AuthenticationServer |
| Data Import Server | DataImportServer |
| Local Table Data Server | LocalTableDataServer |
| Log Aggregator Service | LogAggregatorService |
| Persistent Query Controller | PersistentQueryController |
| Workers | Main |
| Legacy Workers | RemoteQueryProcessor |
| Remote Query Dispatcher (includes query and merge servers) | RemoteQueryDispatcher |
| Remote User Table Server | RemoteUserTableServer |
| Table Data Cache Proxy | TableDataCacheProxy |
| Tailer | LogtailerMain |

Columns

Not all columns apply to all events; only those applicable for a given event will be filled in, and the rest will contain null values. For example, client hostnames and ports are only populated by events that apply to client requests.

| Column Name | Column Type | Description |
| --- | --- | --- |
| Date | String | The date on which the audit event was generated. This is the partitioning column. |
| Timestamp | DateTime | The timestamp for the event. |
| ClientHost | String | The client's host name. |
| ClientPort | int | The client's port ID. |
| ServerHost | String | The server's host name. |
| ServerPort | int | The server's port ID. |
| Process | String | The process name generating the event. This will be either the value retrieved from the process.name property or the main class name. |
| ProcessInfoId | String | The unique process info id of the process generating the event. |
| AuthenticatedUser | String | If available, the authenticated user for the logged event. |
| EffectiveUser | String | If available, the effective user for the logged event. |
| ProcessUser | String | If per-user-workers is enabled, the system user of the worker that logged the event. |
| Namespace | String | If applicable, the namespace for the logged event. |
| Id | int | If applicable, the ID for the logged event. |
| Event | String | The name of the event. See Auditable events by process for information on each event type. |
| Details | String | Further details on the logged event. |

Auditable events by process

Each process logs specific events by name; this section defines the names in the Event column and what each name means.

All processes writing audit events will write the following events. Some processes will also write them during startup and shutdown.

  • RUNNING - the process is running and starting to process normally.
  • SHUTTING_DOWN - the process is shutting down.

ACL Write Server

| Event | Description |
| --- | --- |
| Add ACL | Add an ACL. |
| Add group strategy | Add a group to a strategy. |
| Add input table editor | Add an input table editor group. |
| Add member | Add a member to one or more groups. |
| Add strategy account | Add an account to a strategy. |
| Add user | Add a new user. |
| Change password | Change a user's password. |
| Delete ACL | Delete an ACL. |
| Delete group | Delete a group. |
| Delete group strategy | Remove a group from a strategy. |
| Delete strategy account | Delete an account from a strategy. |
| Delete input table editor | Delete an input table editor group. |
| Delete user | Delete a user. |
| Remove member | Remove a member from one or more groups. |
| Starting server | A server starts to listen for ACL requests. |
| Update ACL | Update an ACL. |
| Update input table editor | Update an input table editor group. |

Authentication Server

| Event | Description |
| --- | --- |
| Expired | An authentication token expired. |
| Invalidated | A client invalidated its credentials. |
| Failed to invalidate | An attempt to invalidate client credentials failed. |
| Logged in | A client log in attempt succeeded. |
| Failed login | A client log in attempt failed. |
| getToken | A token was retrieved for a handshake. |
| getTokenAs | A token for an operate-as user was retrieved for a handshake. |
| verifyToken succeeded | A token verification succeeded. |
| verifyToken failed | A token verification failed. |
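
The following added example (not part of the Deephaven documentation or code) shows one way to triage rows exported from the AuditEventLog using the Event names in the ACL Write Server and Authentication Server tables: it counts "Failed login" bursts per ClientHost and lists ACL-changing events where AuthenticatedUser and EffectiveUser differ. The row layout (Python dicts keyed by column name), the threshold and window, and the assumption that ClientHost is populated on login events are illustrative.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event names taken from the Authentication Server and ACL Write Server tables.
FAILED_LOGIN = "Failed login"
ACL_CHANGES = {"Add ACL", "Update ACL", "Delete ACL", "Add user", "Delete user",
               "Change password", "Add member", "Remove member", "Delete group"}

def failed_login_bursts(rows, threshold=3, window=timedelta(minutes=5)):
    """Return {ClientHost: count} for hosts with >= threshold failures in any window."""
    by_host = defaultdict(list)
    for r in rows:
        if r.get("Event") == FAILED_LOGIN:
            # Columns that do not apply are null; bucket those rows, do not drop them.
            by_host[r.get("ClientHost") or "<null>"].append(r["Timestamp"])
    bursts = {}
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            n = end - start + 1
            if n >= threshold:
                bursts[host] = max(bursts.get(host, 0), n)
    return bursts

def acl_changes_on_behalf(rows):
    """ACL-changing events where the effective user differs from the authenticated one."""
    return [(r["Timestamp"], r["Event"], r["AuthenticatedUser"], r["EffectiveUser"])
            for r in rows
            if r.get("Event") in ACL_CHANGES
            and r.get("AuthenticatedUser") and r.get("EffectiveUser")
            and r["AuthenticatedUser"] != r["EffectiveUser"]]

def row(minute, event, **cols):  # hypothetical helper that builds a sample row
    return {"Timestamp": datetime(2024, 1, 1, 9, minute), "Event": event, **cols}

SAMPLE = [  # constructed rows, not real log data
    row(0, "Failed login", ClientHost="host-a"),
    row(1, "Failed login", ClientHost="host-a"),
    row(2, "Failed login", ClientHost="host-a"),
    row(4, "Failed login", ClientHost="host-b"),
    row(30, "Failed login", ClientHost=None),
    row(40, "Add member", AuthenticatedUser="alice", EffectiveUser="svc_ops"),
    row(41, "Update ACL", AuthenticatedUser="bob", EffectiveUser="bob"),
]

print(failed_login_bursts(SAMPLE), acl_changes_on_behalf(SAMPLE))
```

The functions match on the Event column only, because the Process value depends on whether the process.name property or the main class name is used for log entries.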

Persistent Query Controller

| Event | Description |
| --- | --- |
| Add Query Failure | A Persistent Query addition failed. |
| Add Query Request | A client requested to add a Persistent Query. |
| Add Query Success | A Persistent Query addition completed successfully. |
| Client authentication | A client attempted to authenticate. |
| Client registration | A client registered with the Persistent Query Controller. |
| Client termination | A client terminated. |
| Configuration Request | A client requested the current controller configuration. |
| Determine dispatcher Request | When automated server selection is enabled, a request was received to determine the dispatcher for a worker. |
| Get Script | A client requested a script. |
| Get Script Paths | A client requested the script paths. |
| Modify Query Request | A client requested to modify a Persistent Query. |
| Publish Status Update | A client published a query status update. |
| Reload Configuration | A client requested the controller to reload its configuration. |
| Remove Query Request | A client requested to remove a Persistent Query. |
| Restart Query Request | A client requested to restart a Persistent Query. |
| Restart Replica Request | A client requested to restart a Persistent Query replica. |
| Send script | A Persistent Query script is being sent to a client. |
| Server selection administrative request | When automated server selection is enabled, a server administrative request was received. |
| Server selection status request | When automated server selection is enabled, a server status request was received. |
| Stop Query Request | A client requested to stop a Persistent Query. |

Remote Query Dispatcher

| Event | Description |
| --- | --- |
| Classpath additions | The classpath additions used for a worker start. |
| Extra JVM arguments | Any extra JVM arguments being used to start a worker. |
| Pushed classes | The classes being pushed to a starting worker. |
| Starting worker | A worker is being started. |

Workers (Main)

Worker events refer to the events generated either by a Persistent Query's script or by a client of that worker.

| Event | Description |
| --- | --- |
| Historical Table Access | Requesting a historical table. |
| Live Table Access | Requesting a live table. |
| Historical Partitioned Table Access | Requesting a historical partitioned table. |
| Live Partitioned Table Access | Requesting a live partitioned table. |
| Unpartitioned User Table Write | Writing an unpartitioned user table. |
| Unpartitioned User Table Deletion | Deleting an unpartitioned user table. |
| Partitioned User Table Schema Addition | Adding a partitioned user table schema. |
| Partitioned User Table Schema Update | Updating a partitioned user table's schema. |
| Partitioned User Table Partition Write | Writing a direct partition to a partitioned user table. |
| Partitioned User Table Partition Deletion | Deleting a direct partition from a partitioned user table. |
| Live User Table Append | Appending rows to a live partition from a partitioned user table. |
| Live User Table Incremental Updates | Appending rows incrementally to a live partition from a partitioned user table. |
| Live User Table Partition Deletion | Deleting a live partition from a partitioned user table. |
| Partitioned User Table Deletion | Deleting a partitioned user table, including its schema, direct partitions, and live partitions. |

The "Details" column provides additional information, such as whether an operation was allowed, rejected, or completed, or the column partition value associated with an operation.

Workspaces

These events are generated from WorkspaceData table update failures; successful writes are not audited, as they have been written to the WorkspaceData table.

| Event | Description |
| --- | --- |
| WorkspaceData Authorization Failure | An unauthorized user tried to publish a change to the WorkspaceData table. |
| WorkspaceData Write Failure | An unexpected error occurred writing a record to the WorkspaceData table. |

Configuration

Any process that can write to the Audit Event Log can override several configuration items. All configuration overrides should be based on the process name or main class name. These properties also impact events written to the Process Event Log.

| Configuration Property | Description |
| --- | --- |
| <process name>.useLas | If true, then events will be written through the Log Aggregator Service; if false, then events will be written directly to binary log files. |
| <process name>.useMainClassNameForLogs | Whether to use the class name for log entries; if false, then the retrieved value from the process.name property will be used instead of the class name. |

In addition, for workers the property RemoteQueryProcessor.logCommands defines whether all received commands are logged. The default value is false.