David Mollitor created RANGER-3532:
--------------------------------------

    Summary: Delete Archived Spooled Audit Logs Based on TTL
    Key: RANGER-3532
    URL: https://issues.apache.org/jira/browse/RANGER-3532
    Project: Ranger
    Issue Type: Improvement
    Components: audit
    Reporter: David Mollitor

As I understand it,...

When an audit destination (HDFS/SOLR) is offline, the Ranger plugin can spool audit messages to the local disk. Once the destination comes back online, the Ranger plugin will resume transmitting audit messages. Once all audit messages are transmitted, the log file containing the message is sent to the audit 'archive' directory. From there, if there are more than (configurable) 100 archived audit log files, then some number of files are deleted to bring that number down to 100.

This can be problematic if the number of audits is very large (and therefore spooled audit log files are very large) and they can sit in the archive directory for very long periods of time. As I understand it, the only way for them to be deleted is if another outage event occurs and more files are created, always keeping the total number of files at 100.

Please add an additional criterion for deleting files: TTL

Delete archived audit files which are older than (configurable) a week.
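
The retention rule requested above, as an added example that is not Ranger code: archived files older than a TTL are deleted first, then the existing count cap is applied to what remains. The function names, constants and sample file names are assumptions made for this sketch; only the 100-file cap and the one-week TTL come from the issue text.

```python
import os
import tempfile
import time
from pathlib import Path

MAX_ARCHIVE_FILES = 100          # count cap described in the issue
ARCHIVE_TTL_SECONDS = 7 * 86400  # requested TTL of one week (assumed default)


def select_for_deletion(files, now, max_files=MAX_ARCHIVE_FILES,
                        ttl=ARCHIVE_TTL_SECONDS):
    """files: iterable of (path, mtime). Returns paths to delete, oldest first."""
    ordered = sorted(files, key=lambda f: f[1])          # oldest first
    expired = [f for f in ordered if now - f[1] > ttl]   # TTL rule
    live = [f for f in ordered if now - f[1] <= ttl]
    overflow = live[:max(0, len(live) - max_files)]      # count cap on the rest
    return [path for path, _ in expired + overflow]


def prune_archive(archive_dir, now=None, **limits):
    """Apply both rules to a directory; returns the deleted paths."""
    now = time.time() if now is None else now
    entries = []
    for p in Path(archive_dir).iterdir():
        # skip symlinks and sub-directories so pruning never leaves the archive dir
        if p.is_file() and not p.is_symlink():
            entries.append((p, p.stat().st_mtime))
    doomed = select_for_deletion(entries, now, **limits)
    for path in doomed:
        path.unlink(missing_ok=True)   # another cleaner may already have removed it
    return doomed


def demo():
    """Constructed sample: three files left by an old outage, two recent ones."""
    now = time.time()
    with tempfile.TemporaryDirectory() as d:
        for name, age_days in [("old1.log", 30), ("old2.log", 20), ("old3.log", 8),
                               ("new1.log", 2), ("new2.log", 1)]:
            p = Path(d, name)
            p.write_text("constructed audit record\n")
            os.utime(p, (now - age_days * 86400,) * 2)
        count_only = select_for_deletion(
            [(p.name, p.stat().st_mtime) for p in Path(d).iterdir()],
            now, ttl=float("inf"))       # count cap alone: nothing is ever selected
        deleted = sorted(p.name for p in prune_archive(d, now=now))
        remaining = sorted(p.name for p in Path(d).iterdir())
    return count_only, deleted, remaining
```

With the count cap alone, the five sample files stay on disk indefinitely because the directory never reaches 100 entries; with the TTL, the three files older than a week are removed.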