Kaspersky Next XDR Expert
1.1.9

Contents

Configuring receipt of Apache Cassandra events

KUMA allows receiving information about Apache Cassandra events.

Configuring event receiving consists of the following steps:

  1. Configuring Apache Cassandra event logging in KUMA.
  2. Creating a KUMA collector for Apache Cassandra events.

    To receive Apache Cassandra events, in the KUMA Collector Installation Wizard, at the Transport step, select a file type connector; at the Event parsing step, in the Normalizer field, select [OOTB] Apache Cassandra file.

  3. Installing a collector in the KUMA network infrastructure.
  4. Verifying receipt of Apache Cassandra events in the KUMA collector.

    To verify that the Apache Cassandra event source server is configured correctly, you can search for related events.

Page top
[Topic 264848]

Configuring Apache Cassandra event logging in KUMA

To configuring Apache Cassandra event logging in KUMA:

  1. Make sure that the server where Apache Cassandra is installed has 5 GB of free disk space.
  2. Connect to the Apache Cassandra server using an account with administrator rights.
  3. Before making changes, create backup copies of the following configuration files:
    • /etc/cassandra/cassandra.yaml
    • /etc/cassandra/logback.xml
  4. Make sure that the settings in the /etc/cassandra/cassandra.yaml configuration file have the following values; make changes if necessary:
    1. in the audit_logging_options section, set the enabled setting to true.
    2. in the logger section, set the class_name setting to FileAuditLogger.
  5. Add the following lines to the /etc/cassandra/logback.xml configuration file:

    <!-- Audit Logging (FileAuditLogger) rolling file appender to audit.log -->

    <appender name="AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">

    <file>${cassandra.logdir}/audit/audit.log</file>

    <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy">

    <!-- rollover daily -->

    <fileNamePattern>${cassandra.logdir}/audit/audit.log.%d{yyyy-MM-dd}.%i.zip</fileNamePattern>

    <!-- each file should be at most 50MB, keep 30 days worth of history, but at most 5GB -->

    <maxFileSize>50MB</maxFileSize>

    <maxHistory>30</maxHistory>

    <totalSizeCap>5GB</totalSizeCap>

    </rollingPolicy>

    <encoder>

    <pattern>%-5level [%thread] %date{ISO8601} %F:%L - %replace(%msg){'\n', ' '}%n</pattern>

    </encoder>

    </appender>

    <!-- Audit Logging additivity to redirect audt logging events to audit/audit.log -->

    <logger name="org.apache.cassandra.audit" additivity="false" level="INFO">

    <appender-ref ref="AUDIT"/>

    </logger>

  6. Save changes to the configuration file.
  7. Restart the Apache Cassandra service using the following commands:
    1. sudo systemctl stop cassandra.service
    2. sudo systemctl start cassandra.service
  8. After restarting, check the status of Apache Cassandra using the following command:

    sudo systemctl status cassandra.service

    Make sure that the command output contains the following sequence of characters:

    Active: active (running)

Apache Cassandra event export is configured. Events are located in the /var/log/cassandra/audit/ directory, in the audit.log file (${cassandra.logdir}/audit/audit.log).

Page top
[Topic 264849]