This article is for giving list of fields used for storing Audits to various sources (DB / HDFS / Solr).  

Audit to HDFS

Audit to HDFSDescriptionSample ValueData TypeIntroduced in Version
idUnique Id or Row id of audit log event85f0f6d7-2415-44e6-b277-6751d6c86ac7-3Number/String0.5
policy versionPolicy Version which is used in the authorization numeric valueNumber/String0.6 
resultAccess result1 (Allowed) or 0 (Denied)Number0.5
accessAccess type of executed eventREAD/WRITE/SELECT etc.String0.5
cliTypeClient TypeHiveServer, HiveMetaStoreString0.6
agentplugin involved in authorizationhdfs, hiveserver2, hbase..etcString0.5
enforcerAccess enforcerhadoop-acl/ranger-aclString0.5
sessSession Id606b0764-7914-4f32-8343-04d8be6e5bd5String 0.5
cliIPIp address of machine from where event was performed10.0.0.1String0.5
policyPolicy id of the resource on which access event was executed1Number0.5
repoRepository NamehadoopdevString0.5
repoTypeRepository TypeHDFS/HIVE/HBaseNumber0.5
reason
testdb/testtable/column1String0.5
evtTimeevent request timestamp2016-10-12 6:11:45datetime0.5
reqUseruser who requested the accessrangerString0.5
actionoperation performedQUERY/writeString0.6 onwards
resourceresource pathtestdb/testtable/column1String0.5
resTypeType of accessed resource@columnString0.5
seq_numsequence number of audit log1Number0.5
event_countno of similar event executed in specific interval3Number0.5
event_dur_msevent execution time in ms10Number0.5
tagstag details associated with respective resource/policyPCIarray[string]0.6 onwards
additional_infoadditional informations are stored in this field.like forwarded address, remote address, accessType list etc.Map<String,String> 0.6
cluster_namecluster name where the request came fromCluster 1String0.6
zone_nameZone name when zone policy authorized the request
String0.6
agentHosthostname of agenttest-hbase-0710-1.openstacklocal
0.5
logType
RangerAudit
0.5


Audit to Solr

Audit to SOLRDescriptionSample ValueData TypeIntroduced in Version
idUnique Id or Row id of audit log event85f0f6d7-2415-44e6-b277-6751d6c86ac7-3Number/String0.5
policy versionPolicy Version which is used in the authorization numeric valueNumber/String0.6 
resultAccess result1(Allowed) or 0 (Denied)Number0.5
accessAccess type of executed eventREAD/WRITE/SELECT etc.String0.5
cliTypeClient TypeHiveServer, HiveMetaStoreString0.6
agentplugin involved in authorizationhdfs, hiveserver2, hbase..etcString0.5
enforcerAccess enforcerhadoop-acl/ranger-aclString0.5
sessSession Id606b0764-7914-4f32-8343-04d8be6e5bd5String 0.5
cliIPIp address of machine from where event was performed10.0.0.1String0.5
policyPolicy id of the resource on which access event was executed1Number0.5
repoRepository NamehadoopdevString0.5
repoTypeRepository TypeHDFS/HIVE/HBaseNumber0.5
reason
testdb/testtable/column1String0.5
evtTimeevent request timestamp2016-10-12 6:11:45datetime0.5
reqUseruser who requested the accessrangerString0.5
actionoperation performedQUERY/writeString0.6 onwards
resourceresource pathtestdb/testtable/column1String0.5
resTypeType of accessed resource@columnString0.5
seq_numsequence number of audit log1Number0.5
event_countno of similar event executed in specific interval3Number0.5
event_dur_msevent execution time in ms10Number0.5
tagstag details associated with respective resource/policyPCIarray[string]0.6 onwards
additional_infoadditional informations are stored in this field.like forwarded address, remote address etc.Map<String,String> 0.6
cluster_namecluster name where the request came fromCluster 1String0.6
zone_nameZone name when zone policy authorized the request
String0.6
agentHosthostname of agenttest-hbase-0710-1.openstacklocalString0.5
logTypeLog TypeRangerAuditString0.5
_ttl_Time to live+90DAYSString0.5
_expire_at_Expiry Time Stamp of Audit Event2017-02-12T11:39:44.839ZString0.5
_version_Version1550973492097187800Number0.5