By default there are 3 main storage layer abstractions in Log Search:
- Service logs (default name: `hadoop_logs`)
- Audit logs (default name: `audit_logs`)
- Metadata (default name: `logsearch_metadata`)
The service logs collection stores most of the logs (by type), except audit-related data, which goes into the audit logs collection. The metadata collection stores Log Search UI related (dynamic) configurations/settings.
Minimal required service log fields in Solr to make it work with the UI:
- id (string, unique - identifier for Solr doc)
- log_message
- type (string - log type)
- logtime (timestamp)
- seq_num (numeric - sequence number for log events, useful so that sorting does not rely only on the date)
- level (string - log level for logs, e.g.: WARN)
- host (string)
- cluster (string)
see more: Service logs schema
Minimal required audit log fields in Solr to make it work with the UI:
- id (string, unique - identifier for Solr doc)
- evtTime (timestamp)
- repo (string - represents the audit source type)
- seq_num (numeric - sequence number for log events, useful so that sorting does not rely only on the date)
see more: Audit logs schema
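The following is an added example, not code from Log Search itself: a pre-indexing check that a document carries the minimal fields listed above for its collection, plus an ordering helper that uses `seq_num` to break ties between events with the same timestamp. The function names, the sample documents and the ISO-8601 UTC timestamp format are assumptions made for illustration.

```python
from datetime import datetime

# Minimal fields per collection, taken from the lists above ("ts" = timestamp).
REQUIRED = {
    "hadoop_logs": {"id": str, "log_message": str, "type": str, "logtime": "ts",
                    "seq_num": int, "level": str, "host": str, "cluster": str},
    "audit_logs": {"id": str, "evtTime": "ts", "repo": str, "seq_num": int},
}
TIME_FIELD = {"hadoop_logs": "logtime", "audit_logs": "evtTime"}

def parse_ts(value):
    # Assumption: timestamps are ISO-8601 UTC strings, e.g. 2024-01-01T10:00:00.000Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate(collection, doc):
    """Return a list of problems; an empty list means the minimal fields are present."""
    problems = []
    for field, kind in REQUIRED[collection].items():
        value = doc.get(field)
        if value is None or value == "":
            problems.append(f"missing {field}")
        elif kind == "ts":
            try:
                parse_ts(value)
            except (ValueError, AttributeError):
                problems.append(f"bad timestamp in {field}")
        elif isinstance(value, bool) or not isinstance(value, kind):
            problems.append(f"{field} must be {kind.__name__}")
    return problems

def order_events(collection, docs):
    """Sort by event time, then seq_num, so same-timestamp events keep their order."""
    t = TIME_FIELD[collection]
    return sorted(docs, key=lambda d: (parse_ts(d[t]), d["seq_num"]))

# Constructed sample documents (not real logs).
SAMPLE_AUDIT = [
    {"id": "a2", "evtTime": "2024-01-01T10:00:00.000Z", "repo": "hdfs", "seq_num": 2},
    {"id": "a1", "evtTime": "2024-01-01T10:00:00.000Z", "repo": "hdfs", "seq_num": 1},
    {"id": "a3", "evtTime": "not-a-date", "repo": "", "seq_num": "3"},
]

if __name__ == "__main__":
    good = [d for d in SAMPLE_AUDIT if not validate("audit_logs", d)]
    print([d["id"] for d in order_events("audit_logs", good)])
    print(validate("audit_logs", SAMPLE_AUDIT[2]))
```

Audit events that fail this check are worth rejecting or quarantining at the shipper, since a document without `evtTime` or `seq_num` cannot be placed reliably in a timeline.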
Fields for metadata:
- id (string, unique - identifier for Solr doc)
- name (string - metadata identifier)
- username (string - identifies user-related data)
- type (string - type of the metadata)
- value (string - can be anything)
Field name labels on the UI can be customized in `logsearch.properties`, see: AMBARI-22842