Cassandra Connector
Connect DB Audit to your Apache Cassandra clusters for comprehensive CQL query monitoring, authentication tracking, and compliance reporting across distributed nodes.
Cluster-Aware
Monitors all nodes in your distributed cluster
Native Audit Logging
Leverages Cassandra's built-in audit log
<1% Performance Impact
Async logging with minimal overhead
What You Can Monitor
CQL Query Monitoring
Capture every CQL query executed against your Cassandra cluster with full query text and timing.
Authentication Tracking
Track all user logins, failed authentication attempts, and role-based access control changes.
Schema Change Detection
Detect and alert on keyspace and table modifications, including CREATE, ALTER, and DROP operations.
Distributed Activity
Monitor activity across all nodes in your Cassandra cluster with coordinated timestamp tracking.
Requirements
Configuration Reference
Basic Connection
| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | A unique name to identify this connection |
| contact_points | string | Yes | Comma-separated list of Cassandra node hostnames or IPs |
| port | number | Yes | Native CQL port |
| datacenter | string | Yes | Local datacenter name for connection routing |
| keyspace | string | No | Default keyspace to connect to |
| username | string | Yes | Cassandra username for authentication |
| password | password | Yes | Cassandra password (stored encrypted) |
SSL/TLS Configuration
| Field | Type | Default | Description |
|---|---|---|---|
| ssl_enabled | boolean | false | Enable SSL/TLS encryption |
| ssl_ca_cert | string | - | CA certificate for server verification |
| ssl_client_cert | string | - | Client certificate for mutual TLS |
| ssl_client_key | password | - | Client private key (stored encrypted) |
| ssl_verify | boolean | true | Verify server certificate |
Log Collection
| Field | Type | Default | Description |
|---|---|---|---|
| log_collection_type | select | native_audit | Method for collecting audit logs |
| polling_interval | number | 5 | Seconds between log collection polls |
| batch_size | number | 100 | Maximum events per batch |
Log Collection Methods
DB Audit supports multiple methods for collecting audit logs from Apache Cassandra clusters.
Native Audit Log
Recommended. Direct integration with Cassandra's built-in audit logging for comprehensive activity tracking.
Full Query Logging (FQL)
Cassandra 4.0+ Full Query Logging provides detailed query capture with timing information.
Create Audit Role
Create a dedicated read-only role for DB Audit. This role only needs SELECT access to system keyspaces.
```sql
-- Create a dedicated audit user with minimal privileges
CREATE ROLE dbaudit_reader WITH PASSWORD = 'your_secure_password' AND LOGIN = true;

-- Grant read access to system keyspaces
GRANT SELECT ON KEYSPACE system TO dbaudit_reader;
GRANT SELECT ON KEYSPACE system_auth TO dbaudit_reader;
GRANT SELECT ON KEYSPACE system_schema TO dbaudit_reader;

-- Grant DESCRIBE permission for schema discovery
GRANT DESCRIBE ON ALL KEYSPACES TO dbaudit_reader;

-- For audit log access (if using cassandra-audit)
GRANT SELECT ON KEYSPACE audit TO dbaudit_reader;
```

Enable Audit Logging
Configure Cassandra's built-in audit logging on each node in your cluster.
```yaml
# Enable audit logging in cassandra.yaml
# Add to cassandra.yaml on each node:
audit_logging_options:
  enabled: true
  logger:
    - class_name: FileAuditLogger
  # Cassandra reads the keyspace, category and user filters as comma-separated strings
  included_keyspaces:            # Leave empty for all keyspaces
  excluded_keyspaces: system, system_schema, system_distributed
  included_categories: AUTH, DDL, DML, DCL, QUERY
  included_users:                # Leave empty for all users
  excluded_users: cassandra_monitoring

# For Cassandra 4.0+ Full Query Logging:
full_query_logging_options:
  log_dir: /var/log/cassandra/fql
  roll_cycle: HOURLY
  block: true
  max_queue_weight: 268435456
  max_log_size: 17179869184
  archive_command:
  max_archive_retries: 10
```

Apply these settings to cassandra.yaml on every node and perform a rolling restart to enable audit logging across the cluster.
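The following is an added example, not code from DB Audit or Cassandra: a small Python parser for the pipe-delimited key:value records that Cassandra's audit loggers write, which flags schema changes and repeated failed logins from one source. The sample lines are constructed, and the function names and the three-failure threshold are assumptions.

```python
import re
from collections import Counter

DDL_PREFIXES = ("CREATE_", "ALTER_", "DROP_")  # schema-changing event types
# Constructed sample records (not real logs) in the user:...|host:...|...|operation:... layout.
SAMPLE_LINES = [
    "INFO 2024-05-01 10:00:01 - user:app_rw|host:node1/192.0.2.11:7000|source:/192.0.2.50|port:40112"
    "|timestamp:1714557601120|type:SELECT|category:QUERY|ks:shop|scope:orders"
    "|operation:SELECT * FROM shop.orders WHERE note = 'a|b';",
    "user:app_rw|host:node1/192.0.2.11:7000|source:/192.0.2.50|port:40112"
    "|timestamp:1714557602000|type:USE_KEYSPACE|category:DDL|ks:shop|operation:USE shop;",
    "user:app_rw|host:node2/192.0.2.12:7000|source:/192.0.2.50|port:40113"
    "|timestamp:1714557660000|type:DROP_TABLE|category:DDL|ks:shop|scope:orders"
    "|operation:DROP TABLE shop.orders;",
    "INFO 2024-05-01 10:02:00 - Starting listening for CQL clients",
] + [
    f"user:admin|host:node3/192.0.2.13:7000|source:/198.51.100.7|port:{51000 + i}"
    f"|timestamp:{1714557700000 + i}|type:LOGIN_ERROR|category:AUTH|operation:LOGIN FAILURE"
    for i in range(3)
]

def parse_line(line):
    """Return the audit fields of one line as a dict, or None if it is not an audit record."""
    start = re.search(r"\buser:", line)  # skip any logger prefix before the record
    if not start:
        return None
    # operation is the last field and may itself contain '|' or ':', so split it off first
    head, sep, operation = line[start.start():].rstrip("\n").partition("|operation:")
    fields = dict(part.partition(":")[::2] for part in head.split("|"))
    if sep:
        fields["operation"] = operation
    return fields

def findings(lines, max_failures=3):  # max_failures is an assumed threshold
    """Flag CREATE/ALTER/DROP events and sources with repeated LOGIN_ERROR events."""
    failures, out = Counter(), []
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        if f.get("type") == "LOGIN_ERROR":
            failures[f.get("source")] += 1
        elif f.get("category") == "DDL" and f.get("type", "").startswith(DDL_PREFIXES):
            out.append(("schema_change", f["user"], f.get("ks"), f["type"]))
    out += [("login_failures", src, n) for src, n in failures.items() if n >= max_failures]
    return out

if __name__ == "__main__":
    print(findings(SAMPLE_LINES))
```
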
Configure DB Audit Collector
Add your Cassandra cluster connection to the DB Audit configuration. Include multiple contact points for high availability.
```yaml
databases:
  - name: production-cassandra
    type: cassandra
    contact_points:
      - node1.cassandra.example.com
      - node2.cassandra.example.com
      - node3.cassandra.example.com
    port: 9042
    datacenter: dc1
    username: dbaudit_reader
    password: ${CASSANDRA_PASSWORD}
    # SSL Configuration (recommended for production)
    ssl:
      enabled: true
      ca_cert: /etc/dbaudit/certs/ca.pem
      verify: true
    # Connection settings
    connect_timeout: 10
    request_timeout: 30
    # Monitoring options
    options:
      track_queries: true
      track_connections: true
      track_ddl: true
      track_dml: true
      consistency_level: LOCAL_ONE
```

Test Connection
Verify your configuration before deploying.
```bash
# Test connection with cqlsh (cqlsh prompts for the password when -p is omitted)
cqlsh node1.cassandra.example.com 9042 -u dbaudit_reader

# Test with SSL
cqlsh node1.cassandra.example.com 9042 -u dbaudit_reader \
  --ssl --cqlshrc ~/.cassandra/cqlshrc

# Verify audit logging is enabled
cqlsh -e "SELECT * FROM system_views.settings WHERE name = 'audit_logging_enabled';"

# Check audit log status
nodetool getauditlog

# Verify DB Audit collector can connect
dbaudit-collector test-connections --config /etc/dbaudit/config.yaml
```

Compliance Support
DB Audit's Cassandra connector helps you meet audit requirements for major compliance frameworks.
Troubleshooting
All hosts are unreachable
Verify that at least one contact point is reachable and accepting connections on port 9042. Check firewall rules and native_transport_port in cassandra.yaml.
Authentication failed
Verify credentials are correct and the role has LOGIN permission. Check authenticator setting in cassandra.yaml matches your auth method.
Audit log not generating
Verify audit_logging_options.enabled: true is set and Cassandra was restarted. Check nodetool getauditlog output.
Ready to Audit Your Cassandra Cluster?
Start monitoring your Cassandra databases in minutes with distributed audit logging.