Help Center/ TaurusDB/ User Guide/ Log Management/ Enabling SQL Audit
Updated on 2025-08-21 GMT+08:00
View PDF
Share

Enabling SQL Audit

If you enable the SQL audit function, all SQL operations will be logged for your download and query.

By default, SQL audit is disabled because enabling this function may affect database performance. This section describes how to enable, modify, or disable SQL audit.

Supported Kernel Versions

The kernel version must be 2.0.60.241200 or later. If your DB engine version is too early, upgrade it to the latest version by referring to Upgrading the Minor Version of a DB Instance. For details about how to check the kernel version, see How Can I Check the Version of a TaurusDB Instance?

Constraints

Table 1 Audit log constraints

Audit Log Type

Constraint

SQL audit logs
  • This function is available to TaurusDB Enterprise Edition instances and serverless instances, but not to multi-primary instances.
  • Only SQL statements that have been executed in the kernel are logged.
  • During specification changes, configurations need to be synchronized. As a result, some SQL operations are not logged.
  • SQL audit logs use the Coordinated Universal Time (UTC) time, which is not affected by the time zone configuration.
  • After SQL audit is enabled, TaurusDB records SQL operations in audit logs. The generated audit logs are temporarily stored in the instance and then uploaded to OBS and stored in the backup space.
  • SQL audit logs that are beyond the retention period are cleared every hour. If you change the retention period of audit logs, expired audit logs will be deleted one hour later.

Audit logs reported to LTS
  • To configure audit log reporting to LTS, submit a service ticket to apply for the required permissions.
  • After this function is enabled, audit logs record all requests sent to your instance and are stored in LTS.
  • Once configured, there is a delay of approximately 10 minutes before the changes are applied.
  • You will be billed for enabling this function. For details, see LTS Pricing Details.
  • After this function is enabled, all audit policies are reported by default.
  • Keep the following points in mind before you enable audit logging or audit log reporting to LTS:
    • Enabling audit logging or audit log reporting to LTS generates audit logs and the sensitive information in the audit logs is not anonymized.
    • If you enable audit logging first and then enable audit log reporting to LTS, LTS reuses the audit policy set for your instance and you will also be billed for reporting audit logs to LTS. Only after you disable audit logging, billing for audit logging will be terminated.
    • If you enable audit logging first and then enable audit log reporting to LTS, you are not advised to disable audit logging before audit log reporting to LTS is running properly.
  • Audit logs may be lost while being uploaded to LTS in certain situations. If audit logging is enabled, you can download all audit logs from OBS.
    • Some logs may be lost when the service traffic is heavy, audit logs are generated too fast, or the LTS service fails.
    • Each audit log record uploaded to LTS cannot exceed 512 KB. Larger records will be truncated.
  • If log reporting is disabled, logs generated for the DB instance will not be reported to LTS.
  • The request for disabling log reporting is not applied immediately. There is a delay of about 10 minutes.

Configuring Audit Logs

  1. Log in to the management console.
  2. Click in the upper left corner and select a region and project.
  3. Click in the upper left corner of the page and choose Databases > TaurusDB.
  4. On the Instances page, click the instance name.
  5. In the navigation pane, choose SQL Audits. On the displayed page, click Set SQL Audit above the list. In the displayed dialog box, configure information as required and click OK.

    • Enabling or setting SQL audit
      • To enable SQL audit, toggle (disabled) to (enabled).
      • Audit logs can be retained from 1 to 732 days and are retained for 7 days by default.
      Figure 1 Setting SQL audit

      The SQL statements executed by PreparedStatement and scheduled tasks through a MySQL client will be treated as PREPARED_STATEMENT and CREATE, respectively. However, the SQL statements executed by PreparedStatement through JDBC will not be recorded.

      You can change the value of the audit_log_buffer_size parameter on the console to adjust the size of the audit log buffer. For details, see Modifying Parameters of a DB Instance.

      Table 2 Parameter description

      Parameter

      Level

      Description

      audit_log_buffer_size

      GLOBAL

      Size of the audit log buffer, in bytes.

      Default value: 1048576

      After SQL audit is enabled, Data Definition Language (DDL), Data Manipulation Language (DML), Data Control Language (DCL), and other operation types are supported. The details are as follows:

      Table 3 DDL types and operations

      Type

      Operation

      CREATE

      create_db, create_event, create_function, create_index, create_procedure, create_table, create_trigger, create_udf, create_view

      ALTER

      alter_db, alter_db_upgrade, alter_event, alter_function, alter_instance, alter_procedure, alter_table, alter_tablespace

      DROP

      drop_db, drop_event, drop_function, drop_index, drop_procedure, drop_table, drop_trigger, drop_view

      RENAME

      rename_table

      TRUNCATE

      truncate

      REPAIR

      repair

      OPTIMIZE

      optimize
      Table 4 DML types and operations

      Type

      Operation

      INSERT

      insert, insert_select

      DELETE

      delete, delete_multi

      UPDATE

      update, update_multi

      REPLACE

      replace, replace_select

      SELECT

      select
      Table 5 DCL types and operations

      Type

      Operation

      CREATE_USER

      create_user

      DROP_USER

      drop_user

      RENAME_USER

      rename_user

      GRANT

      grant_roles, grant

      REVOKE

      revoke, revoke_all, revoke_roles

      ALTER_USER

      alter_user

      ALTER_USER_DEFAULT_ROLE

      alter_user_default_role
      Table 6 Other types and operations

      Type

      Operation

      BEGIN/COMMIT/ROLLBACK

      begin, commit, release_savepoint, rollback, rollback_to_savepoint, savepoint

      PREPARED_STATEMENT

      execute_sql, prepare_sql, dealloc_sql

      CALL_PROCEDURE

      call_procedure

      KILL

      kill

      SET_OPTION

      set_option

      CHANGE_DB

      change_db

      UNINSTALL_PLUGIN

      uninstall_plugin

      INSTALL_PLUGIN

      install_plugin

      SHUTDOWN

      shutdown

      SLAVE_START

      slave_start

      SLAVE_STOP

      slave_stop

      LOCK_TABLES

      lock_tables

      UNLOCK_TABLES

      unlock_tables

      FLUSH

      flush

      XA

      xa_commit, xa_end, xa_prepare, xa_recover, xa_rollback, xa_start
    • Disabling SQL audit

      To disable SQL audit, toggle (enabled) to (disabled).

      If you select the check box "I acknowledge that after audit log is disabled, all audit logs are deleted." and click OK, all audit logs will be deleted.

      Deleted audit logs cannot be recovered. Exercise caution when performing this operation.

  1. Log in to the management console.
  2. Click in the upper left corner and select a region and project.
  3. Click in the upper left corner of the page and choose Databases > TaurusDB.
  4. On the Instances page, click the instance name.
  5. In the navigation pane, choose SQL Audits.
  6. Click next to Report Audit Logs to LTS.
  7. In the displayed dialog box, select a log group and log stream, and click OK.

    Figure 2 Reporting audit logs to LTS

  8. To change the log group and log stream, click Edit.

    Figure 3 Changing the log group and log stream

  9. In the displayed dialog box, click OK.

Disabling Audit Log Reporting

  1. Log in to the management console.
  2. Click in the upper left corner and select a region and project.
  3. Click in the upper left corner of the page and choose Databases > TaurusDB.
  4. On the Instances page, click the instance name.
  5. In the navigation pane, choose SQL Audits.
  6. Click next to Report Audit Logs to LTS.
  7. In the displayed dialog box, click Yes.

    Figure 4 Disabling audit log reporting

Parent Topic: Log Management