Audit Logging Levels

Warning

As of the time of this publication, audit logging features are made available and licensed only as part of the MemSQL Advanced Security Option. Before using or implementing this functionality, please consult with your enterprise’s licensing administrator to confirm that your enterprise has purchased the necessary Advanced Security Option license from MemSQL.

There are 11 logging levels that can be specified by the auditlog_level variable in a node’s memsql.cnf file. These levels can be organized into three categories, each with increasing verbosity:

  • Logging is disabled:
    • OFF
  • Log only valid statements and queries:
    • ADMIN-ONLY
    • WRITES-ONLY
    • ALL-QUERIES
    • ALL-QUERIES-PLAINTEXT
    • ALL-RESULTS
  • Log valid and invalid statements and queries:
    • ADMIN-ONLY-INCLUDING-PARSE-FAILS
    • WRITES-ONLY-INCLUDING-PARSE-FAILS
    • ALL-QUERIES-INCLUDING-PARSE-FAILS
    • ALL-QUERIES-PLAINTEXT-INCLUDING-PARSE-FAILS
    • ALL-RESULTS-INCLUDING-PARSE-FAILS

A valid statement or query is one that can be successfully parsed by MemSQL. Invalid statements or queries include those with misspellings or improper syntax.

Alert

When invalid statements cannot be parsed, the literal query text is included in the log entry. This text may contain sensitive information. For example, if a user attempts to connect to the database with an invalid statement that contains their username and password, these values will be logged in plain text. Before selecting any level that specifies INCLUDING-PARSE-FAILS, ensure that the log file location is secured appropriately and that extra precaution is taken when processing the logs.

If your cluster has strict mode enabled, the lowest logging level you can set is ADMIN-ONLY or ADMIN-ONLY-INCLUDING-PARSE-FAILS.

OFF

The OFF level is the default setting and prevents any logs from being created.

If your cluster has strict mode enabled, this logging level cannot be set because audit logging must also be enabled.

ADMIN-ONLY and ADMIN-ONLY-INCLUDING-PARSE-FAILS

The ADMIN-ONLY level will only log statements that require administrator permissions, namely DDL operations such as CREATE, DROP, ALTER, etc. Additionally, if a query contains passwords (such as SET PASSWORD), the password’s value will be omitted from the log.

The ADMIN-ONLY-INCLUDING-PARSE-FAILS level is inclusive of ADMIN-ONLY but also logs invalid statements that fail to parse. These invalid statements may include sensitive information that would normally be obfuscated in a log entry.

If your cluster has strict mode enabled, you must select either of these levels or a more verbose level.

WRITES-ONLY and WRITES-ONLY-INCLUDING-PARSE-FAILS

The WRITES-ONLY level is inclusive of ADMIN-ONLY but also logs DML operations such as INSERT, DELETE, UPDATE, with one exception: SELECT queries are not logged.

The WRITES-ONLY-INCLUDING-PARSE-FAILS level is inclusive of WRITES-ONLY but also logs invalid statements that fail to parse. These invalid statements may include sensitive information that would normally be obfuscated in a log entry.

ALL-QUERIES and ALL-QUERIES-INCLUDING-PARSE-FAILS

The ALL-QUERIES level is inclusive of WRITES-ONLY but also logs read operations such as SELECT statements.

The ALL-QUERIES-INCLUDING-PARSE-FAILS level is inclusive of ALL-QUERIES but also logs invalid statements that fail to parse. These invalid statements may include sensitive information that would normally be obfuscated in a log entry.

ALL-QUERIES-PLAINTEXT and ALL-QUERIES-PLAINTEXT-INCLUDING-PARSE-FAILS

The ALL-QUERIES-PLAINTEXT level is inclusive of ALL-QUERIES but also logs the entire literal query, not just the parameterized version without literal strings and numbers.

The ALL-QUERIES-PLAINTEXT-INCLUDING-PARSE-FAILS level is inclusive of ALL-QUERIES-PLAINTEXT but also logs invalid statements that fail to parse. These invalid statements may include sensitive information that would normally be obfuscated in a log entry.

ALL-RESULTS and ALL-RESULTS-INCLUDING-PARSE-FAILS

The ALL-RESULTS level is inclusive of ALL-QUERIES-PLAINTEXT but also logs the database’s responses. This is the most verbose logging level available, and accordingly it produces a large number of log entries.

When this level is selected, the entry ID for a query is shared with the results entries. For more information, see the Schema for ALL-RESULTS Database Responses section of the Audit Log File Format topic.

The ALL-RESULTS-INCLUDING-PARSE-FAILS level is inclusive of ALL-RESULTS but also logs invalid statements that fail to parse. These invalid statements may include sensitive information that would normally be obfuscated in a log entry.

Was this article useful?