Audit Log Filter quickstart
Use the following steps after you install the Audit Log Filter component and tables. If the component is not yet installed, see install the audit log filter.
You need AUDIT_ADMIN. Changing audit_log_filter.disable at runtime also requires SYSTEM_VARIABLES_ADMIN.
Quickstart
- Optional: run the following statement and note the counter:

    SHOW GLOBAL STATUS LIKE 'audit_log_filter_events_written';

- Run these five statements in order:

    SET GLOBAL audit_log_filter.disable = false;
    SELECT audit_log_filter_set_filter('log_all', '{ "filter": { "log": true } }');
    SELECT audit_log_filter_set_user('%', 'log_all');
    SELECT audit_log_filter_flush();
    SELECT 1;

- Run the status statement again:

    SHOW GLOBAL STATUS LIKE 'audit_log_filter_events_written';

  The counter should increase. When the counter does not increase, verify that the component loaded, the tables exist, and audit_log_filter.disable is false.
With the default JSONL audit_log_filter.format, read events with audit_log_read(). See Reading Audit Log Filter files. You can also inspect the file named by audit_log_filter.file on the server. The JSON format uses the same reader. The NEW (XML) format is read directly from the log file.
Next steps
After the catch-all log_all rule works, replace the rule with a tighter JSON filter. Scope the filter by user, database, table, or event class.
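The statements below are an added example, not taken from this documentation, of replacing log_all with filters scoped by event class and by user. The filter names log_connections and log_conn_and_writes and the account app_rw@localhost are assumptions chosen for illustration.

```sql
-- Added example. Filter names and the account app_rw@localhost are assumed.

-- Baseline filter: record only connect and disconnect events.
SELECT audit_log_filter_set_filter('log_connections', '{
  "filter": {
    "class": {
      "name": "connection",
      "event": [ { "name": "connect" }, { "name": "disconnect" } ]
    }
  }
}');

-- Tighter filter for one account: connection events plus table writes.
SELECT audit_log_filter_set_filter('log_conn_and_writes', '{
  "filter": {
    "class": [
      { "name": "connection",
        "event": [ { "name": "connect" }, { "name": "disconnect" } ] },
      { "name": "table_access",
        "event": [ { "name": "insert" },
                   { "name": "update" },
                   { "name": "delete" } ] }
    ]
  }
}');

-- Reassign the default ('%') from log_all to the baseline filter, so every
-- account without its own assignment still produces connection events.
SELECT audit_log_filter_set_user('%', 'log_connections');

-- Give the application account the wider filter.
SELECT audit_log_filter_set_user('app_rw@localhost', 'log_conn_and_writes');

-- The catch-all rule is no longer assigned to anyone; remove it.
SELECT audit_log_filter_remove_filter('log_all');

SELECT audit_log_filter_flush();

-- Confirm that events are still being written after the change.
SHOW GLOBAL STATUS LIKE 'audit_log_filter_events_written';
```

Keeping a filter assigned to '%' preserves baseline coverage: an account with no specific assignment and no default filter produces no audit events.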
Call the filter UDFs to apply changes:
Author rules in Write audit_log_filter definitions. Compare assignment to JSON rules in Filter the Audit Log Filter logs. Validate names in Audit Log Filter definition fields.
When you switch to JSON or JSONL, read Audit Log Filter file format overview and Reading Audit Log Filter files.
For production, plan path, rotation, and retention with: