How to enable audit logs for ScyllaDB, how many types of queries it supports, and how to see the audit logs for an executed query. Also, what its audit log looks like

I want to see the Audit Logs for any Executed query and also how I can see those audit logs.

@subrato see here for answers: ScyllaDB Auditing Guide | ScyllaDB Docs

Note that Audit is a Scylla Enterprise-only feature.

I want to see the Audit Logs for any Executed query and also how I can see those audit logs.

This will have a significant performance impact. Every read (query) will be followed by a write (to the audit log).

Tzach

What will be the parameters of the audit logs, and how can I see the audit logs of an executed query?

Here is an example.
I use the following config in scylla.yaml for Scylla Enterprise:

# audit setting
# by default, Scylla does not audit anything.
# It is possible to enable auditing to the following places:
#   - audit.audit_log column family by setting the flag to "table"
audit: "table"

#
# List of statement categories that should be audited.
audit_categories: "QUERY"
#
#List of tables that should be audited.
audit_tables: "mykeyspace.heartrate_v10"

Created a keyspace mykeyspace and a table heartrate_v10

CREATE TABLE heartrate_v10 (
   pet_chip_id uuid,
   owner uuid,
   time timestamp,
   heart_rate int,
   PRIMARY KEY (pet_chip_id, time)
);

Run a SELECT command:

SELECT * FROM heartrate_v10;

Looking at the audit table I see:

cqlsh:mykeyspace> SELECT * from audit.audit_log;

 date                            | node       | event_time                           | category | consistency | error | keyspace_name | operation                    | source     | table_name    | username
---------------------------------+------------+--------------------------------------+----------+-------------+-------+---------------+------------------------------+------------+---------------+-----------
 2023-11-29 00:00:00.000000+0000 | 172.17.0.2 | c6915149-8e9a-11ee-9a3d-f082b39a6071 |    QUERY |         ONE | False |    mykeyspace | SELECT * FROM heartrate_v10; | 172.17.0.2 | heartrate_v10 | anonymous
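Added example (not part of the original post and not ScyllaDB's own code): a Python script that parses cqlsh output of audit.audit_log in the shape shown above, flags rows that failed or that carry the username anonymous, and emits JSON lines for collection on another system. The second sample row, the user name app_reader and all function names are constructed for illustration, and it assumes only the operation column can contain a "|".

```python
import json

# Constructed sample: first data row is the one from the post above,
# second data row is invented (failed statement whose text contains "|").
SAMPLE = """\
cqlsh:mykeyspace> SELECT * from audit.audit_log;

 date                            | node       | event_time                           | category | consistency | error | keyspace_name | operation                    | source     | table_name    | username
---------------------------------+------------+--------------------------------------+----------+-------------+-------+---------------+------------------------------+------------+---------------+-----------
 2023-11-29 00:00:00.000000+0000 | 172.17.0.2 | c6915149-8e9a-11ee-9a3d-f082b39a6071 |    QUERY |         ONE | False |    mykeyspace | SELECT * FROM heartrate_v10; | 172.17.0.2 | heartrate_v10 | anonymous
 2023-11-29 00:00:00.000000+0000 | 172.17.0.2 | d7a26250-8e9a-11ee-9a3d-f082b39a6071 |    QUERY |         ONE |  True |    mykeyspace | SELECT * FROM heartrate_v10 WHERE tag = 'a|b'; | 172.17.0.2 | heartrate_v10 | app_reader
"""

def parse_audit_table(text):
    """Turn cqlsh's pipe-separated table into a list of dicts keyed by column."""
    header, rows = None, []
    for line in text.splitlines():
        if "|" not in line:
            continue  # prompt, blank line, dashed ruler, "(N rows)" footer
        if header is None:
            header = [h.strip() for h in line.split("|")]
            continue
        cells = line.split("|")
        extra = len(cells) - len(header)
        if extra < 0:
            raise ValueError("row has fewer cells than the header: %r" % line)
        # A "|" inside the audited statement splits it; glue the pieces back.
        op = header.index("operation")
        cells[op:op + extra + 1] = ["|".join(cells[op:op + extra + 1])]
        rows.append({h: c.strip() for h, c in zip(header, cells)})
    return rows

def review(rows):
    """Return rows worth a second look, with the reason for each."""
    findings = []
    for r in rows:
        reasons = []
        if r["error"] == "True":
            reasons.append("statement failed")
        if r["username"] == "anonymous":
            reasons.append("no named account")  # row cannot be tied to a user
        if reasons:
            findings.append({"event_time": r["event_time"],
                             "operation": r["operation"], "reasons": reasons})
    return findings

def to_jsonl(rows):
    """One JSON object per audit row, ready for a log collector."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in rows)

if __name__ == "__main__":
    print(to_jsonl(review(parse_audit_table(SAMPLE))))
```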

Scylla Enterprise: do we need to purchase this to enable the audit log, or does it come with the audit log feature by default?

Audit is part of Scylla Enterprise.
You need to configure it per the keyspace/table/audit level you need.


Thank you so much for your help; I am able to understand.

I have one last question. Suppose I want to capture all audit logs (DDL, DML, DDL, etc.) for any keyspace/table, because it is not possible to configure every time which keyspace or table I want to see audit logs for. So I want to capture all audit logs, no matter which keyspace or table.

Then what would be the configuration?

First, it’s impossible to enable for all use cases. You must list all relevant use cases.
Second, audits for every operation, including QUERY, will have a huge performance impact. Can you explain why you need such a level of audit?
There may be alternative solutions.


Actually, our use case is that we want to enable auditing for all operations, so that we get all the information about the operations performed by users on ScyllaDB and capture those audit logs on our system (Windows or Linux).