From 36b33c790b72a1ba038c0b00506085baef155936 Mon Sep 17 00:00:00 2001 From: shiyuhang <1136742008@qq.com> Date: Thu, 13 Mar 2025 15:31:44 +0800 Subject: [PATCH 1/5] audit log --- tidb-cloud/serverless-audit-logging.md | 72 ++++++++++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 tidb-cloud/serverless-audit-logging.md diff --git a/tidb-cloud/serverless-audit-logging.md b/tidb-cloud/serverless-audit-logging.md new file mode 100644 index 0000000000000..a996a0ada9b97 --- /dev/null +++ b/tidb-cloud/serverless-audit-logging.md 
@@ -0,0 +1,72 @@ +--- +title: TiDB Cloud Serverless Database Audit Logging +summary: Learn about how to audit a serverless cluster in TiDB Cloud. +--- + +# TiDB Cloud Serverless Database Audit Logging + +TiDB Cloud Serverless provides you with a database audit logging feature to record a history of user access details (such as any SQL statements executed) in logs. + +To assess the effectiveness of user access policies and other information security measures of your organization, it is a security best practice to conduct a periodic analysis of the database audit logs. + +The audit logging feature is disabled by default. To audit a cluster, you need to enable the audit logging. + +## Enable audit logging + +To enable the audit logging for a TiDB Cloud Serverless cluster, using the [TiDB Cloud CLI](/tidb-cloud/cli-reference.md) + +```shell +ticloud serverless audit-log enable --cluster-id +``` + +To disable the audit logging for a TiDB Cloud Serverless cluster, using the [TiDB Cloud CLI](/tidb-cloud/cli-reference.md) + +```shell +ticloud serverless audit-log disable --cluster-id +``` + +## Configure audit logging + +### Redacted + +TiDB Cloud redacts sensitive data in the audit logs by default. For example, the following SQL statement: + +```sql +INSERT INTO `test`.`users` (`id`, `name`, `password`) VALUES (1, 'Alice', '123456'); +``` + +is redacted as follows: + +```sql +INSERT INTO `test`.`users` (`id`, `name`, `password`) VALUES ( ... ); +``` + +If you want to disable the redaction, using the [TiDB Cloud CLI](/tidb-cloud/cli-reference.md) + +```shell +ticloud serverless audit-log config --cluster-id --unredacted +``` + +### Rotation + +TiDB Cloud will start to generate a new audit log file when one of the following conditions is met: + +- The audit log file reaches 100 MB. +- The time interval reaches 1 hour. 
Note that the audit log files may not be generated exactly at the time interval of 1 hour, it may be delayed for a few minutes depending on the underlying schedule. + +## View audit logs + +TiDB Cloud audit logs are readable text files named `YYYY-MM-DD-.log`. You can download the audit logs by [TiDB Cloud CLI](/tidb-cloud/cli-reference.md) to view them. + +```shell +ticloud serverless audit-log download --cluster-id --output-path --start-day --end-day +``` + +> **Note:** +> TiDB Cloud will save your audit logs for xx days. + +## Audit logging limitations + +- The audit logging is only available for TiDB Cloud CLI, the support of TiDB Cloud Console will be available soon. +- The audit logging can only be generated in the TiDB Cloud, the support of external storage will be available soon. +- TiDB Cloud does not guarantee the sequential order of the audit logs, which means you might have to review all log files to see the latest events. To order the logs, you can use the `TIMESTAMP` field in the event records. \ No newline at end of file From 816f18b83cec85f8a288f815c4690d0633a3dc77 Mon Sep 17 00:00:00 2001 From: shiyuhang <1136742008@qq.com> Date: Thu, 13 Mar 2025 15:33:21 +0800 Subject: [PATCH 2/5] toc --- TOC-tidb-cloud.md | 3 ++- tidb-cloud/tidb-cloud-auditing.md | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/TOC-tidb-cloud.md b/TOC-tidb-cloud.md index f773c538f6fbd..7c7c0c6fbd9c5 100644 --- a/TOC-tidb-cloud.md +++ b/TOC-tidb-cloud.md 
@@ -321,7 +321,8 @@ - Database Access Control - [Configure Cluster Password Settings](/tidb-cloud/configure-security-settings.md) - Audit Management - - [Database Audit Logging](/tidb-cloud/tidb-cloud-auditing.md) + - [TiDB Cloud Dedicated Database Audit Logging](/tidb-cloud/tidb-cloud-auditing.md) + - [TiDB Cloud Serverless Database Audit Logging](/tidb-cloud//serverless-audit-logging.md) - [Console Audit Logging](/tidb-cloud/tidb-cloud-console-auditing.md) - Billing - [Invoices](/tidb-cloud/tidb-cloud-billing.md#invoices) diff --git a/tidb-cloud/tidb-cloud-auditing.md b/tidb-cloud/tidb-cloud-auditing.md index d6c00b8b49cef..87a79d4007719 100644 --- a/tidb-cloud/tidb-cloud-auditing.md +++ b/tidb-cloud/tidb-cloud-auditing.md @@ -1,9 +1,9 @@ --- -title: Database Audit Logging +title: TiDB Cloud Dedicated Database Audit Logging summary: Learn about how to audit a cluster in TiDB Cloud. --- -# Database Audit Logging +# TiDB Cloud Dedicated Database Audit Logging TiDB Cloud provides you with a database audit logging feature to record a history of user access details (such as any SQL statements executed) in logs. From 2d7e0b3f9a28491f86179f6a267575a683d6cd78 Mon Sep 17 00:00:00 2001 From: shiyuhang <1136742008@qq.com> Date: Thu, 13 Mar 2025 15:37:01 +0800 Subject: [PATCH 3/5] fix --- tidb-cloud/serverless-audit-logging.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tidb-cloud/serverless-audit-logging.md b/tidb-cloud/serverless-audit-logging.md index a996a0ada9b97..aabace2932461 100644 --- a/tidb-cloud/serverless-audit-logging.md +++ b/tidb-cloud/serverless-audit-logging.md 
@@ -29,7 +29,7 @@ ticloud serverless audit-log disable --cluster-id ### Redacted -TiDB Cloud redacts sensitive data in the audit logs by default. For example, the following SQL statement: +TiDB Cloud Serverless redacts sensitive data in the audit logs by default. For example, the following SQL statement: ```sql INSERT INTO `test`.`users` (`id`, `name`, `password`) VALUES (1, 'Alice', '123456'); @@ -49,14 +49,14 @@ ticloud serverless audit-log config --cluster-id --unredacted ### Rotation -TiDB Cloud will start to generate a new audit log file when one of the following conditions is met: +TiDB Cloud Serverless will start to generate a new audit log file when one of the following conditions is met: - The audit log file reaches 100 MB. - The time interval reaches 1 hour. Note that the audit log files may not be generated exactly at the time interval of 1 hour, it may be delayed for a few minutes depending on the underlying schedule. ## View audit logs -TiDB Cloud audit logs are readable text files named `YYYY-MM-DD-.log`. You can download the audit logs by [TiDB Cloud CLI](/tidb-cloud/cli-reference.md) to view them. +TiDB Cloud Serverless audit logs are readable text files named `YYYY-MM-DD-.log`. You can download the audit logs by [TiDB Cloud CLI](/tidb-cloud/cli-reference.md) to view them. ```shell ticloud serverless audit-log download --cluster-id --output-path --start-day --end-day @@ -69,4 +69,4 @@ ticloud serverless audit-log download --cluster-id --output-path Date: Thu, 13 Mar 2025 17:07:38 +0800 Subject: [PATCH 4/5] fix --- tidb-cloud/serverless-audit-logging.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/tidb-cloud/serverless-audit-logging.md b/tidb-cloud/serverless-audit-logging.md index aabace2932461..00fc346987364 100644 --- a/tidb-cloud/serverless-audit-logging.md +++ b/tidb-cloud/serverless-audit-logging.md 
@@ -7,6 +7,10 @@ summary: Learn about how to audit a serverless cluster in TiDB Cloud. TiDB Cloud Serverless provides you with a database audit logging feature to record a history of user access details (such as any SQL statements executed) in logs. +> **Note:** +> +> Currently, the database audit logging feature is only available upon request. To request this feature, click **?** in the lower-right corner of the [TiDB Cloud console](https://tidbcloud.com) and click **Request Support**. Then, fill in "Apply for TiDB Cloud Serverless database audit logging" in the **Description** field and click **Submit**. + To assess the effectiveness of user access policies and other information security measures of your organization, it is a security best practice to conduct a periodic analysis of the database audit logs. The audit logging feature is disabled by default. To audit a cluster, you need to enable the audit logging. @@ -63,7 +67,7 @@ ticloud serverless audit-log download --cluster-id --output-path **Note:** -> TiDB Cloud will save your audit logs for xx days. +> TiDB Cloud only download your audit logs within xx days. ## Audit logging limitations From 242a4c8b9063fd12bee1156eb578da3434444a9b Mon Sep 17 00:00:00 2001 From: shiyuhang <1136742008@qq.com> Date: Thu, 13 Mar 2025 17:09:26 +0800 Subject: [PATCH 5/5] fix --- tidb-cloud/serverless-audit-logging.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tidb-cloud/serverless-audit-logging.md b/tidb-cloud/serverless-audit-logging.md index 00fc346987364..4a5fcd0e71333 100644 --- a/tidb-cloud/serverless-audit-logging.md +++ b/tidb-cloud/serverless-audit-logging.md @@ -67,7 +67,7 @@ ticloud serverless audit-log download --cluster-id --output-path **Note:** -> TiDB Cloud only download your audit logs within xx days. +> TiDB Cloud only save your audit logs xx days. ## Audit logging limitations
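Review bot: In PATCH 1/5, the "Redacted" section of `tidb-cloud/serverless-audit-logging.md` documents `--unredacted` without saying what turning redaction off exposes. The page's own example shows the redacted form hiding the `password` value `'123456'`, so with redaction disabled such literals end up in the downloaded log files. A short warning next to the command, plus how to turn redaction back on, would make that trade-off explicit. Two smaller gaps in the same hunk: the limitations list tells readers to order events by the `TIMESTAMP` field, but "View audit logs" never describes the record format or its fields, and the retention note still carries the `xx` placeholder.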
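Review bot: In PATCH 2/5, the new entry in `TOC-tidb-cloud.md` links to `/tidb-cloud//serverless-audit-logging.md`, with a doubled slash after `tidb-cloud`. The file created in PATCH 1/5 is `tidb-cloud/serverless-audit-logging.md`, so the link should be `/tidb-cloud/serverless-audit-logging.md`, matching the sibling entries.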
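Review bot: In PATCH 2/5, the `tidb-cloud/tidb-cloud-auditing.md` hunk renames the title and H1 to "TiDB Cloud Dedicated Database Audit Logging" but leaves the `summary:` line and the opening paragraph speaking of "TiDB Cloud" in general. With two audit logging pages now in the TOC, consider naming Dedicated in the summary as well, the way the Serverless page's summary says "audit a serverless cluster".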
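Review bot: In PATCH 3/5, hunk `@@ -49,14 +49,14 @@`, the sentence being edited still reads "You can download the audit logs by [TiDB Cloud CLI]"; "using the TiDB Cloud CLI" would match the wording of the other sections. The rotation paragraph in the same hunk has a comma splice ("... time interval of 1 hour, it may be delayed ...") and would read better as a `> **Note:**` block like the one under "View audit logs".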
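Review bot: In PATCH 5/5, the replacement line "TiDB Cloud only save your audit logs xx days." still has the `xx` placeholder and is ungrammatical, and it says "TiDB Cloud" where PATCH 3/5 switched the rest of the page to "TiDB Cloud Serverless". Suggest "TiDB Cloud Serverless only saves your audit logs for xx days", with the actual retention period filled in before merge: readers planning the periodic log analysis recommended in the introduction need that number to know how often to download.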