TiDB Cloud Serverless database audit logging #20526
+80
−3
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,76 @@ | ||||||
| --- | ||||||
| title: TiDB Cloud Serverless Database Audit Logging | ||||||
| summary: Learn about how to audit a serverless cluster in TiDB Cloud. | ||||||
| --- | ||||||
|
|
||||||
| # TiDB Cloud Serverless Database Audit Logging | ||||||
|
|
||||||
| TiDB Cloud Serverless provides you with a database audit logging feature to record a history of user access details (such as any SQL statements executed) in logs. | ||||||
|
|
||||||
| > **Note:** | ||||||
| > | ||||||
| > Currently, the database audit logging feature is only available upon request. To request this feature, click **?** in the lower-right corner of the [TiDB Cloud console](https://tidbcloud.com) and click **Request Support**. Then, fill in "Apply for TiDB Cloud Serverless database audit logging" in the **Description** field and click **Submit**. | ||||||
|
|
||||||
| To assess the effectiveness of user access policies and other information security measures of your organization, it is a security best practice to conduct a periodic analysis of the database audit logs. | ||||||
|
|
||||||
| The audit logging feature is disabled by default. To audit a cluster, you need to enable the audit logging. | ||||||
|
|
||||||
| ## Enable audit logging | ||||||
|
|
||||||
| To enable the audit logging for a TiDB Cloud Serverless cluster, using the [TiDB Cloud CLI](/tidb-cloud/cli-reference.md) | ||||||
|
|
||||||
| ```shell | ||||||
| ticloud serverless audit-log enable --cluster-id <cluster-id> | ||||||
| ``` | ||||||
|
|
||||||
| To disable the audit logging for a TiDB Cloud Serverless cluster, using the [TiDB Cloud CLI](/tidb-cloud/cli-reference.md) | ||||||
|
There was a problem hiding this comment. Consider adding a link to the specific CLI command documentation for
Suggested change
|
||||||
|
|
||||||
| ```shell | ||||||
| ticloud serverless audit-log disable --cluster-id <cluster-id> | ||||||
| ``` | ||||||
|
|
||||||
| ## Configure audit logging | ||||||
|
|
||||||
| ### Redacted | ||||||
|
|
||||||
| TiDB Cloud Serverless redacts sensitive data in the audit logs by default. For example, the following SQL statement: | ||||||
|
|
||||||
| ```sql | ||||||
| INSERT INTO `test`.`users` (`id`, `name`, `password`) VALUES (1, 'Alice', '123456'); | ||||||
| ``` | ||||||
|
|
||||||
| is redacted as follows: | ||||||
|
|
||||||
| ```sql | ||||||
| INSERT INTO `test`.`users` (`id`, `name`, `password`) VALUES ( ... ); | ||||||
| ``` | ||||||
|
|
||||||
| If you want to disable the redaction, using the [TiDB Cloud CLI](/tidb-cloud/cli-reference.md) | ||||||
|
There was a problem hiding this comment. Consider adding a link to the specific CLI command documentation for
Suggested change
|
||||||
|
|
||||||
| ```shell | ||||||
| ticloud serverless audit-log config --cluster-id <cluster-id> --unredacted | ||||||
| ``` | ||||||
|
|
||||||
| ### Rotation | ||||||
|
|
||||||
| TiDB Cloud Serverless will start to generate a new audit log file when one of the following conditions is met: | ||||||
|
|
||||||
| - The audit log file reaches 100 MB. | ||||||
| - The time interval reaches 1 hour. Note that the audit log files may not be generated exactly at the time interval of 1 hour, it may be delayed for a few minutes depending on the underlying schedule. | ||||||
|
|
||||||
| ## View audit logs | ||||||
|
|
||||||
| TiDB Cloud Serverless audit logs are readable text files named `YYYY-MM-DD-<uuid>.log`. You can download the audit logs by [TiDB Cloud CLI](/tidb-cloud/cli-reference.md) to view them. | ||||||
|
There was a problem hiding this comment. Consider adding a link to the specific CLI command documentation for
Suggested change
There was a problem hiding this comment. It might be helpful to verify that this link is up to date and points to the correct location for the TiDB Cloud CLI documentation. |
||||||
|
|
||||||
| ```shell | ||||||
| ticloud serverless audit-log download --cluster-id <cluster-id> --output-path <output-path> --start-day <start-day> --end-day <end-day> | ||||||
| ``` | ||||||
|
|
||||||
| > **Note:** | ||||||
| > TiDB Cloud only save your audit logs xx days. | ||||||
|
There was a problem hiding this comment. This note is incomplete. Please fill in the number of days that TiDB Cloud saves audit logs. For example:
Suggested change
|
||||||
|
|
||||||
| ## Audit logging limitations | ||||||
|
|
||||||
| - The audit logging is only available for TiDB Cloud CLI, the support of TiDB Cloud Console will be available soon. | ||||||
|
Check warning on line 74 in tidb-cloud/serverless-audit-logging.md
|
||||||
| - The audit logging can only be generated in the TiDB Cloud, the support of external storage will be available soon. | ||||||
| - TiDB Cloud Serverless does not guarantee the sequential order of the audit logs, which means you might have to review all log files to see the latest events. To order the logs, you can use the `TIME` field in the event records. | ||||||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Consider adding a link to the specific CLI command documentation for
ticloud serverless audit-log enablefor more detailed information.