Audit logs

All schema changes (successful and unsuccessful) and ACL changes are recorded in audit logs.

Audit log format

A log event consists of comma-separated key: value fields:

2022-08-03T22:41:43.860439Z node 1 :FLAT_TX_SCHEMESHARD NOTICE: AUDIT: txId: 281474976710670, database: /Root, subject: no subject, status: StatusSuccess, operation: MODIFY ACL, path: Root, add access: +(CT):user0@builtin, protobuf request: WorkingDir: "" OperationType: ESchemeOpModifyACL ModifyACL { Name: "Root" DiffACL: "\n\031\010\000\022\025\010\001\020@\032\ruser0@builtin \003" }

2022-08-03T22:41:43.931561Z node 1 :FLAT_TX_SCHEMESHARD NOTICE: AUDIT: txId: 281474976710672, database: /Root, subject: user0@builtin, status: StatusAccepted, operation: DROP TABLE, path: /Root/Test1234/KeyValue, protobuf request: WorkingDir: "/Root/Test1234" OperationType: ESchemeOpDropTable Drop { Name: "KeyValue" }

2022-08-03T22:41:43.895591Z node 1 :FLAT_TX_SCHEMESHARD NOTICE: AUDIT: txId: 281474976710671, database: /Root, subject: user0@builtin, status: StatusAccepted, operation: CREATE DIRECTORY, path: /Root/Test1234, protobuf request: WorkingDir: "/Root" OperationType: ESchemeOpMkDir MkDir { Name: "Test1234" } FailOnExist: true, operation: CREATE TABLE, path: /Root/Test1234/KeyValue, protobuf request: WorkingDir: "/Root/Test1234" OperationType: ESchemeOpCreateTable CreateTable { Name: "KeyValue" Columns { Name: "Key" Type: "Uint32" NotNull: false } Columns { Name: "Value" Type: "String" NotNull: false } KeyColumnNames: "Key" PartitionConfig { ColumnFamilies { Id: 0 StorageConfig { SysLog { PreferredPoolKind: "test" } Log { PreferredPoolKind: "test" } Data { PreferredPoolKind: "test" } } } } } FailOnExist: false

One event describes one transaction. An event can describe several operations performed within a single transaction. In that case, some fields describe the transaction as a whole and others describe the individual operations within it.

Transaction fields

  • txId: (mandatory) The unique transaction ID.
  • database: (optional) The path to the database.
  • subject: (mandatory) The event source SID (<login>@<subsystem> format). If not specified, the value is no subject.
  • status: (mandatory) The transaction completion status.
  • reason: (optional) An error message.

Operation fields

  • operation: (mandatory) The operation name.
  • path: (optional) The path to the change object.
  • src path: (optional) The path to the source object (for copy and move operations).
  • dst path: (optional) The path to the target object (for copy and move operations).
  • no path: (optional) If there is no change object, the value is no path.
  • set owner: (optional) The new owner when changing ACL.
  • add access: (optional) Access added when changing ACL. The field can be repeated.
  • remove access: (optional) Access removed when changing ACL. The field can be repeated.
  • protobuf request: (optional) A description of a schema or ACL change in protobuf format.
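
The following added example (not part of the original documentation or the project's code) parses an audit event into its transaction fields and per-operation fields, then flags ACL changes and events without a subject for review. The function names parse_audit_line and needs_review are hypothetical, the sample lines are constructed from the format shown above, and the parser assumes that no value contains ", <field name>: ".

```python
import re

# Field names as listed under "Transaction fields" and "Operation fields".
TX_KEYS = ("txId", "database", "subject", "status", "reason")
OP_KEYS = ("operation", "path", "src path", "dst path", "no path", "set owner",
           "add access", "remove access", "protobuf request")
REPEATABLE = {"add access", "remove access"}
# A key counts only at the start of the payload or right after ", ", so
# "Name: ..." inside a protobuf dump is never mistaken for a field.
KEY_RE = re.compile(r"(?:^|, )(%s): " % "|".join(map(re.escape, TX_KEYS + OP_KEYS)))

def parse_audit_line(line):
    """Return {'timestamp', 'tx': {...}, 'operations': [{...}, ...]} or None."""
    head, sep, payload = line.strip().partition(" AUDIT: ")
    if not sep:
        return None  # not an audit record
    event = {"timestamp": head.split(" ", 1)[0], "tx": {}, "operations": []}
    hits = list(KEY_RE.finditer(payload))
    for hit, nxt in zip(hits, hits[1:] + [None]):
        key = hit.group(1)
        value = payload[hit.end():nxt.start() if nxt else len(payload)]
        if key in TX_KEYS:
            event["tx"][key] = value
            continue
        if key == "operation" or not event["operations"]:
            event["operations"].append({})  # each "operation" opens a new record
        op = event["operations"][-1]
        if key in REPEATABLE:
            op.setdefault(key, []).append(value)  # field may occur several times
        else:
            op[key] = value
    return event

def needs_review(event):
    """Flag ACL changes and any change recorded with 'no subject'."""
    acl = any(op.keys() & {"set owner", "add access", "remove access"}
              for op in event["operations"])
    return acl or event["tx"].get("subject") == "no subject"

# Constructed sample lines modelled on the events shown on this page.
SAMPLE = [
    '2022-08-03T22:41:43.860439Z node 1 :FLAT_TX_SCHEMESHARD NOTICE: AUDIT: txId: 1, database: /Root, subject: no subject, status: StatusSuccess, operation: MODIFY ACL, path: Root, add access: +(CT):user0@builtin, add access: +(CT):user1@builtin',
    '2022-08-03T22:41:43.895591Z node 1 :FLAT_TX_SCHEMESHARD NOTICE: AUDIT: txId: 2, database: /Root, subject: user0@builtin, status: StatusAccepted, operation: CREATE DIRECTORY, path: /Root/Test1234, protobuf request: MkDir { Name: "Test1234" } FailOnExist: true, operation: CREATE TABLE, path: /Root/Test1234/KeyValue',
]

if __name__ == "__main__":
    for ev in map(parse_audit_line, SAMPLE):
        print(ev["tx"]["txId"], len(ev["operations"]), needs_review(ev))
```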