Audit logs
All schema changes (successful and unsuccessful) and ACL changes are recorded in audit logs.
Enabling audit logs
Audit logs are provided as part of YDB component logging.
To enable audit logs, you need to change the logging level:
- Follow the link in the format http://<endpoint>:8765/cms. The Cluster Management System page opens.
- On the Configs tab, click on the LogConfigItems line.
- Under Component log settings, find the FLAT_TX_SCHEMESHARD component. Set this component's logging level to NOTICE or higher.
- To save changes, click Submit.
Audit logs are written together with other YDB logs.
Audit log format
A log event consists of comma-separated key: value fields:
2022-08-03T22:41:43.860439Z node 1 :FLAT_TX_SCHEMESHARD NOTICE: AUDIT: txId: 281474976710670, database: /Root, subject: no subject, status: StatusSuccess, operation: MODIFY ACL, path: Root, add access: +(CT):user0@builtin, protobuf request: WorkingDir: "" OperationType: ESchemeOpModifyACL ModifyACL { Name: "Root" DiffACL: "\n\031\010\000\022\025\010\001\020@\032\ruser0@builtin \003" }
2022-08-03T22:41:43.931561Z node 1 :FLAT_TX_SCHEMESHARD NOTICE: AUDIT: txId: 281474976710672, database: /Root, subject: user0@builtin, status: StatusAccepted, operation: DROP TABLE, path: /Root/Test1234/KeyValue, protobuf request: WorkingDir: "/Root/Test1234" OperationType: ESchemeOpDropTable Drop { Name: "KeyValue" }
2022-08-03T22:41:43.895591Z node 1 :FLAT_TX_SCHEMESHARD NOTICE: AUDIT: txId: 281474976710671, database: /Root, subject: user0@builtin, status: StatusAccepted, operation: CREATE DIRECTORY, path: /Root/Test1234, protobuf request: WorkingDir: "/Root" OperationType: ESchemeOpMkDir MkDir { Name: "Test1234" } FailOnExist: true, operation: CREATE TABLE, path: /Root/Test1234/KeyValue, protobuf request: WorkingDir: "/Root/Test1234" OperationType: ESchemeOpCreateTable CreateTable { Name: "KeyValue" Columns { Name: "Key" Type: "Uint32" NotNull: false } Columns { Name: "Value" Type: "String" NotNull: false } KeyColumnNames: "Key" PartitionConfig { ColumnFamilies { Id: 0 StorageConfig { SysLog { PreferredPoolKind: "test" } Log { PreferredPoolKind: "test" } Data { PreferredPoolKind: "test" } } } } } FailOnExist: false
One event describes one transaction. An event can describe several operations performed within a single transaction. In this case, some fields describe the transaction as a whole and others describe the individual operations within it.
Transaction fields
- txId: (mandatory) The unique transaction ID.
- database: (optional) The path to the database.
- subject: (mandatory) The event source SID (<login>@<subsystem> format). If not specified, the value is no subject.
- status: (mandatory) The transaction completion status.
- reason: (optional) An error message.
Operation fields
- operation: (mandatory) The operation name.
- path: (optional) The path to the change object. This field might change during a transaction.
- src path: (optional) The path to the source object (for copy and move operations).
- dst path: (optional) The path to the target object (for copy and move operations).
- no path: (optional) If there is no change object, the value is no path.
- set owner: (optional) The new owner when changing ACL.
- add access: (optional) Add access when changing ACL. The field can be repeated.
- remove access: (optional) Remove access when changing ACL. The field can be repeated.
- protobuf request: (optional) A description of a schema or ACL change in protobuf format.
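The following Python sketch is an added example, not part of YDB or its documentation. It parses audit events into transaction fields plus a list of per-operation field groups, then lists every MODIFY ACL operation with its subject for review. The names parse_audit_line and acl_changes are hypothetical, and it assumes that no field value contains ", " followed by a documented field name and ": ".

```python
import re

# Field names come from the "Transaction fields" and "Operation fields" lists.
TX_KEYS = ("txId", "database", "subject", "status", "reason")
OP_KEYS = ("operation", "path", "src path", "dst path", "no path", "set owner",
           "add access", "remove access", "protobuf request")
REPEATED = ("add access", "remove access")  # documented as repeatable

HEADER = re.compile(r"^(\S+) node (\d+) :FLAT_TX_SCHEMESHARD \w+: AUDIT: ")
# Split only on ", " that is directly followed by a known field name and ": ",
# so other commas and colons inside a value stay part of that value.
FIELD_SEP = re.compile(r", (?=(?:%s): )" % "|".join(TX_KEYS + OP_KEYS))

def parse_audit_line(line):
    """Return a dict of transaction fields plus 'operations', or None."""
    m = HEADER.match(line)
    if m is None:
        return None  # ordinary log line, not an audit event
    event = {"ts": m.group(1), "node": int(m.group(2)), "operations": []}
    for field in FIELD_SEP.split(line[m.end():].rstrip()):
        key, _, value = field.partition(": ")
        if key in TX_KEYS:
            event[key] = value
        elif key == "operation":  # each "operation" field starts a new group
            event["operations"].append({"operation": value})
        elif key in OP_KEYS and event["operations"]:
            op = event["operations"][-1]
            if key in REPEATED:
                op.setdefault(key, []).append(value)
            else:
                op[key] = value
    return event

def acl_changes(lines):
    """Yield (ts, subject, path, added, removed) for each MODIFY ACL operation."""
    for event in filter(None, map(parse_audit_line, lines)):
        for op in event["operations"]:
            if op["operation"] == "MODIFY ACL":
                yield (event["ts"], event.get("subject"), op.get("path"),
                       op.get("add access", []), op.get("remove access", []))

# Sample input: the DROP TABLE event is copied from the page; the other lines are constructed from the page's events.
SAMPLE = [
    '2022-08-03T22:41:43.860439Z node 1 :FLAT_TX_SCHEMESHARD NOTICE: AUDIT: txId: 281474976710670, database: /Root, subject: no subject, status: StatusSuccess, operation: MODIFY ACL, path: Root, add access: +(CT):user0@builtin, add access: +(CT):user1@builtin, protobuf request: WorkingDir: "" OperationType: ESchemeOpModifyACL',
    '2022-08-03T22:41:43.931561Z node 1 :FLAT_TX_SCHEMESHARD NOTICE: AUDIT: txId: 281474976710672, database: /Root, subject: user0@builtin, status: StatusAccepted, operation: DROP TABLE, path: /Root/Test1234/KeyValue, protobuf request: WorkingDir: "/Root/Test1234" OperationType: ESchemeOpDropTable Drop { Name: "KeyValue" }',
    '2022-08-03T22:41:43.900000Z node 1 :FLAT_TX_SCHEMESHARD NOTICE: constructed non-audit message',
    '2022-08-03T22:41:43.895591Z node 1 :FLAT_TX_SCHEMESHARD NOTICE: AUDIT: txId: 281474976710671, database: /Root, subject: user0@builtin, status: StatusAccepted, operation: CREATE DIRECTORY, path: /Root/Test1234, protobuf request: WorkingDir: "/Root" OperationType: ESchemeOpMkDir MkDir { Name: "Test1234" } FailOnExist: true, operation: CREATE TABLE, path: /Root/Test1234/KeyValue',
]
```

Running acl_changes(SAMPLE) yields one record, for the ACL change made with no subject, which is the kind of entry worth routing to review.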