View audit records|V4.2.5| docs|Distributed Database

View audit records

Last Updated：2025-01-02 01:58:40 Updated

Audit records can be persisted only through logging. At present, audit records are written to system logs. Each business tenant has a background thread for generating audit logs.

Applicability

This topic applies only to OceanBase Database Enterprise Edition. OceanBase Database Community Edition does not support security audit.

Format of audit logs

Here is a sample audit log file:

"xx.xx.xx.xx",57000,0,3615915,"",3221487702,"xx.xx.xx.xx",33281,1006,"audit_mysql",1006,500002,"admin",0,"xx.xx.xx.xx",500001,"test","B9DBED5D556A12ADAE8EB1650B9761E9","table_access","        SELECT id, k, c, pad\n          FROM sbtest\n          WHERE k IN (78154, 78112, 77817, 78105, 78504, 78111, 78155, 78141, 78145, 78113)\n        ",324,0,10,2,0,0,0,0,0,0,0,0,0,1,0,0,1,1700012758556689,364,0,1,46,1,47,259,0,0,0,0,10,0,20,0,0,0,3,0,20,10,10,20,10,0,0,0,139264,0,0,"",0,-1,-1,0,1700012758543334815,2,0,"",-7363743333437867606,0,"","",1,0,0,"00060a27-1096-5dc2-fa04-cea1f06b019a"
"xx.xx.xx.xx",57000,0,3615914,"",3221487709,"xx.xx.xx.xx",33293,1006,"audit_mysql",1006,500002,"admin",0,"xx.xx.xx.xx",500001,"test","B9DBED5D556A12ADAE8EB1650B9761E9","table_access","        SELECT id, k, c, pad\n          FROM sbtest\n          WHERE k IN (34851, 34386, 34384, 34393, 34974, 34566, 34397, 34379, 33844, 34353)\n        ",324,0,10,2,0,0,0,0,0,0,0,0,0,1,0,0,1,1700012758556662,417,0,1,7,1,37,362,0,0,0,0,10,0,20,0,0,0,3,0,20,10,10,20,10,0,0,0,131072,0,0,"",0,-1,-1,0,1700012758543334815,2,0,"",-7363743333437867606,0,"","",1,0,0,"00060a27-1096-5dc2-131b-e7f9c98dd9d9"

Log fields

The fields of the audit records are extracted from the [G]V$OB_SQL_AUDIT view with the following modifications:

The EVENT_CLASS field is added to identify the type of an audit event. Valid values are connection, table_access, and general. The values are defined in the same way as those defined for filters.
Only session requests of users are recorded, and the SQL statements internally initiated are not logged.
SQL query statements are converted into the utf8 format and escaped for output. Login and logout events are recorded as LOGON and LOGOFF, respectively.
When the system asynchronously generates logs for extra-long SQL statements, it uses the allocator of the current thread to allocate memory and switches to synchronous logging.

The following table describes the fields of audit logs. The type of the field affects only the log output format. Two types are supported: string and integer. The value of a string-type field is enclosed in quotation marks (" ").

Field	Type	Description
SVR_IP	varchar(46)	The IP address of the OBServer node.
SVR_PORT	bigint(20)	The port number of the OBServer node.
REQUEST_ID	bigint(20)	The ID of the request.
SQL_EXEC_ID	bigint(20)	The ID of the execution, which monotonically increases on a single OBServer node.
TRACE_ID	varchar(128)	The trace ID of the statement.
SID	bigint(20) unsigned	The ID of the session connection.
CLIENT_IP	varchar(46)	When the client is connected to the OBServer node by using OceanBase Database Proxy (ODP), this field indicates the IP address of the ODP instance that forwarded the request. When the client is directly connected to the OBServer node, this field indicates the IP address of the client that sent the request.
CLIENT_PORT	bigint(20)	The port number of the client that sent the request.
TENANT_ID	bigint(20)	The ID of the tenant that sent the request.
TENANT_NAME	varchar(64)	The name of the tenant that sent the request.
EFFECTIVE_TENANT_ID	bigint(20)	The ID of the tenant.
USER_ID	bigint(20)	The ID of the user that sent the request.
USER_NAME	varchar(64)	The name of the user that sent the request.
USER_GROUP	bigint(20)	The ID of the resource group to which the user belongs.
USER_CLIENT_IP	varchar(46)	The IP address of the client that sent the request.
EVENT_CLASS	varchar(128)	The event type, which is used to identify non-SQL statements.
DB_ID	bigint(20) unsigned	The ID of the database.
DB_NAME	varchar(128)	The name of the database.
SQL_ID	varchar(32)	The ID of the SQL statement.
QUERY_SQL	longtext	The actual SQL statement.
PLAN_ID	bigint(20)	The ID of the execution plan.
AFFECTED_ROWS	bigint(20)	The number of rows affected.
RETURN_ROWS	bigint(20)	The number of rows returned.
PARTITION_CNT	bigint(20)	The number of partitions scanned by the request.
RET_CODE	bigint(20)	The return code of the execution. Valid values: `0`: indicates that the statement is successfully executed without errors. Other return codes: indicates that OceanBase Database has encountered an error.
QC_ID	bigint(20) unsigned	The ID of the scheduler in the parallel execution scenario.
DFO_ID	bigint(20)	The ID of the sub-plan being executed in the parallel execution scenario.
SQC_ID	bigint(20)	The ID of the local coordinator in the parallel execution scenario.
WORKER_ID	bigint(20)	The ID of the worker thread in the parallel execution scenario.
EVENT	varchar(64)	The name of the wait event with the longest wait time.
P1TEXT	varchar(64)	The first parameter of the wait event.
P1	bigint(20) unsigned	The value of the first parameter of the wait event.
P2TEXT	varchar(64)	The second parameter of the wait event.
P2	bigint(20) unsigned	The value of the second parameter of the wait event.
P3TEXT	varchar(64)	The third parameter of the wait event.
P3	bigint(20) unsigned	The value of the third parameter of the wait event.
LEVEL	bigint(20)	The level of the wait event.
WAIT_CLASS_ID	bigint(20)	The ID of the class to which the wait event belongs.
WAIT_CLASS#	bigint(20)	The subscript of the class to which the wait event belongs.
WAIT_CLASS	varchar(64)	The name of the class to which the wait event belongs.
STATE	varchar(19)	The status of the wait event.
WAIT_TIME_MICRO	bigint(20)	The amount of wait time of the wait event, in microseconds.
TOTAL_WAIT_TIME_MICRO	bigint(20)	The total amount of wait time during execution, in microseconds.
TOTAL_WAITS	bigint(20)	The total number of waits during the execution.
RPC_COUNT	bigint(20)	The number of remote procedure calls (RPCs) sent.
PLAN_TYPE	bigint(20)	The type of the execution plan. Valid values: local remote distribute
IS_INNER_SQL	tinyint(4)	Indicates whether the request is an internal SQL request.
IS_EXECUTOR_RPC	tinyint(4)	Indicates whether the current request is an RPC request.
IS_HIT_PLAN	tinyint(4)	Indicates whether the plan cache is hit.
REQUEST_TIME	bigint(20)	The time when the execution starts, in microseconds.
ELAPSED_TIME	bigint(20)	The amount of time elapsed from when the request was received to when the execution of the request ended, in microseconds.
NET_TIME	bigint(20)	The amount of time consumed from RPC sending to request reception, in microseconds.
NET_WAIT_TIME	bigint(20)	The amount of time consumed from the reception of a request to the start of queuing, in microseconds.
QUEUE_TIME	bigint(20)	The amount of wait time of the request in the queue, in microseconds.
DECODE_TIME	bigint(20)	The amount of decoding time of the request after it left the queue, in microseconds.
GET_PLAN_TIME	bigint(20)	The amount of time elapsed from when the processing started to when the plan was obtained, in microseconds.
EXECUTE_TIME	bigint(20)	The amount of time consumed for plan execution, in microseconds.
APPLICATION_WAIT_TIME	bigint(20) unsigned	The total amount of wait time of application wait events, in microseconds.
CONCURRENCY_WAIT_TIME	bigint(20) unsigned	The total amount of wait time of concurrency wait events, in microseconds.
USER_IO_WAIT_TIME	bigint(20) unsigned	The total amount of wait time of user I/O wait events, in microseconds.
SCHEDULE_TIME	bigint(20) unsigned	The total amount of wait time of schedule wait events, in microseconds.
ROW_CACHE_HIT	bigint(20)	The number of row cache hits.
BLOOM_FILTER_CACHE_HIT	bigint(20)	The number of Bloom filter cache hits.
BLOCK_CACHE_HIT	bigint(20)	The number of block cache hits.
DISK_READS	bigint(20)	The number of physical reads.
RETRY_CNT	bigint(20)	The number of retries.
TABLE_SCAN	tinyint(4)	Indicates whether the request contains a full table scan.
CONSISTENCY_LEVEL	bigint(20)	The consistency level. Valid values: `-1`: indicates that the consistency level is invalid. `1`: indicates to read data stored in SSTables. `2`: indicates weak-consistency read. `3`: indicates strong-consistency read.
MEMSTORE_READ_ROW_COUNT	bigint(20)	The number of rows read in the MemStore.
SSSTORE_READ_ROW_COUNT	bigint(20)	The number of rows read in the SSStore.
DATA_BLOCK_READ_CNT	bigint(20)	The number of data microblocks accessed.
DATA_BLOCK_CACHE_HIT	bigint(20)	The number of data microblock cache hits.
INDEX_BLOCK_READ_CNT	bigint(20)	The number of intermediate-layer microblocks accessed.
INDEX_BLOCK_CACHE_HIT	bigint(20)	The number of intermediate-layer microblock cache hits.
BLOCKSCAN_BLOCK_CNT	bigint(20)	The number of data microblocks scanned during a unilateral scan.
BLOCKSCAN_ROW_CNT	bigint(20)	The number of data rows scanned during a unilateral scan.
PUSHDOWN_STORAGE_FILTER_ROW_CNT	bigint(20)	The number of rows that remain after the filter condition is pushed down to and applied in the storage layer.
REQUEST_MEMORY_USED	bigint(20)	The memory consumed by the request.
EXPECTED_WORKER_COUNT	bigint(20)	The number of worker threads expected by the request.
USED_WORKER_COUNT	bigint(20)	The number of worker threads used by the request.
SCHED_INFO	varchar(16384)	The scheduling information about the request.
FUSE_ROW_CACHE_HIT	bigint(20)	At present, this field is not supported and the value is `NULL` by default.
PS_CLIENT_STMT_ID	bigint(20)	The ID of the prepared statement corresponding to the request. Valid values: `-1`: indicates that the prepared statement (PS) protocol is not used in the SQL statement. Value other than `-1`: indicates that the PS protocol is used in the SQL statement. It also indicates the unique identifier returned by the protocol on the client for the statement.
PS_INNER_STMT_ID	bigint(20)	The ID of the prepared statement corresponding to the request. Valid values: `-1`: indicates that the PS protocol is not used in the SQL statement. Value other than `-1`: indicates that the PS protocol is used in the SQL statement. It also indicates the unique identifier returned by the protocol for the statement.
TX_ID	bigint(20)	The hash value of the transaction corresponding to the request.
SNAPSHOT_VERSION	bigint(20)unsigned	The snapshot read version of the current statement.
REQUEST_TYPE	bigint(20)	The type of the request. Valid values: `0`: indicates an invalid request. `1`: indicates an internal request. `2`: indicates a local request such as a local plan. `3`: indicates a remote request. `4`: indicates a distributed request. `5`: indicates an SQL PREPARE request. `6`: indicates an SQL Execute Stmt request. `7`: indicates an SQL Fetch request. `8`: indicates an SQL `send_piece` request. `9`: indicates an SQL `get_piece` request. `10`: indicates an SQL `send_long_data` request. `11`: indicates an inner SQL statement called in PL.
IS_BATCHED_MULTI_STMT	tinyint(4)	Indicates whether optimization has been performed for batch execution of multiple statements.
OB_TRACE_INFO	varchar(4096)	The trace information configured by the user.
PLAN_HASH	bigint(20) unsigned	The hash value of the execution plan.
LOCK_FOR_READ_TIME	bigint(20)	The amount of time spent on waiting for locked data to be unlocked before it can be read, in microseconds.
PARAMS_VALUE	longtext	Parameter values bound to the prepared statement during its execution.
FLT_TRACE_ID	varchar(1024)	The trace ID of this record in end-to-end diagnostics. If this field is left empty, the record is not monitored in end-to-end diagnostics. The value is a universally unique identifier (UUID), which is different from a trace. The format is similar to `000600d6-a5de-038c-6c80-df07e4e79149`.