Enable security auditing|V4.4.2|OceanBase Database| docs|Distributed Database

Enable security auditing

Last Updated：2026-05-12 02:23:53 Updated

A series of filters are used to audit specific events.

Applicability

This topic applies only to OceanBase Database Enterprise Edition. OceanBase Database Community Edition does not support the auditing feature.

Auditing scope

Filters can be applied based on dimensions such as account, event type, event attributes, and more. For each filter, you can choose whether to audit the filtered events.

Limitations and considerations

An expression must be placed directly and uniquely in an output column (select item) of a SELECT statement, and cannot have a parent expression.
Expressions cannot be used in subqueries.
After defining a filter, you must assign it to a user for it to take effect.
A filter can be assigned to multiple users, but each user can have only one filter.
When a connection is established, the current session determines which auditing filter to use, and this filter remains unchanged throughout the session lifecycle.

Encrypt audit logs

Note

Audit log encryption is supported from V4.4.2 BP1.

MySQL-compatible tenant audit logs support recording data in plaintext or encrypted format. For details, see the related topics at the end of this topic.

Create a filter

You can create a filter to enable the auditing mode for a MySQL-compatible tenant. The filter supports filtering based on event types (Class) and further filtering by event types (Event Type) or event fields (Event Field) in the specified event types. It also supports combining multiple event fields with AND or OR logic.

Note

Support for fine-grained event type filtering, field filtering, and logical combination of fields is introduced in V4.4.2 BP1. V4.4.2 does not support fine-grained event type filtering, field filtering, or logical combination of fields.

Syntax

Create a filter by using the AUDIT_LOG_FILTER_SET_FILTER function. The syntax is as follows:

AUDIT_LOG_FILTER_SET_FILTER('filter_name', 'definition_of_filters');

The following table describes the parameters.

Field	Description
filter_name	The name of the filter. Note The `AUDIT_LOG_FILTER_SET_FILTER` function has the same semantics as the `CREATE OR REPLACE` statement. When you execute a DDL statement on an existing object, the new object will overwrite the existing one.
definition_of_filters	The specific configurations of the auditing filter, which is in the JSON string format. You can configure specific event types in the specified event type and further filter event fields in the specified event types. You can also use `AND` or `OR` to combine multiple event fields.

The following table describes the parameters of the filtering configurations.

Event type filtering: You can specify the event types to filter further by using the event parameter in the class parameter in the JSON string. For example, you can specify {"class": [{"name": "connection", "event": [{"name": "disconnect"}]}]} to specify the disconnect sub-type in the connection event type.
Event field filtering: You can specify the fields to filter by using the field parameter in the event parameter in the JSON string. For example, you can specify "event": [{"name": "read", "log": {"field": {"name": "table_name", "value": "t1"}}}] to specify the table_name field of the read sub-type in the connection event type.
Logical combination: You can use AND or OR to combine multiple fields.

The supported sub-types of the event type filtering are as follows:

Event Type (Class)	Description	Supported Sub-Type (Event Type)
connection	Login and logout statements	connect: Establish a connection disconnect: Terminate a connection
general	All non-DML statements	status: Session status
table_access	All DML statements	read: Read operations insert: Insert operations delete: Delete operations update: Update operations

The supported fields for event field filtering are as follows:

The following table describes the supported fields for the connection, general, and table_access event types.

Event Type	Event Field (Event Field)	Data Type	Description
connection	connection_id	Int	The unique identifier of the connection.
connection	user	String	The username to be audited.
connection	database	String	The name of the database at the time of connection.
connection	ip	String	The IP address of the client used to connect to the user.
connection	server_ip	String	The service IP address of the OBServer.
connection	server_host	String	The host name of the OBServer.
general	general_user	String	The username to be audited.
general	general_sql_command	String	The type of the SQL command to be audited. All non-DML statements are supported. For details about the supported statements, see the description of the `general_sql_command` column below.
table_access	table_database	String	The name of the database where the event occurs.
table_access	table_name	String	The table related to the event. Valid values are as follows: Specify only the table name. In this case, all tables with the same name across databases are audited. Specify the `table_database` field and the table name. In this case, you can use the `AND` or `OR` operator to specify a specific table in a database.

For more information about the supported SQL types for the general_sql_command field, see the related topics at the end of this topic.

Hierarchical structure, differences, and default behavior of the `log` field

The log record behavior depends on the value of the log field and whether a class or event item is specified.

Level	Value	Description	Default Behavior
`filter.log`	true/false	The default switch of the filter. The value of the field specifies whether all events are recorded or not.	If the `class` or `event` item is not specified, the default value of `true` is used.
`filter.class[].log`	true/false/JSON string	The local switch or conditional filter of a single `class` entry.	This parameter can be explicitly specified. If the `class` item is not specified, the value of the upper-level filter is used.
`filter.class[].event[].log`	true/false/JSON string	The local switch or conditional filter of a single `event` entry.	This parameter can be explicitly specified. If the `event` item is not specified, the value of the upper-level filter is used.

Other notes:

The column of Level in the preceding table is an abbreviation for the hierarchical structure. The parameters in the hierarchical structure are as follows:
- filter.log indicates the log attribute under the filter object, for example, {"filter": {"log": true}}.
- filter.class[].log indicates the log attribute in a single element of the class array under the filter object, for example, {"filter": {"class": [{"log": true}]}}.
- filter.class[].event[].log indicates the log attribute in a single element of the event array under a single element of the class array under the filter object, for example, {"filter":{"class":[{"name":"table_access","event":[{"name":"read","log":true}]}]}}.
The following statement in the documentation is not repeated configuration: the configuration of the outer log field is the total switch, and the configuration of the log field of the class or event level is the override or condition filter.

Here are some simple JSON filter examples. For more filter examples, see the topic about the AUDIT_LOG_FILTER_SET_FILTER function in the related topics at the end of this topic.

The log field is set to true to record all events (equivalent to recording all classes):
```
{ "filter": { "log": true } }
```
Specify the event parameter to filter for connect events (the connection type is specified only for establishing a connection, not for disconnect events):
```
{
  "filter": {
    "log": true,
    "class": [ { "name": "connection", "event": [ { "name": "connect" } ] } ]
  }
}
```

Example

In this example, we create a filter named log_all to record all events.

Create a filter named log_all to record all events.

obclient [test]>SELECT AUDIT_LOG_FILTER_SET_FILTER('log_all', '{ "filter": { "log": true } }');

When the DDL statement is executed successfully, the expression returns OK.

+-------------------------------------------------------------------------+
| AUDIT_LOG_FILTER_SET_FILTER('log_all', '{ "filter": { "log": true } }') |
+-------------------------------------------------------------------------+
| OK                                                                      |
+-------------------------------------------------------------------------+
1 row in set

When the DDL statement fails, the SELECT statement still succeeds, and the output result is an error message.

obclient [test]>SELECT AUDIT_LOG_FILTER_SET_FILTER('log_err', '1');

The return result is as follows:

+---------------------------------------------+
| AUDIT_LOG_FILTER_SET_FILTER('log_err', '1') |
+---------------------------------------------+
| ERROR: JSON parsing error.                  |
+---------------------------------------------+
1 row in set

View the definition of the filter in the mysql.audit_log_filter view. For the full syntax and examples, see the related topics at the end of this topic.

obclient [test]> select * from mysql.audit_log_filter;

The return result is as follows:

+---------+-------------------------------+
| NAME    | FILTER                        |
+---------+-------------------------------+
| log_all | { "filter": { "log": true } } |
+---------+-------------------------------+
1 row in set (0.003 sec)

The following table describes the columns.

Column Name	Description
NAME	The name of the filter.
FILTER	The definition of the filter.

Configure filters

After you configure filters for the corresponding users, the background thread can print auditing logs.

Syntax

Set a filter on a user by using the AUDIT_LOG_FILTER_SET_USER function.

AUDIT_LOG_FILTER_SET_USER('user_name', 'filter_name');

The following table describes the fields.

Field	Description
user_name	Specifies the user name Note The `AUDIT_LOG_FILTER_SET_USER` statement does not require the specified `user@host` to be an existing user. You can use wildcards or specify users that do not exist. When a non-existent user is specified, it can take effect during login auditing. The `user_name` field has the following restrictions: `user` only supports a wildcard for the entire field, such as `%` Specifying the `host` field or using partial wildcards such as `test_%` is not supported. If `host` or `test_%` is specified, the filter cannot be created
filter_name	Specifies the filter name Note `AUDIT_LOG_FILTER_SET_USER` uses `CREATE OR REPLACE` semantics. Executing DDL on an existing object will overwrite it. If the specified `filter_name` does not exist, the DDL has no effect but will not return an error

Field

Description

user_name

Specifies the user name

Note

The AUDIT_LOG_FILTER_SET_USER statement does not require the specified user@host to be an existing user. You can use wildcards or specify users that do not exist. When a non-existent user is specified, it can take effect during login auditing. The user_name field has the following restrictions:

user only supports a wildcard for the entire field, such as %
Specifying the host field or using partial wildcards such as test_% is not supported. If host or test_% is specified, the filter cannot be created

filter_name

Specifies the filter name

Note

AUDIT_LOG_FILTER_SET_USER uses CREATE OR REPLACE semantics. Executing DDL on an existing object will overwrite it. If the specified filter_name does not exist, the DDL has no effect but will not return an error

Example

Assign the log_all filter to the user001 user.

obclient [test]> SELECT AUDIT_LOG_FILTER_SET_USER('user001', 'log_all');

When the DDL statement is executed successfully, the expression returns OK.

+-------------------------------------------------+
| AUDIT_LOG_FILTER_SET_USER('user001', 'log_all') |
+-------------------------------------------------+
| OK                                              |
+-------------------------------------------------+
1 row in set

When the DDL statement fails, the SELECT statement still succeeds, and the output result of the expression is an error message.

obclient [test]>SELECT AUDIT_LOG_FILTER_SET_USER('log_err', '1');

The return result is as follows:

+--------------------------------------------+
| AUDIT_LOG_FILTER_SET_USER('log_err', '1')  |
+--------------------------------------------+
| ERROR: Invalid character in the user name. |
+--------------------------------------------+
1 row in set (0.001 sec)

View the mapping between auditing filters and users in the mysql.audit_log_user view. For more information, see the related documentation at the end of this topic.

obclient [test]> select * from mysql.audit_log_user;

The return result is as follows:

+---------+------+------------+
| USER    | HOST | FILTERNAME |
+---------+------+------------+
| user001 | %    | log_all    |
+---------+------+------------+
1 row in set (0.003 sec)

The following table describes the fields in the query result.

Field	Description
USER	The username.
HOST	The hostname.
FILTERNAME	The filter name.

Enable auditing

Enable the auditing feature for the MySQL-compatible tenant by setting the parameter audit_log_enable. For more information, see the related documentation at the end of this topic.

obclient> ALTER SYSTEM SET audit_log_enable=TRUE;

References

Set an auditing log policy, including writing, compression, rotation, cleanup, and encryption: Set an auditing rule
Filter creation function: AUDIT_LOG_FILTER_SET_FILTER
Filter configuration function: AUDIT_LOG_FILTER_SET_USER
Filter view: mysql.audit_log_filter
Filter user mapping view: mysql.audit_log_user
Enable auditing parameter: audit_log_enable
List of general_sql_command statement types: Appendix: Complete list of SQL types supported by general_sql_command

OceanBase

Customer Stories

Documentation

Enable security auditing

Applicability

Auditing scope

Limitations and considerations

Encrypt audit logs

Note

Create a filter

Note

Syntax

Note

Hierarchical structure, differences, and default behavior of the `log` field

Example

Configure filters

Syntax

Note

Note

Example

Enable auditing

References

OceanBase

Customer Stories

Documentation

Enable security auditing

Applicability

Auditing scope

Limitations and considerations

Encrypt audit logs

Note

Create a filter

Note

Syntax

Note

Hierarchical structure, differences, and default behavior of the log field

Example

Configure filters

Syntax

Note

Note

Example

Enable auditing

References

Hierarchical structure, differences, and default behavior of the `log` field