- How to turn audit logging on and off.
- Where the audit log files live.
- What the audit log files look like.
File format
Audit log messages, like all , consist of two sections:- A payload that contains notable events structured in JSON. These can include information such as the application name, full text of the query (which may contain PII), user account that triggered the event, number of rows produced (e.g., for
SELECT) or processed (e.g., forINSERTorUPDATE), status of the query, and more. For more information on the possible event types logged to theSENSITIVE_ACCESSchannel, see . - An envelope that contains event metadata (e.g., severity, date, timestamp, channel). Depending on the log format you specify when , the envelope can be formatted either as JSON or as a flat prefix to the message.
File storage location
By , audit logs are prefixedcockroach-sql-audit and are stored in the as the other logs generated by CockroachDB.
To store the audit log files in a specific directory, with a custom dir path.
Performance considerations
To ensure non-repudiation in audit logs, we recommend for theSENSITIVE_ACCESS channel. CockroachDB will then synchronously log all of the activity of every user on a cluster in a way that is durable to system failures. Note that every query that causes a logging event must access the disk of the node on which audit logging is enabled. As a result, enabling auditable on a logging channel negatively impacts performance, and we recommend using this setting for security purposes only.
For debugging and troubleshooting on production clusters, the most performant way to log all queries is to enable the SQL_EXEC logging channel. For details, see .
Example
Step 1. Create sample tables
Use the statements below to create:- A
customerstable which contains PII such as name, address, etc. - An
orderstable with a foreign key intocustomers, which does not expose any PII
customers table.
Step 2. Turn on auditing for the customers table
We turn on auditing for a table using the subcommand of .
customers table into the logging channel.
To turn on auditing for more than one table, issue a separate
ALTER statement for each table.Step 3. Populate the customers table
Now that we have auditing turned on, let’s add some customer data:
Step 4. Check the audit log
By , events in theSENSITIVE_ACCESS channel are output to a log file that is prefixed cockroach-sql-audit and stored in the as the other logs generated by CockroachDB.
To store the audit log files in a specific directory, with a custom dir path. Like the other log files, it’s rotated according to the .
When we look at the audit log for this example, we see the following lines showing every command we’ve run so far, as expected.
The above example shows the default log format. This can be changed to another format (e.g., JSON). For details, see .
Step 5. Populate the orders table
Unlike the customers table, orders doesn’t have any PII, just a Product ID and a delivery status.
Let’s populate the orders table with some placeholder data using :
Step 6. Check the audit log again
Because we used aSELECT against the customers table to generate the placeholder data for orders, those queries will also show up in the audit log.
Note that two log entries are created for each query: one entry for the SELECT subquery, and one entry for the foreign key check on customer_id. Since the customers table is read twice with each query, the TableName and TxnCounter values will be duplicated across entries:

