Audit Log Plugin
This plugin can regularly import the audit logs of FE into a specified system table, making it convenient for users to view and analyze audit logs through SQL.
Using the Audit Log Pluginβ
Starting from Doris 2.1, the audit log plugin is integrated directly into the Doris kernel as a built-in plugin. Users do not need to install the plugin separately.
After the cluster starts, a system table named audit_log
will be created under the __internal_schema
database to store audit logs.
For versions prior to Doris 2.1, please refer to the 2.0 version documentation.
After upgrading to version 2.1, the original audit log plugin will be unavailable. Refer to the Audit Log Migration section to see how to migrate audit log table data.
Enabling the Pluginβ
The audit log plugin can be enabled or disabled at any time using the global variable enable_audit_plugin
(default is disabled), for example:
set global enable_audit_plugin = true;
Once enabled, Doris will write the enabled audit logs to the audit_log
table.
The audit log plugin can be disabled at any time:
set global enable_audit_plugin = false;
After disabling, Doris will stop writing to the audit_log
table. The existing audit logs will not be affected.
Audit log tableβ
With the upgrade of Doris version, the fields of the audit log table will also increase. For details, please refer to audit_log
Starting from version 2.1.8 and 3.0.3, the audit_log
system table will automatically add new fields of audit_log
table as the Doris version is upgraded.
In previous versions, users need to manually add fields to the audit_log
system table through the ALTER TABLE
command.
Related configurationsβ
The audit log table is a dynamic partitioned table, partitioned by day, and retains data for the last 30 days by default.
The following global variables can control some writing behaviors of the audit log table:
audit_plugin_max_batch_interval_sec
: The maximum write interval for the audit log table. Default is 60 seconds.audit_plugin_max_batch_bytes
: The maximum amount of data written per batch to the audit log table. Default is 50MB.audit_plugin_max_sql_length
: The maximum length of statements recorded in the audit log table. Default is 4096.audit_plugin_load_timeout
: Default timeout for the audit log import job. Default is 600 seconds.
These can be set using set global xxx=yyy
.
FE Configuration:
skip_audit_user_list
(supported since 3.0.1)If you do not want the operations of certain users to be recorded in the audit log, you can modify this configuration.
skip_audit_user_list=root
-- or
skip_audit_user_list=user1,user2
Audit Log Migrationβ
After upgrading to version 2.1, the original audit log plugin will be unavailable. This section explains how to migrate data from the original audit log table to the new audit log table.
Confirm the field information of the old and new audit log tables.
The default audit log table should be
doris_audit_db__
.doris_audit_log_tbl__
.The new audit log table is
__internal_schema
.audit_log
.You can check if the field information of the two tables matches by using the
DESC table_name
command. Typically, the fields of the old table should be a subset of the new table.Migrate Audit Log Table Data
You can use the following statement to migrate data from the original table to the new table:
INSERT INTO __internal_schema.audit_log (
query_id ,
time ,
client_ip ,
user ,
db ,
state ,
error_code ,
error_message ,
query_time ,
scan_bytes ,
scan_rows ,
return_rows ,
stmt_id ,
is_query ,
frontend_ip ,
cpu_time_ms ,
sql_hash ,
sql_digest ,
peak_memory_bytes,
stmt
)
SELECT
query_id ,
time ,
client_ip ,
user ,
db ,
state ,
error_code ,
error_message ,
query_time ,
scan_bytes ,
scan_rows ,
return_rows ,
stmt_id ,
is_query ,
frontend_ip ,
cpu_time_ms ,
sql_hash ,
sql_digest ,
peak_memory_bytes,
stmt
FROM doris_audit_db__.doris_audit_log_tbl__;Remove Original Plugin
After migration, you can remove the original plugin by using the
UNINSTALL PLUGIN AuditLoader;
command.
FAQβ
No data in the audit log table, or no new data is being ingested after running for a period of time
You can troubleshoot by following these steps:
Check if partitions are created correctly
The audit log table is a dynamic partition table partitioned by day. By default, it creates partitions for the next 3 days and retains historical partitions for 30 days. Data can only be written to the audit log if partitions are created correctly.
You can check the scheduling status of dynamic partitions by using
show dynamic partition tables from __internal_schema
and troubleshoot based on error reasons. Possible error reasons may include:Number of nodes is less than the required replication number: The audit log table defaults to 3 replicas, so at least 3 BE nodes are required. You can modify the replication number using the
alter table
statement, for example:alter table __internal_schema.audit_log set ("dynamic_partition.replication_num" = "2")
No suitable storage medium: You can check the
storage_medium
property by usingshow create table __internal_schema.audit_log
. If there is no corresponding storage medium on the BE, partition creation may fail.No suitable resource group: The audit log table defaults to the default resource group. You can check if the resource group has enough node resources by using the
show backends
command.
Search for
AuditLoad
in thefe.log
on the Master FE to see if there are any related error logsThe audit log is imported into the table through internal stream load operations. If there are issues with the import process, error logs will be printed in the
fe.log
.