From 0d74757b8e2b19eab37958749f48c930dcef7751 Mon Sep 17 00:00:00 2001 From: qqqdan Date: Mon, 20 Apr 2026 11:31:22 -0700 Subject: [PATCH 1/4] Update tidb-cloud-auditing-premium.md --- .../premium/tidb-cloud-auditing-premium.md | 112 ++++++++++-------- 1 file changed, 64 insertions(+), 48 deletions(-) diff --git a/tidb-cloud/premium/tidb-cloud-auditing-premium.md b/tidb-cloud/premium/tidb-cloud-auditing-premium.md index 4da0eb58a9ec0..e966257eb90ca 100644 --- a/tidb-cloud/premium/tidb-cloud-auditing-premium.md +++ b/tidb-cloud/premium/tidb-cloud-auditing-premium.md @@ -233,54 +233,70 @@ If you no longer want to audit an instance, go to the page of the instance, clic > > Each time the size of the log file reaches 10 MiB, the log file is pushed to the cloud storage bucket. Therefore, after audit logging is disabled, the log file whose size is smaller than 10 MiB will not be automatically pushed to the cloud storage bucket. To get the log file in this situation, contact [TiDB Cloud Support](/tidb-cloud/tidb-cloud-support.md). -## Audit log fields - -For each database event record in audit logs, TiDB provides the following fields: +## Audit logging fields + +For each database event record in audit logs, TiDB Cloud provides the following fields: + +### General information + +All classes of audit logs contain the following information: + +| Field | Description | +|---------------|-----------------------------------------------------------------------------------------------| +| `ID` | The unique identifier that identifies the audit record of an operation. | +| `TIME` | The timestamp of the audit record. | +| `EVENT` | The event classes of the audit record. Multiple event types are separated by commas (`,`). | +| `USER` | The username of the audit record. | +| `ROLES` | The roles of the user at the time of the operation. | +| `CONNECTION_ID` | The identifier of the user's connection. | +| `TABLES` | The accessed tables related to this audit record. | +| `STATUS_CODE` | The status code of the audit record. `1` means success, and `0` means failure. | +| `KEYSPACE_NAME` | The keyspace name of the audit record. | +| `SERVERLESS_TENANT_ID` | The ID of the serverless tenant that the {{{ .essential }}} instance belongs to. | +| `SERVERLESS_PROJECT_ID` | The ID of the serverless project that the {{{ .essential }}} instance belongs to. | +| `SERVERLESS_CLUSTER_ID` | The ID of the serverless {{{ .essential }}} instance that the audit record belongs to. | +| `REASON` | The error message of the audit record. Only recorded when an error occurs during the operation.| + +### SQL statement information + +When the event class is `QUERY` or a subclass of `QUERY`, the audit logs contain the following information: + +| Field | Description | +|----------------|---------------------------------------------------------------------------------------------------------------| +| `CURRENT_DB` | The name of the current database. | +| `SQL_TEXT` | The executed SQL statements. If audit log redaction is enabled, the redacted SQL statements are recorded. | +| `EXECUTE_PARAMS` | The parameters for the `EXECUTE` statements. Recorded only when the event classes include `EXECUTE` and redaction is disabled. | +| `AFFECTED_ROWS` | The number of affected rows of the SQL statements. Recorded only when the event classes include `QUERY_DML`. | + +### Connection information + +When the event class is `CONNECTION` or a subclass of `CONNECTION`, the audit logs contain the following information: + +| Field | Description | +|-----------------|-----------------------------------------------------------------------------------------------| +| `CURRENT_DB` | The name of the current database. When the event classes include DISCONNECT, this information is not recorded. | +| `CONNECTION_TYPE` | The type of connection, including Socket, UnixSocket, and SSL/TLS. | +| `PID` | The process ID of the current connection. | +| `SERVER_VERSION` | The current version of the connected TiDB server. | +| `SSL_VERSION` | The current version of SSL in use. | +| `HOST_IP` | The current IP address of the connected TiDB server. | +| `HOST_PORT` | The current port of the connected TiDB server. | +| `CLIENT_IP` | The current IP address of the client. | +| `CLIENT_PORT` | The current port of the client. | > **Note:** > -> In the following tables, the empty maximum length of a field means that the data type of this field has a well-defined constant length (for example, 4 bytes for INTEGER). - -| Col # | Field name | TiDB data type | Maximum length | Description | -|---|---|---|---|---| -| 1 | N/A | N/A | N/A | Reserved for internal use | -| 2 | N/A | N/A | N/A | Reserved for internal use | -| 3 | N/A | N/A | N/A | Reserved for internal use | -| 4 | ID | INTEGER | | Unique event ID | -| 5 | TIMESTAMP | TIMESTAMP | | Time of event | -| 6 | EVENT_CLASS | VARCHAR | 15 | Event type | -| 7 | EVENT_SUBCLASS | VARCHAR | 15 | Event subtype | -| 8 | STATUS_CODE | INTEGER | | Response status of the statement | -| 9 | COST_TIME | FLOAT | | Time consumed by the statement | -| 10 | HOST | VARCHAR | 16 | Server IP | -| 11 | CLIENT_IP | VARCHAR | 16 | Client IP | -| 12 | USER | VARCHAR | 17 | Login username | -| 13 | DATABASE | VARCHAR | 64 | Event-related database | -| 14 | TABLES | VARCHAR | 64 | Event-related table name | -| 15 | SQL_TEXT | VARCHAR | 64 KB | Masked SQL statement | -| 16 | ROWS | INTEGER | | Number of affected rows (`0` indicates that no rows are affected) | - -Depending on the EVENT_CLASS field value set by TiDB, database event records in audit logs also contain additional fields as follows: - -- If the EVENT_CLASS value is `CONNECTION`, database event records also contain the following fields: - - | Col # | Field name | TiDB data type | Maximum length | Description | - |---|---|---|---|---| - | 17 | CLIENT_PORT | INTEGER | | Client port number | - | 18 | CONNECTION_ID | INTEGER | | Connection ID | - | 19 | CONNECTION_TYPE | VARCHAR | 12 | Connection via `socket` or `unix-socket` | - | 20 | SERVER_ID | INTEGER | | TiDB server ID | - | 21 | SERVER_PORT | INTEGER | | The port that the TiDB server uses to listen to client communication via the MySQL protocol | - | 22 | SERVER_OS_LOGIN_USER | VARCHAR | 17 | The username of the TiDB process startup system | - | 23 | OS_VERSION | VARCHAR | N/A | The version of the operating system where the TiDB server is located | - | 24 | SSL_VERSION | VARCHAR | 6 | The current SSL version of TiDB | - | 25 | PID | INTEGER | | The PID of the TiDB process | - -- If the EVENT_CLASS value is `TABLE_ACCESS` or `GENERAL`, database event records also contain the following fields: - - | Col # | Field name | TiDB data type | Maximum length | Description | - |---|---|---|---|---| - | 17 | CONNECTION_ID | INTEGER | | Connection ID | - | 18 | COMMAND | VARCHAR | 14 | The command type of the MySQL protocol | - | 19 | SQL_STATEMENT | VARCHAR | 17 | The SQL statement type | - | 20 | PID | INTEGER | | The PID of the TiDB process | +> To improve traffic visibility, `CLIENT_IP` now displays the real client IP address for connections via AWS PrivateLink, instead of the Load Balancer (LB) IP. Currently, this feature is in beta and is available only in the AWS region `Frankfurt (eu-central-1)`. + +### Audit operation information + +When the event class is `AUDIT` or a subclass of `AUDIT`, the audit logs contain the following information: + +| Field | Description | +|----------------|---------------------------------------------------------------------------------------------------------------| +| `AUDIT_OP_TARGET`| The objects of the setting related to TiDB Cloud database auditing. | +| `AUDIT_OP_ARGS` | The arguments of the setting related to TiDB Cloud database auditing. | + +## Audit logging limitations + +{{{ .essential }}} does not guarantee the sequential order of audit logs, which means that you might have to review all log files find the most recent events. To sort the logs chronologically, you can use the `TIME` field in the audit logs. From f2488a9a13db494a1ef01047fb4557b5a1d287ab Mon Sep 17 00:00:00 2001 From: qqqdan Date: Tue, 21 Apr 2026 19:20:10 -0700 Subject: [PATCH 2/4] Apply suggestions from code review Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --- tidb-cloud/premium/tidb-cloud-auditing-premium.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tidb-cloud/premium/tidb-cloud-auditing-premium.md b/tidb-cloud/premium/tidb-cloud-auditing-premium.md index e966257eb90ca..527d60863381a 100644 --- a/tidb-cloud/premium/tidb-cloud-auditing-premium.md +++ b/tidb-cloud/premium/tidb-cloud-auditing-premium.md @@ -274,7 +274,7 @@ When the event class is `CONNECTION` or a subclass of `CONNECTION`, the audit lo | Field | Description | |-----------------|-----------------------------------------------------------------------------------------------| -| `CURRENT_DB` | The name of the current database. When the event classes include DISCONNECT, this information is not recorded. | +| `CURRENT_DB` | The name of the current database. When the event classes include `DISCONNECT`, this information is not recorded. | | `CONNECTION_TYPE` | The type of connection, including Socket, UnixSocket, and SSL/TLS. | | `PID` | The process ID of the current connection. | | `SERVER_VERSION` | The current version of the connected TiDB server. | From ee10bc227f9c5b5b41ce8b587c89c7e624e12c08 Mon Sep 17 00:00:00 2001 From: qqqdan Date: Tue, 21 Apr 2026 19:20:27 -0700 Subject: [PATCH 3/4] Apply suggestions from code review Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --- tidb-cloud/premium/tidb-cloud-auditing-premium.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tidb-cloud/premium/tidb-cloud-auditing-premium.md b/tidb-cloud/premium/tidb-cloud-auditing-premium.md index 527d60863381a..55bc79b5dc861 100644 --- a/tidb-cloud/premium/tidb-cloud-auditing-premium.md +++ b/tidb-cloud/premium/tidb-cloud-auditing-premium.md @@ -299,4 +299,4 @@ When the event class is `AUDIT` or a subclass of `AUDIT`, the audit logs contain ## Audit logging limitations -{{{ .essential }}} does not guarantee the sequential order of audit logs, which means that you might have to review all log files find the most recent events. To sort the logs chronologically, you can use the `TIME` field in the audit logs. +{{{ .premium }}} does not guarantee the sequential order of audit logs, which means that you might have to review all log files to find the most recent events. To sort the logs chronologically, you can use the `TIME` field in the audit logs. From 8c499e57ae1fbb7892805c1c1de878c892405e8f Mon Sep 17 00:00:00 2001 From: qqqdan Date: Tue, 21 Apr 2026 19:21:28 -0700 Subject: [PATCH 4/4] Update tidb-cloud-auditing-premium.md --- tidb-cloud/premium/tidb-cloud-auditing-premium.md | 5 ----- 1 file changed, 5 deletions(-) diff --git a/tidb-cloud/premium/tidb-cloud-auditing-premium.md b/tidb-cloud/premium/tidb-cloud-auditing-premium.md index e966257eb90ca..0bb2a37ebbb6c 100644 --- a/tidb-cloud/premium/tidb-cloud-auditing-premium.md +++ b/tidb-cloud/premium/tidb-cloud-auditing-premium.md @@ -244,17 +244,12 @@ All classes of audit logs contain the following information: | Field | Description | |---------------|-----------------------------------------------------------------------------------------------| | `ID` | The unique identifier that identifies the audit record of an operation. | -| `TIME` | The timestamp of the audit record. | | `EVENT` | The event classes of the audit record. Multiple event types are separated by commas (`,`). | | `USER` | The username of the audit record. | | `ROLES` | The roles of the user at the time of the operation. | | `CONNECTION_ID` | The identifier of the user's connection. | | `TABLES` | The accessed tables related to this audit record. | | `STATUS_CODE` | The status code of the audit record. `1` means success, and `0` means failure. | -| `KEYSPACE_NAME` | The keyspace name of the audit record. | -| `SERVERLESS_TENANT_ID` | The ID of the serverless tenant that the {{{ .essential }}} instance belongs to. | -| `SERVERLESS_PROJECT_ID` | The ID of the serverless project that the {{{ .essential }}} instance belongs to. | -| `SERVERLESS_CLUSTER_ID` | The ID of the serverless {{{ .essential }}} instance that the audit record belongs to. | | `REASON` | The error message of the audit record. Only recorded when an error occurs during the operation.| ### SQL statement information