Audit_log_filter (8.4): How to capture queries + user in one entry

MySQL & MariaDB Percona Server for MySQL 8.0
1

Hello everbody,

we are currently migrating from 8.0 to 8.4 and therefore need to switch from the legacy Audit Log Plugin to modern Audit Log Filter Component.
And although the component is much better and can do more, I can’t manage to implement a possible simple thing.

I want to log certain queries for a list of users. In the old plugin it was quite easy to do this:
audit_log_include_commands = select
audit_log_include_accounts = 'sebastian@localhost'

this has created the desired entries:
"Query","<...>","<...>","<...>","<...>",0,"select ...","sebastian[sebastian] @ [10.20.108.132]","","","10.20.108.132",""

I’m unable to do that in the new component. What I have tried up so far:

  • filter on class “table_access”. This works, but does not log the exact statements.

    {
    “timestamp”: “2025-07-29 13:07:45”,
    “id”: 50934,
    “class”: “table_access”,
    “event”: “update”,
    “connection_id”: 2815,
    “table_access_data”: {
    “db”: “MYDB”,
    “table”: “MYTABLE”}
    }

  • filter on class “query”. This will log the statements, but does not log the user information (I could only derive this from previous connection/general records).

    {
    “timestamp”: “2025-07-29 13:06:02”,
    “id”: 11241,
    “class”: “query”,
    “event”: “query_start”,
    “connection_id”: 1887,
    “query_data”: {
    “query”: “SELECT 1’”,
    “status”: 0,
    “sql_command”: “select”}
    }

Both classes also do not respect the filter "user": "sebastian" as documented, actions of all users are still being written to log.

Is it possible in the new plugin to output filtered queries together with the user in one record?
To me, this sounds like a simple and often needed requirement that has to work. That’s why I feel pretty stupid right now and would be glad if someone could help me :slight_smile:

have a good day
Sebastian

2

Sebastian,

Unfortunately, this is how upstream (Oracle) created new audit_log_filter event model. We’ve got much more granular event structure and more flexible filtering rules but the downside is that even the basic data can be scattered between multiple records.
So, you will get “connection” event with “host”, “user” and “connection_id” in one record and “sql_command” with the same “connection_id” in another.

As for the filtering by user name (“user”: “sebastian” in your example), try using the “host” parameter as part of your filter as well and make sure that the ‘’@‘’ pair is exactly the same as value returned by CURRENT_USER() MySQL function run from the same context where your real statement are executed.
For instance, you can be connecting as ‘sebastian’@‘localhost’, but real MySQL account associated with this user can be ‘sebastian’@‘%’. So, in this case the filtering rule should be
{"user": "sebastian", "host": "%"}

3

Hi Yura,

lovely, thank you for the confirmation. Then it is indeed the case that we have to gather the information from various records.

The user filtering works as described, but only for events actually containing the user-information (like “connection” but not e.g. “query”)

4

As for the filtering by user, I would also suggest considering a bit different approach. Instead of adding filters for individual record types, try filtering by user on the “rules“ level.

Basically, create a rule definition you need

`SELECT audit_log_filter_set_filter(‘rule_for_sebastian’, @filter);`

and then assign it to this particular user

`SELECT audit_log_filter_set_user(‘senbastian@localhost’, ‘rule_for_sebastian’);`

1 Like