Audit plugin excluded accounts still being logged

Hi,

I am having issues excluding users from Percona’s audit plugin. Users are added to my.cnf via the audit_log_exclude_accounts system variable but still show in the audit log.


audit_log_policy=ALL
audit_log_format=JSON
audit_log_file=/var/log/mysql/audit.log
audit_log_rotate_on_size=10M
audit_log_rotations=10
audit_log_exclude_accounts=''user_brand_stg'@'X.X.20.%','user_brand_stg'@'X.X.30.%','user_track_stg'@'X.X.20.%','user_track_stg'@'X.X.30.%','user@'X.X.%.%'....(19 TOTAL ACCOUNTS in a similar setup)''
audit_log_exclude_commands='show_status,show_processlist'

The users' hosts and wildcards match what is in mysql.user for user

MySQL version :
mysqld Ver 5.7.36-39-57 for debian-linux-gnu on x86_64 (Percona XtraDB Cluster (GPL), Release rel39, Revision 5197785, WSREP version 31.55, wsrep_31.55)

Output from variables show


audit_log_include_accounts shows as NULL as well from select @@Global.audit_log_include_accounts

I also see the same issue on another similarly configured server :
mysqld Ver 5.7.34-37-57 for debian-linux-gnu on x86_64 (Percona XtraDB Cluster (GPL), Release rel37, Revision 99b8607, WSREP version 31.51, wsrep_31.51)

Any ideas on what is going wrong here?
Do I need to escape any characters? The documentation only mentions commas and using the format ‘user’@‘host’.

Regards


Hello Hamza,
Thank you for your question.
As far as I know, you need to specify the user and host the same as you have them in mysql.user.
For example, if you have 2 users like:
'percona'@'10.10.%' and 'percona'@'10.11.%'
and you try to exclude them like below, it will not work for you:
audit_log_exclude_accounts="'percona'@'10.%'"

You need to provide the exact user inside this variable:

audit_log_exclude_accounts="'percona'@'10.10.%','percona'@'10.11.%'"

Regards,
Denis Subbota.
Managed Services, Percona.

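An added example, not part of the thread and not Percona's code: a Python check that applies the rule stated in the answer above (each entry must equal a 'user'@'host' pair from mysql.user exactly) to an audit_log_exclude_accounts value, so that accounts which would keep being audited are caught before the config is deployed. The function names, the sample accounts and the sample value are constructed for illustration, and stripping outer double quotes is an assumption based on the quoting used in the answer.

```python
import re

# One entry must look like 'user'@'host' (the format quoted in the thread).
ENTRY_RE = re.compile(r"^'([^']*)'@'([^']*)'$")

def like_to_regex(pattern):
    """Translate MySQL host wildcards (% and _) into an anchored regex."""
    body = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                   for c in pattern)
    return re.compile("^" + body + "$")

def check_exclude_list(value, accounts):
    """Classify each entry of an audit_log_exclude_accounts value.

    accounts: set of (user, host) tuples exactly as stored in mysql.user.
    Returns a dict with 'exact', 'malformed' and 'no_exact_match' lists.
    """
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]  # assumption: outer double quotes as in the answer
    result = {"exact": [], "malformed": [], "no_exact_match": []}
    for token in (t.strip() for t in value.split(",")):
        if not token:
            continue
        m = ENTRY_RE.match(token)
        if not m:
            result["malformed"].append(token)  # e.g. a missing quote
            continue
        user, host = m.groups()
        if (user, host) in accounts:
            result["exact"].append(token)
            continue
        # The entry is not an account itself; list the accounts its
        # wildcard merely covers, which is the case the answer describes.
        rx = like_to_regex(host)
        covered = sorted(f"'{u}'@'{h}'" for u, h in accounts
                         if u == user and rx.match(h))
        result["no_exact_match"].append((token, covered))
    return result

# Constructed sample data: accounts as they would appear in mysql.user,
# and an exclude list with one broad wildcard and one mis-quoted entry.
SAMPLE_ACCOUNTS = {("percona", "10.10.%"), ("percona", "10.11.%"),
                   ("app", "localhost")}
SAMPLE_VALUE = "\"'percona'@'10.%','percona'@'10.10.%','app@'localhost'\""

if __name__ == "__main__":
    for kind, items in check_exclude_list(SAMPLE_VALUE, SAMPLE_ACCOUNTS).items():
        print(kind, items)
```

The account set can be filled from `SELECT user, host FROM mysql.user` on the server being audited.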