Can audit plugin include the execute_sql command, but exclude selects running in it?

Hello Percona team!
I read the doc for the audit plugin which you have here:

In our setup we have prepare/execute commands.
We can include the execute statements in the audit.
But its mean that we include everything what we run in execute statements.
The question is: “Can I exclude “selects” which we run in “execute” statement from the audit somehow?”

Hi!

You can exclude commands with “audit_log_exclude_commands” parameter as shown on the official doc: audit_log_exclude_commands

In your case , every select inside an execute statement will also be logged even if you exclude “selects”. Reason is shown with this example:
<AUDIT_RECORD
NAME=“Query”
RECORD=“33_2022-04-13T12:17:04”
TIMESTAMP=“2022-04-13T12:20:06 UTC”
COMMAND_CLASS=“execute_sql”
CONNECTION_ID=“5”
STATUS=“0”
SQLTEXT=“SELECT 25+35 AS SUM”
USER=“root[root] @ localhost
HOST=“localhost”
OS_USER=""
IP=""
DB=""
/>

COMMAND_CLASS column is the value being filtered when excluding commands from the audit log. Since in the above case COMMAND_CLASS is “execute_sql” every SQLTEXT will be audited even if it’s a select.

Regards

1 Like

Yes, This situation I would like to avoid!
I want to log all insert/updated/deletes only.
So I need to log all examples where we have COMMAND_CLASS=“execute_sql” and SQLTEXT=“insert/update/delete%".
So the question is how to exclude from audit selects which goes in the execute_sql?
I’m sorry, but previous answer don’t answer on this question. :frowning:

1 Like

Hi again,

Sorry if I was not clear enough.

You cannot exclude selects that are inside EXECUTE commands. Either you exclude the entire prepared statement execution, or you log everything.

Regards

1 Like

Hi,
I had hope that I missed something in the configuration. :slight_smile:
Thank you very much for your help.

1 Like