Excluding events in the audit plugin log

Hello, I am configuring the audit_log plugin and it is logging too many events and there seems to be no way to exclude them.

I have configured the plugin with audit_log_exclude_commands to not log any common commands, so that only “unusual” activity is logged. The problem is that the log file is swamped by lines like

{"audit_record":{"name":"Connect","record":"3268525_2022-09-15T13:51:06","timestamp":"2022-09-15T14:36:54Z","connection_id":"10","status":0,"user":"xxx","priv_user":"xxx","os_login":"","proxy_user":"","host":"","ip":"10.0.0.1","db":"mydb"}}
{"audit_record":{"name":"Close stmt","record":"3268526_2022-09-15T13:51:06","timestamp":"2022-09-15T14:36:54Z","command_class":"close stmt","connection_id":"11","status":0,"sqltext":"","user":"xxx[xxx] @ [10.0.0.1]","host":"","os_user":"","ip":"10.0.0.1","db":"mydb"}}
{"audit_record":{"name":"Quit","record":"3268532_2022-09-15T13:51:06","timestamp":"2022-09-15T14:36:54Z","connection_id":"12","status":0,"user":"xxx","priv_user":"xxx","os_login":"","proxy_user":"","host":"","ip":"10.0.0.1","db":"mydb"}}

The second line above contains a "command_class":"close stmt" (this is JSON output), but I have tried adding “close stmt”, “Close stmt”, “close” and a few other things to audit_log_exclude_commands but cannot suppress the output.

Similarly, the configuration options appear to offer no way of excluding different event types (namely, “Connect” and “Quit”). Given that this server has several thousand connections per second, the amount of logs written to the file is not viable.

Does anyone have an idea how to do this?

I should also point out that I tried reversing the configuration of audit_log_exclude_commands in terms of audit_log_include_commands but the Connect and Quit events are still logged.

As a result, the plugin logs 1 GiB of useless data in 8-9 minutes.

1 Like

Check out the documentation for the values of commands you can exclude:
https://docs.percona.com/percona-server/8.0/management/audit_log_plugin.html#id4

If _exclude_commands has values, then _include_commands must be NULL and vice versa.

1 Like

I read the documentation. I understand the meaning of excluded or included, and that one of exclude and include must be null.

What I am pointing out is that Connect and Quit events are always logged and, apparently, cannot be turned off. Note that these events are not defined as a statement/sql/something in setup_instruments. This makes sense: when a connect or quit occurs, no statement is being executed.

Unless I am missing something, this makes the plugin unusable on a busy server.

1 Like

Ok. If you then have a repeatable test case, please open a bug report at https://jira.percona.com/ so that our engineers can take a look. Be sure to note in the bug report the specific version of percona server you are running.

1 Like

I figured out what I was doing wrong. I had audit_log_policy set to ALL. Changing it to QUERIES eliminates all the Connect/Traffic. The documentation does not show clearly how these parameters are related.

I will file a bug report though, because as far as I can tell, when using audit_log_exclude_commands there is no way to exclude command_class: close stmt events, so I am forced to deal with a very unwieldy audit_log_include_commands setting (the value is 2194 characters long).

1 Like
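Since the plugin cannot drop "close stmt" records on its own, the practical workaround is to filter the JSON log downstream. The script below is an added example, not code from this thread or from Percona: it parses constructed audit records modelled on the ones quoted above (values anonymised, one record per line as with audit_log_format = JSON), applies the same two rules discussed in the thread (drop Connect/Quit session events, which carry no command_class, as audit_log_policy = QUERIES does in-plugin; and drop any command_class listed in an exclude set, which is what audit_log_exclude_commands does for the classes it supports), and enforces the rule that include and exclude lists are mutually exclusive. The function names and the sample lines are assumptions for illustration.

```python
import json
from collections import Counter

# Constructed sample lines modelled on the records quoted in the thread
# (audit_log_format = JSON, one record per line). The final junk line is
# deliberate: a log filter must survive a torn or partially written line.
SAMPLE_LOG = """\
{"audit_record":{"name":"Connect","record":"1_2022-09-15T13:51:06","timestamp":"2022-09-15T14:36:54Z","connection_id":"10","status":0,"user":"app","priv_user":"app","os_login":"","proxy_user":"","host":"","ip":"10.0.0.1","db":"mydb"}}
{"audit_record":{"name":"Query","record":"2_2022-09-15T13:51:06","timestamp":"2022-09-15T14:36:54Z","command_class":"select","connection_id":"10","status":0,"sqltext":"SELECT 1","user":"app[app] @ [10.0.0.1]","host":"","os_user":"","ip":"10.0.0.1","db":"mydb"}}
{"audit_record":{"name":"Close stmt","record":"3_2022-09-15T13:51:06","timestamp":"2022-09-15T14:36:54Z","command_class":"close stmt","connection_id":"11","status":0,"sqltext":"","user":"app[app] @ [10.0.0.1]","host":"","os_user":"","ip":"10.0.0.1","db":"mydb"}}
{"audit_record":{"name":"Query","record":"4_2022-09-15T13:51:06","timestamp":"2022-09-15T14:36:55Z","command_class":"grant","connection_id":"12","status":0,"sqltext":"GRANT ALL ON *.* TO 'x'@'%'","user":"app[app] @ [10.0.0.1]","host":"","os_user":"","ip":"10.0.0.1","db":"mydb"}}
{"audit_record":{"name":"Quit","record":"5_2022-09-15T13:51:06","timestamp":"2022-09-15T14:36:55Z","connection_id":"12","status":0,"user":"app","priv_user":"app","os_login":"","proxy_user":"","host":"","ip":"10.0.0.1","db":"mydb"}}
not json at all
"""

# Session events: as the thread notes, these carry no command_class at all,
# so a command-class filter can never match them.
SESSION_EVENTS = {"connect", "quit"}


def parse_records(text):
    """Return (records, malformed_line_count) for a JSON-format audit log."""
    records, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line)["audit_record"])
        except (ValueError, KeyError, TypeError):
            bad += 1  # torn or non-JSON line: count it, do not abort
    return records, bad


def validate_command_filters(include_commands, exclude_commands):
    """Mirror the plugin rule quoted in the thread: only one list may be set."""
    if include_commands and exclude_commands:
        raise ValueError(
            "audit_log_include_commands and audit_log_exclude_commands are mutually exclusive"
        )


def filter_records(records, exclude_commands=(), drop_session_events=True):
    """Post-hoc equivalent of audit_log_exclude_commands, plus the Connect/Quit
    suppression that audit_log_policy = QUERIES provides in-plugin.

    Matching is case-insensitive on the record's command_class only, which is
    why this can drop "close stmt" even though the plugin setting could not.
    """
    excluded = {c.lower() for c in exclude_commands}
    kept = []
    for rec in records:
        if drop_session_events and rec.get("name", "").lower() in SESSION_EVENTS:
            continue
        if rec.get("command_class", "").lower() in excluded:
            continue
        kept.append(rec)
    return kept


def summarize(records):
    """Count records by command_class, falling back to name for session events."""
    return Counter(r.get("command_class") or r.get("name") for r in records)


if __name__ == "__main__":
    records, bad = parse_records(SAMPLE_LOG)
    print(f"parsed {len(records)} records, skipped {bad} malformed line(s)")
    print("before:", dict(summarize(records)))
    kept = filter_records(records, exclude_commands={"close stmt", "select"})
    print("after: ", dict(summarize(kept)))
```

Run on the five constructed records, only the GRANT statement survives: the two session events go because they have no command_class, and the "select" and "close stmt" classes go because they are in the exclude set. On a real server this would sit behind the plugin (tail the file, or feed it through the log shipper) rather than replace it, and audit_log_policy = QUERIES should still be set so the Connect/Quit volume never reaches the disk in the first place.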

I filed a bug report: [PS-8404] audit_log plugin cannot exclude "close stmt" command (Percona JIRA).

1 Like