Sign inTry Free

Configure Audit Logging

To enable audit logging, configure audit log settings in the globalVariables section of your cluster custom resource (CR).

Add the audit log configuration to your sdb-cluster.yaml:

apiVersion: memsql.com/v1alpha1
kind: MemsqlCluster
metadata:
 name: sdb-cluster
spec:
 license: <license_key>
 adminHashedPassword: "<hashed_password>"


 globalVariables:
   auditlog_level: ADMIN-ONLY
   auditlog_disk_sync: OFF
   auditlog_rotation_size: 134217728
   auditlog_rotation_time: 3600


 nodeImage:
   repository: singlestore/node
   tag: alma-8.7.10-28804d3b1b


 redundancyLevel: 2


 aggregatorSpec:
   count: 2
   cores: 8
   memoryMB: 32768
   storageGB: 256


 leafSpec:
   count: 2
   cores: 8
   memoryMB: 32768
   storageGB: 512

Apply the configuration:

kubectl apply -f sdb-cluster.yaml

You can configure the following audit log variables:

Variable

Description

Default

Example

auditlog_level

Audit logging level. Refer to Audit Logging Levels for more information.

OFF

ADMIN-ONLY, WRITES-ONLY, ALL

auditlog_disk_sync

Sync to disk after each write

ON

OFF

auditlog_retention_period

Retention period (in days) for audit log files. A value of 0 retains log files on the server indefinitely.

0

7, 30, 90

auditlog_rotation_size

Maximum log file size in bytes

134217728

268435456

auditlog_rotation_time

Maximum time in seconds before rotation

3600

7200 

SHOW GLOBAL VARIABLES LIKE 'audit%';

Connect to your cluster and verify the settings:

You can collect audit logs from your Kubernetes cluster using a Kubernetes Job.

To automate report collection and upload to your storage backend, create a Kubernetes Job. This approach works with on-premises storage (NFS, local persistent volumes) and object storage systems (MinIO, S3-compatible storage).

  • Create storage credentials secret (one-time setup)

    For S3-compatible storage:

    kubectl create secret generic aws-credentials \
     --from-literal=access-key-id=YOUR_ACCESS_KEY \
     --from-literal=secret-access-key=YOUR_SECRET_KEY

    For other storage backends, create appropriate secrets for your authentication method.

  • Create cluster-collection-job.yaml

    apiVersion: batch/v1
    kind: Job
    metadata:
      name: singlestore-report-collection
    spec:
      template:
        spec:
          serviceAccountName: tools
          containers:
          - name: report-collector
            image: singlestore/tools:latest
            command: ["/bin/bash", "-c"]
            args:
            - |
              # Collect the cluster report
              sdb-report collect-kube --cluster-name sdb-cluster --namespace default --output-path /tmp/report
              REPORT_FILE=$(ls -t /tmp/report/*.tar.gz | head -1)
    

              # Upload to S3-compatible object storage (e.g., MinIO)
              aws s3 cp $REPORT_FILE s3://${BUCKET_NAME}/cluster-reports/ --endpoint-url ${S3_ENDPOINT}
    

              # On-premises storage options:
              # - NFS: cp $REPORT_FILE /mnt/nfs/cluster-reports/
              # - Local PV: cp $REPORT_FILE /mnt/storage/cluster-reports/
    

            env:
            # S3-compatible storage configuration (e.g., MinIO)
            - name: AWS_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  name: storage-credentials
                  key: access-key-id
            - name: AWS_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: storage-credentials
                  key: secret-access-key
            - name: BUCKET_NAME
              value: "your-bucket-name"
            - name: S3_ENDPOINT
              value: "http://minio:9000"
    

            # Optional: mount on-premises storage
            # volumeMounts:
            # - name: nfs-storage
            #   mountPath: /mnt/nfs
            # - name: local-storage
            #   mountPath: /mnt/storage
    

          restartPolicy: Never
    

          # Optional: define on-premises volumes
          # volumes:
          # - name: nfs-storage
          #   nfs:
          #     server: your-nfs-server
          #     path: /path/to/storage
          # - name: local-storage
          #   hostPath:
          #     path: /path/to/local/storage
          #     type: Directory
    

      backoffLimit: 3

  • Run the job

    kubectl apply -f cluster-collection-job.yaml

  • Check progress and view logs

    # Check job status
    kubectl get jobs
    

    # View logs
    kubectl logs job/singlestore-report-collection
    

    # Verify upload to external storage
    

    # For S3-compatible object storage (for example, MinIO):
    aws s3 ls s3://<your-bucket>/cluster-reports/ --endpoint-url <your-endpoint>
    

    # For NFS or local persistent storage (from a mounted node or pod):
    ls /mnt/nfs/cluster-reports/

  • Clean up (optional)

    kubectl delete job singlestore-report-collection

Note

Ensure the tools service account has the required RBAC permissions. Refer to Create and Apply the Tools RBAC for more information.

Last modified:

Was this article helpful?

Was this article helpful?

Verification instructions

Note: You must install cosign to verify the authenticity of the SingleStore file.

Use the following steps to verify the authenticity of singlestoredb-server, singlestoredb-toolbox, singlestoredb-studio, and singlestore-client SingleStore files that have been downloaded.

You may perform the following steps on any computer that can run cosign, such as the main deployment host of the cluster.

  1. (Optional) Run the following command to view the associated signature files.

    curl undefined

  2. Download the signature file from the SingleStore release server.

    • Option 1: Click the Download Signature button next to the SingleStore file.

    • Option 2: Copy and paste the following URL into the address bar of your browser and save the signature file.

    • Option 3: Run the following command to download the signature file.

      curl -O undefined

  3. After the signature file has been downloaded, run the following command to verify the authenticity of the SingleStore file.

    echo -n undefined |
        cosign verify-blob --certificate-oidc-issuer https://oidc.eks.us-east-1.amazonaws.com/id/CCDCDBA1379A5596AB5B2E46DCA385BC \
          --certificate-identity https://kubernetes.io/namespaces/freya-production/serviceaccounts/job-worker \
          --bundle undefined \
          --new-bundle-format -
    Verified OK

Try Out This Notebook to See What’s Possible in SingleStore

Get access to other groundbreaking datasets and engage with our community for expert advice.

Sign UpLog In