Data Plane Audit Logs
On this page
SingleStore logs database activities and writes the generated logs to an external location.
Forwarding Data Plane Audit Logs
Warning
Including customer credentials or other sensitive or confidential information through Zendesk or email puts both you, our customer, and SingleStore at risk, as the subject credentials may be exposed to unauthorized parties.
Please use a secure secrets management solution when sharing credentials via any means with SingleStore or any other third party.
SingleStore Helios supports forwarding Data Plane audit logs to the following third-party tools/integrations:
-
Amazon CloudWatch
-
Amazon S3
-
Azure Blob
-
Azure Log Analytics
-
Datadog
-
Google Cloud Logging (via Stackdriver)
-
New Relic
-
Splunk
Configure Audit Log Forwarding
Contact SingleStore Support and provide the requested information to configure audit log forwarding, including the audit logging level.
Requirements
Here are the requirements for some common supported third-party integrations:
Amazon CloudWatch
-
Your AWS access key ID and secret access key.
-
log_: The name of the CloudWatch Log Group to send records to.group_ name -
log_: The name of the CloudWatch Log Stream to send records to.stream_ name -
region: The AWS region.
Refer to Amazon CloudWatch for more information.
Amazon S3
-
Your AWS access key ID and secret access key.
-
bucket: The name of your S3 bucket. -
region: The AWS region of your S3 bucket.
Refer to Amazon S3 for more information.
Datadog
-
apikey: Your Datadog API key. -
Host: The Datadog server to send logs to.
-
TLS: Enable/disable end-to-end security communications protocol.
Refer to Datadog for more information.
Access Data Plane Audit Logs
You can view the Data Plane audit logs once they are configured and forwarded to the specified third-party tool.
Audit Log Formats
Data Plane audit logs are parsed and represented as JSON-formatted records in third-party tools.
The following sections describe the corresponding record schema for each audit log type.
First Line Schema
The first line of a log file has a unique schema that describes the event or action that resulted in the creation of a new log file.
|
Field |
Description |
|---|---|
|
|
Represents the unique identifier for the log entry within the scope of a single log file. |
|
|
Specifies the local system time when the file was opened or rotated, using the same timestamp formatting as other audit log records. |
|
|
Describes the reason or event that caused the creation of the log file.
|
|
|
Specifies current audit logging format version. |
|
|
Describes the audit logging state associated with the new file.
|
For example:
{"id": "0","time": "2026-06-21 18:49:25.888","origin": "Log opened on MemSQL startup","version": "Format version 4","action": "Logging at level ADMIN-ONLY-INCLUDING-PARSE-FAILS"}
Login and Logout Schema
Each login attempt and logout event is logged using the following schema:
Note
The logout event log schema does not contain the authtype and status fields.
|
Field |
Description |
|---|---|
|
|
Represents the unique identifier for the log entry within the scope of a single log file. |
|
|
Specifies the node’s local system time when an operation was executed. |
|
|
Specifies the local time zone when the event was logged. |
|
|
Specifies the hostname or IP address of the SingleStore Helios workspace in the |
|
|
Specifies the type of node.
|
|
|
Specifies the login or logout event type.
|
|
|
Specifies the ID of the thread that is running the statement. |
|
|
Specifies the username of the user performing the login or logout. |
|
|
Specifies the hostname or IP address that the client is using to connect to the workspace. |
|
|
Specifies the |
|
(Login attempts only) |
Specifies the authentication method for the user, for example, |
|
(Login attempts only) |
Indicates the success or failure of the login attempt.
|
|
|
Specifies the TLS encryption algorithm used during the session. |
|
|
Specifies the client application name retrieved from the session's |
|
|
Specifies the client OS user retrieved from the session's |
For example:
{"id": "363750385","time": "2026-08-11 18:53:18.150,UTC","endpoint": "c770dd909a9c:3306","nodetype": "agg","type": "USER_LOGIN","threadid": "100000","username": "pac","remotehost": "192.168.0.1","usergrant": "pac@%","authtype": "mysql_native_password","status": "SUCCESS","tlscipher": "ECDHE-RSA-AES256-GCM-SHA384","appname": "mysql","osuser": "osuser"}
Completion Record Schema for Query Execution
Completion records capture the final outcome of a query after execution.id.
|
Field |
Description |
|---|---|
|
|
Specifies the audit-log record ID of the original query record, used to correlate the command completion log to the original query. |
|
|
A record-type marker which indicates a query record. |
|
|
Specifies the final status of the query.
|
|
|
Specifies the number of affected or returned records recorded at completion time. |
For example:
{"id": 123456,"record_type": "C","status": "SUCCESS","records_affected": 42}
Schema for General Entries
Queries are logged as general entries in the following format:
{"id": "28151","endpoint": "node-37775b0a-6feb-4b61-98a7-master-0:3306","nodetype": "agg","aggregatorid": "1","threadid": "99996","username": "root","database": "[unknown]","queryhash": "3505599087362974304","query": "GRANT CREATE LINK\\,DROP LINK\\,SHOW LINK ON *.* TO 'admin'"}
|
Field |
Description |
|---|---|
|
|
Represents the unique identifier for the log entry within the scope of a single log file. |
|
|
Specifies the hostname or IP address of the SingleStore Heliosworkspace. |
|
|
Specifies the type of node. |
|
|
Specifies the ID of the aggregator that is running the query. |
|
|
Specifies the ID of the thread that is running the query. |
|
|
Specifies the username that is running the query. |
|
|
Specifies the database name. |
|
|
Specifies the unique hash of the query signature or the query text. |
|
|
Specifies the query signature or the query text. |
Audit Logging Levels
There are 11 logging levels that are organized into the following categories, each with increasing levels of verbosity:
-
Log only valid statements and queries:
-
LOGINS-ONLY -
ADMIN-ONLY -
WRITES-ONLY -
ALL-QUERIES -
ALL-QUERIES-PLAINTEXT -
ALL-RESULTS
-
-
Log valid and invalid statements and queries:
-
ADMIN-ONLY-INCLUDING-PARSE-FAILS(default) -
WRITES-ONLY-INCLUDING-PARSE-FAILS -
ALL-QUERIES-INCLUDING-PARSE-FAILS -
ALL-QUERIES-PLAINTEXT-INCLUDING-PARSE-FAILS -
ALL-RESULTS-INCLUDING-PARSE-FAILS
-
A valid statement or query is one that can be successfully parsed by SingleStore.
Warning
User credentials and PII information contained in all valid statements and queries is obfuscated in audit logs.
You can optionally filter logs for the root user only and exclude the audit of information schema queries.
LOGINS-ONLY
The LOGINS-ONLY level logs the successful and failed login attempts into the database.LOGINS-ONLY level does not include the PARSE-FAILS option for logins, because this option is reserved for queries.LOGINS-ONLY level is the lowest level of the audit log, i.
ADMIN-ONLY and ADMIN-ONLY-INCLUDING-PARSE-FAILS
The ADMIN-ONLY level is inclusive of the LOGINS-ONLY level logs, and it also logs DDL operations such as CREATE, DROP, ALTER, etc.SET PASSWORD), the password’s value will be omitted from the log.
The ADMIN-ONLY-INCLUDING-PARSE-FAILS level is inclusive of ADMIN-ONLY but also logs invalid statements that fail to parse.
WRITES-ONLY and WRITES-ONLY-INCLUDING-PARSE-FAILS
The WRITES-ONLY level is inclusive of ADMIN-ONLY but also logs DML operations such as INSERT, DELETE, UPDATE, with one exception: SELECT queries are not logged.
The WRITES-ONLY-INCLUDING-PARSE-FAILS level is inclusive of WRITES-ONLY but also logs invalid statements that fail to parse.
ALL-QUERIES and ALL-QUERIES-INCLUDING-PARSE-FAILS
The ALL-QUERIES level is inclusive of WRITES-ONLY but also logs read operations such as SELECT statements.
The ALL-QUERIES-INCLUDING-PARSE-FAILS level is inclusive of ALL-QUERIES but also logs invalid statements that fail to parse.
ALL-QUERIES-PLAINTEXT and ALL-QUERIES-PLAINTEXT-INCLUDING-PARSE-FAILS
The ALL-QUERIES-PLAINTEXT level is inclusive of ALL-QUERIES but also logs the entire literal query, not just the parameterized version without literal strings and numbers.
The ALL-QUERIES-PLAINTEXT-INCLUDING-PARSE-FAILS level is inclusive of ALL-QUERIES-PLAINTEXT but also logs invalid statements that fail to parse.
ALL-RESULTS and ALL-RESULTS-INCLUDING-PARSE-FAILS
The ALL-RESULTS level is inclusive of ALL-QUERIES-PLAINTEXT but also logs the database’s responses.
When this level is selected, the entry ID for a query is shared with the results entries.
The ALL-RESULTS-INCLUDING-PARSE-FAILS level is inclusive of ALL-RESULTS but also logs invalid statements that fail to parse.
Last modified: