Forwarding Audit Logs
SingleStoreDB Cloud supports forwarding audit logs to third-party tools. Here's a list of some common supported third-party tools/integrations:
Amazon CloudWatch
Amazon S3
Azure Blob
Azure Log Analytics
Datadog
Kafka
Loki
New Relic
Slack
Splunk
See Outputs for a list of all the supported integrations.
Prerequisites
Contact SingleStore Support and provide the requested information to configure audit log forwarding.
Requirements
Here are the requirements for some common supported third-party integrations:
Amazon CloudWatch
Your AWS access key ID and secret access key.
log_group_name: The name of the CloudWatch Log Group to send records to.
log_stream_name: The name of the CloudWatch Log Stream to send records to.
region: The AWS region.
See Amazon CloudWatch for more information.
Amazon S3
Your AWS access key ID and secret access key.
bucket: The name of your S3 bucket.
region: The AWS region of your S3 bucket.
See Amazon S3 for more information.
Datadog
apikey: Your Datadog API key.
Host: The Datadog server to send logs to.
TLS: Enable/disable end-to-end security communications protocol.
See Datadog for more information.
Audit Log Formats
Audit logs are parsed and represented as JSON-formatted records in third-party tools.
Each forwarded audit log record has one of the following schemas:
Schema for First Line
The first line of a log file describes the reason/action that resulted in the creation of a new log file:
{ "id": "0", "time": "2022-06-21 18:49:25.888", "origin": "Log opened on MemSQL startup", "version": "Format version 2", "action": "Logging at level ADMIN-ONLY-INCLUDING-PARSE-FAILS" }
Field | Description |
---|---|
id | Represents the unique identifier for the log entry within the scope of a single log file. This value is always |
time | Specifies the local timestamp when the action/event occurred. |
origin | Specifies the reason/event that resulted in the creation of the log file. |
version | Specifies the log format version. |
action | Specifies the reason/event that opened or rotated the log file. |
Schema for Login Attempt Logs
Each login attempt is logged in the following format:
{ "id": "28179", "endpoint": "node-37775b0a-6feb-4b61-98a7-master-0:3306", "nodetype": "agg", "threadid": "99996", "username": "root", "remotehost": "localhost", "usergrant": "root@%", "authtype": "password", "status": "SUCCESS" }
Field | Description |
---|---|
id | Represents the unique identifier for the log entry within the scope of a single log file. |
endpoint | Specifies the hostname or IP address of the SingleStoreDB Cloud workspace. |
nodetype | Specifies the type of node. It can have one of the following values: |
threadid | Specifies the ID of the thread that is running the statement. |
username | Specifies the username that is trying to log in. |
remotehost | Specifies the hostname or IP address that the client is using to connect to the workspace. This value is detected by the server and not reported by the client. |
usergrant | The |
authtype | Specifies the authentication method for the user, for example |
status | Indicates the |
Schema for General Entries
Queries are logged as general entries in the following format:
{ "id": "28151", "endpoint": "node-37775b0a-6feb-4b61-98a7-master-0:3306", "nodetype": "agg", "aggregatorid": "1", "threadid": "99996", "username": "root", "database": "[unknown]", "queryhash": "3505599087362974304", "query": "GRANT CREATE LINK\\,DROP LINK\\,SHOW LINK ON *.* TO 'admin'" }
Field | Description |
---|---|
id | Represents the unique identifier for the log entry within the scope of a single log file. |
endpoint | Specifies the hostname or IP address of the SingleStoreDB Cloud workspace. |
nodetype | Specifies the type of node. It can have one of the following values: |
aggregatorid | Specifies the ID of the aggregator that is running the query. |
threadid | Specifies the ID of the thread that is running the query. |
username | Specifies the username that is running the query. |
database | Specifies the database name. |
queryhash | Specifies the unique hash of the query signature or the query text. |
query | Specifies the query signature or the query text. |
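The three schemas above can be told apart by the keys each record carries. The following is an added example, not SingleStore code: it classifies forwarded records and surfaces log-file openings, non-successful logins and privilege-changing statements. The fourth sample record and its status value, the list of statement prefixes, and the treatment of `\,` as an escaped comma are assumptions.

```python
import json
import re

# Records 1-3 are the samples from this page. Record 4 is constructed; its
# status value is a placeholder, not a documented SingleStore value.
SAMPLE_LINES = [
    r'''{ "id": "0", "time": "2022-06-21 18:49:25.888", "origin": "Log opened on MemSQL startup", "version": "Format version 2", "action": "Logging at level ADMIN-ONLY-INCLUDING-PARSE-FAILS" }''',
    r'''{ "id": "28179", "endpoint": "node-37775b0a-6feb-4b61-98a7-master-0:3306", "nodetype": "agg", "threadid": "99996", "username": "root", "remotehost": "localhost", "usergrant": "root@%", "authtype": "password", "status": "SUCCESS" }''',
    r'''{ "id": "28151", "endpoint": "node-37775b0a-6feb-4b61-98a7-master-0:3306", "nodetype": "agg", "aggregatorid": "1", "threadid": "99996", "username": "root", "database": "[unknown]", "queryhash": "3505599087362974304", "query": "GRANT CREATE LINK\\,DROP LINK\\,SHOW LINK ON *.* TO 'admin'" }''',
    r'''{ "id": "28180", "endpoint": "node-example:3306", "nodetype": "agg", "threadid": "99997", "username": "root", "remotehost": "203.0.113.7", "usergrant": "", "authtype": "password", "status": "CONSTRUCTED-NON-SUCCESS" }''',
]

# Statement prefixes treated as privilege changes (an illustrative choice).
PRIV_CHANGE = re.compile(r"^\s*(GRANT|REVOKE|CREATE\s+USER|ALTER\s+USER|DROP\s+USER)\b", re.I)


def classify(record):
    """Map a record to one of the three schemas by its distinguishing keys."""
    if "origin" in record and "version" in record:
        return "first_line"
    if "authtype" in record and "status" in record:
        return "login"
    if "query" in record and "queryhash" in record:
        return "general"
    return "unknown"


def review(lines):
    """Return (kind, id, note) findings worth an analyst's attention."""
    findings = []
    for line in lines:
        record = json.loads(line)
        kind = classify(record)
        if kind == "first_line":
            # A new log file was opened: keep its stated action on record.
            findings.append((kind, record["id"], record["action"]))
        elif kind == "login" and record["status"] != "SUCCESS":
            findings.append((kind, record["id"],
                             f'{record["username"]} from {record["remotehost"]}: {record["status"]}'))
        elif kind == "general":
            # Assumption: "\," is an escaped comma, so undo it before matching.
            query = record["query"].replace("\\,", ",")
            if PRIV_CHANGE.match(query):
                findings.append((kind, record["id"], f'{record["username"]}: {query}'))
    return findings


if __name__ == "__main__":
    print(*review(SAMPLE_LINES), sep="\n")
```

Comparing against `"SUCCESS"` rather than a specific failure string keeps the login check valid whatever other status values the service emits.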
View Audit Logs
You can view the audit logs once they are configured and forwarded to the specified third-party tool. Here's a sample audit log from a log group configured in Amazon CloudWatch: