tidb-cloud/tidb-cloud-auditing.md
Lines changed: 10 additions & 12 deletions
@@ -7,10 +7,6 @@ summary: Learn about how to audit a cluster in TiDB Cloud.
7
7
8
8
TiDB Cloud provides you with a database audit logging feature to record a history of user access details (such as any SQL statements executed) in logs.
9
9
10
-
> **Note:**
11
-
>
12
-
> Currently, the **audit logging** feature is experimental. The interface and output are subject to change.
13
-
14
10
To assess the effectiveness of user access policies and other information security measures of your organization, it is a security best practice to conduct a periodic analysis of the database audit logs.
15
11
16
12
The audit logging feature is disabled by default. To audit a cluster, you need to enable the audit logging first, and then specify the auditing filter rules.
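Review bot: Removing the "Currently, the **audit logging** feature is experimental. The interface and output are subject to change." note changes the stability promise of the log format without saying so; if audit logging has left experimental status, state that explicitly in the intro (or in the release notes) so operators who parse these logs for periodic review know whether the output format is now stable. Unrelated to the removed note, "you need to enable the audit logging first" reads better as "you need to enable audit logging first".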
@@ -21,7 +17,7 @@ The audit logging feature is disabled by default. To audit a cluster, you need t
21
17
22
18
## Prerequisites
23
19
24
-
- You are using a TiDB Cloud Dedicated tier. Audit logging is not available for TiDB Cloud Serverless Tier clusters.
20
+
- You are using a TiDB Cloud Dedicated Tier cluster. Audit logging is not available for TiDB Cloud Serverless Tier clusters.
25
21
- You are the audit administrator of your organization in TiDB Cloud. Otherwise, you cannot see the audit-related options in the TiDB Cloud console. For more information, see [Configure member roles](/tidb-cloud/manage-user-access.md#configure-member-roles).
26
22
27
23
## Enable audit logging for AWS or GCP
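Review bot: The wording change to "TiDB Cloud Dedicated Tier cluster" is consistent with "Serverless Tier clusters" in the same line; since the second prerequisite already links to the member-roles page, consider linking the tier name in the same way if a tier-comparison page exists, so a reader can confirm their tier before looking for audit options that the console will not show to non-audit-administrators.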
@@ -47,18 +43,16 @@ For more information, see [Creating a bucket](https://docs.aws.amazon.com/Amazon
47
43
1. Get the TiDB Cloud account ID and the External ID of the TiDB cluster that you want to enable audit logging.
48
44
49
45
1. In the TiDB Cloud console, choose a project and a cluster deployed on AWS.
50
-
2. Select **Settings** > **Audit Settings**. The **Audit Logging** dialog box is displayed.
51
-
3. In the **Audit Logging** dialog box, click **Show AWS IAM policy settings**. The corresponding TiDB Cloud Account ID and TiDB Cloud External ID of the TiDB cluster are displayed.
46
+
2. Select **Settings** > **Audit Settings**. The **Audit Logging** dialog is displayed.
47
+
3. In the **Audit Logging** dialog, click **Show AWS IAM policy settings**. The corresponding TiDB Cloud Account ID and TiDB Cloud External ID of the TiDB cluster are displayed.
52
48
4. Record the TiDB Cloud Account ID and the External ID for later use.
53
49
54
-
2. In the AWS Management console, go to **IAM** > **Access Management** > **Policies**, and then check whether a storage bucket policy with the `s3:PutObject` write-only permission exists.
50
+
2. In the AWS Management console, go to **IAM** > **Access Management** > **Policies**, and then check whether there is a storage bucket policy with the `s3:PutObject` write-only permission.
55
51
56
52
- If yes, record the matched storage bucket policy for later use.
57
53
- If not, go to **IAM** > **Access Management** > **Policies** > **Create Policy**, and define a bucket policy according to the following policy template.
58
54
59
-
{{< copyable "" >}}
60
-
61
-
```
55
+
```json
62
56
{
63
57
"Version": "2012-10-17",
64
58
"Statement": [
@@ -71,7 +65,7 @@ For more information, see [Creating a bucket](https://docs.aws.amazon.com/Amazon
71
65
}
72
66
```
73
67
74
-
In the template, `<Your S3 bucket ARN>` is the Amazon Resource Name (ARN) of your S3 bucket where the audit log files are to be written. You can go to the **Properties** tab in your S3 bucket and get the Amazon Resource Name (ARN) value in the **Bucket Overview** area. In the `"Resource"` field, you need to add `/*` after the ARN. For example, if the ARN is `arn:aws:s3:::tidb-cloud-test`, you need to configure the value of the `"Resource"` field as `"arn:aws:s3:::tidb-cloud-test/*"`.
68
+
In the template, `<Your S3 bucket ARN>` is the Amazon Resource Name (ARN) of your S3 bucket where the audit log files are to be written. You can go to the **Properties** tab in your S3 bucket and get the ARN value in the **Bucket Overview** area. In the `"Resource"` field, you need to add `/*` after the ARN. For example, if the ARN is `arn:aws:s3:::tidb-cloud-test`, you need to configure the value of the `"Resource"` field as `"arn:aws:s3:::tidb-cloud-test/*"`.
75
69
76
70
3. Go to **IAM** > **Access Management** > **Roles**, and then check whether a role whose trust entity corresponds to the TiDB Cloud Account ID and the External ID that you recorded earlier already exists.
77
71
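Review bot: The unchanged step "If yes, record the matched storage bucket policy for later use." does not tell the reader to verify that an existing policy is scoped the way the template below requires, namely only `s3:PutObject` on `"<Your S3 bucket ARN>/*"` for the audit bucket; reusing any policy that happens to contain `s3:PutObject` could attach broader write access (other buckets, other actions) to the role that TiDB Cloud assumes. Suggest wording such as "If yes, confirm that the policy grants only `s3:PutObject` and that its `"Resource"` is the ARN of your audit log bucket followed by `/*`, then record it for later use." Separately, tagging the fence as ```json is an improvement; if other code blocks in this file still carry the `{{< copyable "" >}}` shortcode that this hunk removes, remove it consistently in the same change.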
@@ -189,6 +183,10 @@ For example, `13796619446086334065/tidb-0/tidb-audit-2022-04-21T18-16-29.529.log
189
183
190
184
If you no longer want to audit a cluster, go to the page of the cluster, click **Settings** > **Audit Settings**, and then toggle the audit setting in the upper-right corner to **Off**.
191
185
186
+
> **Note:**
187
+
>
188
+
> Each time the size of the log file reaches 10 MiB, the log file will be pushed to the cloud storage bucket. Therefore, after the audit log is disabled, the log file whose size is smaller than 10 MiB will not be automatically pushed to the cloud storage bucket. To get the log file in this situation, contact [PingCAP support](/tidb-cloud/tidb-cloud-support.md).
189
+
192
190
## Audit log fields
193
191
194
192
For each database event record in audit logs, TiDB provides the following fields:
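Review bot: The new note states that after audit logging is disabled a log file smaller than 10 MiB is not pushed to the bucket, but it does not spell out the consequence: the most recent audit events, recorded before the toggle was set to **Off**, are absent from cloud storage until support provides the file. Suggest adding one sentence before the toggle instruction such as "If you need the most recent audit records for review or compliance, contact [PingCAP support](/tidb-cloud/tidb-cloud-support.md) before disabling audit logging, because the final log file is not pushed automatically." Minor: "after the audit log is disabled" should read "after audit logging is disabled" to match the rest of the page.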