Audit Logging in YugabyteDB | YugabyteDB Friday Tech Talks

Yugabyte's session-level and object-level audit logging improves security and compliance

Audit logging is essential for tracking the “who, what, when, and where” of database access and changes, supporting both security and compliance requirements. It helps organizations know who accessed or modified data, schemas, roles, or grants.

YugabyteDB offers both session-level and object-level audit logging. The system builds upon standard PostgreSQL logging (including the pgaudit extension) but adds distributed-system-specific details, such as cloud, region, availability zone, and host information, to the log prefix so that actions can be attributed to the node on which they ran.

Configuration:

  • Audit logging is enabled via the pgaudit extension, which ships with YugabyteDB. Creating the extension once in a database, from any node, makes it active for that database across the whole cluster.
  • The pgaudit.log setting selects which statement classes are captured (READ, WRITE, FUNCTION, ROLE, DDL, MISC, or ALL); a class can be subtracted with a leading minus sign (for example, all, -misc) to keep the log focused.
  • Object-level logging allows for granular tracking, such as monitoring specific tables or individual columns. It is driven by roles: the audit role named in pgaudit.role is granted privileges on the tables or columns of interest, and only statements touching those objects are logged.

Log structure and aggregation:

  • Each entry carries the session details from the log prefix (cloud, region, zone, host, client IP, application name, username, and database) followed by the pgaudit payload: audit type (SESSION or OBJECT), statement and sub-statement IDs, class, command, object type, fully qualified object name, statement text, and parameters.
  • Audit logs are generated per node, so a complete picture of a cluster requires shipping each node's log to an external aggregation tool.
  • The audit payload is comma-separated, making it easy to parse with any CSV reader; statement text or parameter values that contain commas are quoted.

Demo highlights:

  • The demo shows differences between standard statement logs and audit logs. For example, audit logs record only statements that actually execute (not ones rejected before execution) and provide fully qualified table names, making it easier to track access to critical data.
  • The system captures prepared statements together with their bound parameter values, and distinguishes statements from sub-statements (for example, statements run by a trigger or function inside another statement) via separate statement and sub-statement IDs, which aids in tracing complex transactions.
  • Audit logs record actions even within transactions, including writes that were later rolled back; the attempted change is visible in the log even though no data changed, which is important for forensic analysis.

Audit log files are only as protected as the file system of the node that wrote them. To limit tampering, restrict file permissions on the local copies and ship the logs off the database hosts promptly, ideally to append-only or write-once storage that database administrators cannot modify.

Use cases:

  • Storing logs for compliance (e.g., in cloud storage for 7 years).
  • Integrating with log analysis tools for monitoring and alerting (e.g., alerting on unexpected schema changes).
  • Investigating incidents by correlating session and statement IDs across logs. Statement IDs are a per-session counter, so they must be combined with the node and session (backend process) to identify a statement uniquely across a cluster.
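The following Python script is an added example, not code from the talk or from YugabyteDB, that puts the log-structure, demo and use-case points above into practice: it parses the pgaudit CSV payload out of constructed per-node log lines, flags DDL and GRANT activity by anyone outside an allowed set (the "unexpected schema change" alert), groups sub-statements under their parent statement using node + backend pid + statement ID, and lists writes whose transaction ended in ROLLBACK. The prefix layout (timestamp, pid, user@db, client IP, cloud/region/zone/host tags) is an assumed log_line_prefix; only the part after "AUDIT:" follows the real pgaudit format. All sample lines are constructed for the example.

```python
import csv
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed prefix layout (an assumption for this example, not a YugabyteDB default):
# "<timestamp> [<pid>] <user>@<db> <client ip> <location tags> LOG:  AUDIT: <pgaudit csv>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"(?P<client>\S+) (?P<loc>\S+) LOG:\s+AUDIT: (?P<payload>.*)$"
)
# pgaudit payload columns, in order.
PAYLOAD_COLS = ("audit_type", "statement_id", "substatement_id", "cls", "command",
                "object_type", "object_name", "statement", "parameter")

# Constructed sample log lines (two nodes, two sessions); not real output.
N1 = "cloud=aws,region=us-east-1,zone=us-east-1a,host=yb-node-1"
N2 = "cloud=aws,region=us-east-1,zone=us-east-1b,host=yb-node-2"
SAMPLE_LOG = "\n".join([
    f"2024-05-03 10:15:00.100 UTC [4812] app@ybdb 10.0.3.7 {N1} LOG:  AUDIT: SESSION,1,1,MISC,BEGIN,,,BEGIN,<none>",
    f"2024-05-03 10:15:01.123 UTC [4812] app@ybdb 10.0.3.7 {N1} LOG:  AUDIT: SESSION,2,1,READ,SELECT,TABLE,public.customers,\"SELECT id, email FROM customers WHERE id = $1\",1234",
    f"2024-05-03 10:15:02.456 UTC [4812] app@ybdb 10.0.3.7 {N1} LOG:  AUDIT: SESSION,3,1,WRITE,UPDATE,TABLE,public.customers,\"UPDATE customers SET email = $1 WHERE id = $2\",\"'x@example.com',1234\"",
    f"2024-05-03 10:15:02.458 UTC [4812] app@ybdb 10.0.3.7 {N1} LOG:  AUDIT: SESSION,3,2,WRITE,INSERT,TABLE,public.customers_history,INSERT INTO customers_history VALUES (1234),<none>",
    f"2024-05-03 10:15:03.000 UTC [4812] app@ybdb 10.0.3.7 {N1} LOG:  AUDIT: SESSION,4,1,MISC,ROLLBACK,,,ROLLBACK,<none>",
    f"2024-05-03 10:15:05.000 UTC [4812] app@ybdb 10.0.3.7 {N1} LOG:  AUDIT: OBJECT,5,1,READ,SELECT,TABLE,public.customers,SELECT ssn FROM customers,<not logged>",
    f"2024-05-03 10:16:40.001 UTC [5120] dba@ybdb 203.0.113.9 {N2} LOG:  AUDIT: SESSION,1,1,DDL,ALTER TABLE,TABLE,public.customers,ALTER TABLE customers DROP COLUMN ssn,<none>",
    f"2024-05-03 10:16:41.002 UTC [5120] dba@ybdb 203.0.113.9 {N2} LOG:  AUDIT: SESSION,2,1,ROLE,GRANT,TABLE,public.customers,GRANT ALL ON customers TO app,<none>",
    f"2024-05-03 10:17:00.000 UTC [5120] dba@ybdb 203.0.113.9 {N2} LOG:  statement: SELECT 1",
])


@dataclass
class AuditEvent:
    ts: str
    pid: int
    user: str
    db: str
    client: str
    loc: dict
    audit_type: str
    statement_id: int
    substatement_id: int
    cls: str
    command: str
    object_type: str
    object_name: str
    statement: str
    parameter: str

    def session_key(self):
        # Statement IDs restart per backend, so a session is only unique
        # together with the node it ran on and the backend pid.
        return (self.loc.get("host"), self.pid)


def parse_line(line):
    """Return an AuditEvent for a pgaudit line, or None for any other log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    row = next(csv.reader([m.group("payload")]))  # csv handles quoted statements
    if len(row) < len(PAYLOAD_COLS):
        return None
    p = dict(zip(PAYLOAD_COLS, row))
    loc = dict(kv.split("=", 1) for kv in m.group("loc").split(","))
    return AuditEvent(
        ts=m.group("ts"), pid=int(m.group("pid")), user=m.group("user"),
        db=m.group("db"), client=m.group("client"), loc=loc,
        audit_type=p["audit_type"], statement_id=int(p["statement_id"]),
        substatement_id=int(p["substatement_id"]), cls=p["cls"],
        command=p["command"], object_type=p["object_type"],
        object_name=p["object_name"], statement=p["statement"],
        parameter=p["parameter"],
    )


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def unexpected_schema_changes(events, allowed_users):
    """DDL and ROLE (grant) entries issued by anyone outside the allowed set."""
    return [e for e in events if e.cls in ("DDL", "ROLE") and e.user not in allowed_users]


def group_statements(events):
    """Group entries by (node, pid, statement_id) with sub-statements in order."""
    groups = defaultdict(list)
    for e in events:
        groups[e.session_key() + (e.statement_id,)].append(e)
    return {k: sorted(v, key=lambda e: e.substatement_id) for k, v in groups.items()}


def rolled_back_writes(events):
    """WRITE entries whose explicit transaction ended in ROLLBACK (still logged)."""
    out, pending = [], defaultdict(list)
    for e in sorted(events, key=lambda e: (e.session_key(), e.statement_id, e.substatement_id)):
        s = e.session_key()
        if e.command == "BEGIN":
            pending[s] = []
        elif e.command == "ROLLBACK":
            out.extend(pending.pop(s, []))
        elif e.command == "COMMIT":
            pending.pop(s, None)
        elif e.cls == "WRITE" and s in pending:
            pending[s].append(e)
    return out


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for e in unexpected_schema_changes(events, allowed_users={"migrator"}):
        print(f"ALERT {e.ts} {e.user}@{e.client} on {e.loc['host']}: {e.statement}")
    for e in rolled_back_writes(events):
        print(f"rolled back: {e.command} {e.object_name} params={e.parameter}")
```

Because the object-level entry for the ssn column and the session-level entry for the same table both surface as READ events on public.customers, the same parser serves both logging modes; the OBJECT audit type is what tells you a column-grant policy fired.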

The video provides a comprehensive overview of how YugabyteDB implements audit logging, emphasizing its flexibility, distributed system enhancements, and practical use for security, compliance, and operational insight.

See the video here: https://www.youtube.com/watch?v=ecYN9Z5_Hzc