diff --git a/src/UserGuide/Master/Table/Reference/System-Config-Manual.md b/src/UserGuide/Master/Table/Reference/System-Config-Manual.md index 660b55b42..d4b1de132 100644 --- a/src/UserGuide/Master/Table/Reference/System-Config-Manual.md +++ b/src/UserGuide/Master/Table/Reference/System-Config-Manual.md @@ -21,3 +21,4 @@ redirectTo: System-Config-Manual_apache.html under the License. --> + diff --git a/src/UserGuide/Master/Table/User-Manual/Audit-Log_timecho.md b/src/UserGuide/Master/Table/User-Manual/Audit-Log_timecho.md index f29a1fa78..791e23770 100644 --- a/src/UserGuide/Master/Table/User-Manual/Audit-Log_timecho.md +++ b/src/UserGuide/Master/Table/User-Manual/Audit-Log_timecho.md 
@@ -24,29 +24,34 @@ ## 1. Introduction -Audit logs provide a documented record of database activities. Through the audit log feature, you can track operations like data creation, deletion, modification, and querying to ensure information security. IoTDB's audit log functionality supports the following features: +Audit logs serve as the record credentials of a database, enabling tracking of various operations (e.g., create, read, update, delete) to ensure information security. The audit log feature in IoTDB supports the following capabilities: -* Configurable enable/disable of audit logging -* Configurable auditable operation types and privilege levels -* Configurable audit log retention periods using TTL (time-based rolling) and SpaceTL (space-based rolling) -* Default encryption storage for audit logs +* Supports enabling/disabling the audit log functionality through configuration +* Supports configuring operation types and privilege levels to be recorded via parameters +* Supports setting the storage duration of audit log files, including time-based rolling (via TTL) and space-based rolling (via SpaceTL) +* Supports configuring parameters to count slow requests (with write/query latency exceeding a threshold, default 3000 milliseconds) within any specified time period +* Audit log files are stored in encrypted format by default -> Note: This feature is available from version V2.0.8 onwards. +> Note: This feature is available from version V2.0.8-beta onwards. ## 2. 
Configuration Parameters Edit the `iotdb-system.properties` file to enable audit logging using the following parameters: -| Parameter Name | Description | Data Type | Default Value | Application Method | -|---------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------|----------------------------|--------------------| -| `enable_audit_log` | Enable audit logging. true: enabled. false: disabled. | Boolean | false | Restart Required | -| `auditable_operation_type` | Operation type selection. DML: All DML operations; DDL: All DDL operations; QUERY: All queries; CONTROL: All control statements; | String | DML,DDL,QUERY,CONTROL | Restart Required | -| `auditable_operation_level` | Privilege level selection. global: Record all audit logs; object: Only record audit logs for data instances; Containment relationship: object < global. | String | global | Restart Required | -| `auditable_operation_result` | Audit result selection. success: Only record successful events; fail: Only record failed events; | String | success, fail | Restart Required | -| `audit_log_ttl_in_days` | Audit log TTL (Time To Live) in days. Logs older than this threshold will expire. | Double | -1.0 (never deleted) | Restart Required | -| `audit_log_space_tl_in_GB` | Audit log SpaceTL in GB. When total audit log size exceeds this threshold, log rotation starts deleting oldest files. | Double | 1.0 | Restart Required | -| `audit_log_batch_interval_in_ms` | Batch write interval for audit logs in milliseconds | Long | 1000 | Restart Required | -| `audit_log_batch_max_queue_bytes` | Maximum queue size in bytes for batch processing audit logs. Subsequent writes will be blocked when queue exceeds this value. 
| Long | 268435456 | Restart Required | +| Parameter Name | Description | Data Type | Default Value | Activation Method | +|-------------------------------------------|------------------------------------------------------------------------------------------------------------|-----------|-------------------------------|-------------------| +| `enable_audit_log` | Whether to enable audit logging. true: enabled. false: disabled. | Boolean | false | Hot Reload | +| `auditable_operation_type` | Operation type selection. DML: all DML operations are logged; DDL: all DDL operations are logged; QUERY: all query operations are logged; CONTROL: all control statements are logged. | String | DML,DDL,QUERY,CONTROL | Hot Reload | +| `auditable_dml_event_type` | Event types for auditing DML operations. `OBJECT_AUTHENTICATION`: object authentication, `SLOW_OPERATION`: slow operation | String | `OBJECT_AUTHENTICATION`,`SLOW_OPERATION` | Hot Reload | +| `auditable_ddl_event_type` | Event types for auditing DDL operations. `OBJECT_AUTHENTICATION`: object authentication, `SLOW_OPERATION`: slow operation | String | `OBJECT_AUTHENTICATION`,`SLOW_OPERATION` | Hot Reload | +| `auditable_query_event_type` | Event types for auditing query operations. `OBJECT_AUTHENTICATION`: object authentication, `SLOW_OPERATION`: slow operation | String | `OBJECT_AUTHENTICATION`,`SLOW_OPERATION` | Hot Reload | +| `auditable_control_event_type` | Event types for auditing control operations. `CHANGE_AUDIT_OPTION`: audit option change, `OBJECT_AUTHENTICATION`: object authentication, `LOGIN`: login, `LOGOUT`: logout, `DN_SHUTDOWN`: data node shutdown, `SLOW_OPERATION`: slow operation | String | `CHANGE_AUDIT_OPTION`,`OBJECT_AUTHENTICATION`,`LOGIN`,`LOGOUT`,`DN_SHUTDOWN`,`SLOW_OPERATION` | Hot Reload | +| `auditable_operation_level` | Permission level selection. global: log all audit events; object: only log events related to data instances. Containment relationship: object < global. 
For example: when set to global, all audit logs are recorded normally; when set to object, only operations on specific data instances are recorded. | String | global | Hot Reload | +| `auditable_operation_result` | Audit result selection. success: log only successful events; fail: log only failed events | String | success,fail | Hot Reload | +| `audit_log_ttl_in_days` | Audit log TTL (Time To Live). Logs older than this threshold will expire. | Double | -1.0 (never deleted) | Hot Reload | +| `audit_log_space_tl_in_GB` | Audit log SpaceTL. Logs will start rotating when total space reaches this threshold. | Double | 1.0 | Hot Reload | +| `audit_log_batch_interval_in_ms` | Batch write interval for audit logs | Long | 1000 | Hot Reload | +| `audit_log_batch_max_queue_bytes` | Maximum byte size of the queue for batch processing audit logs. Subsequent write operations will be blocked when this threshold is exceeded. | Long | 268435456 | Hot Reload | ## 3. Access Methods 
@@ -120,4 +125,18 @@ IoTDB:__audit> select time,database,operation_type,log from audit_log where res +-----------------------------+--------+--------------+----------------------------------------------------------------------+ Total line number = 1 It costs 0.011s +``` + + +* Query audit event records with types 'slow operation' and 'login' + +```SQL +IoTDB:__audit> select * from audit_log where audit_event_type='SLOW_OPERATION' or audit_event_type='LOGIN' limit 1 ++-----------------------------+-------+-------+--------+------------+----------------+--------------+--------------+---------------+------+--------+----------+----------------------------------------------------------------------+ +| time|node_id|user_id|username|cli_hostname|audit_event_type|operation_type|privilege_type|privilege_level|result|database|sql_string| log| ++-----------------------------+-------+-------+--------+------------+----------------+--------------+--------------+---------------+------+--------+----------+----------------------------------------------------------------------+ +|2026-01-23T11:47:42.136+08:00| node_1| u_none| user1| 127.0.0.1| LOGIN| CONTROL| null| GLOBAL| false| | |User user1 (ID=-1) login failed with code: 804, Authentication failed.| ++-----------------------------+-------+-------+--------+------------+----------------+--------------+--------------+---------------+------+--------+----------+----------------------------------------------------------------------+ +Total line number = 1 +It costs 0.033s ``` \ No newline at end of file diff --git a/src/UserGuide/Master/Tree/Reference/Common-Config-Manual.md b/src/UserGuide/Master/Tree/Reference/Common-Config-Manual.md index 51f3aef71..cde488ff3 100644 --- a/src/UserGuide/Master/Tree/Reference/Common-Config-Manual.md +++ b/src/UserGuide/Master/Tree/Reference/Common-Config-Manual.md 
@@ -707,7 +707,7 @@ Different configuration parameters take effect in the following three ways: |:---:|:----------------------------------------| |Description| Time cost(ms) threshold for slow query. | |Type| Int32 | -|Default| 10000 | +|Default| 3000 | |Effective| Trigger | * query\_timeout\_threshold diff --git a/src/UserGuide/Master/Tree/User-Manual/Audit-Log_timecho.md b/src/UserGuide/Master/Tree/User-Manual/Audit-Log_timecho.md index 89b599690..21c45fe37 100644 --- a/src/UserGuide/Master/Tree/User-Manual/Audit-Log_timecho.md +++ b/src/UserGuide/Master/Tree/User-Manual/Audit-Log_timecho.md 
@@ -19,33 +19,39 @@ --> + # Security Audit ## 1. Introduction -Audit logs provide a documented record of database activities. Through the audit log feature, you can track operations like data creation, deletion, modification, and querying to ensure information security. IoTDB's audit log functionality supports the following features: +Audit logs serve as the record credentials of a database, enabling tracking of various operations (e.g., create, read, update, delete) to ensure information security. The audit log feature in IoTDB supports the following capabilities: -* Ability to enable/disable audit logging through configuration -* Ability to set auditable operation types and privilege levels via parameters -* Ability to configure audit log file retention periods using TTL (time-based rolling) and SpaceTL (space-based rolling) -* Audit logs are encrypted by default +* Supports enabling/disabling the audit log functionality through configuration +* Supports configuring operation types and privilege levels to be recorded via parameters +* Supports setting the storage duration of audit log files, including time-based rolling (via TTL) and space-based rolling (via SpaceTL) +* Supports configuring parameters to count slow requests (with write/query latency exceeding a threshold, default 3000 milliseconds) within any specified time period +* Audit log files are stored in encrypted format by default -> Note: This feature is available from version V2.0.8 onwards. +> Note: This feature is available from version V2.0.8-beta onwards. ## 2. 
Configuration Parameters Edit the `iotdb-system.properties` file to enable audit logging using the following parameters: -| Parameter Name | Description | Data Type | Default Value | Application Method | -|---------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------|----------------------------|--------------------| -| `enable_audit_log` | Enable audit logging. true: enabled. false: disabled. | Boolean | false | Restart Required | -| `auditable_operation_type` | Operation type selection. DML: All DML operations; DDL: All DDL operations; QUERY: All queries; CONTROL: All control statements; | String | DML,DDL,QUERY,CONTROL | Restart Required | -| `auditable_operation_level` | Privilege level selection. global: Record all audit logs; object: Only record audit logs for data instances; Containment relationship: object < global. | String | global | Restart Required | -| `auditable_operation_result` | Audit result selection. success: Only record successful events; fail: Only record failed events; | String | success, fail | Restart Required | -| `audit_log_ttl_in_days` | Audit log TTL (Time To Live) in days. Logs older than this threshold will expire. | Double | -1.0 (never deleted) | Restart Required | -| `audit_log_space_tl_in_GB` | Audit log SpaceTL in GB. When total audit log size exceeds this threshold, log rotation starts deleting oldest files. | Double | 1.0 | Restart Required | -| `audit_log_batch_interval_in_ms` | Batch write interval for audit logs in milliseconds | Long | 1000 | Restart Required | -| `audit_log_batch_max_queue_bytes` | Maximum queue size in bytes for batch processing audit logs. Subsequent writes will be blocked when queue exceeds this value. 
| Long | 268435456 | Restart Required | +| Parameter Name | Description | Data Type | Default Value | Activation Method | +|-------------------------------------------|------------------------------------------------------------------------------------------------------------|-----------|-------------------------------|-------------------| +| `enable_audit_log` | Whether to enable audit logging. true: enabled. false: disabled. | Boolean | false | Hot Reload | +| `auditable_operation_type` | Operation type selection. DML: all DML operations are logged; DDL: all DDL operations are logged; QUERY: all query operations are logged; CONTROL: all control statements are logged. | String | DML,DDL,QUERY,CONTROL | Hot Reload | +| `auditable_dml_event_type` | Event types for auditing DML operations. `OBJECT_AUTHENTICATION`: object authentication, `SLOW_OPERATION`: slow operation | String | `OBJECT_AUTHENTICATION`,`SLOW_OPERATION` | Hot Reload | +| `auditable_ddl_event_type` | Event types for auditing DDL operations. `OBJECT_AUTHENTICATION`: object authentication, `SLOW_OPERATION`: slow operation | String | `OBJECT_AUTHENTICATION`,`SLOW_OPERATION` | Hot Reload | +| `auditable_query_event_type` | Event types for auditing query operations. `OBJECT_AUTHENTICATION`: object authentication, `SLOW_OPERATION`: slow operation | String | `OBJECT_AUTHENTICATION`,`SLOW_OPERATION` | Hot Reload | +| `auditable_control_event_type` | Event types for auditing control operations. `CHANGE_AUDIT_OPTION`: audit option change, `OBJECT_AUTHENTICATION`: object authentication, `LOGIN`: login, `LOGOUT`: logout, `DN_SHUTDOWN`: data node shutdown, `SLOW_OPERATION`: slow operation | String | `CHANGE_AUDIT_OPTION`,`OBJECT_AUTHENTICATION`,`LOGIN`,`LOGOUT`,`DN_SHUTDOWN`,`SLOW_OPERATION` | Hot Reload | +| `auditable_operation_level` | Permission level selection. global: log all audit events; object: only log events related to data instances. Containment relationship: object < global. 
For example: when set to global, all audit logs are recorded normally; when set to object, only operations on specific data instances are recorded. | String | global | Hot Reload | +| `auditable_operation_result` | Audit result selection. success: log only successful events; fail: log only failed events | String | success,fail | Hot Reload | +| `audit_log_ttl_in_days` | Audit log TTL (Time To Live). Logs older than this threshold will expire. | Double | -1.0 (never deleted) | Hot Reload | +| `audit_log_space_tl_in_GB` | Audit log SpaceTL. Logs will start rotating when total space reaches this threshold. | Double | 1.0 | Hot Reload | +| `audit_log_batch_interval_in_ms` | Batch write interval for audit logs | Long | 1000 | Hot Reload | +| `audit_log_batch_max_queue_bytes` | Maximum byte size of the queue for batch processing audit logs. Subsequent write operations will be blocked when this threshold is exceeded. | Long | 268435456 | Hot Reload | ## 3. Access Methods 
@@ -121,4 +127,17 @@ IoTDB> select database,operation_type,log from root.__audit.log.** where result +-----------------------------+-------------------------------+-----------+--------------+---------------------------------------------------------------------------------+ Total line number = 4 It costs 0.024s +``` + +* Query audit records for user 'u_0' on node 'node_1' with event types 'SLOW_OPERATION' and 'LOGIN' + +```SQL +IoTDB> select * from root.__audit.log.node_1.u_0 where audit_event_type='SLOW_OPERATION' or audit_event_type='LOGIN' limit 1 align by device ++-----------------------------+---------------------------+------+---------------+--------------+--------+--------------+-----------------------------------------------------------------------------------------------+----------+----------------+------------+--------+ +| Time| Device|result|privilege_level|privilege_type|database|operation_type| log|sql_string|audit_event_type|cli_hostname|username| ++-----------------------------+---------------------------+------+---------------+--------------+--------+--------------+-----------------------------------------------------------------------------------------------+----------+----------------+------------+--------+ +|2026-01-23T11:42:23.636+08:00|root.__audit.log.node_1.u_0| true| GLOBAL| null| | CONTROL|IoTDB: Login status: Login successfully. User root (ID=0), opens Session-1-root:127.0.0.1:51308| | LOGIN| 127.0.0.1| root| ++-----------------------------+---------------------------+------+---------------+--------------+--------+--------------+-----------------------------------------------------------------------------------------------+----------+----------------+------------+--------+ +Total line number = 1 +It costs 0.021s ``` \ No newline at end of file diff --git a/src/UserGuide/latest-Table/Reference/System-Config-Manual.md b/src/UserGuide/latest-Table/Reference/System-Config-Manual.md index 660b55b42..d4b1de132 100644 
--- a/src/UserGuide/latest-Table/Reference/System-Config-Manual.md +++ b/src/UserGuide/latest-Table/Reference/System-Config-Manual.md @@ -21,3 +21,4 @@ redirectTo: System-Config-Manual_apache.html under the License. --> + diff --git a/src/UserGuide/latest-Table/User-Manual/Audit-Log_timecho.md b/src/UserGuide/latest-Table/User-Manual/Audit-Log_timecho.md index f29a1fa78..c276715a8 100644 --- a/src/UserGuide/latest-Table/User-Manual/Audit-Log_timecho.md +++ b/src/UserGuide/latest-Table/User-Manual/Audit-Log_timecho.md @@ -24,12 +24,13 @@ ## 1. Introduction -Audit logs provide a documented record of database activities. Through the audit log feature, you can track operations like data creation, deletion, modification, and querying to ensure information security. IoTDB's audit log functionality supports the following features: +Audit logs serve as the record credentials of a database, enabling tracking of various operations (e.g., create, read, update, delete) to ensure information security. The audit log feature in IoTDB supports the following capabilities: -* Configurable enable/disable of audit logging -* Configurable auditable operation types and privilege levels -* Configurable audit log retention periods using TTL (time-based rolling) and SpaceTL (space-based rolling) -* Default encryption storage for audit logs +* Supports enabling/disabling the audit log functionality through configuration +* Supports configuring operation types and privilege levels to be recorded via parameters +* Supports setting the storage duration of audit log files, including time-based rolling (via TTL) and space-based rolling (via SpaceTL) +* Supports configuring parameters to count slow requests (with write/query latency exceeding a threshold, default 3000 milliseconds) within any specified time period +* Audit log files are stored in encrypted format by default > Note: This feature is available from version V2.0.8 onwards. 
@@ -37,16 +38,20 @@ Audit logs provide a documented record of database activities. Through the audit Edit the `iotdb-system.properties` file to enable audit logging using the following parameters: -| Parameter Name | Description | Data Type | Default Value | Application Method | -|---------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------|----------------------------|--------------------| -| `enable_audit_log` | Enable audit logging. true: enabled. false: disabled. | Boolean | false | Restart Required | -| `auditable_operation_type` | Operation type selection. DML: All DML operations; DDL: All DDL operations; QUERY: All queries; CONTROL: All control statements; | String | DML,DDL,QUERY,CONTROL | Restart Required | -| `auditable_operation_level` | Privilege level selection. global: Record all audit logs; object: Only record audit logs for data instances; Containment relationship: object < global. | String | global | Restart Required | -| `auditable_operation_result` | Audit result selection. success: Only record successful events; fail: Only record failed events; | String | success, fail | Restart Required | -| `audit_log_ttl_in_days` | Audit log TTL (Time To Live) in days. Logs older than this threshold will expire. | Double | -1.0 (never deleted) | Restart Required | -| `audit_log_space_tl_in_GB` | Audit log SpaceTL in GB. When total audit log size exceeds this threshold, log rotation starts deleting oldest files. | Double | 1.0 | Restart Required | -| `audit_log_batch_interval_in_ms` | Batch write interval for audit logs in milliseconds | Long | 1000 | Restart Required | -| `audit_log_batch_max_queue_bytes` | Maximum queue size in bytes for batch processing audit logs. Subsequent writes will be blocked when queue exceeds this value. 
| Long | 268435456 | Restart Required | +| Parameter Name | Description | Data Type | Default Value | Activation Method | +|-------------------------------------------|------------------------------------------------------------------------------------------------------------|-----------|-------------------------------|-------------------| +| `enable_audit_log` | Whether to enable audit logging. true: enabled. false: disabled. | Boolean | false | Hot Reload | +| `auditable_operation_type` | Operation type selection. DML: all DML operations are logged; DDL: all DDL operations are logged; QUERY: all query operations are logged; CONTROL: all control statements are logged. | String | DML,DDL,QUERY,CONTROL | Hot Reload | +| `auditable_dml_event_type` | Event types for auditing DML operations. `OBJECT_AUTHENTICATION`: object authentication, `SLOW_OPERATION`: slow operation | String | `OBJECT_AUTHENTICATION`,`SLOW_OPERATION` | Hot Reload | +| `auditable_ddl_event_type` | Event types for auditing DDL operations. `OBJECT_AUTHENTICATION`: object authentication, `SLOW_OPERATION`: slow operation | String | `OBJECT_AUTHENTICATION`,`SLOW_OPERATION` | Hot Reload | +| `auditable_query_event_type` | Event types for auditing query operations. `OBJECT_AUTHENTICATION`: object authentication, `SLOW_OPERATION`: slow operation | String | `OBJECT_AUTHENTICATION`,`SLOW_OPERATION` | Hot Reload | +| `auditable_control_event_type` | Event types for auditing control operations. `CHANGE_AUDIT_OPTION`: audit option change, `OBJECT_AUTHENTICATION`: object authentication, `LOGIN`: login, `LOGOUT`: logout, `DN_SHUTDOWN`: data node shutdown, `SLOW_OPERATION`: slow operation | String | `CHANGE_AUDIT_OPTION`,`OBJECT_AUTHENTICATION`,`LOGIN`,`LOGOUT`,`DN_SHUTDOWN`,`SLOW_OPERATION` | Hot Reload | +| `auditable_operation_level` | Permission level selection. global: log all audit events; object: only log events related to data instances. Containment relationship: object < global. 
For example: when set to global, all audit logs are recorded normally; when set to object, only operations on specific data instances are recorded. | String | global | Hot Reload | +| `auditable_operation_result` | Audit result selection. success: log only successful events; fail: log only failed events | String | success,fail | Hot Reload | +| `audit_log_ttl_in_days` | Audit log TTL (Time To Live). Logs older than this threshold will expire. | Double | -1.0 (never deleted) | Hot Reload | +| `audit_log_space_tl_in_GB` | Audit log SpaceTL. Logs will start rotating when total space reaches this threshold. | Double | 1.0 | Hot Reload | +| `audit_log_batch_interval_in_ms` | Batch write interval for audit logs | Long | 1000 | Hot Reload | +| `audit_log_batch_max_queue_bytes` | Maximum byte size of the queue for batch processing audit logs. Subsequent write operations will be blocked when this threshold is exceeded. | Long | 268435456 | Hot Reload | ## 3. Access Methods 
@@ -120,4 +125,18 @@ IoTDB:__audit> select time,database,operation_type,log from audit_log where res +-----------------------------+--------+--------------+----------------------------------------------------------------------+ Total line number = 1 It costs 0.011s +``` + + +* Query audit event records with types 'slow operation' and 'login' + +```SQL +IoTDB:__audit> select * from audit_log where audit_event_type='SLOW_OPERATION' or audit_event_type='LOGIN' limit 1 ++-----------------------------+-------+-------+--------+------------+----------------+--------------+--------------+---------------+------+--------+----------+----------------------------------------------------------------------+ +| time|node_id|user_id|username|cli_hostname|audit_event_type|operation_type|privilege_type|privilege_level|result|database|sql_string| log| ++-----------------------------+-------+-------+--------+------------+----------------+--------------+--------------+---------------+------+--------+----------+----------------------------------------------------------------------+ +|2026-01-23T11:47:42.136+08:00| node_1| u_none| user1| 127.0.0.1| LOGIN| CONTROL| null| GLOBAL| false| | |User user1 (ID=-1) login failed with code: 804, Authentication failed.| ++-----------------------------+-------+-------+--------+------------+----------------+--------------+--------------+---------------+------+--------+----------+----------------------------------------------------------------------+ +Total line number = 1 +It costs 0.033s ``` \ No newline at end of file diff --git a/src/UserGuide/latest/Reference/Common-Config-Manual.md b/src/UserGuide/latest/Reference/Common-Config-Manual.md index 51f3aef71..cde488ff3 100644 --- a/src/UserGuide/latest/Reference/Common-Config-Manual.md +++ b/src/UserGuide/latest/Reference/Common-Config-Manual.md 
@@ -707,7 +707,7 @@ Different configuration parameters take effect in the following three ways: |:---:|:----------------------------------------| |Description| Time cost(ms) threshold for slow query. | |Type| Int32 | -|Default| 10000 | +|Default| 3000 | |Effective| Trigger | * query\_timeout\_threshold diff --git a/src/UserGuide/latest/User-Manual/Audit-Log_timecho.md b/src/UserGuide/latest/User-Manual/Audit-Log_timecho.md index 89b599690..484270a82 100644 --- a/src/UserGuide/latest/User-Manual/Audit-Log_timecho.md +++ b/src/UserGuide/latest/User-Manual/Audit-Log_timecho.md 
@@ -19,16 +19,18 @@ --> + # Security Audit ## 1. Introduction -Audit logs provide a documented record of database activities. Through the audit log feature, you can track operations like data creation, deletion, modification, and querying to ensure information security. IoTDB's audit log functionality supports the following features: +Audit logs serve as the record credentials of a database, enabling tracking of various operations (e.g., create, read, update, delete) to ensure information security. The audit log feature in IoTDB supports the following capabilities: -* Ability to enable/disable audit logging through configuration -* Ability to set auditable operation types and privilege levels via parameters -* Ability to configure audit log file retention periods using TTL (time-based rolling) and SpaceTL (space-based rolling) -* Audit logs are encrypted by default +* Supports enabling/disabling the audit log functionality through configuration +* Supports configuring operation types and privilege levels to be recorded via parameters +* Supports setting the storage duration of audit log files, including time-based rolling (via TTL) and space-based rolling (via SpaceTL) +* Supports configuring parameters to count slow requests (with write/query latency exceeding a threshold, default 3000 milliseconds) within any specified time period +* Audit log files are stored in encrypted format by default > Note: This feature is available from version V2.0.8 onwards. 
@@ -36,16 +38,20 @@ Audit logs provide a documented record of database activities. Through the audit Edit the `iotdb-system.properties` file to enable audit logging using the following parameters: -| Parameter Name | Description | Data Type | Default Value | Application Method | -|---------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------|----------------------------|--------------------| -| `enable_audit_log` | Enable audit logging. true: enabled. false: disabled. | Boolean | false | Restart Required | -| `auditable_operation_type` | Operation type selection. DML: All DML operations; DDL: All DDL operations; QUERY: All queries; CONTROL: All control statements; | String | DML,DDL,QUERY,CONTROL | Restart Required | -| `auditable_operation_level` | Privilege level selection. global: Record all audit logs; object: Only record audit logs for data instances; Containment relationship: object < global. | String | global | Restart Required | -| `auditable_operation_result` | Audit result selection. success: Only record successful events; fail: Only record failed events; | String | success, fail | Restart Required | -| `audit_log_ttl_in_days` | Audit log TTL (Time To Live) in days. Logs older than this threshold will expire. | Double | -1.0 (never deleted) | Restart Required | -| `audit_log_space_tl_in_GB` | Audit log SpaceTL in GB. When total audit log size exceeds this threshold, log rotation starts deleting oldest files. | Double | 1.0 | Restart Required | -| `audit_log_batch_interval_in_ms` | Batch write interval for audit logs in milliseconds | Long | 1000 | Restart Required | -| `audit_log_batch_max_queue_bytes` | Maximum queue size in bytes for batch processing audit logs. Subsequent writes will be blocked when queue exceeds this value. 
| Long | 268435456 | Restart Required | +| Parameter Name | Description | Data Type | Default Value | Activation Method | +|-------------------------------------------|------------------------------------------------------------------------------------------------------------|-----------|-------------------------------|-------------------| +| `enable_audit_log` | Whether to enable audit logging. true: enabled. false: disabled. | Boolean | false | Hot Reload | +| `auditable_operation_type` | Operation type selection. DML: all DML operations are logged; DDL: all DDL operations are logged; QUERY: all query operations are logged; CONTROL: all control statements are logged. | String | DML,DDL,QUERY,CONTROL | Hot Reload | +| `auditable_dml_event_type` | Event types for auditing DML operations. `OBJECT_AUTHENTICATION`: object authentication, `SLOW_OPERATION`: slow operation | String | `OBJECT_AUTHENTICATION`,`SLOW_OPERATION` | Hot Reload | +| `auditable_ddl_event_type` | Event types for auditing DDL operations. `OBJECT_AUTHENTICATION`: object authentication, `SLOW_OPERATION`: slow operation | String | `OBJECT_AUTHENTICATION`,`SLOW_OPERATION` | Hot Reload | +| `auditable_query_event_type` | Event types for auditing query operations. `OBJECT_AUTHENTICATION`: object authentication, `SLOW_OPERATION`: slow operation | String | `OBJECT_AUTHENTICATION`,`SLOW_OPERATION` | Hot Reload | +| `auditable_control_event_type` | Event types for auditing control operations. `CHANGE_AUDIT_OPTION`: audit option change, `OBJECT_AUTHENTICATION`: object authentication, `LOGIN`: login, `LOGOUT`: logout, `DN_SHUTDOWN`: data node shutdown, `SLOW_OPERATION`: slow operation | String | `CHANGE_AUDIT_OPTION`,`OBJECT_AUTHENTICATION`,`LOGIN`,`LOGOUT`,`DN_SHUTDOWN`,`SLOW_OPERATION` | Hot Reload | +| `auditable_operation_level` | Permission level selection. global: log all audit events; object: only log events related to data instances. Containment relationship: object < global. 
For example: when set to global, all audit logs are recorded normally; when set to object, only operations on specific data instances are recorded. | String | global | Hot Reload | +| `auditable_operation_result` | Audit result selection. success: log only successful events; fail: log only failed events | String | success,fail | Hot Reload | +| `audit_log_ttl_in_days` | Audit log TTL (Time To Live). Logs older than this threshold will expire. | Double | -1.0 (never deleted) | Hot Reload | +| `audit_log_space_tl_in_GB` | Audit log SpaceTL. Logs will start rotating when total space reaches this threshold. | Double | 1.0 | Hot Reload | +| `audit_log_batch_interval_in_ms` | Batch write interval for audit logs | Long | 1000 | Hot Reload | +| `audit_log_batch_max_queue_bytes` | Maximum byte size of the queue for batch processing audit logs. Subsequent write operations will be blocked when this threshold is exceeded. | Long | 268435456 | Hot Reload | ## 3. Access Methods 
@@ -121,4 +127,17 @@ IoTDB> select database,operation_type,log from root.__audit.log.** where result +-----------------------------+-------------------------------+-----------+--------------+---------------------------------------------------------------------------------+ Total line number = 4 It costs 0.024s +``` + +* Query audit records for user 'u_0' on node 'node_1' with event types 'SLOW_OPERATION' and 'LOGIN' + +```SQL +IoTDB> select * from root.__audit.log.node_1.u_0 where audit_event_type='SLOW_OPERATION' or audit_event_type='LOGIN' limit 1 align by device ++-----------------------------+---------------------------+------+---------------+--------------+--------+--------------+-----------------------------------------------------------------------------------------------+----------+----------------+------------+--------+ +| Time| Device|result|privilege_level|privilege_type|database|operation_type| log|sql_string|audit_event_type|cli_hostname|username| ++-----------------------------+---------------------------+------+---------------+--------------+--------+--------------+-----------------------------------------------------------------------------------------------+----------+----------------+------------+--------+ +|2026-01-23T11:42:23.636+08:00|root.__audit.log.node_1.u_0| true| GLOBAL| null| | CONTROL|IoTDB: Login status: Login successfully. User root (ID=0), opens Session-1-root:127.0.0.1:51308| | LOGIN| 127.0.0.1| root| ++-----------------------------+---------------------------+------+---------------+--------------+--------+--------------+-----------------------------------------------------------------------------------------------+----------+----------------+------------+--------+ +Total line number = 1 +It costs 0.021s ``` \ No newline at end of file diff --git a/src/zh/UserGuide/Master/Table/Reference/System-Config-Manual.md b/src/zh/UserGuide/Master/Table/Reference/System-Config-Manual.md index 660b55b42..d4b1de132 100644 
--- a/src/zh/UserGuide/Master/Table/Reference/System-Config-Manual.md +++ b/src/zh/UserGuide/Master/Table/Reference/System-Config-Manual.md @@ -21,3 +21,4 @@ redirectTo: System-Config-Manual_apache.html under the License. --> + diff --git a/src/zh/UserGuide/Master/Table/User-Manual/Audit-Log_timecho.md b/src/zh/UserGuide/Master/Table/User-Manual/Audit-Log_timecho.md index 89d214405..f032eb013 100644 --- a/src/zh/UserGuide/Master/Table/User-Manual/Audit-Log_timecho.md +++ b/src/zh/UserGuide/Master/Table/User-Manual/Audit-Log_timecho.md 
@@ -29,24 +29,30 @@ * 可通过配置决定是否开启审计日志功能 * 可通过参数设置审计日志记录的操作类型和权限级别 * 可通过参数设置审计日志文件的存储周期,包括基于 TTL 实现时间滚动和基于 SpaceTL 实现空间滚动。 +* 可通过参数设置统计任意时间段内写入和查询延时大于阈值(默认3000毫秒)的慢请求个数。 * 审计日志文件默认加密存储 -> 注意:该功能从 V2.0.8 版本开始提供。 +> 注意:该功能从 V2.0.8-beta 版本开始提供。 ## 2. 配置参数 通过编辑配置文件 `iotdb-system.properties` 中如下参数来启动审计日志功能。 -| 参数名称 | 参数描述 | 数据类型 | 默认值 | 生效方式 | -|-----------------------------------| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | ------------------------ | ---------- | -| `enable_audit_log` | 是否开启审计日志。 true:启用。false:禁用。 | Boolean | false | 重启 | -| `auditable_operation_type` | 操作类型选择。 DML :所有 DML 都会记录审计日志; DDL :所有 DDL 都会记录审计日志; QUERY :所有 QUERY 都会记录审计日志; CONTROL:所有控制语句都会记录审计日志; | String | DML,DDL,QUERY,CONTROL | 重启 | -| `auditable_operation_level` | 权限级别选择。 global :记录全部的审计日志; object:仅针对数据实例的事件的审计日志会被记录; 包含关系:object < global。 例如:设置为 global 时,所有审计日志正常记录;设置为 object 时,仅记录对具体数据实例的操作。 | String | global | 重启 | -| `auditable_operation_result` | 审计结果选择。 success:只记录成功事件的审计日志; fail:只记录失败事件的审计日志; | String | success, fail | 重启 | -| `audit_log_ttl_in_days` | 审计日志的 TTL,生成审计日志的时间达到该阈值后过期。 | Double | -1.0(永远不会被删除) | 重启 | -| `audit_log_space_tl_in_GB` | 审计日志的 SpaceTL,审计日志总空间达到该阈值后开始轮转删除。 | Double | 1.0| 重启| -| `audit_log_batch_interval_in_ms` | 审计日志批量写入的时间间隔 | Long | 1000 | 重启 | -| `audit_log_batch_max_queue_bytes` | 用于批量处理审计日志的队列最大字节数。当队列大小超过此值时,后续的写入操作将被阻塞。 | Long | 268435456 | 重启 | +| 参数名称 | 参数描述 | 数据类型 | 默认值 | 生效方式 | +|-----------------------------------|------------------------------------------------------------------------------------------------------| ---------- | ------------------------ | ---------- | +| `enable_audit_log` | 是否开启审计日志。 true:启用。false:禁用。 | Boolean | false | 热加载 | +| `auditable_operation_type` | 操作类型选择。 DML :所有 DML 都会记录审计日志; DDL :所有 DDL 都会记录审计日志; QUERY :所有 QUERY 都会记录审计日志; 
CONTROL:所有控制语句都会记录审计日志; | String | DML,DDL,QUERY,CONTROL | 热加载 | +| `auditable_dml_event_type` | 审计DML操作时的事件类型。`OBJECT_AUTHENTICATION`:对象鉴权,`SLOW_OPERATION`:慢操作 | String | `OBJECT_AUTHENTICATION`,`SLOW_OPERATION` | 热加载 | +| `auditable_ddl_event_type` | 审计DDL操作时的事件类型。`OBJECT_AUTHENTICATION`:对象鉴权,`SLOW_OPERATION`:慢操作 | String | `OBJECT_AUTHENTICATION`,`SLOW_OPERATION` | 热加载 | +| `auditable_query_event_type` | 审计查询操作时的事件类型。`OBJECT_AUTHENTICATION`:对象鉴权,`SLOW_OPERATION`:慢操作 | String | `OBJECT_AUTHENTICATION`,`SLOW_OPERATION` | 热加载 | +| `auditable_control_event_type` | 审计控制操作时的事件类型。`CHANGE_AUDIT_OPTION`:审计选项变更,`OBJECT_AUTHENTICATION`:对象鉴权,`LOGIN`:登录,`LOGOUT`:退出登录,`DN_SHUTDOWN`:数据节点关机,`SLOW_OPERATION`:慢操作 | String | `CHANGE_AUDIT_OPTION`,`OBJECT_AUTHENTICATION`,`LOGIN`,`LOGOUT`,`DN_SHUTDOWN`,`SLOW_OPERATION` | 热加载 | +| `auditable_operation_level` | 权限级别选择。 global :记录全部的审计日志; object:仅针对数据实例的事件的审计日志会被记录; 包含关系:object < global。 例如:设置为 global 时,所有审计日志正常记录;设置为 object 时,仅记录对具体数据实例的操作。 | String | global | 热加载 | +| `auditable_operation_result` | 审计结果选择。 success:只记录成功事件的审计日志; fail:只记录失败事件的审计日志; | String | success, fail | 热加载 | +| `audit_log_ttl_in_days` | 审计日志的 TTL,生成审计日志的时间达到该阈值后过期。 | Double | -1.0(永远不会被删除) | 热加载 | +| `audit_log_space_tl_in_GB` | 审计日志的 SpaceTL,审计日志总空间达到该阈值后开始轮转删除。 | Double | 1.0| 热加载| +| `audit_log_batch_interval_in_ms` | 审计日志批量写入的时间间隔 | Long | 1000 | 热加载 | +| `audit_log_batch_max_queue_bytes` | 用于批量处理审计日志的队列最大字节数。当队列大小超过此值时,后续的写入操作将被阻塞。 | Long | 268435456 | 热加载 | + ## 3. 查阅方法 
@@ -66,19 +72,19 @@ SELECT (, )* log FROM WHERE whereclause ORDER ### 3.2 元数据结构 -| 字段 | 含义 | 类型 | -| ------------------------ | -------------------------------------------------- | ----------- | -| `time` | 事件开始的的日期和时间 | timestamp | -| `username` | 用户名称 | string | -| `cli_hostname` | 用户主机标识 | string | -| `audit_event_type` | 审计事件类型,WRITE\_DATA, GENERATE\_KEY 等 | string | -| `operation_type` | 审计事件的操作类型,DML, DDL, QUERY, CONTROL | string | -| `privilege_type` | 审计事件使用的权限,WRITE\_DATA, MANAGE\_USER 等 | string | -| `privilege_level` | 事件的权限级别,global, object | string | -| `result` | 事件结果,success=1, fail=0 | boolean | -| `database` | 数据库名称 | string | -| `sql_string` | 用户的原始 SQL | string | -| `log` | 具体的事件描述 | string | +| 字段 | 含义 | 类型 | +| ------------------------ |------------------------------------------------------| ----------- | +| `time` | 事件开始的的日期和时间 | timestamp | +| `username` | 用户名称 | string | +| `cli_hostname` | 用户主机标识 | string | +| `audit_event_type` | 审计事件类型,WRITE\_DATA, GENERATE\_KEY, SLOW\_OPERATION 等 | string | +| `operation_type` | 审计事件的操作类型,DML, DDL, QUERY, CONTROL | string | +| `privilege_type` | 审计事件使用的权限,WRITE\_DATA, MANAGE\_USER 等 | string | +| `privilege_level` | 事件的权限级别,global, object | string | +| `result` | 事件结果,success=1, fail=0 | boolean | +| `database` | 数据库名称 | string | +| `sql_string` | 用户的原始 SQL | string | +| `log` | 具体的事件描述 | string | ### 3.3 使用示例 
@@ -121,3 +127,15 @@ IoTDB:__audit> select time,database,operation_type,log from audit_log where res Total line number = 1 It costs 0.011s ``` + +* 查询审计事件类型为慢操作和登录的记录 +```SQL +IoTDB:__audit> select * from __audit.audit_log where audit_event_type='SLOW_OPERATION' or audit_event_type='LOGIN' limit 1 ++-----------------------------+-------+-------+--------+------------+----------------+--------------+--------------+---------------+------+--------+----------+----------------------------------------------------------------------+ +| time|node_id|user_id|username|cli_hostname|audit_event_type|operation_type|privilege_type|privilege_level|result|database|sql_string| log| ++-----------------------------+-------+-------+--------+------------+----------------+--------------+--------------+---------------+------+--------+----------+----------------------------------------------------------------------+ +|2026-01-23T11:47:42.136+08:00| node_1| u_none| user1| 127.0.0.1| LOGIN| CONTROL| null| GLOBAL| false| | |User user1 (ID=-1) login failed with code: 804, Authentication failed.| ++-----------------------------+-------+-------+--------+------------+----------------+--------------+--------------+---------------+------+--------+----------+----------------------------------------------------------------------+ +Total line number = 1 +It costs 0.033s +``` \ No newline at end of file diff --git a/src/zh/UserGuide/Master/Tree/Reference/Common-Config-Manual.md b/src/zh/UserGuide/Master/Tree/Reference/Common-Config-Manual.md index 02ada5951..c18f36ee1 100644 --- a/src/zh/UserGuide/Master/Tree/Reference/Common-Config-Manual.md +++ b/src/zh/UserGuide/Master/Tree/Reference/Common-Config-Manual.md @@ -682,7 +682,7 @@ IoTDB ConfigNode 和 DataNode 的公共配置参数位于 `conf` 目录下。 |:---:|:-----------------------| |描述| 慢查询的时间阈值。单位:毫秒。 | |类型| Int32 | -|默认值| 10000 | +|默认值| 3000 | |改后生效方式| 热加载 | * query\_timeout\_threshold 
diff --git a/src/zh/UserGuide/Master/Tree/User-Manual/Audit-Log_timecho.md b/src/zh/UserGuide/Master/Tree/User-Manual/Audit-Log_timecho.md index a4de129c8..24d7dc565 100644 --- a/src/zh/UserGuide/Master/Tree/User-Manual/Audit-Log_timecho.md +++ b/src/zh/UserGuide/Master/Tree/User-Manual/Audit-Log_timecho.md 
@@ -29,24 +29,29 @@ * 可通过配置决定是否开启审计日志功能 * 可通过参数设置审计日志记录的操作类型和权限级别 * 可通过参数设置审计日志文件的存储周期,包括基于 TTL 实现时间滚动和基于 SpaceTL 实现空间滚动。 +* 可通过参数设置统计任意时间段内写入和查询延时大于阈值(默认3000毫秒)的慢请求个数。 * 审计日志文件默认加密存储 -> 注意:该功能从 V2.0.8 版本开始提供。 +> 注意:该功能从 V2.0.8-beta 版本开始提供。 ## 2. 配置参数 通过编辑配置文件 `iotdb-system.properties` 中如下参数来启动审计日志功能。 -| 参数名称 | 参数描述 | 数据类型 | 默认值 | 生效方式 | -|-----------------------------------| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | ------------------------ | ---------- | -| `enable_audit_log` | 是否开启审计日志。 true:启用。false:禁用。 | Boolean | false | 重启 | -| `auditable_operation_type` | 操作类型选择。 DML :所有 DML 都会记录审计日志; DDL :所有 DDL 都会记录审计日志; QUERY :所有 QUERY 都会记录审计日志; CONTROL:所有控制语句都会记录审计日志; | String | DML,DDL,QUERY,CONTROL | 重启 | -| `auditable_operation_level` | 权限级别选择。 global :记录全部的审计日志; object:仅针对数据实例的事件的审计日志会被记录; 包含关系:object < global。 例如:设置为 global 时,所有审计日志正常记录;设置为 object 时,仅记录对具体数据实例的操作。 | String | global | 重启 | -| `auditable_operation_result` | 审计结果选择。 success:只记录成功事件的审计日志; fail:只记录失败事件的审计日志; | String | success, fail | 重启 | -| `audit_log_ttl_in_days` | 审计日志的 TTL,生成审计日志的时间达到该阈值后过期。 | Double | -1.0(永远不会被删除) | 重启 | -| `audit_log_space_tl_in_GB` | 审计日志的 SpaceTL,审计日志总空间达到该阈值后开始轮转删除。 | Double | 1.0| 重启| -| `audit_log_batch_interval_in_ms` | 审计日志批量写入的时间间隔 | Long | 1000 | 重启 | -| `audit_log_batch_max_queue_bytes` | 用于批量处理审计日志的队列最大字节数。当队列大小超过此值时,后续的写入操作将被阻塞。 | Long | 268435456 | 重启 | +| 参数名称 | 参数描述 | 数据类型 | 默认值 | 生效方式 | +|-----------------------------------|------------------------------------------------------------------------------------------------------| ---------- | ------------------------ | ---------- | +| `enable_audit_log` | 是否开启审计日志。 true:启用。false:禁用。 | Boolean | false | 热加载 | +| `auditable_operation_type` | 操作类型选择。 DML :所有 DML 都会记录审计日志; DDL :所有 DDL 都会记录审计日志; QUERY :所有 QUERY 都会记录审计日志; 
CONTROL:所有控制语句都会记录审计日志; | String | DML,DDL,QUERY,CONTROL | 热加载 | +| `auditable_dml_event_type` | 审计DML操作时的事件类型。`OBJECT_AUTHENTICATION`:对象鉴权,`SLOW_OPERATION`:慢操作 | String | `OBJECT_AUTHENTICATION`,`SLOW_OPERATION` | 热加载 | +| `auditable_ddl_event_type` | 审计DDL操作时的事件类型。`OBJECT_AUTHENTICATION`:对象鉴权,`SLOW_OPERATION`:慢操作 | String | `OBJECT_AUTHENTICATION`,`SLOW_OPERATION` | 热加载 | +| `auditable_query_event_type` | 审计查询操作时的事件类型。`OBJECT_AUTHENTICATION`:对象鉴权,`SLOW_OPERATION`:慢操作 | String | `OBJECT_AUTHENTICATION`,`SLOW_OPERATION` | 热加载 | +| `auditable_control_event_type` | 审计控制操作时的事件类型。`CHANGE_AUDIT_OPTION`:审计选项变更,`OBJECT_AUTHENTICATION`:对象鉴权,`LOGIN`:登录,`LOGOUT`:退出登录,`DN_SHUTDOWN`:数据节点关机,`SLOW_OPERATION`:慢操作 | String | `CHANGE_AUDIT_OPTION`,`OBJECT_AUTHENTICATION`,`LOGIN`,`LOGOUT`,`DN_SHUTDOWN`,`SLOW_OPERATION` | 热加载 | +| `auditable_operation_level` | 权限级别选择。 global :记录全部的审计日志; object:仅针对数据实例的事件的审计日志会被记录; 包含关系:object < global。 例如:设置为 global 时,所有审计日志正常记录;设置为 object 时,仅记录对具体数据实例的操作。 | String | global | 热加载 | +| `auditable_operation_result` | 审计结果选择。 success:只记录成功事件的审计日志; fail:只记录失败事件的审计日志; | String | success, fail | 热加载 | +| `audit_log_ttl_in_days` | 审计日志的 TTL,生成审计日志的时间达到该阈值后过期。 | Double | -1.0(永远不会被删除) | 热加载 | +| `audit_log_space_tl_in_GB` | 审计日志的 SpaceTL,审计日志总空间达到该阈值后开始轮转删除。 | Double | 1.0| 热加载| +| `audit_log_batch_interval_in_ms` | 审计日志批量写入的时间间隔 | Long | 1000 | 热加载 | +| `audit_log_batch_max_queue_bytes` | 用于批量处理审计日志的队列最大字节数。当队列大小超过此值时,后续的写入操作将被阻塞。 | Long | 268435456 | 热加载 | ## 3. 查阅方法 
@@ -69,7 +74,7 @@ SELECT (, )* log FROM WHERE whereclause ORDER | `time` | 事件开始的的日期和时间 | timestamp | | `username` | 用户名称 | string | | `cli_hostname` | 用户主机标识 | string | -| `audit_event_type` | 审计事件类型,WRITE\_DATA, GENERATE\_KEY 等 | string | +| `audit_event_type` | 审计事件类型,WRITE\_DATA, GENERATE\_KEY, SLOW\_OPERATION 等 | string | | `operation_type` | 审计事件的操作类型,DML, DDL, QUERY, CONTROL | string | | `privilege_type` | 审计事件使用的权限,WRITE\_DATA, MANAGE\_USER 等 | string | | `privilege_level` | 事件的权限级别,global, object | string | 
@@ -122,4 +127,17 @@ IoTDB> select database,operation_type,log from root.__audit.log.** where result +-----------------------------+-------------------------------+-----------+--------------+---------------------------------------------------------------------------------+ Total line number = 4 It costs 0.024s -``` \ No newline at end of file +``` + +* 查询某个用户在某个数据节点上审计事件类型为慢操作和登录的记录 + +```SQL +IoTDB> select * from root.__audit.log.node_1.u_0 where audit_event_type='SLOW_OPERATION' or audit_event_type='LOGIN'limit 1 align by device ++-----------------------------+---------------------------+------+---------------+--------------+--------+--------------+-----------------------------------------------------------------------------------------------+----------+----------------+------------+--------+ +| Time| Device|result|privilege_level|privilege_type|database|operation_type| log|sql_string|audit_event_type|cli_hostname|username| ++-----------------------------+---------------------------+------+---------------+--------------+--------+--------------+-----------------------------------------------------------------------------------------------+----------+----------------+------------+--------+ +|2026-01-23T11:42:23.636+08:00|root.__audit.log.node_1.u_0| true| GLOBAL| null| | CONTROL|IoTDB: Login status: Login successfully. User root (ID=0), opens Session-1-root:127.0.0.1:51308| | LOGIN| 127.0.0.1| root| ++-----------------------------+---------------------------+------+---------------+--------------+--------+--------------+-----------------------------------------------------------------------------------------------+----------+----------------+------------+--------+ +Total line number = 1 +It costs 0.021s +``` diff --git a/src/zh/UserGuide/latest-Table/User-Manual/Audit-Log_timecho.md b/src/zh/UserGuide/latest-Table/User-Manual/Audit-Log_timecho.md index 89d214405..c8e3b2153 100644 --- a/src/zh/UserGuide/latest-Table/User-Manual/Audit-Log_timecho.md 
+++ b/src/zh/UserGuide/latest-Table/User-Manual/Audit-Log_timecho.md @@ -29,6 +29,7 @@ * 可通过配置决定是否开启审计日志功能 * 可通过参数设置审计日志记录的操作类型和权限级别 * 可通过参数设置审计日志文件的存储周期,包括基于 TTL 实现时间滚动和基于 SpaceTL 实现空间滚动。 +* 可通过参数设置统计任意时间段内写入和查询延时大于阈值(默认3000毫秒)的慢请求个数。 * 审计日志文件默认加密存储 > 注意:该功能从 V2.0.8 版本开始提供。 
@@ -37,16 +38,21 @@ 通过编辑配置文件 `iotdb-system.properties` 中如下参数来启动审计日志功能。 -| 参数名称 | 参数描述 | 数据类型 | 默认值 | 生效方式 | -|-----------------------------------| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | ------------------------ | ---------- | -| `enable_audit_log` | 是否开启审计日志。 true:启用。false:禁用。 | Boolean | false | 重启 | -| `auditable_operation_type` | 操作类型选择。 DML :所有 DML 都会记录审计日志; DDL :所有 DDL 都会记录审计日志; QUERY :所有 QUERY 都会记录审计日志; CONTROL:所有控制语句都会记录审计日志; | String | DML,DDL,QUERY,CONTROL | 重启 | -| `auditable_operation_level` | 权限级别选择。 global :记录全部的审计日志; object:仅针对数据实例的事件的审计日志会被记录; 包含关系:object < global。 例如:设置为 global 时,所有审计日志正常记录;设置为 object 时,仅记录对具体数据实例的操作。 | String | global | 重启 | -| `auditable_operation_result` | 审计结果选择。 success:只记录成功事件的审计日志; fail:只记录失败事件的审计日志; | String | success, fail | 重启 | -| `audit_log_ttl_in_days` | 审计日志的 TTL,生成审计日志的时间达到该阈值后过期。 | Double | -1.0(永远不会被删除) | 重启 | -| `audit_log_space_tl_in_GB` | 审计日志的 SpaceTL,审计日志总空间达到该阈值后开始轮转删除。 | Double | 1.0| 重启| -| `audit_log_batch_interval_in_ms` | 审计日志批量写入的时间间隔 | Long | 1000 | 重启 | -| `audit_log_batch_max_queue_bytes` | 用于批量处理审计日志的队列最大字节数。当队列大小超过此值时,后续的写入操作将被阻塞。 | Long | 268435456 | 重启 | +| 参数名称 | 参数描述 | 数据类型 | 默认值 | 生效方式 | +|-----------------------------------|------------------------------------------------------------------------------------------------------| ---------- | ------------------------ | ---------- | +| `enable_audit_log` | 是否开启审计日志。 true:启用。false:禁用。 | Boolean | false | 热加载 | +| `auditable_operation_type` | 操作类型选择。 DML :所有 DML 都会记录审计日志; DDL :所有 DDL 都会记录审计日志; QUERY :所有 QUERY 都会记录审计日志; CONTROL:所有控制语句都会记录审计日志; | String | DML,DDL,QUERY,CONTROL | 热加载 | +| `auditable_dml_event_type` | 审计DML操作时的事件类型。`OBJECT_AUTHENTICATION`:对象鉴权,`SLOW_OPERATION`:慢操作 | String | `OBJECT_AUTHENTICATION`,`SLOW_OPERATION` | 热加载 | +| 
`auditable_ddl_event_type` | 审计DDL操作时的事件类型。`OBJECT_AUTHENTICATION`:对象鉴权,`SLOW_OPERATION`:慢操作 | String | `OBJECT_AUTHENTICATION`,`SLOW_OPERATION` | 热加载 | +| `auditable_query_event_type` | 审计查询操作时的事件类型。`OBJECT_AUTHENTICATION`:对象鉴权,`SLOW_OPERATION`:慢操作 | String | `OBJECT_AUTHENTICATION`,`SLOW_OPERATION` | 热加载 | +| `auditable_control_event_type` | 审计控制操作时的事件类型。`CHANGE_AUDIT_OPTION`:审计选项变更,`OBJECT_AUTHENTICATION`:对象鉴权,`LOGIN`:登录,`LOGOUT`:退出登录,`DN_SHUTDOWN`:数据节点关机,`SLOW_OPERATION`:慢操作 | String | `CHANGE_AUDIT_OPTION`,`OBJECT_AUTHENTICATION`,`LOGIN`,`LOGOUT`,`DN_SHUTDOWN`,`SLOW_OPERATION` | 热加载 | +| `auditable_operation_level` | 权限级别选择。 global :记录全部的审计日志; object:仅针对数据实例的事件的审计日志会被记录; 包含关系:object < global。 例如:设置为 global 时,所有审计日志正常记录;设置为 object 时,仅记录对具体数据实例的操作。 | String | global | 热加载 | +| `auditable_operation_result` | 审计结果选择。 success:只记录成功事件的审计日志; fail:只记录失败事件的审计日志; | String | success, fail | 热加载 | +| `audit_log_ttl_in_days` | 审计日志的 TTL,生成审计日志的时间达到该阈值后过期。 | Double | -1.0(永远不会被删除) | 热加载 | +| `audit_log_space_tl_in_GB` | 审计日志的 SpaceTL,审计日志总空间达到该阈值后开始轮转删除。 | Double | 1.0| 热加载| +| `audit_log_batch_interval_in_ms` | 审计日志批量写入的时间间隔 | Long | 1000 | 热加载 | +| `audit_log_batch_max_queue_bytes` | 用于批量处理审计日志的队列最大字节数。当队列大小超过此值时,后续的写入操作将被阻塞。 | Long | 268435456 | 热加载 | + ## 3. 查阅方法 
@@ -66,19 +72,19 @@ SELECT (, )* log FROM WHERE whereclause ORDER ### 3.2 元数据结构 -| 字段 | 含义 | 类型 | -| ------------------------ | -------------------------------------------------- | ----------- | -| `time` | 事件开始的的日期和时间 | timestamp | -| `username` | 用户名称 | string | -| `cli_hostname` | 用户主机标识 | string | -| `audit_event_type` | 审计事件类型,WRITE\_DATA, GENERATE\_KEY 等 | string | -| `operation_type` | 审计事件的操作类型,DML, DDL, QUERY, CONTROL | string | -| `privilege_type` | 审计事件使用的权限,WRITE\_DATA, MANAGE\_USER 等 | string | -| `privilege_level` | 事件的权限级别,global, object | string | -| `result` | 事件结果,success=1, fail=0 | boolean | -| `database` | 数据库名称 | string | -| `sql_string` | 用户的原始 SQL | string | -| `log` | 具体的事件描述 | string | +| 字段 | 含义 | 类型 | +| ------------------------ |------------------------------------------------------| ----------- | +| `time` | 事件开始的的日期和时间 | timestamp | +| `username` | 用户名称 | string | +| `cli_hostname` | 用户主机标识 | string | +| `audit_event_type` | 审计事件类型,WRITE\_DATA, GENERATE\_KEY, SLOW\_OPERATION 等 | string | +| `operation_type` | 审计事件的操作类型,DML, DDL, QUERY, CONTROL | string | +| `privilege_type` | 审计事件使用的权限,WRITE\_DATA, MANAGE\_USER 等 | string | +| `privilege_level` | 事件的权限级别,global, object | string | +| `result` | 事件结果,success=1, fail=0 | boolean | +| `database` | 数据库名称 | string | +| `sql_string` | 用户的原始 SQL | string | +| `log` | 具体的事件描述 | string | ### 3.3 使用示例 
@@ -121,3 +127,15 @@ IoTDB:__audit> select time,database,operation_type,log from audit_log where res Total line number = 1 It costs 0.011s ``` + +* 查询审计事件类型为慢操作和登录的记录 +```SQL +IoTDB:__audit> select * from __audit.audit_log where audit_event_type='SLOW_OPERATION' or audit_event_type='LOGIN' limit 1 ++-----------------------------+-------+-------+--------+------------+----------------+--------------+--------------+---------------+------+--------+----------+----------------------------------------------------------------------+ +| time|node_id|user_id|username|cli_hostname|audit_event_type|operation_type|privilege_type|privilege_level|result|database|sql_string| log| ++-----------------------------+-------+-------+--------+------------+----------------+--------------+--------------+---------------+------+--------+----------+----------------------------------------------------------------------+ +|2026-01-23T11:47:42.136+08:00| node_1| u_none| user1| 127.0.0.1| LOGIN| CONTROL| null| GLOBAL| false| | |User user1 (ID=-1) login failed with code: 804, Authentication failed.| ++-----------------------------+-------+-------+--------+------------+----------------+--------------+--------------+---------------+------+--------+----------+----------------------------------------------------------------------+ +Total line number = 1 +It costs 0.033s +``` \ No newline at end of file diff --git a/src/zh/UserGuide/latest/Reference/Common-Config-Manual.md b/src/zh/UserGuide/latest/Reference/Common-Config-Manual.md index 02ada5951..c18f36ee1 100644 --- a/src/zh/UserGuide/latest/Reference/Common-Config-Manual.md +++ b/src/zh/UserGuide/latest/Reference/Common-Config-Manual.md @@ -682,7 +682,7 @@ IoTDB ConfigNode 和 DataNode 的公共配置参数位于 `conf` 目录下。 |:---:|:-----------------------| |描述| 慢查询的时间阈值。单位:毫秒。 | |类型| Int32 | -|默认值| 10000 | +|默认值| 3000 | |改后生效方式| 热加载 | * query\_timeout\_threshold 
diff --git a/src/zh/UserGuide/latest/User-Manual/Audit-Log_timecho.md b/src/zh/UserGuide/latest/User-Manual/Audit-Log_timecho.md index a4de129c8..7ff956b88 100644 --- a/src/zh/UserGuide/latest/User-Manual/Audit-Log_timecho.md +++ b/src/zh/UserGuide/latest/User-Manual/Audit-Log_timecho.md @@ -29,6 +29,7 @@ * 可通过配置决定是否开启审计日志功能 * 可通过参数设置审计日志记录的操作类型和权限级别 * 可通过参数设置审计日志文件的存储周期,包括基于 TTL 实现时间滚动和基于 SpaceTL 实现空间滚动。 +* 可通过参数设置统计任意时间段内写入和查询延时大于阈值(默认3000毫秒)的慢请求个数。 * 审计日志文件默认加密存储 > 注意:该功能从 V2.0.8 版本开始提供。 
@@ -37,16 +38,20 @@ 通过编辑配置文件 `iotdb-system.properties` 中如下参数来启动审计日志功能。 -| 参数名称 | 参数描述 | 数据类型 | 默认值 | 生效方式 | -|-----------------------------------| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | ------------------------ | ---------- | -| `enable_audit_log` | 是否开启审计日志。 true:启用。false:禁用。 | Boolean | false | 重启 | -| `auditable_operation_type` | 操作类型选择。 DML :所有 DML 都会记录审计日志; DDL :所有 DDL 都会记录审计日志; QUERY :所有 QUERY 都会记录审计日志; CONTROL:所有控制语句都会记录审计日志; | String | DML,DDL,QUERY,CONTROL | 重启 | -| `auditable_operation_level` | 权限级别选择。 global :记录全部的审计日志; object:仅针对数据实例的事件的审计日志会被记录; 包含关系:object < global。 例如:设置为 global 时,所有审计日志正常记录;设置为 object 时,仅记录对具体数据实例的操作。 | String | global | 重启 | -| `auditable_operation_result` | 审计结果选择。 success:只记录成功事件的审计日志; fail:只记录失败事件的审计日志; | String | success, fail | 重启 | -| `audit_log_ttl_in_days` | 审计日志的 TTL,生成审计日志的时间达到该阈值后过期。 | Double | -1.0(永远不会被删除) | 重启 | -| `audit_log_space_tl_in_GB` | 审计日志的 SpaceTL,审计日志总空间达到该阈值后开始轮转删除。 | Double | 1.0| 重启| -| `audit_log_batch_interval_in_ms` | 审计日志批量写入的时间间隔 | Long | 1000 | 重启 | -| `audit_log_batch_max_queue_bytes` | 用于批量处理审计日志的队列最大字节数。当队列大小超过此值时,后续的写入操作将被阻塞。 | Long | 268435456 | 重启 | +| 参数名称 | 参数描述 | 数据类型 | 默认值 | 生效方式 | +|-----------------------------------|------------------------------------------------------------------------------------------------------| ---------- | ------------------------ | ---------- | +| `enable_audit_log` | 是否开启审计日志。 true:启用。false:禁用。 | Boolean | false | 热加载 | +| `auditable_operation_type` | 操作类型选择。 DML :所有 DML 都会记录审计日志; DDL :所有 DDL 都会记录审计日志; QUERY :所有 QUERY 都会记录审计日志; CONTROL:所有控制语句都会记录审计日志; | String | DML,DDL,QUERY,CONTROL | 热加载 | +| `auditable_dml_event_type` | 审计DML操作时的事件类型。`OBJECT_AUTHENTICATION`:对象鉴权,`SLOW_OPERATION`:慢操作 | String | `OBJECT_AUTHENTICATION`,`SLOW_OPERATION` | 热加载 | +| 
`auditable_ddl_event_type` | 审计DDL操作时的事件类型。`OBJECT_AUTHENTICATION`:对象鉴权,`SLOW_OPERATION`:慢操作 | String | `OBJECT_AUTHENTICATION`,`SLOW_OPERATION` | 热加载 | +| `auditable_query_event_type` | 审计查询操作时的事件类型。`OBJECT_AUTHENTICATION`:对象鉴权,`SLOW_OPERATION`:慢操作 | String | `OBJECT_AUTHENTICATION`,`SLOW_OPERATION` | 热加载 | +| `auditable_control_event_type` | 审计控制操作时的事件类型。`CHANGE_AUDIT_OPTION`:审计选项变更,`OBJECT_AUTHENTICATION`:对象鉴权,`LOGIN`:登录,`LOGOUT`:退出登录,`DN_SHUTDOWN`:数据节点关机,`SLOW_OPERATION`:慢操作 | String | `CHANGE_AUDIT_OPTION`,`OBJECT_AUTHENTICATION`,`LOGIN`,`LOGOUT`,`DN_SHUTDOWN`,`SLOW_OPERATION` | 热加载 | +| `auditable_operation_level` | 权限级别选择。 global :记录全部的审计日志; object:仅针对数据实例的事件的审计日志会被记录; 包含关系:object < global。 例如:设置为 global 时,所有审计日志正常记录;设置为 object 时,仅记录对具体数据实例的操作。 | String | global | 热加载 | +| `auditable_operation_result` | 审计结果选择。 success:只记录成功事件的审计日志; fail:只记录失败事件的审计日志; | String | success, fail | 热加载 | +| `audit_log_ttl_in_days` | 审计日志的 TTL,生成审计日志的时间达到该阈值后过期。 | Double | -1.0(永远不会被删除) | 热加载 | +| `audit_log_space_tl_in_GB` | 审计日志的 SpaceTL,审计日志总空间达到该阈值后开始轮转删除。 | Double | 1.0| 热加载| +| `audit_log_batch_interval_in_ms` | 审计日志批量写入的时间间隔 | Long | 1000 | 热加载 | +| `audit_log_batch_max_queue_bytes` | 用于批量处理审计日志的队列最大字节数。当队列大小超过此值时,后续的写入操作将被阻塞。 | Long | 268435456 | 热加载 | ## 3. 查阅方法 @@ -69,7 +74,7 @@ SELECT (, )* log FROM WHERE whereclause ORDER | `time` | 事件开始的的日期和时间 | timestamp | | `username` | 用户名称 | string | | `cli_hostname` | 用户主机标识 | string | -| `audit_event_type` | 审计事件类型,WRITE\_DATA, GENERATE\_KEY 等 | string | +| `audit_event_type` | 审计事件类型,WRITE\_DATA, GENERATE\_KEY, SLOW\_OPERATION 等 | string | | `operation_type` | 审计事件的操作类型,DML, DDL, QUERY, CONTROL | string | | `privilege_type` | 审计事件使用的权限,WRITE\_DATA, MANAGE\_USER 等 | string | | `privilege_level` | 事件的权限级别,global, object | string | 
@@ -122,4 +127,17 @@ IoTDB> select database,operation_type,log from root.__audit.log.** where result +-----------------------------+-------------------------------+-----------+--------------+---------------------------------------------------------------------------------+ Total line number = 4 It costs 0.024s -``` \ No newline at end of file +``` + +* 查询某个用户在某个数据节点上审计事件类型为慢操作和登录的记录 + +```SQL +IoTDB> select * from root.__audit.log.node_1.u_0 where audit_event_type='SLOW_OPERATION' or audit_event_type='LOGIN'limit 1 align by device ++-----------------------------+---------------------------+------+---------------+--------------+--------+--------------+-----------------------------------------------------------------------------------------------+----------+----------------+------------+--------+ +| Time| Device|result|privilege_level|privilege_type|database|operation_type| log|sql_string|audit_event_type|cli_hostname|username| ++-----------------------------+---------------------------+------+---------------+--------------+--------+--------------+-----------------------------------------------------------------------------------------------+----------+----------------+------------+--------+ +|2026-01-23T11:42:23.636+08:00|root.__audit.log.node_1.u_0| true| GLOBAL| null| | CONTROL|IoTDB: Login status: Login successfully. User root (ID=0), opens Session-1-root:127.0.0.1:51308| | LOGIN| 127.0.0.1| root| ++-----------------------------+---------------------------+------+---------------+--------------+--------+--------------+-----------------------------------------------------------------------------------------------+----------+----------------+------------+--------+ +Total line number = 1 +It costs 0.021s +```
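Review bot: The new example in `src/UserGuide/Master/Table/User-Manual/Audit-Log_timecho.md` (hunk `@@ -121,4 +127,17 @@`) uses the tree-model form `select * from root.__audit.log.node_1.u_0 ... align by device` at the `IoTDB>` prompt, but this file is the Table-model manual; the Chinese Table manuals in the same PR use `select * from __audit.audit_log where audit_event_type='SLOW_OPERATION' or audit_event_type='LOGIN' limit 1` at the `IoTDB:__audit>` prompt. Replace the query and its result block with the table-model version so the English and Chinese Table pages show the same thing.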
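Review bot: The rewritten English parameter table (hunk `@@ -36,16 +38,20 @@` of `src/UserGuide/Master/Table/User-Manual/Audit-Log_timecho.md`) drops the units that the old descriptions carried: `audit_log_ttl_in_days` lost "in days", `audit_log_space_tl_in_GB` lost "in GB" and `audit_log_batch_interval_in_ms` lost "in milliseconds"; please restore them, since readers scan the description column. Two more things on the same table: every row now says "Hot Reload" where it said "Restart Required", but the page never says how a reload is triggered, so add a sentence or a link to the reload procedure; and because `auditable_control_event_type` is itself hot-reloadable, it is worth one sentence noting that removing `CHANGE_AUDIT_OPTION` from its value means later changes to the audit configuration leave no audit record.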
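Review bot: The new introduction bullet in `src/zh/UserGuide/Master/Table/User-Manual/Audit-Log_timecho.md` (hunk `@@ -29,24 +29,30 @@`) promises a configurable slow-request threshold with a 3000 ms default, but none of the parameters in the table below it sets that threshold; the only threshold touched by this PR is the "慢查询的时间阈值" entry in Common-Config-Manual (10000 -> 3000). Name that parameter in the bullet and link to it. The same hunk changes the version note to V2.0.8-beta, while the `latest-Table` and `latest` copies of this page keep "V2.0.8" (hunks `@@ -29,6 +29,7 @@`); pick one version string for all four pages.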
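Review bot: In the 3.2 field tables of the Table manuals (hunks `@@ -66,19 +72,19 @@` in both `src/zh/UserGuide/Master/Table/...` and `src/zh/UserGuide/latest-Table/...`) only the `audit_event_type` row gains `SLOW_OPERATION`, yet every row is rewritten with new padding, which hides the real change; limit the diff to the one row, as the Tree variants do in `@@ -69,7 +74,7 @@`. Also, the example output added right after (`@@ -121,3 +127,15 @@`) shows `node_id` and `user_id` columns that this field table does not describe; add rows for them so the metadata table matches what the query returns.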
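Review bot: The slow-query default is changed from 10000 to 3000 only in the Chinese `Common-Config-Manual.md` files (hunks `@@ -682,7 +682,7 @@` under `src/zh/UserGuide/Master/Tree/Reference/` and `src/zh/UserGuide/latest/Reference/`), while the English audit-log introduction in this same PR already states "default 3000 milliseconds"; the English `Common-Config-Manual.md` is not touched, so the English reference will contradict the English audit page. Update it in the same PR, and confirm the shipped `iotdb-system.properties` default actually is 3000 before documenting it.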
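Review bot: The new Tree-model example query (hunks `@@ -122,4 +127,17 @@` in `src/zh/UserGuide/Master/Tree/User-Manual/Audit-Log_timecho.md` and `src/zh/UserGuide/latest/User-Manual/Audit-Log_timecho.md`) is missing the space before `limit`: `audit_event_type='LOGIN'limit 1 align by device`. The English counterpart has `'LOGIN' limit 1`; a reader copying the Chinese line gets a syntax error, so fix both copies.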
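Review bot: The two `System-Config-Manual.md` hunks (`@@ -21,3 +21,4 @@` under `src/UserGuide/Master/Table/Reference/` and `src/zh/UserGuide/Master/Table/Reference/`) only append a trailing blank line after the licence comment; they are whitespace-only and unrelated to the audit-log change, so drop them to keep the PR focused on its subject.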