Skip to content

add slow operation tp auditlog from 2082 #1001

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
leto-b wants to merge 2 commits into
base: main
Choose a base branch
from
Open

add slow operation tp auditlog from 2082 #1001

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
6431039
add slow operation tp auditlog from 2082
leto-b Feb 5, 2026
034a157
Merge branch 'main' into add-slow-operation-to-audit-log-2082
leto-b Feb 6, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions src/UserGuide/Master/Table/Reference/System-Config-Manual.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,3 +21,4 @@ redirectTo: System-Config-Manual_apache.html
under the License.

-->

51 changes: 35 additions & 16 deletions src/UserGuide/Master/Table/User-Manual/Audit-Log_timecho.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,29 +24,34 @@

## 1. Introduction

Audit logs provide a documented record of database activities. Through the audit log feature, you can track operations like data creation, deletion, modification, and querying to ensure information security. IoTDB's audit log functionality supports the following features:
Audit logs serve as the record credentials of a database, enabling tracking of various operations (e.g., create, read, update, delete) to ensure information security. The audit log feature in IoTDB supports the following capabilities:

* Configurable enable/disable of audit logging
* Configurable auditable operation types and privilege levels
* Configurable audit log retention periods using TTL (time-based rolling) and SpaceTL (space-based rolling)
* Default encryption storage for audit logs
* Supports enabling/disabling the audit log functionality through configuration
* Supports configuring operation types and privilege levels to be recorded via parameters
* Supports setting the storage duration of audit log files, including time-based rolling (via TTL) and space-based rolling (via SpaceTL)
* Supports configuring parameters to count slow requests (with write/query latency exceeding a threshold, default 3000 milliseconds) within any specified time period
* Audit log files are stored in encrypted format by default

> Note: This feature is available from version V2.0.8 onwards.
> Note: This feature is available from version V2.0.8-beta onwards.

## 2. Configuration Parameters

Edit the `iotdb-system.properties` file to enable audit logging using the following parameters:

| Parameter Name | Description | Data Type | Default Value | Application Method |
|---------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------|----------------------------|--------------------|
| `enable_audit_log` | Enable audit logging. true: enabled. false: disabled. | Boolean | false | Restart Required |
| `auditable_operation_type` | Operation type selection. DML: All DML operations; DDL: All DDL operations; QUERY: All queries; CONTROL: All control statements; | String | DML,DDL,QUERY,CONTROL | Restart Required |
| `auditable_operation_level` | Privilege level selection. global: Record all audit logs; object: Only record audit logs for data instances; Containment relationship: object < global. | String | global | Restart Required |
| `auditable_operation_result` | Audit result selection. success: Only record successful events; fail: Only record failed events; | String | success, fail | Restart Required |
| `audit_log_ttl_in_days` | Audit log TTL (Time To Live) in days. Logs older than this threshold will expire. | Double | -1.0 (never deleted) | Restart Required |
| `audit_log_space_tl_in_GB` | Audit log SpaceTL in GB. When total audit log size exceeds this threshold, log rotation starts deleting oldest files. | Double | 1.0 | Restart Required |
| `audit_log_batch_interval_in_ms` | Batch write interval for audit logs in milliseconds | Long | 1000 | Restart Required |
| `audit_log_batch_max_queue_bytes` | Maximum queue size in bytes for batch processing audit logs. Subsequent writes will be blocked when queue exceeds this value. | Long | 268435456 | Restart Required |
| Parameter Name | Description | Data Type | Default Value | Activation Method |
|-------------------------------------------|------------------------------------------------------------------------------------------------------------|-----------|-------------------------------|-------------------|
| `enable_audit_log` | Whether to enable audit logging. true: enabled. false: disabled. | Boolean | false | Hot Reload |
| `auditable_operation_type` | Operation type selection. DML: all DML operations are logged; DDL: all DDL operations are logged; QUERY: all query operations are logged; CONTROL: all control statements are logged. | String | DML,DDL,QUERY,CONTROL | Hot Reload |
| `auditable_dml_event_type` | Event types for auditing DML operations. `OBJECT_AUTHENTICATION`: object authentication, `SLOW_OPERATION`: slow operation | String | `OBJECT_AUTHENTICATION`,`SLOW_OPERATION` | Hot Reload |
| `auditable_ddl_event_type` | Event types for auditing DDL operations. `OBJECT_AUTHENTICATION`: object authentication, `SLOW_OPERATION`: slow operation | String | `OBJECT_AUTHENTICATION`,`SLOW_OPERATION` | Hot Reload |
| `auditable_query_event_type` | Event types for auditing query operations. `OBJECT_AUTHENTICATION`: object authentication, `SLOW_OPERATION`: slow operation | String | `OBJECT_AUTHENTICATION`,`SLOW_OPERATION` | Hot Reload |
| `auditable_control_event_type` | Event types for auditing control operations. `CHANGE_AUDIT_OPTION`: audit option change, `OBJECT_AUTHENTICATION`: object authentication, `LOGIN`: login, `LOGOUT`: logout, `DN_SHUTDOWN`: data node shutdown, `SLOW_OPERATION`: slow operation | String | `CHANGE_AUDIT_OPTION`,`OBJECT_AUTHENTICATION`,`LOGIN`,`LOGOUT`,`DN_SHUTDOWN`,`SLOW_OPERATION` | Hot Reload |
| `auditable_operation_level` | Permission level selection. global: log all audit events; object: only log events related to data instances. Containment relationship: object < global. For example: when set to global, all audit logs are recorded normally; when set to object, only operations on specific data instances are recorded. | String | global | Hot Reload |
| `auditable_operation_result` | Audit result selection. success: log only successful events; fail: log only failed events | String | success,fail | Hot Reload |
| `audit_log_ttl_in_days` | Audit log TTL (Time To Live). Logs older than this threshold will expire. | Double | -1.0 (never deleted) | Hot Reload |
| `audit_log_space_tl_in_GB` | Audit log SpaceTL. Logs will start rotating when total space reaches this threshold. | Double | 1.0 | Hot Reload |
| `audit_log_batch_interval_in_ms` | Batch write interval for audit logs | Long | 1000 | Hot Reload |
| `audit_log_batch_max_queue_bytes` | Maximum byte size of the queue for batch processing audit logs. Subsequent write operations will be blocked when this threshold is exceeded. | Long | 268435456 | Hot Reload |

## 3. Access Methods

Expand Down Expand Up @@ -120,4 +125,18 @@ IoTDB:__audit> select time,database,operation_type,log from audit_log where res
+-----------------------------+--------+--------------+----------------------------------------------------------------------+
Total line number = 1
It costs 0.011s
```


* Query audit event records with types 'slow operation' and 'login'

```SQL
IoTDB:__audit> select * from audit_log where audit_event_type='SLOW_OPERATION' or audit_event_type='LOGIN' limit 1
+-----------------------------+-------+-------+--------+------------+----------------+--------------+--------------+---------------+------+--------+----------+----------------------------------------------------------------------+
| time|node_id|user_id|username|cli_hostname|audit_event_type|operation_type|privilege_type|privilege_level|result|database|sql_string| log|
+-----------------------------+-------+-------+--------+------------+----------------+--------------+--------------+---------------+------+--------+----------+----------------------------------------------------------------------+
|2026-01-23T11:47:42.136+08:00| node_1| u_none| user1| 127.0.0.1| LOGIN| CONTROL| null| GLOBAL| false| | |User user1 (ID=-1) login failed with code: 804, Authentication failed.|
+-----------------------------+-------+-------+--------+------------+----------------+--------------+--------------+---------------+------+--------+----------+----------------------------------------------------------------------+
Total line number = 1
It costs 0.033s
```
2 changes: 1 addition & 1 deletion src/UserGuide/Master/Tree/Reference/Common-Config-Manual.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -707,7 +707,7 @@ Different configuration parameters take effect in the following three ways:
|:---:|:----------------------------------------|
|Description| Time cost(ms) threshold for slow query. |
|Type| Int32 |
|Default| 10000 |
|Default| 3000 |
|Effective| Trigger |

* query\_timeout\_threshold
Expand Down
Loading