Commit 9d9ed71

Merge pull request #108357 from ajlam/master
Add audit log sample queries
2 parents 01ba3d2 + ac8c50c commit 9d9ed71

2 files changed

+112
-26
lines changed

articles/mariadb/concepts-audit-logs.md

Lines changed: 54 additions & 25 deletions
@@ -5,7 +5,7 @@ author: ajlam
55
ms.author: andrela
66
ms.service: mariadb
77
ms.topic: conceptual
8-
ms.date: 3/18/2020
8+
ms.date: 3/19/2020
99
---
1010

1111
# Audit Logs in Azure Database for MariaDB
@@ -101,30 +101,59 @@ Schema below applies to GENERAL, DML_SELECT, DML_NONSELECT, DML, DDL, DCL, and A
101101
| `sql_text_s` | Full query text |
102102
| `\_ResourceId` | Resource URI |
103103

104-
### Table access
105-
106-
| **Property** | **Description** |
107-
|---|---|
108-
| `TenantId` | Your tenant ID |
109-
| `SourceSystem` | `Azure` |
110-
| `TimeGenerated [UTC]` | Time stamp when the log was recorded in UTC |
111-
| `Type` | Type of the log. Always `AzureDiagnostics` |
112-
| `SubscriptionId` | GUID for the subscription that the server belongs to |
113-
| `ResourceGroup` | Name of the resource group the server belongs to |
114-
| `ResourceProvider` | Name of the resource provider. Always `MICROSOFT.DBFORMARIADB` |
115-
| `ResourceType` | `Servers` |
116-
| `ResourceId` | Resource URI |
117-
| `Resource` | Name of the server |
118-
| `Category` | `MySqlAuditLogs` |
119-
| `OperationName` | `LogEvent` |
120-
| `LogicalServerName_s` | Name of the server |
121-
| `event_class_s` | `table_access_log` |
122-
| `event_subclass_s` | `READ`, `INSERT`, `UPDATE`, or `DELETE` |
123-
| `connection_id_d` | Unique connection ID generated by MariaDB |
124-
| `db_s` | Name of database accessed |
125-
| `table_s` | Name of table accessed |
126-
| `sql_text_s` | Full query text |
127-
| `\_ResourceId` | Resource URI |
104+
## Analyze logs in Azure Monitor Logs
105+
106+
Once your audit logs are piped to Azure Monitor Logs through Diagnostic Logs, you can perform further analysis of your audited events. Below are some sample queries to help you get started. Make sure to update the below with your server name.
107+
108+
- List GENERAL events on a particular server
109+
110+
```kusto
111+
AzureDiagnostics
112+
| where LogicalServerName_s == '<your server name>'
113+
| where Category == 'MySqlAuditLogs' and event_class_s == "general_log"
114+
| project TimeGenerated, LogicalServerName_s, event_class_s, event_subclass_s, event_time_t, user_s , ip_s , sql_text_s
115+
| order by TimeGenerated asc nulls last
116+
```
117+
118+
- List CONNECTION events on a particular server
119+
120+
```kusto
121+
AzureDiagnostics
122+
| where LogicalServerName_s == '<your server name>'
123+
| where Category == 'MySqlAuditLogs' and event_class_s == "connection_log"
124+
| project TimeGenerated, LogicalServerName_s, event_class_s, event_subclass_s, event_time_t, user_s , ip_s , sql_text_s
125+
| order by TimeGenerated asc nulls last
126+
```
127+
128+
- Summarize audited events on a particular server
129+
130+
```kusto
131+
AzureDiagnostics
132+
| where LogicalServerName_s == '<your server name>'
133+
| where Category == 'MySqlAuditLogs'
134+
| project TimeGenerated, LogicalServerName_s, event_class_s, event_subclass_s, event_time_t, user_s , ip_s , sql_text_s
135+
| summarize count() by event_class_s, event_subclass_s, user_s, ip_s
136+
```
137+
138+
- Graph the audit event type distribution on a particular server
139+
140+
```kusto
141+
AzureDiagnostics
142+
| where LogicalServerName_s == '<your server name>'
143+
| where Category == 'MySqlAuditLogs'
144+
| project TimeGenerated, LogicalServerName_s, event_class_s, event_subclass_s, event_time_t, user_s , ip_s , sql_text_s
145+
| summarize count() by LogicalServerName_s, bin(TimeGenerated, 5m)
146+
| render timechart
147+
```
148+
149+
- List audited events across all MariaDB servers with Diagnostic Logs enabled for audit logs
150+
151+
```kusto
152+
AzureDiagnostics
153+
| where Category == 'MySqlAuditLogs'
154+
| project TimeGenerated, LogicalServerName_s, event_class_s, event_subclass_s, event_time_t, user_s , ip_s , sql_text_s
155+
| order by TimeGenerated asc nulls last
156+
```
128157
129158
## Next steps
130159

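Review bot: this hunk deletes the entire `### Table access` schema table (old lines 104-127) even though the commit message only says "Add audit log sample queries"; if MariaDB does not emit `table_access_log` events, replace the table with a short note saying so (the MySQL file in this same commit adds a version note in that spot), otherwise restore the table above the new `## Analyze logs in Azure Monitor Logs` section. The query under "Graph the audit event type distribution" also does not match its bullet: `| summarize count() by LogicalServerName_s, bin(TimeGenerated, 5m)` charts total event volume for one server, so `| summarize count() by event_class_s, bin(TimeGenerated, 5m)` is what a distribution by event type needs.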
articles/mysql/concepts-audit-logs.md

Lines changed: 58 additions & 1 deletion
@@ -5,7 +5,7 @@ author: ajlam
55
ms.author: andrela
66
ms.service: mysql
77
ms.topic: conceptual
8-
ms.date: 3/18/2020
8+
ms.date: 3/19/2020
99
---
1010

1111
# Audit Logs in Azure Database for MySQL
@@ -108,6 +108,9 @@ Schema below applies to GENERAL, DML_SELECT, DML_NONSELECT, DML, DDL, DCL, and A
108108

109109
### Table access
110110

111+
> [!NOTE]
112+
> Table access logs are only output for MySQL 5.7.
113+
111114
| **Property** | **Description** |
112115
|---|---|
113116
| `TenantId` | Your tenant ID |
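Review bot: the new note "Table access logs are only output for MySQL 5.7." leaves the reader to work out what other server versions do; stating it directly, for example "Table access logs are only output for MySQL 5.7; servers on other versions do not emit `table_access_log` events", removes the ambiguity, and the same note is worth adding to the MariaDB article in this commit since its table access section is being removed there.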
@@ -131,6 +134,60 @@ Schema below applies to GENERAL, DML_SELECT, DML_NONSELECT, DML, DDL, DCL, and A
131134
| `sql_text_s` | Full query text |
132135
| `\_ResourceId` | Resource URI |
133136

137+
## Analyze logs in Azure Monitor Logs
138+
139+
Once your audit logs are piped to Azure Monitor Logs through Diagnostic Logs, you can perform further analysis of your audited events. Below are some sample queries to help you get started. Make sure to update the below with your server name.
140+
141+
- List GENERAL events on a particular server
142+
143+
```kusto
144+
AzureDiagnostics
145+
| where LogicalServerName_s == '<your server name>'
146+
| where Category == 'MySqlAuditLogs' and event_class_s == "general_log"
147+
| project TimeGenerated, LogicalServerName_s, event_class_s, event_subclass_s, event_time_t, user_s , ip_s , sql_text_s
148+
| order by TimeGenerated asc nulls last
149+
```
150+
151+
- List CONNECTION events on a particular server
152+
153+
```kusto
154+
AzureDiagnostics
155+
| where LogicalServerName_s == '<your server name>'
156+
| where Category == 'MySqlAuditLogs' and event_class_s == "connection_log"
157+
| project TimeGenerated, LogicalServerName_s, event_class_s, event_subclass_s, event_time_t, user_s , ip_s , sql_text_s
158+
| order by TimeGenerated asc nulls last
159+
```
160+
161+
- Summarize audited events on a particular server
162+
163+
```kusto
164+
AzureDiagnostics
165+
| where LogicalServerName_s == '<your server name>'
166+
| where Category == 'MySqlAuditLogs'
167+
| project TimeGenerated, LogicalServerName_s, event_class_s, event_subclass_s, event_time_t, user_s , ip_s , sql_text_s
168+
| summarize count() by event_class_s, event_subclass_s, user_s, ip_s
169+
```
170+
171+
- Graph the audit event type distribution on a particular server
172+
173+
```kusto
174+
AzureDiagnostics
175+
| where LogicalServerName_s == '<your server name>'
176+
| where Category == 'MySqlAuditLogs'
177+
| project TimeGenerated, LogicalServerName_s, event_class_s, event_subclass_s, event_time_t, user_s , ip_s , sql_text_s
178+
| summarize count() by LogicalServerName_s, bin(TimeGenerated, 5m)
179+
| render timechart
180+
```
181+
182+
- List audited events across all MySQL servers with Diagnostic Logs enabled for audit logs
183+
184+
```kusto
185+
AzureDiagnostics
186+
| where Category == 'MySqlAuditLogs'
187+
| project TimeGenerated, LogicalServerName_s, event_class_s, event_subclass_s, event_time_t, user_s , ip_s , sql_text_s
188+
| order by TimeGenerated asc nulls last
189+
```
190+
134191
## Next steps
135192
136193
- [How to configure audit logs in the Azure portal](howto-configure-audit-logs-portal.md)
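Review bot: the "Graph the audit event type distribution" query summarizes by `LogicalServerName_s, bin(TimeGenerated, 5m)`, which plots total volume for a single server rather than a breakdown by type; summarizing by `event_class_s` (or `event_subclass_s`) in that `bin()` clause matches the bullet text. Two smaller points across all five queries: they project `event_time_t` but sort on `TimeGenerated`, and the schema describes `TimeGenerated` as the time the record was written to the log rather than when the event happened, so `| order by event_time_t asc nulls last` reconstructs event order more faithfully; and string literals mix single quotes (`'<your server name>'`, `'MySqlAuditLogs'`) with double quotes (`"general_log"`, `"connection_log"`) plus stray spaces before commas in `user_s , ip_s , sql_text_s`, which is worth normalizing before these samples get copied widely.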
