Merge pull request #590 from bytebase/o-branch-20

OP3ratordec · web-flow · commit 93b6b9a65d15 · 2025-04-11T11:05:03.000+08:00
docs: add how to enable auditing references
diff --git a/content/reference/mysql/how-to/_layout.md b/content/reference/mysql/how-to/_layout.md
@@ -13,6 +13,8 @@
 
 ## [How to enable slow query log](/reference/mysql/how-to/how-to-enable-slow-query-log-mysql)
 
+## [How to enable auditing](/reference/mysql/how-to/how-to-enable-auditing-mysql)
+
 ## [How to CREATE INDEX](/reference/mysql/how-to/how-to-create-index-mysql)
 
 ## [How to CREATE VIEW](/reference/mysql/how-to/how-to-create-view-mysql)
@@ -23,6 +25,8 @@
 
 ## [How to ALTER TABLE](/reference/mysql/how-to/how-to-alter-table-mysql)
 
+## [How to ALTER large table](/reference/mysql/how-to/how-to-alter-large-table-mysql)
+
 ## [How to ALTER COLUMN TYPE](/reference/mysql/how-to/how-to-alter-column-type-mysql)
 
 ## [How to ADD CONSTRAINT](/reference/mysql/how-to/how-to-add-constraint-mysql)
diff --git a/content/reference/mysql/how-to/how-to-enable-auditing-mysql.md b/content/reference/mysql/how-to/how-to-enable-auditing-mysql.md
@@ -0,0 +1,142 @@
+---
+title: How to enable auditing in MySQL
+---
+
+<HintBlock type="info">
+
+MySQL auditing allows you to track and log database activity, including user connections, query execution, and data modifications. Audit logs are crucial for security compliance, troubleshooting, and monitoring user activity in your database environment.
+
+Bytebase provides [centralized audit logging](/docs/security/audit-logging/) and [access control](/docs/security/data-access-control/) features that complement MySQL's native auditing capabilities for enterprise environments.
+
+</HintBlock>
+
+## MySQL Enterprise Audit Plugin (Enterprise Edition)
+
+If you are using MySQL Enterprise Edition, you can enable the built-in audit plugin:
+
+### Install the Audit Plugin
+
+```sql
+-- Check if the plugin is already installed
+SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS
+WHERE PLUGIN_NAME LIKE 'audit%';
+
+-- Install the plugin if not already installed
+INSTALL PLUGIN audit_log SONAME 'audit_log.so';
+```
+
+### Configure Audit Settings
+
+Add the following to your MySQL configuration file (e.g., `/etc/mysql/my.cnf`):
+
+```plain
+[mysqld]
+audit_log=FORCE_PLUS_PERMANENT
+audit_log_format=JSON
+audit_log_file=/var/log/mysql/audit.log
+audit_log_policy=ALL
+```
+
+- `audit_log`: Enables the audit log plugin
+- `audit_log_format`: Log format (JSON, NEW, or OLD)
+- `audit_log_file`: Path to the audit log file
+- `audit_log_policy`: Logging policy (ALL, LOGINS, QUERIES, NONE)
+
+## MariaDB Audit Plugin (Community Edition)
+
+For MySQL Community Edition, you can use the MariaDB Audit Plugin:
+
+### Install the MariaDB Audit Plugin
+
+Download the appropriate plugin for your MySQL version from [GitHub](https://github.com/mariadb-corporation/server-audit-plugin) and install it:
+
+```sql
+-- Install the plugin
+INSTALL PLUGIN server_audit SONAME 'server_audit.so';
+```
+
+### Configure MariaDB Audit Plugin
+
+Add the following to your MySQL configuration file:
+
+```plain
+[mysqld]
+server_audit_logging=ON
+server_audit_events=CONNECT,QUERY,TABLE
+server_audit_output_type=file
+server_audit_file_path=/var/log/mysql/audit.log
+```
+
+- `server_audit_logging`: Enable or disable audit logging
+- `server_audit_events`: Types of events to log (CONNECT, QUERY, TABLE, etc.)
+- `server_audit_output_type`: Output type (file or syslog)
+- `server_audit_file_path`: Path to the audit log file
+
+## Alternative: Using General Query Log
+
+If you don't have access to audit plugins, you can use the general query log as a basic auditing solution:
+
+```plain
+[mysqld]
+general_log=ON
+general_log_file=/var/log/mysql/general.log
+```
+
+<HintBlock type="info">
+
+Using general query logs for auditing produces large log files and can impact performance.
+
+Bytebase offers [SQL review](/docs/sql-review/overview/) and [data access control](/docs/security/data-access-control/) features that provide audit capabilities with less overhead.
+
+</HintBlock>
+
+## Restart MySQL
+
+After changing the MySQL configuration, restart MySQL to apply the changes:
+
+```bash
+sudo systemctl restart mysql
+```
+
+## Verify Auditing is Enabled
+
+### For Enterprise Audit Plugin
+
+```sql
+-- Check if the plugin is active
+SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS
+WHERE PLUGIN_NAME = 'audit_log';
+
+-- View audit log variables
+SHOW VARIABLES LIKE 'audit_log%';
+```
+
+### For MariaDB Audit Plugin
+
+```sql
+-- Check if the plugin is active
+SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS
+WHERE PLUGIN_NAME = 'server_audit';
+
+-- View audit variables
+SHOW VARIABLES LIKE 'server_audit%';
+```
+
+### For General Log
+
+```sql
+-- Check general log status
+SHOW VARIABLES LIKE 'general_log%';
+```
+
+<HintBlock type="info">
+
+For enterprise environments managing multiple MySQL instances, Bytebase provides [centralized schema change workflows](/docs/change-database/change-workflow/) with comprehensive [audit trails](/docs/security/audit-logging/) and [compliance checks](/docs/sql-review/review-policy/). This approach allows you to enforce consistent auditing policies across your database fleet.
+
+</HintBlock>
+
+## References
+
+- [MySQL Enterprise Audit](https://dev.mysql.com/doc/refman/8.0/en/audit-log.html)
+- [MariaDB Audit Plugin](https://mariadb.com/kb/en/mariadb-audit-plugin/)
+- [MySQL General Query Log](https://dev.mysql.com/doc/refman/8.0/en/query-log.html)
diff --git a/content/reference/postgres/how-to/_layout.md b/content/reference/postgres/how-to/_layout.md
@@ -19,6 +19,8 @@
 
 ## [How to enable pg_stat_statements](/reference/postgres/how-to/how-to-enable-pg-stat-statements-postgres)
 
+## [How to enable auditing](/reference/mysql/how-to/how-to-enable-auditing-mysql)
+
 ## [How to CREATE INDEX](/reference/postgres/how-to/how-to-create-index-postgres)
 
 ## [How to CREATE VIEW](/reference/postgres/how-to/how-to-create-view-postgres)
diff --git a/content/reference/postgres/how-to/how-to-enable-auditing-postgres.md b/content/reference/postgres/how-to/how-to-enable-auditing-postgres.md
@@ -0,0 +1,188 @@
+---
+title: How to enable auditing in PostgreSQL
+---
+
+<HintBlock type="info">
+
+PostgreSQL auditing allows you to track and log database activity, including user connections, query execution, and data modifications. Audit logs are crucial for security compliance, troubleshooting, and monitoring user activity in your database environment.
+
+Bytebase provides [centralized audit logging](/docs/security/audit-logging/) and [access control](/docs/security/data-access-control/) features that complement PostgreSQL's native auditing capabilities for enterprise environments.
+
+</HintBlock>
+
+## PostgreSQL's Built-in Logging
+
+PostgreSQL offers built-in logging capabilities that can be configured for basic auditing:
+
+### Configure Log Settings
+
+Add the following to your PostgreSQL configuration file (`postgresql.conf`):
+
+```plain
+# Basic logging settings
+log_destination = 'csvlog'
+logging_collector = on
+log_directory = 'log'
+log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log'
+log_rotation_age = 1d
+log_rotation_size = 10MB
+
+# What to log
+log_statement = 'all'        # Options: none, ddl, mod, all
+log_connections = on
+log_disconnections = on
+log_duration = on
+```
+
+- `log_statement`: Controls which SQL statements to log (none, ddl, mod, all)
+- `log_connections`: Log successful connections
+- `log_disconnections`: Log session terminations
+- `log_duration`: Include query execution time
+
+## pg_audit Extension (Recommended)
+
+For comprehensive auditing capabilities, install the `pgaudit` extension:
+
+### Install pgaudit
+
+For most distributions:
+
+```bash
+# Debian/Ubuntu
+sudo apt-get install postgresql-[version]-pgaudit
+
+# RHEL/CentOS
+sudo yum install pgaudit_[version]
+```
+
+For source installation:
+
+```bash
+git clone https://github.com/pgaudit/pgaudit.git
+cd pgaudit
+make install
+```
+
+### Configure pgaudit
+
+Add the following to your PostgreSQL configuration file (`postgresql.conf`):
+
+```plain
+# Load the extension
+shared_preload_libraries = 'pgaudit'
+
+# Audit settings
+pgaudit.log = 'write, ddl'
+pgaudit.log_catalog = on
+pgaudit.log_parameter = on
+pgaudit.log_statement_once = on
+pgaudit.log_level = 'log'
+```
+
+Then enable the extension in your database:
+
+```sql
+-- Connect to your database and run:
+CREATE EXTENSION pgaudit;
+```
+
+### Audit Session Logging
+
+For session-level auditing, which audits operations by specific users:
+
+```sql
+-- Enable session audit logging for a user
+ALTER USER audited_user SET pgaudit.log = 'read, write';
+```
+
+### Object-level Audit Logging
+
+For more granular auditing of specific objects:
+
+```sql
+-- Create audit role
+CREATE ROLE auditor;
+
+-- Grant audit privileges on table
+GRANT SELECT ON sensitive_table TO auditor;
+
+-- Enable object-level auditing for the table
+ALTER TABLE sensitive_table ENABLE AUDIT;
+```
+
+<HintBlock type="info">
+
+For large databases, selective auditing using `pgaudit.log_relation` can help minimize performance impact by focusing only on important tables.
+
+Bytebase offers [SQL review](/docs/sql-review/overview/) and [data access control](/docs/security/data-access-control/) features that provide audit capabilities with less overhead.
+
+</HintBlock>
+
+## Alternative: WAL-based Auditing
+
+For advanced use cases, you can use write-ahead log (WAL) decoding for auditing:
+
+```plain
+# Enable logical decoding
+wal_level = logical
+max_replication_slots = 10
+```
+
+This approach is more advanced but allows real-time monitoring of all data changes.
+
+## Restart PostgreSQL
+
+After changing the PostgreSQL configuration, restart the service to apply the changes:
+
+```bash
+# For systemd-based systems
+sudo systemctl restart postgresql
+
+# For older systems
+sudo service postgresql restart
+```
+
+## Verify Auditing is Enabled
+
+### For Built-in Logging
+
+```sql
+-- Check current logging settings
+SHOW log_statement;
+SHOW log_connections;
+SHOW logging_collector;
+
+-- View recent logs (if using csvlog format)
+SELECT * FROM pg_logical_slot_peek_changes('audit_slot', NULL, NULL);
+```
+
+### For pgaudit Extension
+
+```sql
+-- Verify the extension is installed
+SELECT * FROM pg_extension WHERE extname = 'pgaudit';
+
+-- Check current pgaudit settings
+SHOW pgaudit.log;
+SHOW pgaudit.log_catalog;
+
+-- Test with an auditable operation
+CREATE TABLE test_audit(id int);
+INSERT INTO test_audit VALUES (1);
+DROP TABLE test_audit;
+```
+
+After these operations, check your log files for audit entries.
+
+<HintBlock type="info">
+
+For enterprise environments managing multiple PostgreSQL instances, Bytebase provides [centralized schema change workflows](/docs/change-database/change-workflow/) with comprehensive [audit trails](/docs/security/audit-logging/) and [compliance checks](/docs/sql-review/review-policy/). This approach allows you to enforce consistent auditing policies across your database fleet.
+
+</HintBlock>
+
+## References
+
+- [PostgreSQL Logging Documentation](https://www.postgresql.org/docs/current/runtime-config-logging.html)
+- [pgAudit Extension](https://github.com/pgaudit/pgaudit)
+- [PostgreSQL WAL-based Auditing](https://www.postgresql.org/docs/current/logical-replication.html)
+- [Timescale Guide: What is Audit Logging in PostgreSQL](https://www.timescale.com/learn/what-is-audit-logging-and-how-to-enable-it-in-postgresql)
