From a20707ae1a98fdaa70945fcf45aaadd1d6b0034a Mon Sep 17 00:00:00 2001 From: Cheng Weiwei <65707268+wildpcww@users.noreply.github.com> Date: Wed, 12 Nov 2025 11:44:30 +0800 Subject: [PATCH 01/22] Create tidb-cloud-auditing-premium.md --- .../premium/tidb-cloud-auditing-premium.md | 316 ++++++++++++++++++ 1 file changed, 316 insertions(+) create mode 100644 tidb-cloud/premium/tidb-cloud-auditing-premium.md diff --git a/tidb-cloud/premium/tidb-cloud-auditing-premium.md b/tidb-cloud/premium/tidb-cloud-auditing-premium.md new file mode 100644 index 0000000000000..66429408d4328 --- /dev/null +++ b/tidb-cloud/premium/tidb-cloud-auditing-premium.md 
@@ -0,0 +1,316 @@ +--- +title: TiDB Cloud Premium Database Audit Logging +summary: Learn about how to audit a instance in TiDB Cloud. +--- + +# TiDB Cloud Premium Database Audit Logging + +TiDB Cloud provides you with a database audit logging feature to record a history of user access details (such as any SQL statements executed) in logs. + +To assess the effectiveness of user access policies and other information security measures of your organization, it is a security best practice to conduct a periodic analysis of the database audit logs. + +The audit logging feature is disabled by default. To audit a instance, you need to enable the audit logging first, and then specify the auditing filter rules. + +> **Note:** +> +> Because audit logging consumes instance resources, be prudent about whether to audit a instance. + +## Prerequisites + +- You are using a TiDB Cloud Premium instance. Audit logging is not available for {{{ .starter }}} or {{{ .essential }}} clusters. +- You are in the `Organization Owner` role of your organization. Otherwise, you cannot see the database audit-related options in the TiDB Cloud console. + +## Enable audit logging + +TiDB Cloud supports recording the audit logs of a TiDB Cloud Premium instance to your cloud storage service. Before enabling database audit logging, configure your cloud storage service on the cloud provider where the instance is located. + + +### Enable audit logging for AWS + +To enable audit logging for AWS, take the following steps: + +#### Step 1. Create an Amazon S3 bucket + +Specify an Amazon S3 bucket in your corporate-owned AWS account as a destination to which TiDB Cloud writes the audit logs. + +> **Note:** +> +> Do not enable object lock on the AWS S3 bucket. Enabling object lock will prevent TiDB Cloud from pushing audit log files to S3. + +For more information, see [Creating a bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html) in the AWS User Guide. + +#### Step 2. 
Configure Amazon S3 access + +1. Get the TiDB Cloud Account ID and the External ID of the TiDB instance that you want to enable audit logging. + + 1. In the TiDB Cloud console, navigate to the [**instances**](https://tidbcloud.com/instances) page of your instance. + + 2. Click the name of your target instance to go to its overview page, and then click **Settings** > **DB Audit Logging** in the left navigation pane. + + 3. On the **DB Audit Logging** page, click **Enable** in the upper-right corner. + + 4. In the **Enable Database Audit Logging** dialog, locate the **AWS IAM Policy Settings** section, and record **TiDB Cloud Account ID** and **TiDB Cloud External ID** for later use. + +2. In the AWS Management Console, go to **IAM** > **Access Management** > **Policies**, and then check whether there is a storage bucket policy with the `s3:PutObject` write-only permission. + + - If yes, record the matched storage bucket policy for later use. + - If not, go to **IAM** > **Access Management** > **Policies** > **Create Policy**, and define a bucket policy according to the following policy template. + + ```json + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "s3:PutObject", + "Resource": "/*" + } + ] + } + ``` + + In the template, `` is the Amazon Resource Name (ARN) of your S3 bucket where the audit log files are to be written. You can go to the **Properties** tab in your S3 bucket and get the ARN value in the **Bucket Overview** area. In the `"Resource"` field, you need to add `/*` after the ARN. For example, if the ARN is `arn:aws:s3:::tidb-cloud-test`, you need to configure the value of the `"Resource"` field as `"arn:aws:s3:::tidb-cloud-test/*"`. + +3. Go to **IAM** > **Access Management** > **Roles**, and then check whether a role whose trust entity corresponds to the TiDB Cloud Account ID and the External ID that you recorded earlier already exists. + + - If yes, record the matched role for later use. 
+ - If not, click **Create role**, select **Another AWS account** as the trust entity type, and then enter the TiDB Cloud Account ID value into the **Account ID** field. Then, choose the **Require External ID** option and enter the TiDB Cloud External ID value into the **External ID** field. + +4. In **IAM** > **Access Management** > **Roles**, click the role name from the previous step to go to the **Summary** page, and then take the following steps: + + 1. Under the **Permissions** tab, check whether the recorded policy with the `s3:PutObject` write-only permission is attached to the role. If not, choose **Attach Policies**, search for the needed policy, and then click **Attach Policy**. + 2. Return to the **Summary** page and copy the **Role ARN** value to your clipboard. + +#### Step 3. Enable audit logging + +In the TiDB Cloud console, go back to the **Enable Database Audit Logging** dialog box where you got the TiDB Cloud account ID and the External ID values, and then take the following steps: + +1. In the **Bucket URI** field, enter the URI of your S3 bucket where the audit log files are to be written. +2. In the **Bucket Region** drop-down list, select the AWS region where the bucket locates. +3. In the **Role ARN** field, fill in the Role ARN value that you copied in [Step 2. Configure Amazon S3 access](#step-2-configure-amazon-s3-access). +4. Click **Test Connection** to verify whether TiDB Cloud can access and write to the bucket. + + If it is successful, **The connection is successfully** is displayed. Otherwise, check your access configuration. + +5. Click **Enable** to enable audit logging for the instance. + + TiDB Cloud is ready to write audit logs for the specified instance to your Amazon S3 bucket. + +> **Note:** +> +> - After enabling audit logging, if you make any new changes to the bucket URI, location, or ARN, you must click **Test Connection** again to verify that TiDB Cloud can connect to the bucket. 
Then, click **Enable** to apply the changes. +> - To remove TiDB Cloud's access to your Amazon S3, simply delete the trust policy granted to this instance in the AWS Management Console. + +### Enable audit logging for Alibaba Cloud + +To enable audit logging for Alibaba Cloud, take the following steps: + +#### Step 1. Create a GCS bucket + +Specify a Google Cloud Storage (GCS) bucket in your corporate-owned Google Cloud account as a destination to which TiDB Cloud writes audit logs. + +For more information, see [Creating storage buckets](https://cloud.google.com/storage/docs/creating-buckets) in the Google Cloud Storage documentation. + +#### Step 2. Configure GCS access + +1. Get the Google Cloud Service Account ID of the TiDB instance that you want to enable audit logging. + + 1. In the TiDB Cloud console, navigate to the [**instances**](https://tidbcloud.com/instances) page of your project. + + 2. Click the name of your target instance to go to its overview page, and then click **Settings** > **DB Audit Logging** in the left navigation pane. + 3. On the **DB Audit Logging** page, click **Enable** in the upper-right corner. + 4. In the **Enable Database Audit Logging** dialog, locate the **Google Cloud Server Account ID** section, and record **Service Account ID** for later use. + +2. In the Google Cloud console, go to **IAM & Admin** > **Roles**, and then check whether a role with the following write-only permissions of the storage container exists. + + - storage.objects.create + - storage.objects.delete + + If yes, record the matched role for the TiDB instance for later use. If not, go to **IAM & Admin** > **Roles** > **CREATE ROLE** to define a role for the TiDB instance. + +3. Go to **Cloud Storage** > **Browser**, select the GCS bucket you want TiDB Cloud to access, and then click **SHOW INFO PANEL**. + + The panel is displayed. + +4. In the panel, click **ADD PRINCIPAL**. + + The dialog box for adding principals is displayed. + +5. 
In the dialog box, take the following steps: + + 1. In the **New Principals** field, paste the Google Cloud Service Account ID of the TiDB instance. + 2. In the **Role** drop-down list, choose the role of the target TiDB instance. + 3. Click **SAVE**. + +#### Step 3. Enable audit logging + +In the TiDB Cloud console, go back to the **Enable Database Audit Logging** dialog box where you got the TiDB Cloud account ID, and then take the following steps: + +1. In the **Bucket URI** field, enter your full GCS bucket name. +2. In the **Bucket Region** field, select the GCS region where the bucket locates. +3. Click **Test Connection** to verify whether TiDB Cloud can access and write to the bucket. + + If it is successful, **The connection is successfully** is displayed. Otherwise, check your access configuration. + +4. Click **Enable** to enable audit logging for the instance. + + TiDB Cloud is ready to write audit logs for the specified instance to your GCS bucket. + +> **Note:** +> +> - After enabling audit logging, if you make any new changes to the bucket URI or location, you must click **Test Connection** again to verify that TiDB Cloud can connect to the bucket. Then, click **Enable** to apply the changes. +> - To remove TiDB Cloud's access to your GCS bucket, delete the trust policy granted to this instance in the Google Cloud console. + +### Enable audit logging for Azure + +To enable audit logging for Azure, take the following steps: + +#### Step 1. Create an Azure storage account + +Create an Azure storage account in your organization's Azure subscription as the destination to which TiDB Cloud writes the database audit logs. + +For more information, see [Create an Azure storage account](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-create?tabs=azure-portal) in Azure documentation. + +#### Step 2. Configure Azure Blob Storage access + +1. 
In the [Azure portal](https://portal.azure.com/), create a container used for storing database audit logs. + + 1. In the left navigation pane of the Azure portal, click **Storage Accounts**, and then click the storage account for storing database audit logs. + + > **Tip:** + > + > If the left navigation pane is hidden, click the menu button in the upper-left corner to toggle its visibility. + + 2. In the navigation pane for the selected storage account, click **Data storage > Containers**, and then click **+ Container** to open the **New container** pane. + + 3. In the **New container** pane, enter a name for your new container, set the anonymous access level (the recommended level is **Private**, which means no anonymous access), and then click **Create**. The new container will be created and displayed in the container list in a few seconds. + +2. Get the URL of the target container. + + 1. In the container list, select the target container, click **...** for the container, and then select **Container properties**. + 2. On the displayed properties page, copy the **URL** value for later use, and then return to the container list. + +3. Generate a SAS token for the target container. + + 1. In the container list, select the target container, click **...** for the container, and then select **Generate SAS**. + 2. In the displayed **Generate SAS** pane, select **Account key** for **Signing method**. + 3. In the **Permissions** drop-down list, select **Read**, **Write**, and **Create** to allow writing audit log files. + 4. In the **Start** and **Expiry** fields, specify a validity period for the SAS token. + + > **Note:** + > + > - The audit feature needs to continuously write audit logs to the storage account, so the SAS token must have a sufficiently long validity period. However, longer validity increases the risk of token leakage. For security, it is recommended to replace your SAS token every six to twelve months. 
+ > - The generated SAS token cannot be revoked, so you need to set its validity period carefully. + > - Make sure to re-generate and update the SAS token before it expires to ensure continuous availability of audit logs. + + 5. For **Allowed protocols**, select **HTTPS only** to ensure secure access. + 6. Click **Generate SAS token and URL**, and then copy the displayed **Blob SAS token** for later use. + +#### Step 3. Enable audit logging + +1. In the TiDB Cloud console, navigate to the [**instances**](https://tidbcloud.com/instances) page of your instance. + +2. Click the name of your target instance to go to its overview page, and then click **Settings** > **DB Audit Logging** in the left navigation pane. + +3. On the **DB Audit Logging** page, click **Enable** in the upper-right corner. +4. In the **Enable Database Audit Logging** dialog, provide the blob URL and SAS token that you obtained from [Step 2. Configure Azure Blob access](#step-2-configure-azure-blob-storage-access): + + - In the **Blob URL** field, enter the URL of the container where audit logs will be stored. + - In the **SAS Token** field, enter the SAS token for accessing the container. + +5. Click **Test Connection** to verify whether TiDB Cloud can access and write to the container. + + If it is successful, **The connection is successfully** is displayed. Otherwise, check your access configuration. + +6. Click **Enable** to enable audit logging for the instance. + + TiDB Cloud is ready to write audit logs for the specified instance to your Azure blob container. + +> **Note:** +> +> After enabling audit logging, if you make new changes to the **Blob URL** or **SAS Token** fields, you must click **Test Connection** again to verify that TiDB Cloud can connect to the container. Then, click **Enable** to apply the changes. 
+ +## Specify auditing filter rules + +After enabling audit logging, you must specify auditing filter rules to control which user access events to capture and write to audit logs. If no filter rules are specified, TiDB Cloud does not log anything. + +To specify auditing filter rules for a instance, take the following steps: + +1. On the **DB Audit Logging** page, click **Add Filter Rule** in the **Log Filter Rules** section to add an audit filter rule. + + You can add one audit rule at a time. Each rule specifies a user expression, database expression, table expression, and access type. You can add multiple audit rules to meet your auditing requirements. + +2.In the **Log Filter Rules** section, click **>** to expand and view the list of audit rules you have added. + +> **Note:** +> +> - The filter rules are regular expressions and case-sensitive. If you use the wildcard rule `.*`, all users, databases, or table events in the instance are logged. +> - Because audit logging consumes instance resources, be prudent when specifying filter rules. To minimize the consumption, it is recommended that you specify filter rules to limit the scope of audit logging to specific database objects, users, and actions, where possible. + +## View audit logs + +By default, TiDB Cloud stores database audit log files in your storage service, so you need to read the audit log information from your storage service. + +TiDB Cloud audit logs are readable text files with the instance ID, Pod ID, and log creation date incorporated into the fully qualified filenames. + +For example, `13796619446086334065/tidb-0/tidb-audit-2022-04-21T18-16-29.529.log`. In this example, `13796619446086334065` indicates the instance ID and `tidb-0` indicates the Pod ID. + +## Disable audit logging + +If you no longer want to audit a instance, go to the page of the instance, click **Settings** > **Audit Settings**, and then toggle the audit setting in the upper-right corner to **Disable**. 
+ +> **Note:** + +> Each time the size of the log file reaches 10 MiB, the log file will be pushed to the cloud storage bucket. Therefore, after the audit log is disabled, the log file whose size is smaller than 10 MiB will not be automatically pushed to the cloud storage bucket. To get the log file in this situation, contact [PingCAP support](/tidb-cloud/tidb-cloud-support.md). + +## Audit log fields + +For each database event record in audit logs, TiDB provides the following fields: + +> **Note:** +> +> In the following tables, the empty maximum length of a field means that the data type of this field has a well-defined constant length (for example, 4 bytes for INTEGER). + +| Col # | Field name | TiDB data type | Maximum length | Description | +|---|---|---|---|---| +| 1 | N/A | N/A | N/A | Reserved for internal use | +| 2 | N/A | N/A | N/A | Reserved for internal use | +| 3 | N/A | N/A | N/A | Reserved for internal use | +| 4 | ID | INTEGER | | Unique event ID | +| 5 | TIMESTAMP | TIMESTAMP | | Time of event | +| 6 | EVENT_CLASS | VARCHAR | 15 | Event type | +| 7 | EVENT_SUBCLASS | VARCHAR | 15 | Event subtype | +| 8 | STATUS_CODE | INTEGER | | Response status of the statement | +| 9 | COST_TIME | FLOAT | | Time consumed by the statement | +| 10 | HOST | VARCHAR | 16 | Server IP | +| 11 | CLIENT_IP | VARCHAR | 16 | Client IP | +| 12 | USER | VARCHAR | 17 | Login username | +| 13 | DATABASE | VARCHAR | 64 | Event-related database | +| 14 | TABLES | VARCHAR | 64 | Event-related table name | +| 15 | SQL_TEXT | VARCHAR | 64 KB | Masked SQL statement | +| 16 | ROWS | INTEGER | | Number of affected rows (`0` indicates that no rows are affected) | + +Depending on the EVENT_CLASS field value set by TiDB, database event records in audit logs also contain additional fields as follows: + +- If the EVENT_CLASS value is `CONNECTION`, database event records also contain the following fields: + + | Col # | Field name | TiDB data type | Maximum length | Description | + 
|---|---|---|---|---| + | 17 | CLIENT_PORT | INTEGER | | Client port number | + | 18 | CONNECTION_ID | INTEGER | | Connection ID | + | 19 | CONNECTION_TYPE | VARCHAR | 12 | Connection via `socket` or `unix-socket` | + | 20 | SERVER_ID | INTEGER | | TiDB server ID | + | 21 | SERVER_PORT | INTEGER | | The port that the TiDB server uses to listen to client communicating via the MySQL protocol | + | 22 | SERVER_OS_LOGIN_USER | VARCHAR | 17 | The username of the TiDB process startup system | + | 23 | OS_VERSION | VARCHAR | N/A | The version of the operating system where the TiDB server is located | + | 24 | SSL_VERSION | VARCHAR | 6 | The current SSL version of TiDB | + | 25 | PID | INTEGER | | The PID of the TiDB process | + +- If the EVENT_CLASS value is `TABLE_ACCESS` or `GENERAL`, database event records also contain the following fields: + + | Col # | Field name | TiDB data type | Maximum length | Description | + |---|---|---|---|---| + | 17 | CONNECTION_ID | INTEGER | | Connection ID | + | 18 | COMMAND | VARCHAR | 14 | The command type of the MySQL protocol | + | 19 | SQL_STATEMENT | VARCHAR | 17 | The SQL statement type | + | 20 | PID | INTEGER | | The PID of the TiDB process | From 502327b999e314ab8345a06852fe9275cbd5bbce Mon Sep 17 00:00:00 2001 From: Cheng Weiwei <65707268+wildpcww@users.noreply.github.com> Date: Wed, 12 Nov 2025 11:53:11 +0800 Subject: [PATCH 02/22] Update tidb-cloud-auditing-premium.md --- .../premium/tidb-cloud-auditing-premium.md | 165 +++++++----------- 1 file changed, 67 insertions(+), 98 deletions(-) diff --git a/tidb-cloud/premium/tidb-cloud-auditing-premium.md b/tidb-cloud/premium/tidb-cloud-auditing-premium.md index 66429408d4328..86c6688a31cb7 100644 --- a/tidb-cloud/premium/tidb-cloud-auditing-premium.md +++ b/tidb-cloud/premium/tidb-cloud-auditing-premium.md 
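Review bot: In PATCH 01/22, Step 2 of the AWS section, the IAM policy template's `"Resource": "/*"` has nothing in front of the `/*`, and the explanatory sentence under it ("In the template, `` is the Amazon Resource Name (ARN) of your S3 bucket") has the same empty placeholder; IAM rejects a `Resource` that is neither an ARN nor `*`, so restore a visible placeholder (for example `<your-S3-bucket-ARN>/*`) and check that it survives rendering, since the worked example `"arn:aws:s3:::tidb-cloud-test/*"` right after it is correct. Elsewhere in the same hunk: the Disable audit logging section sends the reader to **Settings** > **Audit Settings** and a toggle, while every other step uses **Settings** > **DB Audit Logging** with an **Enable** button, so align the path; the blank line between `> **Note:**` and `> Each time the size of the log file reaches 10 MiB` in that section splits the blockquote in two; in Specify auditing filter rules, `2.In the **Log Filter Rules** section` lacks the space after `2.` and will not render as a list item; and `**The connection is successfully** is displayed` appears three times, which should read "The connection is successful" unless that is the literal UI string. On the Azure SAS note, "The generated SAS token cannot be revoked" is not quite right: a SAS signed with the account key is invalidated by regenerating that key (breaking every other consumer of the key), which is worth stating precisely, and the SAS grants **Read** as well as **Write** and **Create** whereas the S3 and GCS steps deliberately grant write-only permissions, so confirm Read is actually needed before handing out a token that can download the logs. The `### Enable audit logging for Alibaba Cloud` heading is followed by Google Cloud Storage steps; PATCH 02/22 in this series replaces that section, so no separate action is needed here.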
@@ -49,7 +49,7 @@ For more information, see [Creating a bucket](https://docs.aws.amazon.com/Amazon 3. On the **DB Audit Logging** page, click **Enable** in the upper-right corner. - 4. In the **Enable Database Audit Logging** dialog, locate the **AWS IAM Policy Settings** section, and record **TiDB Cloud Account ID** and **TiDB Cloud External ID** for later use. + 4. In the **Database Audit Log Storage Configuration** dialog, locate the **AWS IAM Policy Settings** section, and record **TiDB Cloud Account ID** and **TiDB Cloud External ID** for later use. 2. In the AWS Management Console, go to **IAM** > **Access Management** > **Policies**, and then check whether there is a storage bucket policy with the `s3:PutObject` write-only permission. @@ -83,12 +83,12 @@ For more information, see [Creating a bucket](https://docs.aws.amazon.com/Amazon #### Step 3. Enable audit logging -In the TiDB Cloud console, go back to the **Enable Database Audit Logging** dialog box where you got the TiDB Cloud account ID and the External ID values, and then take the following steps: +In the TiDB Cloud console, go back to the **Database Audit Log Storage Configuration** dialog box where you got the TiDB Cloud account ID and the External ID values, and then take the following steps: 1. In the **Bucket URI** field, enter the URI of your S3 bucket where the audit log files are to be written. 2. In the **Bucket Region** drop-down list, select the AWS region where the bucket locates. 3. In the **Role ARN** field, fill in the Role ARN value that you copied in [Step 2. Configure Amazon S3 access](#step-2-configure-amazon-s3-access). -4. Click **Test Connection** to verify whether TiDB Cloud can access and write to the bucket. +4. Click **Test Connection and Next** to verify whether TiDB Cloud can access and write to the bucket. If it is successful, **The connection is successfully** is displayed. Otherwise, check your access configuration. 
@@ -101,134 +101,103 @@ In the TiDB Cloud console, go back to the **Enable Database Audit Logging** dial > - After enabling audit logging, if you make any new changes to the bucket URI, location, or ARN, you must click **Test Connection** again to verify that TiDB Cloud can connect to the bucket. Then, click **Enable** to apply the changes. > - To remove TiDB Cloud's access to your Amazon S3, simply delete the trust policy granted to this instance in the AWS Management Console. -### Enable audit logging for Alibaba Cloud +### Enable audit logging for TiDB cloud on Alibaba Cloud -To enable audit logging for Alibaba Cloud, take the following steps: +To enable database audit logging for TiDB cloud on Alibaba Cloud, follow the steps below: -#### Step 1. Create a GCS bucket +#### Step 1. Create an OSS bucket -Specify a Google Cloud Storage (GCS) bucket in your corporate-owned Google Cloud account as a destination to which TiDB Cloud writes audit logs. +Create an OSS bucket in your organization-owned Alibaba Cloud account as the destination to which TiDB Cloud will write audit logs. -For more information, see [Creating storage buckets](https://cloud.google.com/storage/docs/creating-buckets) in the Google Cloud Storage documentation. +For more information, see [Creating storage buckets](https://help.aliyun.com/zh/oss/user-guide/create-a-bucket-4) in the Alibaba Cloud Storage documentation. -#### Step 2. Configure GCS access +#### Step 2. Configure OSS access -1. Get the Google Cloud Service Account ID of the TiDB instance that you want to enable audit logging. +1. Get the Alibaba Cloud Service Account ID of the TiDB instance that you want to enable audit logging. - 1. In the TiDB Cloud console, navigate to the [**instances**](https://tidbcloud.com/instances) page of your project. - - 2. Click the name of your target instance to go to its overview page, and then click **Settings** > **DB Audit Logging** in the left navigation pane. + 1. 
In the TiDB Cloud console, navigate to the [**instances**](https://tidbcloud.com/instances) page of your instance. + 2. Click your target instance to open its overview page, and then click **Settings** > **DB Audit Logging** in the left navigation pane. 3. On the **DB Audit Logging** page, click **Enable** in the upper-right corner. - 4. In the **Enable Database Audit Logging** dialog, locate the **Google Cloud Server Account ID** section, and record **Service Account ID** for later use. - -2. In the Google Cloud console, go to **IAM & Admin** > **Roles**, and then check whether a role with the following write-only permissions of the storage container exists. - - - storage.objects.create - - storage.objects.delete - - If yes, record the matched role for the TiDB instance for later use. If not, go to **IAM & Admin** > **Roles** > **CREATE ROLE** to define a role for the TiDB instance. - -3. Go to **Cloud Storage** > **Browser**, select the GCS bucket you want TiDB Cloud to access, and then click **SHOW INFO PANEL**. - - The panel is displayed. - -4. In the panel, click **ADD PRINCIPAL**. - - The dialog box for adding principals is displayed. - -5. In the dialog box, take the following steps: - - 1. In the **New Principals** field, paste the Google Cloud Service Account ID of the TiDB instance. - 2. In the **Role** drop-down list, choose the role of the target TiDB instance. - 3. Click **SAVE**. - -#### Step 3. Enable audit logging - -In the TiDB Cloud console, go back to the **Enable Database Audit Logging** dialog box where you got the TiDB Cloud account ID, and then take the following steps: - -1. In the **Bucket URI** field, enter your full GCS bucket name. -2. In the **Bucket Region** field, select the GCS region where the bucket locates. -3. Click **Test Connection** to verify whether TiDB Cloud can access and write to the bucket. - - If it is successful, **The connection is successfully** is displayed. Otherwise, check your access configuration. + 4. 
In the **Database Audit Log Storage Configuration** dialog, locate the **Alibaba Cloud RAM Policy Settings** section, and record **TiDB Cloud Account ID** and **TiDB Cloud External ID** for later use. -4. Click **Enable** to enable audit logging for the instance. +2. In the Alibaba Cloud console, go to **RAM** > **Permissions** > **Policies**. - TiDB Cloud is ready to write audit logs for the specified instance to your GCS bucket. + Check if a policy already exists with the `oss:PutObject` write-only permission for your audit log bucket: -> **Note:** -> -> - After enabling audit logging, if you make any new changes to the bucket URI or location, you must click **Test Connection** again to verify that TiDB Cloud can connect to the bucket. Then, click **Enable** to apply the changes. -> - To remove TiDB Cloud's access to your GCS bucket, delete the trust policy granted to this instance in the Google Cloud console. - -### Enable audit logging for Azure - -To enable audit logging for Azure, take the following steps: - -#### Step 1. Create an Azure storage account - -Create an Azure storage account in your organization's Azure subscription as the destination to which TiDB Cloud writes the database audit logs. - -For more information, see [Create an Azure storage account](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-create?tabs=azure-portal) in Azure documentation. - -#### Step 2. Configure Azure Blob Storage access + - If yes, record the policy name for later use. -1. In the [Azure portal](https://portal.azure.com/), create a container used for storing database audit logs. + - If not, click **Create Policy**, and define the policy using the following policy template. - 1. In the left navigation pane of the Azure portal, click **Storage Accounts**, and then click the storage account for storing database audit logs. 
+ ```json + { + "Version": "1", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "oss:PutObject" + ], + "Resource": "acs:oss:*:*:/*" + } + ] + } + ``` - > **Tip:** - > - > If the left navigation pane is hidden, click the menu button in the upper-left corner to toggle its visibility. + Replace `` with the name of your OSS bucket where TiDB Cloud will write audit logs. + + For example, if your bucket name is `auditlog-bucket`, use: `"Resource": "acs:oss:*:*:auditlog-bucket/*"` - 2. In the navigation pane for the selected storage account, click **Data storage > Containers**, and then click **+ Container** to open the **New container** pane. +3. Go to **RAM** > **Identities** > **Roles** in the Alibaba Cloud Console. - 3. In the **New container** pane, enter a name for your new container, set the anonymous access level (the recommended level is **Private**, which means no anonymous access), and then click **Create**. The new container will be created and displayed in the container list in a few seconds. + Check if a role already exists whose **trusted entity** matches the TiDB Cloud Account ID and External ID you recorded earlier. -2. Get the URL of the target container. + - If yes, record the role name for later use. - 1. In the container list, select the target container, click **...** for the container, and then select **Container properties**. - 2. On the displayed properties page, copy the **URL** value for later use, and then return to the container list. + - If not, click **Create Role**. -3. Generate a SAS token for the target container. + **When creating the role:** - 1. In the container list, select the target container, click **...** for the container, and then select **Generate SAS**. - 2. In the displayed **Generate SAS** pane, select **Account key** for **Signing method**. - 3. In the **Permissions** drop-down list, select **Read**, **Write**, and **Create** to allow writing audit log files. - 4. 
In the **Start** and **Expiry** fields, specify a validity period for the SAS token. + 1. In the role creation page, click **Switch to Policy Editor**. + 2. Under **Principal**, choose **Cloud Account** and enter the **TiDB Cloud Account Id** in the field. + 3. Under **Action**, select **sts:AssumeRole** from drop down list. + 4. Click **Add conditon**, then: + - Set **Key** to ``sts:ExternalId`` + - Set **Operator** to ``StringEquals`` + - Set **Value** to the **TiDB Cloud External ID**. + 5. Click **OK** to open the **Create Role** Dialog. + 6. Enter the role name in the **Role Name** field, then Click **OK** to create the role.. - > **Note:** - > - > - The audit feature needs to continuously write audit logs to the storage account, so the SAS token must have a sufficiently long validity period. However, longer validity increases the risk of token leakage. For security, it is recommended to replace your SAS token every six to twelve months. - > - The generated SAS token cannot be revoked, so you need to set its validity period carefully. - > - Make sure to re-generate and update the SAS token before it expires to ensure continuous availability of audit logs. +4. After the role is created, go to the **Permissions** tab and click **Grant Permission**. + In the dialog, do the following: + - For **Resource Scope**, select **Account**. + - In the **Policy** field, select the OSS write policy created in the previous step + - Click **Grant Permissions**. - 5. For **Allowed protocols**, select **HTTPS only** to ensure secure access. - 6. Click **Generate SAS token and URL**, and then copy the displayed **Blob SAS token** for later use. +5. Copy the **Role ARN** (for example: `acs:ram:::role/tidb-cloud-audit-role`) for later use. -#### Step 3. Enable audit logging -1. In the TiDB Cloud console, navigate to the [**instances**](https://tidbcloud.com/instances) page of your instance. +#### Step 3. Enable Audit logging in TiDB cloud -2. 
Click the name of your target instance to go to its overview page, and then click **Settings** > **DB Audit Logging** in the left navigation pane. +In the TiDB Cloud console, go back to the **Database Audit Log Storage Configuration** dialog box where you got the TiDB Cloud account ID, and then take the following steps: -3. On the **DB Audit Logging** page, click **Enable** in the upper-right corner. -4. In the **Enable Database Audit Logging** dialog, provide the blob URL and SAS token that you obtained from [Step 2. Configure Azure Blob access](#step-2-configure-azure-blob-storage-access): +1. In the **Bucket URI** field, enter the URI of your OSS bucket, e.g.: ``oss://tidb-cloud-audit-log``. +2. In the **Bucket Region** field, select the Alibaba Cloud region where the bucket locates (recommended to match your TiDB instance region). +3. In the **Role ARN** field, paste the Role ARN value copied in Step 2. - - In the **Blob URL** field, enter the URL of the container where audit logs will be stored. - - In the **SAS Token** field, enter the SAS token for accessing the container. +Click **Test Connection** to verify that TiDB Cloud can access and write to the OSS bucket. -5. Click **Test Connection** to verify whether TiDB Cloud can access and write to the container. + - If successful, you will see **The connection is successfully**. + - If not, check the OSS bucket permissions, RAM role configuration and policy. - If it is successful, **The connection is successfully** is displayed. Otherwise, check your access configuration. - -6. Click **Enable** to enable audit logging for the instance. +Finally, Click **Enable** to activate audit logging for the instance. - TiDB Cloud is ready to write audit logs for the specified instance to your Azure blob container. + TiDB Cloud is ready to write audit logs for the specified instance to your OSS bucket. 
> **Note:** > -> After enabling audit logging, if you make new changes to the **Blob URL** or **SAS Token** fields, you must click **Test Connection** again to verify that TiDB Cloud can connect to the container. Then, click **Enable** to apply the changes. +> - After enabling audit logging, if you make any new changes to the bucket URI or location, you must click **Test Connection** again to verify that TiDB Cloud can connect to the bucket. Then, click **Enable** to apply the changes. +> - To remove TiDB Cloud's access to your OSS bucket, delete the trust policy granted to this instance in the Alibaba Cloud console. + ## Specify auditing filter rules From 01179998f4433713cddb0e8c6d3ea96ed3a2fa59 Mon Sep 17 00:00:00 2001 From: Lilian Lee Date: Wed, 12 Nov 2025 14:19:02 +0800 Subject: [PATCH 03/22] Refine wording and format Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --- .../premium/tidb-cloud-auditing-premium.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/tidb-cloud/premium/tidb-cloud-auditing-premium.md b/tidb-cloud/premium/tidb-cloud-auditing-premium.md index 86c6688a31cb7..c1bf0f2a4d151 100644 --- a/tidb-cloud/premium/tidb-cloud-auditing-premium.md +++ b/tidb-cloud/premium/tidb-cloud-auditing-premium.md 
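Review bot: the role-creation sub-steps in this hunk carry two typos and an inconsistent code style: `Click **Add conditon**` should read `Add condition`, sub-step 6 ends with a double period (`create the role..`), and the three condition values use double backticks (``sts:ExternalId``, ``StringEquals``) while the rest of the file uses single backticks. The example Role ARN `acs:ram:::role/tidb-cloud-audit-role` also has an empty account-ID segment between the colons; either fill it with a clearly labelled placeholder or state that the value is copied from the console, so readers do not paste an ARN with a missing segment.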
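Review bot: the closing note of the Alibaba Cloud Step 3 says to re-test the connection only after changes to "the bucket URI or location", but this step also collects a Role ARN, and the corresponding AWS note in this file (visible as context in a later hunk) lists "bucket URI, location, or ARN"; add the Role ARN here so a changed role is also re-verified. In the same step, "the Alibaba Cloud region where the bucket locates" should read "where the bucket is located", the heading "Step 3. Enable Audit logging in TiDB cloud" mixes capitalisation with the other headings ("Enable audit logging", "TiDB Cloud"), and the "Click **Test Connection**" and "Finally, Click **Enable**" sentences sit outside the numbered list although they are steps 4 and 5 of the same procedure.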
@@ -1,24 +1,24 @@ --- -title: TiDB Cloud Premium Database Audit Logging -summary: Learn about how to audit a instance in TiDB Cloud. +title: "{{{ .premium }}} Database Audit Logging" +summary: Learn how to audit a instance in {{{ .premium }}}. --- -# TiDB Cloud Premium Database Audit Logging +# {{{ .premium }}} Database Audit Logging -TiDB Cloud provides you with a database audit logging feature to record a history of user access details (such as any SQL statements executed) in logs. +TiDB Cloud provides an audit logging feature that records user access activities, such as any executed SQL statements. -To assess the effectiveness of user access policies and other information security measures of your organization, it is a security best practice to conduct a periodic analysis of the database audit logs. +To evaluate the effectiveness of user access policies and other information security measures of your organization, it is a security best practice to periodically analyze database audit logs. -The audit logging feature is disabled by default. To audit a instance, you need to enable the audit logging first, and then specify the auditing filter rules. +The audit logging feature is **disabled by default**. To audit an instance, you must first enable audit logging, and then configure auditing filter rules. > **Note:** > -> Because audit logging consumes instance resources, be prudent about whether to audit a instance. +> Because audit logging consumes instance resources, be prudent about whether to audit an instance. ## Prerequisites -- You are using a TiDB Cloud Premium instance. Audit logging is not available for {{{ .starter }}} or {{{ .essential }}} clusters. -- You are in the `Organization Owner` role of your organization. Otherwise, you cannot see the database audit-related options in the TiDB Cloud console. +- You are using a {{{ .premium }}} instance. Audit logging is not available for {{{ .starter }}} or {{{ .essential }}} clusters. 
+- You must have the `Organization Owner` role in your organization. Otherwise, you cannot see the database audit-related options in the TiDB Cloud console. ## Enable audit logging From 69f55db08bc91f41e7dc778ab6f766cd76f409ce Mon Sep 17 00:00:00 2001 From: lilin90 Date: Wed, 12 Nov 2025 14:51:59 +0800 Subject: [PATCH 04/22] *: refine wording, fix format, update toc --- TOC-tidb-cloud-premium.md | 1 + .../premium/tidb-cloud-auditing-premium.md | 84 ++++++++----------- tidb-cloud/tidb-cloud-auditing.md | 2 +- 3 files changed, 39 insertions(+), 48 deletions(-) diff --git a/TOC-tidb-cloud-premium.md b/TOC-tidb-cloud-premium.md index 9a13a3a6f757a..f384564926ffa 100644 --- a/TOC-tidb-cloud-premium.md +++ b/TOC-tidb-cloud-premium.md @@ -241,6 +241,7 @@ - [Connect via Private Endpoint with Alibaba Cloud](/tidb-cloud/set-up-private-endpoint-connections-on-alibaba-cloud.md) - [Configure Firewall Rules for Public Endpoints](/tidb-cloud/configure-serverless-firewall-rules-for-public-endpoints.md) - Audit Management + - [TiDB Cloud Premium Database Audit Logging](/tidb-cloud/premium/tidb-cloud-auditing-premium.md) - [Console Audit Logging](/tidb-cloud/tidb-cloud-console-auditing.md) - Billing - [Invoices](/tidb-cloud/tidb-cloud-billing.md#invoices) diff --git a/tidb-cloud/premium/tidb-cloud-auditing-premium.md b/tidb-cloud/premium/tidb-cloud-auditing-premium.md index c1bf0f2a4d151..d5d58fb429a78 100644 --- a/tidb-cloud/premium/tidb-cloud-auditing-premium.md +++ b/tidb-cloud/premium/tidb-cloud-auditing-premium.md 
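Review bot: the new front-matter line `summary: Learn how to audit a instance in {{{ .premium }}}.` keeps the article error ("a instance") that the body fix in the same hunk corrects to "an instance"; change the summary too so the two agree.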
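Review bot: the added TOC entry "TiDB Cloud Premium Database Audit Logging" is not parallel with its sibling "Console Audit Logging" under the same "Audit Management" heading; "Database Audit Logging" would match the existing naming pattern.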
@@ -18,20 +18,19 @@ The audit logging feature is **disabled by default**. To audit an instance, you ## Prerequisites - You are using a {{{ .premium }}} instance. Audit logging is not available for {{{ .starter }}} or {{{ .essential }}} clusters. -- You must have the `Organization Owner` role in your organization. Otherwise, you cannot see the database audit-related options in the TiDB Cloud console. +- You must have the `Organization Owner` role in your organization. Otherwise, you cannot see the database audit-related options in the TiDB Cloud console. ## Enable audit logging -TiDB Cloud supports recording the audit logs of a TiDB Cloud Premium instance to your cloud storage service. Before enabling database audit logging, configure your cloud storage service on the cloud provider where the instance is located. +TiDB Cloud supports recording the audit logs of a {{{ .premium }}} instance to your cloud storage service. Before enabling database audit logging, configure your cloud storage service on the cloud provider where the instance is located. - -### Enable audit logging for AWS +### Enable audit logging for TiDB on AWS To enable audit logging for AWS, take the following steps: #### Step 1. Create an Amazon S3 bucket -Specify an Amazon S3 bucket in your corporate-owned AWS account as a destination to which TiDB Cloud writes the audit logs. +Specify an Amazon S3 bucket in your organization-owned AWS account as the destination to which TiDB Cloud writes audit logs. > **Note:** 
> @@ -43,7 +42,7 @@ For more information, see [Creating a bucket](https://docs.aws.amazon.com/Amazon 1. Get the TiDB Cloud Account ID and the External ID of the TiDB instance that you want to enable audit logging. - 1. In the TiDB Cloud console, navigate to the [**instances**](https://tidbcloud.com/instances) page of your instance. + 1. In the TiDB Cloud console, navigate to the [**TiDB Instances**](https://tidbcloud.com/instances) page. 2. Click the name of your target instance to go to its overview page, and then click **Settings** > **DB Audit Logging** in the left navigation pane. @@ -101,13 +100,13 @@ In the TiDB Cloud console, go back to the **Database Audit Log Storage Configura > - After enabling audit logging, if you make any new changes to the bucket URI, location, or ARN, you must click **Test Connection** again to verify that TiDB Cloud can connect to the bucket. Then, click **Enable** to apply the changes. > - To remove TiDB Cloud's access to your Amazon S3, simply delete the trust policy granted to this instance in the AWS Management Console. -### Enable audit logging for TiDB cloud on Alibaba Cloud +### Enable audit logging for TiDB on Alibaba Cloud -To enable database audit logging for TiDB cloud on Alibaba Cloud, follow the steps below: +To enable database audit logging for TiDB cloud on Alibaba Cloud, take the following steps: #### Step 1. Create an OSS bucket -Create an OSS bucket in your organization-owned Alibaba Cloud account as the destination to which TiDB Cloud will write audit logs. +Create an Object Storage Service (OSS) bucket in your organization-owned Alibaba Cloud account as the destination to which TiDB Cloud writes audit logs. For more information, see [Creating storage buckets](https://help.aliyun.com/zh/oss/user-guide/create-a-bucket-4) in the Alibaba Cloud Storage documentation. 
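Review bot: the intro sentence under the renamed heading still reads "To enable database audit logging for TiDB cloud on Alibaba Cloud", with lowercase "cloud", while the heading in the same hunk was corrected to "TiDB on Alibaba Cloud"; align the sentence with the heading. The bucket-creation link points at the Chinese-language OSS guide (`/zh/` in the URL) and is labelled "Alibaba Cloud Storage documentation"; for an English page, link the English edition of the same topic if one exists and name the product as in the sentence above it ("Object Storage Service (OSS)").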
@@ -115,18 +114,16 @@ For more information, see [Creating storage buckets](https://help.aliyun.com/zh/ 1. Get the Alibaba Cloud Service Account ID of the TiDB instance that you want to enable audit logging. - 1. In the TiDB Cloud console, navigate to the [**instances**](https://tidbcloud.com/instances) page of your instance. - 2. Click your target instance to open its overview page, and then click **Settings** > **DB Audit Logging** in the left navigation pane. + 1. In the TiDB Cloud console, navigate to the [**TiDB Instances**](https://tidbcloud.com/instances) page. + 2. Click the name of your target instance to go to its overview page, and then click **Settings** > **DB Audit Logging** in the left navigation pane. 3. On the **DB Audit Logging** page, click **Enable** in the upper-right corner. 4. In the **Database Audit Log Storage Configuration** dialog, locate the **Alibaba Cloud RAM Policy Settings** section, and record **TiDB Cloud Account ID** and **TiDB Cloud External ID** for later use. -2. In the Alibaba Cloud console, go to **RAM** > **Permissions** > **Policies**. - - Check if a policy already exists with the `oss:PutObject` write-only permission for your audit log bucket: +2. In the Alibaba Cloud console, go to **RAM** > **Permissions** > **Policies**, and then check whether a policy already exists with the `oss:PutObject` write-only permission for your audit log bucket. - If yes, record the policy name for later use. - - If not, click **Create Policy**, and define the policy using the following policy template. + - If not, click **Create Policy**, and define the policy using the following policy template. ```json { 
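Review bot: step 1 of this hunk asks for "the Alibaba Cloud Service Account ID of the TiDB instance", but sub-step 4 records "TiDB Cloud Account ID" and "TiDB Cloud External ID", and the later policy and role steps use those names; use one name for the identifier throughout. Step 2 says to check for a policy "with the `oss:PutObject` write-only permission for your audit log bucket": state explicitly that the policy should grant only `oss:PutObject` on the audit-log bucket and nothing broader, because an existing policy that happens to include `oss:PutObject` among wider permissions would also pass that check and the role would then hold more access than audit-log delivery needs.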
@@ -143,53 +140,47 @@ For more information, see [Creating storage buckets](https://help.aliyun.com/zh/ } ``` - Replace `` with the name of your OSS bucket where TiDB Cloud will write audit logs. - - For example, if your bucket name is `auditlog-bucket`, use: `"Resource": "acs:oss:*:*:auditlog-bucket/*"` + Replace `` with the name of your OSS bucket where TiDB Cloud will write audit logs. For example, if your bucket name is `auditlog-bucket`, use: `"Resource": "acs:oss:*:*:auditlog-bucket/*"`. -3. Go to **RAM** > **Identities** > **Roles** in the Alibaba Cloud Console. - - Check if a role already exists whose **trusted entity** matches the TiDB Cloud Account ID and External ID you recorded earlier. +3. In the Alibaba Cloud Console, go to **RAM** > **Identities** > **Roles**, and then check whether a role already exists whose **trusted entity** matches the TiDB Cloud Account ID and External ID you recorded earlier. - If yes, record the role name for later use. - - If not, click **Create Role**. - - **When creating the role:** + - If not, click **Create Role** by taking the following steps. - 1. In the role creation page, click **Switch to Policy Editor**. - 2. Under **Principal**, choose **Cloud Account** and enter the **TiDB Cloud Account Id** in the field. - 3. Under **Action**, select **sts:AssumeRole** from drop down list. - 4. Click **Add conditon**, then: - - Set **Key** to ``sts:ExternalId`` - - Set **Operator** to ``StringEquals`` - - Set **Value** to the **TiDB Cloud External ID**. - 5. Click **OK** to open the **Create Role** Dialog. - 6. Enter the role name in the **Role Name** field, then Click **OK** to create the role.. + 1. In the role creation page, click **Switch to Policy Editor**. + 2. Under **Principal**, choose **Cloud Account** and enter the **TiDB Cloud Account Id** in the field. + 3. Under **Action**, select **sts:AssumeRole** from the drop-down list. + 4. 
Click **Add condition**, and then configure the condition as follows: + - Set **Key** to ``sts:ExternalId``. + - Set **Operator** to ``StringEquals``. + - Set **Value** to the **TiDB Cloud External ID**. + 5. Click **OK** to open the **Create Role** dialog. + 6. Enter the role name in the **Role Name** field, and lick **OK** to create the role. 4. After the role is created, go to the **Permissions** tab and click **Grant Permission**. - In the dialog, do the following: + + In the dialog, configure the following settings: + - For **Resource Scope**, select **Account**. - - In the **Policy** field, select the OSS write policy created in the previous step + - In the **Policy** field, select the OSS write policy created earlier. - Click **Grant Permissions**. 5. Copy the **Role ARN** (for example: `acs:ram:::role/tidb-cloud-audit-role`) for later use. - -#### Step 3. Enable Audit logging in TiDB cloud +#### Step 3. Enable Audit logging In the TiDB Cloud console, go back to the **Database Audit Log Storage Configuration** dialog box where you got the TiDB Cloud account ID, and then take the following steps: -1. In the **Bucket URI** field, enter the URI of your OSS bucket, e.g.: ``oss://tidb-cloud-audit-log``. +1. In the **Bucket URI** field, enter the URI of your OSS bucket. For example, ``oss://tidb-cloud-audit-log``. 2. In the **Bucket Region** field, select the Alibaba Cloud region where the bucket locates (recommended to match your TiDB instance region). -3. In the **Role ARN** field, paste the Role ARN value copied in Step 2. - -Click **Test Connection** to verify that TiDB Cloud can access and write to the OSS bucket. +3. In the **Role ARN** field, paste the Role ARN value copied in [Step 2. Configure the OSS access](#step-2-configure-oss-access). +4. Click **Test Connection** to verify whether TiDB Cloud can access and write to the OSS bucket. - - If successful, you will see **The connection is successfully**. 
- - If not, check the OSS bucket permissions, RAM role configuration and policy. + - If successful, **The connection is successfully** is displayed. + - If not, check the OSS bucket permissions, RAM role configuration, and policy. -Finally, Click **Enable** to activate audit logging for the instance. +5. Click **Enable** to activate audit logging for the instance. TiDB Cloud is ready to write audit logs for the specified instance to your OSS bucket. @@ -198,7 +189,6 @@ Finally, Click **Enable** to activate audit logging for the instance. > - After enabling audit logging, if you make any new changes to the bucket URI or location, you must click **Test Connection** again to verify that TiDB Cloud can connect to the bucket. Then, click **Enable** to apply the changes. > - To remove TiDB Cloud's access to your OSS bucket, delete the trust policy granted to this instance in the Alibaba Cloud console. - ## Specify auditing filter rules After enabling audit logging, you must specify auditing filter rules to control which user access events to capture and write to audit logs. If no filter rules are specified, TiDB Cloud does not log anything. @@ -209,7 +199,7 @@ To specify auditing filter rules for a instance, take the following steps: You can add one audit rule at a time. Each rule specifies a user expression, database expression, table expression, and access type. You can add multiple audit rules to meet your auditing requirements. -2.In the **Log Filter Rules** section, click **>** to expand and view the list of audit rules you have added. +2. In the **Log Filter Rules** section, click **>** to expand and view the list of audit rules you have added. > **Note:** 
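Review bot: sub-step 6 of the role-creation list introduces a new typo, "and lick **OK** to create the role", which should be "and click **OK**". The sentence "Replace `` with the name of your OSS bucket" has an empty inline-code span where the placeholder token from the JSON template should appear; spell out or escape the placeholder so readers can see which token in the template to replace. The unchanged line "select the Alibaba Cloud region where the bucket locates" still needs "is located", and the link text "Step 2. Configure the OSS access" does not match its anchor `#step-2-configure-oss-access` (no "the").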
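Review bot: the note under Step 3 still lists only "the bucket URI or location" as changes that require a new **Test Connection**, while step 3 of the same procedure takes a Role ARN and the AWS note in this file lists "bucket URI, location, or ARN"; add the Role ARN here. "Delete the trust policy granted to this instance" is also imprecise for a RAM role, which always has a trust policy: say to remove the TiDB Cloud account from the role's trust policy or delete the role, so that readers know which action actually revokes access.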
> @@ -229,7 +219,7 @@ For example, `13796619446086334065/tidb-0/tidb-audit-2022-04-21T18-16-29.529.log If you no longer want to audit a instance, go to the page of the instance, click **Settings** > **Audit Settings**, and then toggle the audit setting in the upper-right corner to **Disable**. > **Note:** - +> > Each time the size of the log file reaches 10 MiB, the log file will be pushed to the cloud storage bucket. Therefore, after the audit log is disabled, the log file whose size is smaller than 10 MiB will not be automatically pushed to the cloud storage bucket. To get the log file in this situation, contact [PingCAP support](/tidb-cloud/tidb-cloud-support.md). ## Audit log fields diff --git a/tidb-cloud/tidb-cloud-auditing.md b/tidb-cloud/tidb-cloud-auditing.md index 921767e30cde7..c52b9104582a1 100644 --- a/tidb-cloud/tidb-cloud-auditing.md +++ b/tidb-cloud/tidb-cloud-auditing.md @@ -256,7 +256,7 @@ To specify auditing filter rules for a cluster, take the following steps: You can add one audit rule at a time. Each rule specifies a user expression, database expression, table expression, and access type. You can add multiple audit rules to meet your auditing requirements. -2.In the **Log Filter Rules** section, click **>** to expand and view the list of audit rules you have added. +2. In the **Log Filter Rules** section, click **>** to expand and view the list of audit rules you have added. > **Note:** > From 8b94e0206df03608cec796dd8feca6afad8c0f36 Mon Sep 17 00:00:00 2001 From: Cheng Weiwei <65707268+wildpcww@users.noreply.github.com> Date: Wed, 12 Nov 2025 14:56:15 +0800 Subject: [PATCH 05/22] Update tidb-cloud/premium/tidb-cloud-auditing-premium.md Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --- tidb-cloud/premium/tidb-cloud-auditing-premium.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
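Review bot: the context line in this hunk tells readers to "click **Settings** > **Audit Settings**" and "toggle the audit setting", but every other step in this file navigates to **Settings** > **DB Audit Logging** and uses an **Enable** button; unless the disable control really lives on a different page, update the path and control name so the disable procedure matches the enable procedure. "a instance" in the same line still needs "an instance".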
diff --git a/tidb-cloud/premium/tidb-cloud-auditing-premium.md b/tidb-cloud/premium/tidb-cloud-auditing-premium.md index d5d58fb429a78..531300857ef37 100644 --- a/tidb-cloud/premium/tidb-cloud-auditing-premium.md +++ b/tidb-cloud/premium/tidb-cloud-auditing-premium.md @@ -220,7 +220,7 @@ If you no longer want to audit a instance, go to the page of the instance, click > **Note:** > -> Each time the size of the log file reaches 10 MiB, the log file will be pushed to the cloud storage bucket. Therefore, after the audit log is disabled, the log file whose size is smaller than 10 MiB will not be automatically pushed to the cloud storage bucket. To get the log file in this situation, contact [PingCAP support](/tidb-cloud/tidb-cloud-support.md). +> Each time the size of the log file reaches 10 MiB, the log file will be pushed to the cloud storage bucket. Therefore, after audit logging is disabled, the log file whose size is smaller than 10 MiB will not be automatically pushed to the cloud storage bucket. To get the log file in this situation, contact [PingCAP support](/tidb-cloud/tidb-cloud-support.md). ## Audit log fields From 18413e09287b4574d23d41b1bb1db7302f84fc7d Mon Sep 17 00:00:00 2001 From: Cheng Weiwei <65707268+wildpcww@users.noreply.github.com> Date: Wed, 12 Nov 2025 14:56:29 +0800 Subject: [PATCH 06/22] Update tidb-cloud/premium/tidb-cloud-auditing-premium.md Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --- tidb-cloud/premium/tidb-cloud-auditing-premium.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tidb-cloud/premium/tidb-cloud-auditing-premium.md b/tidb-cloud/premium/tidb-cloud-auditing-premium.md index 531300857ef37..d4a2a90ac0bd4 100644 --- a/tidb-cloud/premium/tidb-cloud-auditing-premium.md +++ b/tidb-cloud/premium/tidb-cloud-auditing-premium.md 
@@ -259,7 +259,7 @@ Depending on the EVENT_CLASS field value set by TiDB, database event records in | 18 | CONNECTION_ID | INTEGER | | Connection ID | | 19 | CONNECTION_TYPE | VARCHAR | 12 | Connection via `socket` or `unix-socket` | | 20 | SERVER_ID | INTEGER | | TiDB server ID | - | 21 | SERVER_PORT | INTEGER | | The port that the TiDB server uses to listen to client communicating via the MySQL protocol | + | 21 | SERVER_PORT | INTEGER | | The port that the TiDB server uses to listen to client communication via the MySQL protocol | | 22 | SERVER_OS_LOGIN_USER | VARCHAR | 17 | The username of the TiDB process startup system | | 23 | OS_VERSION | VARCHAR | N/A | The version of the operating system where the TiDB server is located | | 24 | SSL_VERSION | VARCHAR | 6 | The current SSL version of TiDB | From c7a594bad03c4f3e9f466c7e464e5430ea8a5cbf Mon Sep 17 00:00:00 2001 From: Lilian Lee Date: Wed, 12 Nov 2025 16:11:24 +0800 Subject: [PATCH 07/22] Update wording Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --- tidb-cloud/premium/tidb-cloud-auditing-premium.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tidb-cloud/premium/tidb-cloud-auditing-premium.md b/tidb-cloud/premium/tidb-cloud-auditing-premium.md index d4a2a90ac0bd4..7d50e7b3c5058 100644 --- a/tidb-cloud/premium/tidb-cloud-auditing-premium.md +++ b/tidb-cloud/premium/tidb-cloud-auditing-premium.md 
@@ -85,7 +85,7 @@ For more information, see [Creating a bucket](https://docs.aws.amazon.com/Amazon In the TiDB Cloud console, go back to the **Database Audit Log Storage Configuration** dialog box where you got the TiDB Cloud account ID and the External ID values, and then take the following steps: 1. In the **Bucket URI** field, enter the URI of your S3 bucket where the audit log files are to be written. -2. In the **Bucket Region** drop-down list, select the AWS region where the bucket locates. +2. In the **Bucket Region** drop-down list, select the AWS region where the bucket is located. 3. In the **Role ARN** field, fill in the Role ARN value that you copied in [Step 2. Configure Amazon S3 access](#step-2-configure-amazon-s3-access). 4. Click **Test Connection and Next** to verify whether TiDB Cloud can access and write to the bucket. From 2797b75bbcddca2348cb247292e76f31e08b8e95 Mon Sep 17 00:00:00 2001 From: lilin90 Date: Wed, 12 Nov 2025 16:13:46 +0800 Subject: [PATCH 08/22] Update toc --- TOC-tidb-cloud-premium.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TOC-tidb-cloud-premium.md b/TOC-tidb-cloud-premium.md index f384564926ffa..51b94320dd32a 100644 --- a/TOC-tidb-cloud-premium.md +++ b/TOC-tidb-cloud-premium.md @@ -241,7 +241,7 @@ - [Connect via Private Endpoint with Alibaba Cloud](/tidb-cloud/set-up-private-endpoint-connections-on-alibaba-cloud.md) - [Configure Firewall Rules for Public Endpoints](/tidb-cloud/configure-serverless-firewall-rules-for-public-endpoints.md) - Audit Management - - [TiDB Cloud Premium Database Audit Logging](/tidb-cloud/premium/tidb-cloud-auditing-premium.md) + - [TiDB Cloud Database Audit Logging](/tidb-cloud/premium/tidb-cloud-auditing-premium.md) - [Console Audit Logging](/tidb-cloud/tidb-cloud-console-auditing.md) - Billing - [Invoices](/tidb-cloud/tidb-cloud-billing.md#invoices) From 2dcab32e3dc9cd51cb7fecd8770f192737268f57 Mon Sep 17 00:00:00 2001 
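Review bot: the same phrase "the Alibaba Cloud region where the bucket locates" remains in the Alibaba Cloud Step 3 of this file; apply the "is located" fix there too so the two provider sections read the same.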
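Review bot: the TOC entry renamed to "TiDB Cloud Database Audit Logging" is still not parallel with its sibling "Console Audit Logging" in the same list; "Database Audit Logging" would follow the existing pattern.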
From: lilin90 Date: Wed, 12 Nov 2025 16:35:15 +0800 Subject: [PATCH 09/22] Update tidb-cloud-auditing-premium.md --- tidb-cloud/premium/tidb-cloud-auditing-premium.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tidb-cloud/premium/tidb-cloud-auditing-premium.md b/tidb-cloud/premium/tidb-cloud-auditing-premium.md index 7d50e7b3c5058..a530b6f82fab1 100644 --- a/tidb-cloud/premium/tidb-cloud-auditing-premium.md +++ b/tidb-cloud/premium/tidb-cloud-auditing-premium.md @@ -17,7 +17,7 @@ The audit logging feature is **disabled by default**. To audit an instance, you ## Prerequisites -- You are using a {{{ .premium }}} instance. Audit logging is not available for {{{ .starter }}} or {{{ .essential }}} clusters. +- You are using a {{{ .premium }}} instance. - You must have the `Organization Owner` role in your organization. Otherwise, you cannot see the database audit-related options in the TiDB Cloud console. ## Enable audit logging From 844c0879d048679736190ffa46b016c01f9133db Mon Sep 17 00:00:00 2001 From: lilin90 Date: Wed, 12 Nov 2025 16:40:44 +0800 Subject: [PATCH 10/22] Update wording --- tidb-cloud/premium/tidb-cloud-auditing-premium.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tidb-cloud/premium/tidb-cloud-auditing-premium.md b/tidb-cloud/premium/tidb-cloud-auditing-premium.md index a530b6f82fab1..cf48364f894f3 100644 --- a/tidb-cloud/premium/tidb-cloud-auditing-premium.md +++ b/tidb-cloud/premium/tidb-cloud-auditing-premium.md @@ -1,6 +1,6 @@ --- title: "{{{ .premium }}} Database Audit Logging" -summary: Learn how to audit a instance in {{{ .premium }}}. +summary: Learn how to audit an instance in {{{ .premium }}}. --- # {{{ .premium }}} Database Audit Logging 
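Review bot: dropping "Audit logging is not available for {{{ .starter }}} or {{{ .essential }}} clusters" is correct, since the essential-database-audit-logging.md hunk later in this series documents a (Beta) audit logging feature for {{{ .essential }}}; consider replacing the removed sentence with a link to that page so readers of the Premium doc still learn where audit logging for the other tiers is described.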
@@ -36,7 +36,7 @@ Specify an Amazon S3 bucket in your organization-owned AWS account as the destin > > Do not enable object lock on the AWS S3 bucket. Enabling object lock will prevent TiDB Cloud from pushing audit log files to S3. -For more information, see [Creating a bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html) in the AWS User Guide. +For more information, see [creating a bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html) in the AWS User Guide. #### Step 2. Configure Amazon S3 access @@ -193,7 +193,7 @@ In the TiDB Cloud console, go back to the **Database Audit Log Storage Configura After enabling audit logging, you must specify auditing filter rules to control which user access events to capture and write to audit logs. If no filter rules are specified, TiDB Cloud does not log anything. -To specify auditing filter rules for a instance, take the following steps: +To specify auditing filter rules for an instance, take the following steps: 1. On the **DB Audit Logging** page, click **Add Filter Rule** in the **Log Filter Rules** section to add an audit filter rule. 
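Review bot: lowercasing the link text to "[creating a bucket]" makes it inconsistent with the other bucket-creation link in this file, "[Creating storage buckets]" in the Alibaba Cloud section; pick one capitalisation for link text that repeats the target page's title.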
@@ -216,11 +216,11 @@ For example, `13796619446086334065/tidb-0/tidb-audit-2022-04-21T18-16-29.529.log ## Disable audit logging -If you no longer want to audit a instance, go to the page of the instance, click **Settings** > **Audit Settings**, and then toggle the audit setting in the upper-right corner to **Disable**. +If you no longer want to audit an instance, go to the page of the instance, click **Settings** > **Audit Settings**, and then toggle the audit setting in the upper-right corner to **Disable**. > **Note:** > -> Each time the size of the log file reaches 10 MiB, the log file will be pushed to the cloud storage bucket. Therefore, after audit logging is disabled, the log file whose size is smaller than 10 MiB will not be automatically pushed to the cloud storage bucket. To get the log file in this situation, contact [PingCAP support](/tidb-cloud/tidb-cloud-support.md). +> Each time the size of the log file reaches 10 MiB, the log file will be pushed to the cloud storage bucket. Therefore, after audit logging is disabled, the log file whose size is smaller than 10 MiB will not be automatically pushed to the cloud storage bucket. To get the log file in this situation, contact [TiDB Cloud Support](/tidb-cloud/tidb-cloud-support.md). ## Audit log fields From 74432224767a49f2599f9dcc2037b245cf082f53 Mon Sep 17 00:00:00 2001 From: lilin90 Date: Wed, 12 Nov 2025 16:43:49 +0800 Subject: [PATCH 11/22] Update wording for consistency --- tidb-cloud/tidb-cloud-auditing.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tidb-cloud/tidb-cloud-auditing.md b/tidb-cloud/tidb-cloud-auditing.md index c52b9104582a1..f067a08cd1375 100644 --- a/tidb-cloud/tidb-cloud-auditing.md +++ b/tidb-cloud/tidb-cloud-auditing.md 
@@ -5,15 +5,15 @@ summary: Learn about how to audit a cluster in TiDB Cloud. # TiDB Cloud Dedicated Database Audit Logging -TiDB Cloud provides you with a database audit logging feature to record a history of user access details (such as any SQL statements executed) in logs. +TiDB Cloud provides an audit logging feature that records user access activities, such as any executed SQL statements. > **Note:** > > Currently, the database audit logging feature is only available upon request. To request this feature, click **?** in the lower-right corner of the [TiDB Cloud console](https://tidbcloud.com) and click **Request Support**. Then, fill in "Apply for database audit logging" in the **Description** field and click **Submit**. -To assess the effectiveness of user access policies and other information security measures of your organization, it is a security best practice to conduct a periodic analysis of the database audit logs. +To evaluate the effectiveness of user access policies and other information security measures of your organization, it is a security best practice to periodically analyze database audit logs. -The audit logging feature is disabled by default. To audit a cluster, you need to enable the audit logging first, and then specify the auditing filter rules. +The audit logging feature is **disabled by default**. To audit a cluster, you must first enable the audit logging, and then specify the auditing filter rules. > **Note:** > @@ -38,7 +38,7 @@ To enable audit logging for AWS, take the following steps: #### Step 1. Create an Amazon S3 bucket -Specify an Amazon S3 bucket in your corporate-owned AWS account as a destination to which TiDB Cloud writes the audit logs. +Specify an Amazon S3 bucket in your organization-owned AWS account as a destination to which TiDB Cloud writes the audit logs. > **Note:** 
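Review bot: "you must first enable the audit logging" in this hunk keeps the article that the equivalent Premium sentence drops ("you must first enable audit logging"); since this patch is about consistency, drop "the" here as well. The Dedicated page also keeps the unchanged note that the feature is "only available upon request", while the Premium page has no such note; confirm that difference is intentional rather than a leftover.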
> @@ -116,7 +116,7 @@ To enable audit logging for Google Cloud, take the following steps: #### Step 1. Create a GCS bucket -Specify a Google Cloud Storage (GCS) bucket in your corporate-owned Google Cloud account as a destination to which TiDB Cloud writes audit logs. +Specify a Google Cloud Storage (GCS) bucket in your organization-owned Google Cloud account as a destination to which TiDB Cloud writes audit logs. For more information, see [Creating storage buckets](https://cloud.google.com/storage/docs/creating-buckets) in the Google Cloud Storage documentation. From 994db6f06afbcc458d807d811ab627dc0e10c38c Mon Sep 17 00:00:00 2001 From: lilin90 Date: Wed, 12 Nov 2025 16:45:31 +0800 Subject: [PATCH 12/22] Update TOC-tidb-cloud-premium.md --- TOC-tidb-cloud-premium.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TOC-tidb-cloud-premium.md b/TOC-tidb-cloud-premium.md index 51b94320dd32a..da2429decaa4f 100644 --- a/TOC-tidb-cloud-premium.md +++ b/TOC-tidb-cloud-premium.md @@ -241,7 +241,7 @@ - [Connect via Private Endpoint with Alibaba Cloud](/tidb-cloud/set-up-private-endpoint-connections-on-alibaba-cloud.md) - [Configure Firewall Rules for Public Endpoints](/tidb-cloud/configure-serverless-firewall-rules-for-public-endpoints.md) - Audit Management - - [TiDB Cloud Database Audit Logging](/tidb-cloud/premium/tidb-cloud-auditing-premium.md) + - [Database Audit Logging](/tidb-cloud/premium/tidb-cloud-auditing-premium.md) - [Console Audit Logging](/tidb-cloud/tidb-cloud-console-auditing.md) - Billing - [Invoices](/tidb-cloud/tidb-cloud-billing.md#invoices) From 727a053a13c9f6bd31a7b62dc510c995f8831e1a Mon Sep 17 00:00:00 2001 From: lilin90 Date: Wed, 12 Nov 2025 16:53:19 +0800 Subject: [PATCH 13/22] Update grammar --- tidb-cloud/premium/tidb-cloud-auditing-premium.md | 4 ++-- tidb-cloud/tidb-cloud-auditing.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/tidb-cloud/premium/tidb-cloud-auditing-premium.md b/tidb-cloud/premium/tidb-cloud-auditing-premium.md index cf48364f894f3..9f939086c053f 100644 --- a/tidb-cloud/premium/tidb-cloud-auditing-premium.md +++ b/tidb-cloud/premium/tidb-cloud-auditing-premium.md @@ -89,7 +89,7 @@ In the TiDB Cloud console, go back to the **Database Audit Log Storage Configura 3. In the **Role ARN** field, fill in the Role ARN value that you copied in [Step 2. Configure Amazon S3 access](#step-2-configure-amazon-s3-access). 4. Click **Test Connection and Next** to verify whether TiDB Cloud can access and write to the bucket. - If it is successful, **The connection is successfully** is displayed. Otherwise, check your access configuration. + If it is successful, **The connection is successful** is displayed. Otherwise, check your access configuration. 5. Click **Enable** to enable audit logging for the instance. @@ -177,7 +177,7 @@ In the TiDB Cloud console, go back to the **Database Audit Log Storage Configura 3. In the **Role ARN** field, paste the Role ARN value copied in [Step 2. Configure the OSS access](#step-2-configure-oss-access). 4. Click **Test Connection** to verify whether TiDB Cloud can access and write to the OSS bucket. - - If successful, **The connection is successfully** is displayed. + - If successful, **The connection is successful** is displayed. - If not, check the OSS bucket permissions, RAM role configuration, and policy. 5. Click **Enable** to activate audit logging for the instance. diff --git a/tidb-cloud/tidb-cloud-auditing.md b/tidb-cloud/tidb-cloud-auditing.md index f067a08cd1375..3a1740e2cd698 100644 --- a/tidb-cloud/tidb-cloud-auditing.md +++ b/tidb-cloud/tidb-cloud-auditing.md 
@@ -99,7 +99,7 @@ In the TiDB Cloud console, go back to the **Enable Database Audit Logging** dial 3. In the **Role ARN** field, fill in the Role ARN value that you copied in [Step 2. Configure Amazon S3 access](#step-2-configure-amazon-s3-access). 4. Click **Test Connection** to verify whether TiDB Cloud can access and write to the bucket. - If it is successful, **The connection is successfully** is displayed. Otherwise, check your access configuration. + If it is successful, **The connection is successful** is displayed. Otherwise, check your access configuration. 5. Click **Enable** to enable audit logging for the cluster. @@ -163,7 +163,7 @@ In the TiDB Cloud console, go back to the **Enable Database Audit Logging** dial 2. In the **Bucket Region** field, select the GCS region where the bucket locates. 3. Click **Test Connection** to verify whether TiDB Cloud can access and write to the bucket. - If it is successful, **The connection is successfully** is displayed. Otherwise, check your access configuration. + If it is successful, **The connection is successful** is displayed. Otherwise, check your access configuration. 4. Click **Enable** to enable audit logging for the cluster. From 8e19ccbd9c4cf46d777fbd03f819ba12de00d5cc Mon Sep 17 00:00:00 2001 From: lilin90 Date: Wed, 12 Nov 2025 17:03:21 +0800 Subject: [PATCH 14/22] Update wording for consistency --- tidb-cloud/essential-database-audit-logging.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tidb-cloud/essential-database-audit-logging.md b/tidb-cloud/essential-database-audit-logging.md index 58b2ba17bc8b9..2fbe4a8531800 100644 --- a/tidb-cloud/essential-database-audit-logging.md +++ b/tidb-cloud/essential-database-audit-logging.md 
@@ -6,15 +6,15 @@ aliases: ['/tidbcloud/serverless-audit-logging'] # Database Audit Logging (Beta) for {{{ .essential }}} -{{{ .essential }}} provides you with a database audit logging feature to record a history of user access details (such as any SQL statements executed) in logs. +{{{ .essential }}} provides an audit logging feature that records user access activities, such as any executed SQL statements. > **Note:** > > Currently, the database audit logging feature is only available upon request. To request this feature, click **?** in the lower-right corner of the [TiDB Cloud console](https://tidbcloud.com) and click **Request Support**. Then, fill in "Apply for {{{ .essential }}} database audit logging" in the **Description** field and click **Submit**. -To assess the effectiveness of user access policies and other information security measures of your organization, it is a security best practice to conduct a periodic analysis of the database audit logs. +To evaluate the effectiveness of user access policies and other information security measures of your organization, it is a security best practice to periodically analyze database audit logs. -The audit logging feature is disabled by default. To audit a cluster, you need to enable audit logging for it. +The audit logging feature is **disabled by default**. To audit a cluster, you need to enable audit logging for it. ## Audit logging configurations From 399bfbe8540589d02e4c5db8b21fe5a68f9e86af Mon Sep 17 00:00:00 2001 From: lilin90 Date: Wed, 12 Nov 2025 17:20:22 +0800 Subject: [PATCH 15/22] Add a note --- tidb-cloud/premium/tidb-cloud-auditing-premium.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/tidb-cloud/premium/tidb-cloud-auditing-premium.md b/tidb-cloud/premium/tidb-cloud-auditing-premium.md index 9f939086c053f..d27031bd312cb 100644 --- a/tidb-cloud/premium/tidb-cloud-auditing-premium.md +++ b/tidb-cloud/premium/tidb-cloud-auditing-premium.md 
@@ -18,6 +18,13 @@ The audit logging feature is **disabled by default**. To audit an instance, you ## Prerequisites - You are using a {{{ .premium }}} instance. + + > **Note:** + > + > - Database audit logging is not available for {{{ .starter }}}. + > - For {{{ .essential }}}, see [Database Audit Logging (Beta) for {{{ .essential }}}](/tidb-cloud/essential-database-audit-logging.md). + > - For {{{ .dedicated }}}, see [{{{ .dedicated }}} Database Audit Logging](/tidb-cloud/tidb-cloud-auditing.md). + - You must have the `Organization Owner` role in your organization. Otherwise, you cannot see the database audit-related options in the TiDB Cloud console. ## Enable audit logging From 73465c9eb680cb0233e679b1553eca5cf318be23 Mon Sep 17 00:00:00 2001 From: Lilian Lee Date: Thu, 13 Nov 2025 10:02:28 +0800 Subject: [PATCH 16/22] Apply suggestions from code review Co-authored-by: Grace Cai --- .../premium/tidb-cloud-auditing-premium.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/tidb-cloud/premium/tidb-cloud-auditing-premium.md b/tidb-cloud/premium/tidb-cloud-auditing-premium.md index d27031bd312cb..2abd9ef78ceaa 100644 --- a/tidb-cloud/premium/tidb-cloud-auditing-premium.md +++ b/tidb-cloud/premium/tidb-cloud-auditing-premium.md @@ -9,7 +9,7 @@ TiDB Cloud provides an audit logging feature that records user access activities To evaluate the effectiveness of user access policies and other information security measures of your organization, it is a security best practice to periodically analyze database audit logs. -The audit logging feature is **disabled by default**. To audit an instance, you must first enable audit logging, and then configure auditing filter rules. +The audit logging feature is **disabled by default**. To audit a TiDB instance, you must first enable audit logging, and then configure auditing filter rules. > **Note:** 
> @@ -89,7 +89,7 @@ For more information, see [creating a bucket](https://docs.aws.amazon.com/Amazon #### Step 3. Enable audit logging -In the TiDB Cloud console, go back to the **Database Audit Log Storage Configuration** dialog box where you got the TiDB Cloud account ID and the External ID values, and then take the following steps: +In the TiDB Cloud console, go back to the **Database Audit Log Storage Configuration** dialog where you got the TiDB Cloud account ID and the External ID values, and then take the following steps: 1. In the **Bucket URI** field, enter the URI of your S3 bucket where the audit log files are to be written. 2. In the **Bucket Region** drop-down list, select the AWS region where the bucket is located. @@ -149,7 +149,7 @@ For more information, see [Creating storage buckets](https://help.aliyun.com/zh/ Replace `` with the name of your OSS bucket where TiDB Cloud will write audit logs. For example, if your bucket name is `auditlog-bucket`, use: `"Resource": "acs:oss:*:*:auditlog-bucket/*"`. -3. In the Alibaba Cloud Console, go to **RAM** > **Identities** > **Roles**, and then check whether a role already exists whose **trusted entity** matches the TiDB Cloud Account ID and External ID you recorded earlier. +3. In the Alibaba Cloud console, go to **RAM** > **Identities** > **Roles**, and then check whether a role already exists whose **trusted entity** matches the TiDB Cloud Account ID and External ID you recorded earlier. - If yes, record the role name for later use. 
@@ -163,28 +163,28 @@ For more information, see [Creating storage buckets](https://help.aliyun.com/zh/ - Set **Operator** to ``StringEquals``. - Set **Value** to the **TiDB Cloud External ID**. 5. Click **OK** to open the **Create Role** dialog. - 6. Enter the role name in the **Role Name** field, and lick **OK** to create the role. + 6. Enter the role name in the **Role Name** field, and click **OK** to create the role. 4. After the role is created, go to the **Permissions** tab and click **Grant Permission**. In the dialog, configure the following settings: - For **Resource Scope**, select **Account**. - - In the **Policy** field, select the OSS write policy created earlier. + - In the **Policy** field, select the OSS write policy created earlier. - Click **Grant Permissions**. 5. Copy the **Role ARN** (for example: `acs:ram:::role/tidb-cloud-audit-role`) for later use. #### Step 3. Enable Audit logging -In the TiDB Cloud console, go back to the **Database Audit Log Storage Configuration** dialog box where you got the TiDB Cloud account ID, and then take the following steps: +In the TiDB Cloud console, go back to the **Database Audit Log Storage Configuration** dialog where you got the TiDB Cloud account ID, and then take the following steps: 1. In the **Bucket URI** field, enter the URI of your OSS bucket. For example, ``oss://tidb-cloud-audit-log``. -2. In the **Bucket Region** field, select the Alibaba Cloud region where the bucket locates (recommended to match your TiDB instance region). +2. In the **Bucket Region** field, select the Alibaba Cloud region where the bucket is located (recommended to match your TiDB instance region). 3. In the **Role ARN** field, paste the Role ARN value copied in [Step 2. Configure the OSS access](#step-2-configure-oss-access). 4. Click **Test Connection** to verify whether TiDB Cloud can access and write to the OSS bucket. - - If successful, **The connection is successful** is displayed. 
+ - If it is successful, **The connection is successful** is displayed. - If not, check the OSS bucket permissions, RAM role configuration, and policy. 5. Click **Enable** to activate audit logging for the instance. @@ -227,7 +227,7 @@ If you no longer want to audit an instance, go to the page of the instance, clic > **Note:** > -> Each time the size of the log file reaches 10 MiB, the log file will be pushed to the cloud storage bucket. Therefore, after audit logging is disabled, the log file whose size is smaller than 10 MiB will not be automatically pushed to the cloud storage bucket. To get the log file in this situation, contact [TiDB Cloud Support](/tidb-cloud/tidb-cloud-support.md). +> Each time the size of the log file reaches 10 MiB, the log file is pushed to the cloud storage bucket. Therefore, after audit logging is disabled, the log file whose size is smaller than 10 MiB will not be automatically pushed to the cloud storage bucket. To get the log file in this situation, contact [TiDB Cloud Support](/tidb-cloud/tidb-cloud-support.md). ## Audit log fields From 9fe22f9600c25542c211764ed574bcaaae7252ba Mon Sep 17 00:00:00 2001 From: Lilian Lee Date: Thu, 13 Nov 2025 10:04:19 +0800 Subject: [PATCH 17/22] Apply suggestions from code review Co-authored-by: Grace Cai --- tidb-cloud/premium/tidb-cloud-auditing-premium.md | 6 +++--- tidb-cloud/tidb-cloud-auditing.md | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/tidb-cloud/premium/tidb-cloud-auditing-premium.md b/tidb-cloud/premium/tidb-cloud-auditing-premium.md index 2abd9ef78ceaa..d77d55174c0dc 100644 --- a/tidb-cloud/premium/tidb-cloud-auditing-premium.md +++ b/tidb-cloud/premium/tidb-cloud-auditing-premium.md 
@@ -5,7 +5,7 @@ summary: Learn how to audit an instance in {{{ .premium }}}. # {{{ .premium }}} Database Audit Logging -TiDB Cloud provides an audit logging feature that records user access activities, such as any executed SQL statements. +TiDB Cloud provides an audit logging feature that records user access activities of your database, such as executed SQL statements. To evaluate the effectiveness of user access policies and other information security measures of your organization, it is a security best practice to periodically analyze database audit logs. @@ -115,7 +115,7 @@ To enable database audit logging for TiDB cloud on Alibaba Cloud, take the follo Create an Object Storage Service (OSS) bucket in your organization-owned Alibaba Cloud account as the destination to which TiDB Cloud writes audit logs. -For more information, see [Creating storage buckets](https://help.aliyun.com/zh/oss/user-guide/create-a-bucket-4) in the Alibaba Cloud Storage documentation. +For more information, see [Creating storage buckets](https://www.alibabacloud.com/help/en/oss/user-guide/create-a-bucket-4) in the Alibaba Cloud Storage documentation. #### Step 2. Configure OSS access 
@@ -126,7 +126,7 @@ For more information, see [Creating storage buckets](https://help.aliyun.com/zh/ 3. On the **DB Audit Logging** page, click **Enable** in the upper-right corner. 4. In the **Database Audit Log Storage Configuration** dialog, locate the **Alibaba Cloud RAM Policy Settings** section, and record **TiDB Cloud Account ID** and **TiDB Cloud External ID** for later use. -2. In the Alibaba Cloud console, go to **RAM** > **Permissions** > **Policies**, and then check whether a policy already exists with the `oss:PutObject` write-only permission for your audit log bucket. +2. In the Alibaba Cloud console, go to **RAM** > **Permissions** > **Policies**, and then check whether a policy already exists with the `oss:PutObject` write-only permission for your audit log OSS bucket. - If yes, record the policy name for later use. diff --git a/tidb-cloud/tidb-cloud-auditing.md b/tidb-cloud/tidb-cloud-auditing.md index 3a1740e2cd698..c2ea8c8e48e91 100644 --- a/tidb-cloud/tidb-cloud-auditing.md +++ b/tidb-cloud/tidb-cloud-auditing.md @@ -5,7 +5,7 @@ summary: Learn about how to audit a cluster in TiDB Cloud. # TiDB Cloud Dedicated Database Audit Logging -TiDB Cloud provides an audit logging feature that records user access activities, such as any executed SQL statements. +TiDB Cloud provides an audit logging feature that records user access activities of your database, such as executed SQL statements. > **Note:** > From da08721f256e8a3a95ff3b3649fa90204e399c34 Mon Sep 17 00:00:00 2001 From: lilin90 Date: Thu, 13 Nov 2025 10:20:06 +0800 Subject: [PATCH 18/22] Update wording --- tidb-cloud/essential-database-audit-logging.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tidb-cloud/essential-database-audit-logging.md b/tidb-cloud/essential-database-audit-logging.md index 2fbe4a8531800..f48132c3c4572 100644 --- a/tidb-cloud/essential-database-audit-logging.md +++ b/tidb-cloud/essential-database-audit-logging.md 
@@ -6,7 +6,7 @@ aliases: ['/tidbcloud/serverless-audit-logging'] # Database Audit Logging (Beta) for {{{ .essential }}} -{{{ .essential }}} provides an audit logging feature that records user access activities, such as any executed SQL statements. +{{{ .essential }}} provides an audit logging feature that records user access activities of your database, such as executed SQL statements. > **Note:** > @@ -14,7 +14,7 @@ aliases: ['/tidbcloud/serverless-audit-logging'] To evaluate the effectiveness of user access policies and other information security measures of your organization, it is a security best practice to periodically analyze database audit logs. -The audit logging feature is **disabled by default**. To audit a cluster, you need to enable audit logging for it. +The audit logging feature is **disabled by default**. To audit a TiDB cluster, you need to enable audit logging for it. ## Audit logging configurations From 321ba0ba1a62a1edfedc6162162932614685985d Mon Sep 17 00:00:00 2001 From: lilin90 Date: Thu, 13 Nov 2025 10:22:51 +0800 Subject: [PATCH 19/22] Add customcontent for alibaba cloud --- tidb-cloud/premium/tidb-cloud-auditing-premium.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tidb-cloud/premium/tidb-cloud-auditing-premium.md b/tidb-cloud/premium/tidb-cloud-auditing-premium.md index d77d55174c0dc..5762873fc211d 100644 --- a/tidb-cloud/premium/tidb-cloud-auditing-premium.md +++ b/tidb-cloud/premium/tidb-cloud-auditing-premium.md 
@@ -107,6 +107,8 @@ In the TiDB Cloud console, go back to the **Database Audit Log Storage Configura > - After enabling audit logging, if you make any new changes to the bucket URI, location, or ARN, you must click **Test Connection** again to verify that TiDB Cloud can connect to the bucket. Then, click **Enable** to apply the changes. > - To remove TiDB Cloud's access to your Amazon S3, simply delete the trust policy granted to this instance in the AWS Management Console. + + ### Enable audit logging for TiDB on Alibaba Cloud To enable database audit logging for TiDB cloud on Alibaba Cloud, take the following steps: @@ -196,6 +198,8 @@ In the TiDB Cloud console, go back to the **Database Audit Log Storage Configura > - After enabling audit logging, if you make any new changes to the bucket URI or location, you must click **Test Connection** again to verify that TiDB Cloud can connect to the bucket. Then, click **Enable** to apply the changes. > - To remove TiDB Cloud's access to your OSS bucket, delete the trust policy granted to this instance in the Alibaba Cloud console. + + ## Specify auditing filter rules After enabling audit logging, you must specify auditing filter rules to control which user access events to capture and write to audit logs. If no filter rules are specified, TiDB Cloud does not log anything. From 122693ac1331503079da0607124fe6bbea216256 Mon Sep 17 00:00:00 2001 From: lilin90 Date: Thu, 13 Nov 2025 10:26:13 +0800 Subject: [PATCH 20/22] Update anchor link wording --- tidb-cloud/premium/tidb-cloud-auditing-premium.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tidb-cloud/premium/tidb-cloud-auditing-premium.md b/tidb-cloud/premium/tidb-cloud-auditing-premium.md index 5762873fc211d..c2b8462677ead 100644 --- a/tidb-cloud/premium/tidb-cloud-auditing-premium.md +++ b/tidb-cloud/premium/tidb-cloud-auditing-premium.md 
@@ -43,7 +43,7 @@ Specify an Amazon S3 bucket in your organization-owned AWS account as the destin > > Do not enable object lock on the AWS S3 bucket. Enabling object lock will prevent TiDB Cloud from pushing audit log files to S3. -For more information, see [creating a bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html) in the AWS User Guide. +For more information, see [Creating a general purpose bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html) in the AWS User Guide. #### Step 2. Configure Amazon S3 access @@ -117,7 +117,7 @@ To enable database audit logging for TiDB cloud on Alibaba Cloud, take the follo Create an Object Storage Service (OSS) bucket in your organization-owned Alibaba Cloud account as the destination to which TiDB Cloud writes audit logs. -For more information, see [Creating storage buckets](https://www.alibabacloud.com/help/en/oss/user-guide/create-a-bucket-4) in the Alibaba Cloud Storage documentation. +For more information, see [Create a bucket](https://www.alibabacloud.com/help/en/oss/user-guide/create-a-bucket-4) in the Alibaba Cloud Storage documentation. #### Step 2. Configure OSS access From 377acf27b388499811c67a6c314615b35a063b3b Mon Sep 17 00:00:00 2001 From: Cheng Weiwei <65707268+wildpcww@users.noreply.github.com> Date: Thu, 13 Nov 2025 11:28:07 +0800 Subject: [PATCH 21/22] description change --- tidb-cloud/premium/tidb-cloud-auditing-premium.md | 4 ++-- tidb-cloud/tidb-cloud-auditing.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/tidb-cloud/premium/tidb-cloud-auditing-premium.md b/tidb-cloud/premium/tidb-cloud-auditing-premium.md index c2b8462677ead..a88b5270693f5 100644 --- a/tidb-cloud/premium/tidb-cloud-auditing-premium.md +++ b/tidb-cloud/premium/tidb-cloud-auditing-premium.md 
@@ -221,9 +221,9 @@ To specify auditing filter rules for an instance, take the following steps: By default, TiDB Cloud stores database audit log files in your storage service, so you need to read the audit log information from your storage service. -TiDB Cloud audit logs are readable text files with the instance ID, Pod ID, and log creation date incorporated into the fully qualified filenames. +TiDB Cloud audit logs are readable text files with the instance ID, internal ID, and log creation date incorporated into the fully qualified filenames. -For example, `13796619446086334065/tidb-0/tidb-audit-2022-04-21T18-16-29.529.log`. In this example, `13796619446086334065` indicates the instance ID and `tidb-0` indicates the Pod ID. +For example, `13796619446086334065/tidb-5m5z34/tidb-audit-2022-04-21T18-16-29.529.log`. In this example, `13796619446086334065` indicates the instance ID and `tidb-5m5z34` indicates the internal ID. ## Disable audit logging diff --git a/tidb-cloud/tidb-cloud-auditing.md b/tidb-cloud/tidb-cloud-auditing.md index c2ea8c8e48e91..87ad791e20c5b 100644 --- a/tidb-cloud/tidb-cloud-auditing.md +++ b/tidb-cloud/tidb-cloud-auditing.md 
@@ -271,9 +271,9 @@ By default, TiDB Cloud stores database audit log files in your storage service, > > If you have requested and chosen to store audit log files in TiDB Cloud, you can download them from the **Audit Log Access** section on the **Database Audit Logging** page. -TiDB Cloud audit logs are readable text files with the cluster ID, Pod ID, and log creation date incorporated into the fully qualified filenames. +TiDB Cloud audit logs are readable text files with the cluster ID, node ID, and log creation date incorporated into the fully qualified filenames. -For example, `13796619446086334065/tidb-0/tidb-audit-2022-04-21T18-16-29.529.log`. In this example, `13796619446086334065` indicates the cluster ID and `tidb-0` indicates the Pod ID. +For example, `13796619446086334065/tidb-0/tidb-audit-2022-04-21T18-16-29.529.log`. In this example, `13796619446086334065` indicates the cluster ID and `tidb-0` indicates the node ID. ## Disable audit logging From 1cb5fab7018416536c3de3ee019b1852ef6efbdb Mon Sep 17 00:00:00 2001 From: Lilian Lee Date: Thu, 13 Nov 2025 11:45:35 +0800 Subject: [PATCH 22/22] Update capitalization for style consistency --- tidb-cloud/premium/tidb-cloud-auditing-premium.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tidb-cloud/premium/tidb-cloud-auditing-premium.md b/tidb-cloud/premium/tidb-cloud-auditing-premium.md index a88b5270693f5..ff903b5cfe250 100644 --- a/tidb-cloud/premium/tidb-cloud-auditing-premium.md +++ b/tidb-cloud/premium/tidb-cloud-auditing-premium.md @@ -177,7 +177,7 @@ For more information, see [Create a bucket](https://www.alibabacloud.com/help/en 5. Copy the **Role ARN** (for example: `acs:ram:::role/tidb-cloud-audit-role`) for later use. -#### Step 3. Enable Audit logging +#### Step 3. Enable audit logging In the TiDB Cloud console, go back to the **Database Audit Log Storage Configuration** dialog where you got the TiDB Cloud account ID, and then take the following steps:
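Review bot: In the `tidb-cloud/premium/tidb-cloud-auditing-premium.md` hunk at `@@ -89,7 +89,7 @@` (PATCH 13), step 4 names the button **Test Connection and Next**, while the OSS section of the same file (hunk at `@@ -177,7 +177,7 @@`) and both hunks in `tidb-cloud/tidb-cloud-auditing.md` say **Test Connection**; confirm the actual label in the console and use the same one in all four places, since readers match these steps against the UI.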
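Review bot: In the `tidb-cloud/tidb-cloud-auditing.md` hunk at `@@ -163,7 +163,7 @@` (PATCH 13), step 2 still reads "select the GCS region where the bucket locates"; PATCH 16 later fixes the same wording in the premium page to "where the bucket is located", so apply the same fix here.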
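Review bot: In the `@@ -149,7 +149,7 @@` hunk of PATCH 16, the unchanged context line "Replace `` with the name of your OSS bucket" has an empty placeholder between the backticks, and the example Role ARN in the next hunk, `acs:ram:::role/tidb-cloud-audit-role`, has three consecutive colons where an account identifier would normally sit; if these are angle-bracket placeholders, they are being swallowed as HTML tags when rendered, so spell them out in a form that survives rendering, for example `{your-bucket-name}` and `acs:ram::{account-id}:role/tidb-cloud-audit-role`.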
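Review bot: In the `@@ -163,28 +163,28 @@` hunk of PATCH 16, step 3 of "Enable audit logging" links to "[Step 2. Configure the OSS access](#step-2-configure-oss-access)" but the heading is "#### Step 2. Configure OSS access"; the anchor matches the heading, so only the link text needs to drop "the". In the same hunk, ``StringEquals`` and ``oss://tidb-cloud-audit-log`` use double backticks while the rest of the file uses single backticks; the double form is unnecessary here because neither value contains a backtick.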
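Review bot: In the `@@ -227,7 +227,7 @@` hunk of PATCH 16, the note documents only the 10 MiB size trigger for pushing a log file; an instance with little traffic may never reach 10 MiB, so its audit events could sit unpushed for a long time while the user believes logging is in effect. State whether there is also a time-based push, and if there is none, say so explicitly, because the note already tells readers that the last partial file after disabling is only recoverable through support.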
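Review bot: In the `tidb-cloud/tidb-cloud-auditing.md` hunk at `@@ -5,7 +5,7 @@` of PATCH 17, the front-matter context line still reads "summary: Learn about how to audit a cluster in TiDB Cloud." while the premium page in the same patch reads "summary: Learn how to audit an instance in {{{ .premium }}}."; drop "about" here so the two summaries use the same wording.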
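Review bot: Both hunks of PATCH 19 (`@@ -107,6 +107,8 @@` and `@@ -196,6 +198,8 @@`) show only two added blank lines each, yet the commit subject says it adds customcontent for Alibaba Cloud; verify that the wrapper markup is actually in the commit and that the opening marker placed before "### Enable audit logging for TiDB on Alibaba Cloud" has its matching closing marker before "## Specify auditing filter rules", otherwise the section still renders for every platform. The unchanged context line "To enable database audit logging for TiDB cloud on Alibaba Cloud" also needs "TiDB Cloud" capitalized, matching the rest of the file.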
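Review bot: In the `tidb-cloud/premium/tidb-cloud-auditing-premium.md` hunk at `@@ -221,9 +221,9 @@` of PATCH 21, "internal ID" (`tidb-5m5z34`) tells the reader less than the "Pod ID" it replaces; someone correlating audit files during an investigation needs to know what this path segment identifies and whether it stays constant across restarts and scaling, so add one sentence saying so. It would also help to state the time zone of the timestamp in `tidb-audit-2022-04-21T18-16-29.529.log`, since that is what readers will line up against other log sources.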
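Review bot: In the `tidb-cloud/tidb-cloud-auditing.md` hunk at `@@ -271,9 +271,9 @@` of PATCH 21, the same path segment (`tidb-0`) is called "node ID", while the premium page in the same patch calls its segment "internal ID"; if the two products emit different identifiers, each page should explain what its identifier is, and if they are the same thing, use one term on both pages.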