Security & Compliance

MySQL Audit Logs: How to Enable, Configure & Secure Your Database

April 23, 2026
MySQL Audit Logs: How to Enable, Configure & Secure Your Database
10 min read
TL;DR
  • MySQL audit logs are structured records capturing connections, queries, schema changes, and admin actions to support security monitoring and compliance.
  • Community Edition users can enable audit logging via the MariaDB Audit Plugin, while Enterprise Edition uses the native audit_log plugin with JSON, XML, and CSV output.
  • MySQL audit logging satisfies GDPR, HIPAA, SOX, and PCI DSS v4.1 requirements by recording who accessed what data and when.
  • AWS RDS, Azure Flexible Server, and Google Cloud SQL each offer native audit log integration with their respective monitoring and SIEM ecosystems.
  • Choose the Enterprise Audit Plugin for granular filtering and encryption, the MariaDB Audit Plugin for Community Edition production systems, and the General Query Log only for development use.

MySQL audit logs are records of database activity that capture connections, queries, schema changes, errors, and administrative actions on a MySQL server. They provide a verifiable trail of who did what, when, and on which objects, enabling security teams to detect unauthorized access, meet compliance requirements, and investigate incidents. Audit logging is available through multiple methods depending on your MySQL edition and deployment environment.


This guide covers all major approaches to MySQL audit logging: the General Query Log and MariaDB Audit Plugin for Community Edition users, the MySQL Enterprise Audit Plugin for Enterprise Edition, and cloud-specific implementations for AWS, Azure, and GCP. It also covers filtering, log formats, best practices, performance considerations, and troubleshooting.

What Are MySQL Audit Logs?

MySQL audit logs are structured records generated by the MySQL server (or a plugin) that track database events for security, compliance, and operational analysis. Unlike the general query log, which records all SQL statements indiscriminately, audit logs provide selective, configurable recording of specific event types with metadata including timestamps, user accounts, source IP addresses, and affected objects.


The MySQL Enterprise Audit Plugin (audit_log) is the most feature-complete solution, supporting JSON, XML, and CSV output formats, granular event filtering, log rotation, and encryption. For MySQL Community Edition users, the MariaDB Audit Plugin provides a free, compatible alternative with similar core functionality. The General Query Log offers basic logging but lacks the filtering and security features needed for production audit requirements.

Why MySQL Audit Logs Matter

Security Monitoring and Threat Detection

Audit logs enable real-time and forensic detection of security threats. They capture failed login attempts that may indicate brute-force attacks, privilege escalation events where users gain elevated access, and unauthorized data access or modification. By monitoring audit logs, security teams can identify anomalous patterns such as access from unexpected IP addresses, queries against sensitive tables outside business hours, or bulk data exports that may indicate data exfiltration.

Compliance Requirements (GDPR, HIPAA, SOX, PCI DSS)

Regulatory frameworks require organizations to maintain audit trails of database access and modification. GDPR requires logging access to personal data and demonstrating accountability for data processing activities. HIPAA mandates audit controls that record and examine access to electronic protected health information (ePHI). SOX requires audit trails for financial data to prevent fraud. PCI DSS v4.1 requires logging all access to cardholder data environments and reviewing logs regularly.


Tessell holds ISO 27001, ISO 27701, SOC 2, and PCI DSS v4.1 certifications, directly supporting customers who need to demonstrate audit logging compliance across these frameworks.

Troubleshooting and Forensic Analysis

Audit logs provide the event sequence needed to diagnose database issues and perform post-incident analysis. When a schema change breaks an application, audit logs identify who made the change, when, and what the previous state was. When data corruption is detected, audit logs trace the sequence of operations that led to it. This forensic capability is essential for root cause analysis and incident response.

Change Management and Accountability

In environments with multiple database administrators and application service accounts, audit logs provide accountability by recording every configuration change, DDL operation, and privilege modification. This supports change management processes by creating a verifiable record that can be reviewed during change approval workflows and audited retrospectively.

MySQL Audit Log Methods Compared

MySQL supports three primary methods for audit logging, each suited to different editions and use cases.

FeatureGeneral Query LogMariaDB Audit PluginEnterprise Audit Plugin
EditionAll editionsCommunity + EnterpriseEnterprise only
Event FilteringNone (logs everything)Basic (connection, query, table)Granular (user, event, object)
Output FormatsFile or tableFile (syslog compatible)JSON, XML, CSV
Performance ImpactHigh (logs all queries)Low to moderateLow (async mode available)
Log RotationManual (FLUSH LOGS)ManualBuilt-in (audit_log_rotate)
EncryptionNoNoYes (Enterprise feature)
Best ForDevelopment/debuggingCommunity Edition productionEnterprise compliance

How to Enable MySQL Audit Logging (Community Edition)

MySQL Community Edition does not include the Enterprise Audit Plugin. Two alternative methods provide audit logging capabilities for Community Edition deployments.

Using the General Query Log

The General Query Log records every SQL statement received by the MySQL server. It is the simplest audit method but generates significant overhead and volume because it cannot filter events.


-- Enable the General Query Log


SET GLOBAL general_log = 'ON';


SET GLOBAL log_output = 'FILE';


SET GLOBAL general_log_file = '/var/log/mysql/general.log';



-- Verify


SHOW VARIABLES LIKE 'general_log%';



Limitation: The General Query Log is not suitable for production audit requirements. It logs all queries without filtering, generates large log files quickly, and has no built-in rotation, encryption, or structured output. Use it only for development, debugging, or short-term diagnostics.

Using the MariaDB Audit Plugin

The MariaDB Audit Plugin (server_audit) is a free, open-source plugin that works with both MariaDB and MySQL Community Edition. It provides connection and query logging with basic filtering, making it the most practical audit solution for Community Edition production environments. This is the method that Bytebase and other community guides recommend.


-- Install the MariaDB Audit Plugin


INSTALL PLUGIN server_audit SONAME 'server_audit.so';



-- Configure audit logging


SET GLOBAL server_audit_logging = 'ON';


SET GLOBAL server_audit_events = 'CONNECT,QUERY,TABLE';


SET GLOBAL server_audit_file_path = '/var/log/mysql/server_audit.log';


SET GLOBAL server_audit_file_rotate_size = 104857600; -- 100MB


SET GLOBAL server_audit_file_rotations = 10;



-- Verify the plugin is active


SHOW PLUGINS;


SELECT * FROM information_schema.plugins


WHERE plugin_name = 'server_audit';



To make the configuration persistent across restarts, add the following to your my.cnf:


[mysqld]


plugin-load-add = server_audit.so


server_audit_logging = ON


server_audit_events = CONNECT,QUERY,TABLE


server_audit_file_path = /var/log/mysql/server_audit.log


server_audit_file_rotate_size = 100M


server_audit_file_rotations = 10

How to Install and Configure MySQL Enterprise Audit Plugin

Prerequisites and Compatibility

The MySQL Enterprise Audit Plugin requires MySQL Enterprise Edition (commercial license). It is supported on MySQL 5.7, 8.0, 8.4, and 9.x. Verify your edition before proceeding:


SELECT @@version, @@license;


-- Must show 'Commercial' for Enterprise Edition

Installation Steps

-- Install the audit_log plugin


INSTALL PLUGIN audit_log SONAME 'audit_log.so';


-- Verify installation


SHOW PLUGINS;


SELECT plugin_name, plugin_status


FROM information_schema.plugins


WHERE plugin_name = 'audit_log';


-- Status must show 'ACTIVE'


If the INSTALL PLUGIN command returns an error, verify that the audit_log.so file exists in the MySQL plugin directory (SHOW VARIABLES LIKE 'plugin_dir') and that the MySQL user has file system permissions to load it.

Key Configuration Parameters

ParameterRecommended ValueDescription
audit_log_file/var/log/mysql/audit.logPath and filename for the audit log output
audit_log_formatJSONOutput format: JSON (recommended), XML (legacy), CSV
audit_log_rotate_on_size100MBAutomatic rotation when log reaches this size
audit_log_rotations10Number of rotated log files to retain
audit_log_strategyASYNCHRONOUSWrite strategy: ASYNCHRONOUS (lowest overhead), PERFORMANCE, SEMISYNCHRONOUS, SYNCHRONOUS
audit_log_buffer_size16MBBuffer size for async writes. Increase for high-throughput servers.

-- Apply configuration


SET GLOBAL audit_log_file = '/var/log/mysql/audit.log';


SET GLOBAL audit_log_format = 'JSON';


SET GLOBAL audit_log_rotate_on_size = 104857600;


SET GLOBAL audit_log_rotations = 10;


SET GLOBAL audit_log_strategy = 'ASYNCHRONOUS';


Audit Log Filtering

The Enterprise Audit Plugin supports granular filtering using the audit_log_filter functions. Filters control which events are recorded, reducing log volume and performance overhead.


-- Create a filter that logs only connection and DDL events


SELECT audit_log_filter_set_filter(


'connection_ddl_only',


'{"filter": {"class": [{"name": "connection"}, {"name": "general", "event": [{"name": "status", "log": {"on_completion": {"abort": {"log": true}, "status": {"log": true}}}}]}]}'


);



-- Assign the filter to a specific user


SELECT audit_log_filter_set_user('%', 'connection_ddl_only');



-- Remove all filtering (log everything)


SELECT audit_log_filter_remove_filter('connection_ddl_only');



Common filtering patterns include: logging all activity for privileged accounts (root, admin), logging only connection events for application service accounts, and excluding monitoring or health-check queries from the audit trail.

Log Format Options (XML, JSON, CSV)

JSON is the recommended format for new deployments. It provides structured, machine-parseable output that integrates cleanly with SIEM tools and log aggregation platforms. XML is the legacy format supported since MySQL 5.6. CSV is the simplest format but lacks nested event metadata.


Sample JSON output:


{


"timestamp": "2026-03-15T10:23:45Z",


"class": "general",


"event": "status",


"connection_id": 42,


"account": {"user": "app_user", "host": "10.0.1.50"},


"login": {"user": "app_user", "os": "", "ip": "10.0.1.50"},


"general_data": {"command": "Query", "sql_command": "select",


"query": "SELECT * FROM customers WHERE id = 1234"}


}

MySQL Audit Logs on Cloud Platforms

Each major cloud provider offers a native mechanism for enabling MySQL audit logging on their managed MySQL services. The following sections cover the implementation specifics for each platform.

AWS RDS and Aurora MySQL

On AWS RDS and Aurora MySQL, enable the server_audit_logging parameter in the DB parameter group. Set server_audit_events to CONNECT, QUERY, and TABLE as needed. Audit logs are published to Amazon CloudWatch Logs, where they can be queried, filtered, and forwarded to SIEM tools. Aurora MySQL also supports the advanced audit plugin with JSON output on MySQL 8.0+ compatible versions.

Azure Database for MySQL

On Azure Database for MySQL Flexible Server, enable audit logging by setting the audit_log_enabled server parameter to ON. Configure audit_log_events to specify which event types to capture. Audit logs are accessible through Azure Diagnostic Settings and can be streamed to Azure Log Analytics, Event Hubs, or a storage account for long-term retention and analysis.

Google Cloud SQL for MySQL

On Google Cloud SQL, enable the cloudsql.enable_data_access_audit flag on the instance. Audit events are captured in Cloud Audit Logs and accessible through the Cloud Logging console. Cloud SQL supports filtering by event type and integrating logs with BigQuery for analytical queries on audit data.

Simplified Multi-Cloud Auditing with Tessell

For organizations running MySQL across multiple clouds, Tessell provides a unified audit logging experience across AWS, Azure, GCP, and OCI. Rather than configuring audit logging separately on each platform with different parameter names and log destinations, Tessell abstracts the cloud-specific complexity into a consistent management interface. Tessell handles audit log configuration, rotation, storage, and retention automatically as part of its managed MySQL service. Combined with Tessell's ISO 27001, SOC 2, and PCI DSS v4.1 certifications, this provides end-to-end audit compliance without platform-specific configuration overhead.

Audit Log Management Best Practices

Log Rotation and Retention

Configure automatic log rotation to prevent audit logs from consuming excessive disk space. For the Enterprise Audit Plugin, use audit_log_rotate_on_size with a value of 100MB and retain 10 to 30 rotated files depending on your compliance retention requirements. For manual rotation, call the audit_log_rotate() function during maintenance windows. Define a retention policy that meets your regulatory requirements (GDPR typically requires 6 to 12 months; PCI DSS requires at least 12 months with 3 months immediately available).

Encryption and Tamper Protection

The MySQL Enterprise Audit Plugin supports audit log encryption to prevent unauthorized reading of log files. Enable encryption to protect sensitive query data captured in audit logs. Store audit logs on encrypted file systems and restrict file system access to the MySQL service account and authorized security personnel. Consider forwarding logs to a centralized, append-only log management system (SIEM) to provide tamper evidence.

Performance Optimization

Audit logging introduces write overhead. Use the ASYNCHRONOUS write strategy (audit_log_strategy = ASYNCHRONOUS) for the lowest performance impact. Increase the audit_log_buffer_size to 16MB or higher for servers handling thousands of queries per second. Use filtering to log only the events required for your compliance and security objectives, rather than logging all activity. In benchmark testing, asynchronous audit logging with appropriate filtering typically adds less than 2% overhead on high-throughput OLTP workloads.

Reading and Analyzing Audit Logs

JSON-format audit logs can be parsed with standard tools (jq, Python, Elasticsearch) or loaded into SIEM platforms (Splunk, Datadog, ELK Stack) for centralized analysis. For quick analysis, use MySQL shell commands to search for specific events:


# Search for failed login attempts


cat /var/log/mysql/audit.log | jq 'select(.class == "connection" and .event == "connect" and .general_data.status != 0)'



# Search for DDL statements


cat /var/log/mysql/audit.log | jq 'select(.general_data.sql_command | test("create|alter|drop"))'

Troubleshooting Common MySQL Audit Log Issues

IssueSolution
Plugin installation fails with "cannot open shared object file"Verify the .so file exists in the plugin directory (SHOW VARIABLES LIKE 'plugin_dir'). On Linux, check file permissions. For Community Edition, use server_audit.so instead of audit_log.so.
Audit log file not created after enablingCheck the directory path exists and the MySQL service account has write permissions. Verify audit_log_file is set correctly. Restart MySQL if the plugin was installed but the path was changed after startup.
Significant performance degradation after enablingSwitch from SYNCHRONOUS to ASYNCHRONOUS write strategy. Increase buffer_size. Apply filtering to reduce logged events. Ensure the audit log is on a separate disk from data files.
Permission denied errors in audit logThe MySQL user running the server must have read/write access to the audit log directory. On SELinux systems, add the audit log path to the MySQL SELinux context.
Audit log growing indefinitelyConfigure audit_log_rotate_on_size and audit_log_rotations. For Community Edition, set up a cron job with logrotate to manage file sizes.

Conclusion

MySQL audit logging is a foundational security and compliance capability for any production MySQL deployment. The right approach depends on your MySQL edition and deployment environment: the General Query Log provides basic visibility for development, the MariaDB Audit Plugin delivers practical audit logging for Community Edition production systems, and the MySQL Enterprise Audit Plugin provides the granular filtering, encryption, and format options that enterprise compliance requires.


For cloud deployments, each major platform offers native audit log integration with their respective monitoring and SIEM ecosystems. Organizations running MySQL across multiple clouds benefit from a unified approach that abstracts platform-specific configuration complexity.


Tessell's managed MySQL service provides automated audit log configuration, rotation, and retention across AWS, Azure, GCP, and OCI, backed by ISO 27001, SOC 2, and PCI DSS v4.1 certifications. For teams that need production-grade audit logging without the operational overhead of manual setup and maintenance, evaluate Tessell for MySQL as a next step.

FAQs
The method depends on your MySQL edition. For Enterprise Edition, install the audit_log plugin using INSTALL PLUGIN audit_log SONAME 'audit_log.so'. For Community Edition, install the MariaDB Audit Plugin (server_audit.so) and set server_audit_logging = ON. For managed cloud services (AWS RDS, Azure MySQL, GCP Cloud SQL), enable the audit logging parameter in the service configuration.
The general query log records every SQL statement the server receives, without filtering or structured metadata. The audit log plugin provides selective event recording with filtering, timestamps, user context, and structured output (JSON, XML, CSV). The general log is useful for debugging; the audit log is designed for security and compliance.
MySQL Community Edition does not include the Enterprise Audit Plugin. However, the MariaDB Audit Plugin (server_audit) is a free, open-source alternative that works with MySQL Community Edition and provides connection and query logging with basic filtering. The General Query Log is also available on all editions but is not suitable for production audit requirements.
With the Enterprise Audit Plugin using ASYNCHRONOUS write strategy and appropriate filtering, performance overhead is typically less than 2% on OLTP workloads. The General Query Log has the highest overhead because it logs all queries without filtering. The MariaDB Audit Plugin falls between the two. Use filtering to log only required events and increase the buffer size for high-throughput servers.
JSON-format audit logs can be parsed with command-line tools (jq, grep), loaded into SIEM platforms (Splunk, Datadog, ELK Stack), or queried in cloud-native log analytics services (CloudWatch, Azure Log Analytics, Cloud Logging). For quick searches, use jq to filter by event class, user, or SQL command type directly from the log file.