Skip to main content

πŸ›‘οΈ Azure MySQL Flexible Server audit_log_enabled Parameter is not set to ON🟒

  • Contextual name: πŸ›‘οΈ Flexible Server audit_log_enabled Parameter is not set to ON🟒
  • ID: /ce/ca/azure/mysql-database/flexible-server-audit-log-enabled-parameter
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: RELIABILITY, PERFORMANCE

Logic​

Description​

Open File

Description​

Enable audit_log_enabled on MySQL flexible servers.

Rationale​

Enabling audit_log_enabled helps MySQL to log items such as connection attempts, DDL/DML access, and other events. Log data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.

Impact​

There are additional costs for log storage. For high-traffic databases, these logs can be significant. Determine your organization's needs before enabling.

Audit​

From Azure Portal​
  1. Log in to Azure Portal using https://portal.azure.com.
  2. Select Azure Database for MySQL Servers.
  3. For each database, under the Settings, click Server parameters.
  4. In the filter bar, type audit_log_enabled.
  5. Ensure that the VALUE for audit_log_enabled is ON.
From Azure CLI​

Ensure the following command returns a value of on:

az mysql flexible-server parameter show \
    --resource-group {{resource-group-name}} \
    --server-name {{server-name}} \
    --name audit_log_enabled
From PowerShell​

... see more

Remediation​

Open File

Remediation​

From Azure Portal​

Part 1 - Turn on audit logs​
  1. Log in to Azure Portal using https://portal.azure.com.
  2. Go to Azure Database for MySQL flexible servers.
  3. For each database, under Settings, click Server parameters.
  4. Set audit_log_enabled to ON.
  5. Click Save.
Part 2 - Capture audit logs (diagnostic settings are examples only, send these logs to the appropriate data sink for your logging needs)​
  1. Under Monitoring, select Diagnostic settings.
  2. Select + Add diagnostic setting.
  3. Provide a diagnostic setting name.
  4. Under Categories, select MySQL Audit Logs.
  5. Specify destination details.
  6. Click Save.

It may take up to 10 minutes for the logs to appear in the configured destination.

From Azure CLI​

Use the following command to enable audit_log_enabled:

az mysql flexible-server parameter set \
    --resource-group {{resource-group-name}} \
    --server-name {{server-name}} \
    --name audit_log_enabled \
    --value on

From PowerShell​

Use the following command to enable audit_log_enabled:

... see more

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
πŸ’Ό CIS Azure v3.0.0 β†’ πŸ’Ό 5.3.3 Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL flexible server (Automated)1no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Logging and Monitoring Configuration75no data