Description
Enable audit_log_enabled on MySQL flexible servers.
Rationale
Enabling audit_log_enabled helps MySQL to log items such as connection attempts, DDL/DML access, and other events. Log data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.
Impact
There are additional costs for log storage. For high-traffic databases, these logs can be significant. Determine your organization's needs before enabling.
Audit
From Azure Portal
- Log in to Azure Portal using https://portal.azure.com.
- Select Azure Database for MySQL Servers.
- For each database, under Settings, click Server parameters.
- In the filter bar, type audit_log_enabled.
- Ensure that the VALUE for audit_log_enabled is ON.
From Azure CLI
Ensure the following command returns a value of on:
az mysql flexible-server parameter show \
--resource-group {{resource-group-name}} \
--server-name {{server-name}} \
--name audit_log_enabled
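The command above checks one server at a time. The following added example (not part of the original benchmark text) runs the same query against every MySQL flexible server in the subscription currently selected in the Azure CLI and reports any server that is not confirmed ON. The function names and the `--run` switch are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: check audit_log_enabled on every MySQL flexible server in
# the subscription currently selected in the Azure CLI (requires `az login`).
TAB=$(printf '\t')

# Emit one "resource-group<TAB>server<TAB>value" line per server.
collect_audit_log_values() {
  az mysql flexible-server list --query "[].[resourceGroup,name]" -o tsv |
  while IFS="$TAB" read -r rg server; do
    # An empty value means the lookup failed (for example, missing permissions).
    value=$(az mysql flexible-server parameter show \
      --resource-group "$rg" --server-name "$server" \
      --name audit_log_enabled --query value -o tsv </dev/null 2>/dev/null) || value=""
    printf '%s\t%s\t%s\n' "$rg" "$server" "$value"
  done
}

# Read those lines on stdin, print a verdict per server, and return non-zero
# unless every server is confirmed ON. A failed lookup is never counted as a pass.
report_noncompliant() {
  failed=0
  while IFS="$TAB" read -r rg server value; do
    [ -n "$rg" ] || continue   # skip blank lines
    v=$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]' | tr -d '\r')
    case "$v" in
      on)  printf 'PASS\t%s/%s\n' "$rg" "$server" ;;
      off) printf 'FAIL\t%s/%s\n' "$rg" "$server"; failed=1 ;;
      *)   printf 'UNKNOWN\t%s/%s\n' "$rg" "$server"; failed=1 ;;
    esac
  done
  return "$failed"
}

# Hypothetical switch for this example: run the live audit with `--run`.
if [ "${1:-}" = "--run" ]; then
  collect_audit_log_values | report_noncompliant
fi
```

The non-zero exit status makes the script usable as a gate in a scheduled compliance job; UNKNOWN rows usually indicate that the identity running the check lacks read access to that server's configuration.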
From PowerShell
Ensure the following command returns a value of on:
Get-AzMySqlFlexibleServerConfiguration `
-ResourceGroupName {{resource-group-name}} `
-ServerName {{server-name}} `
-Name audit_log_enabled
Default Value
audit_log_enabled is set to OFF by default.
References
- https://learn.microsoft.com/en-us/azure/mysql/flexible-server/tutorial-configure-audit
- https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation
- https://learn.microsoft.com/en-us/azure/mysql/flexible-server/tutorial-configure-audit#configure-auditing-by-using-the-azure-cli