Description
Enable audit_log_enabled on MySQL flexible servers.
Rationale
Enabling audit_log_enabled lets MySQL Database log items such as connection attempts to the server, DDL/DML access, and more. Log data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.
Impact
Storing logs incurs additional cost. For high-traffic databases these logs will be significant. Determine your organization's needs before enabling.
Audit
From Azure Portal
- Log in to Azure Portal using https://portal.azure.com.
- Select Azure Database for MySQL Servers.
- For each database, under the Settings, click Server parameters.
- In the filter bar, type audit_log_enabled.
- Ensure that the VALUE for audit_log_enabled is ON.
From Azure CLI
Ensure the below command returns a value of on:
az mysql flexible-server parameter show --resource-group <resourceGroup> --server-name <serverName> --name audit_log_enabled
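The command above checks one server at a time. The following added example (not part of the original benchmark text) sweeps every flexible server in the current subscription and exits non-zero if any server fails. The function names and sample rows are constructed for illustration, and the live path assumes a prior az login and that the parameter's setting is exposed in the value field of the CLI output.

```shell
#!/bin/sh
# Added example: audit audit_log_enabled on every MySQL flexible server.
TAB=$(printf '\t')

# PASS only when the value is "on" in any letter case (the portal shows ON,
# the CLI check expects on); empty or missing values fail.
classify() {
  v=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -d '[:space:]')
  if [ "$v" = "on" ]; then echo PASS; else echo FAIL; fi
}

# Reads "resourceGroup<TAB>server<TAB>value" rows on stdin, prints one verdict
# per server, and returns non-zero if any server fails (usable as a CI gate).
report() {
  rc=0
  while IFS="$TAB" read -r rg name value; do
    [ -n "$name" ] || continue
    verdict=$(classify "$value")
    printf '%s\t%s/%s\taudit_log_enabled=%s\n' "$verdict" "$rg" "$name" "${value:-<unset>}"
    [ "$verdict" = PASS ] || rc=1
  done
  return "$rc"
}

# Live collection: needs a prior `az login`; reuses the parameter show command.
collect() {
  az mysql flexible-server list --query "[].[resourceGroup,name]" -o tsv |
  while IFS="$TAB" read -r rg name; do
    # A failed lookup yields an empty value, which report() marks as FAIL.
    value=$(az mysql flexible-server parameter show --resource-group "$rg" \
      --server-name "$name" --name audit_log_enabled \
      --query value -o tsv </dev/null 2>/dev/null) || value=""
    printf '%s\t%s\t%s\n' "$rg" "$name" "$value"
  done
}

# Constructed sample rows (not real servers) so the script runs offline.
sample_rows() {
  printf 'rg-app\tmysql-prod\tON\nrg-app\tmysql-dev\tOFF\nrg-data\tmysql-bi\ton\n'
}

if [ "${1:-}" = "--live" ]; then
  collect | report
else
  sample_rows | report || echo "non-compliant servers found (sample data)"
fi
```

Run with --live to query Azure; without arguments it evaluates only the constructed sample rows.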
From PowerShell
Ensure the below command returns a value of on:
Get-AzMySqlFlexibleServerConfiguration -ResourceGroupName <resourceGroup> -ServerName <serverName> -Name audit_log_enabled
Default Value
audit_log_enabled is set to OFF by default.
References
- https://learn.microsoft.com/en-us/azure/mysql/flexible-server/tutorial-configure-audit
- https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation
- https://learn.microsoft.com/en-us/azure/mysql/flexible-server/tutorial-configure-audit#configure-auditing-by-using-the-azure-cli