8.4.7.4 Audit Log Component File Format

The MySQL server calls the audit log component to write an audit record to its log file whenever an auditable event occurs. Typically the first audit record written after component startup contains the server description and startup options. Elements following that one represent events such as client connect and disconnect events, executed SQL statements, and so forth. Only top-level statements are logged, not statements within stored programs such as triggers or stored procedures. Contents of files referenced by statements such as LOAD DATA are not logged.

Note

The audit log component only allows output files in JSON format.

JSON Audit Log File Format

For JSON-format audit logging, the log file contents form a JSON array with each array element representing an audited event as a JSON hash of key-value pairs. Examples of complete event records appear later in this section. The following is an excerpt of partial events:

[
  {
    "timestamp": "2019-10-03 13:50:01",
    "id": 0,
    "class": "audit",
    "event": "startup",
    ...
  },
  {
    "timestamp": "2019-10-03 15:02:32",
    "id": 0,
    "class": "connection",
    "event": "connect",
    ...
  },
  ...
  {
    "timestamp": "2019-10-03 17:37:26",
    "id": 0,
    "class": "table_access",
    "event": "insert",
      ...
  }
  ...
]

The audit log file is written using UTF-8 (up to 4 bytes per character). When the audit log component begins writing a new log file, it writes the opening [ array marker. When the component closes a log file, it writes the closing ] array marker. The closing marker is not present while the file is open.

Items within audit records have these characteristics:

Some items appear in every audit record. Others are optional and may appear depending on the audit record type.
Order of items within an audit record is not guaranteed.
Item values are not fixed length. Long values may be truncated as indicated in the item descriptions given later.
The " and \ characters are encoded as \" and \\, respectively.

JSON format supports the optional query time and size statistics. This data is available in the slow query log for qualifying queries, and in the context of the audit log it similarly helps to detect outliers for activity analysis.

To add the query statistics to the log file, you must set them up as a filter using the audit_log_filter_set_filter() audit log function as the service element of the JSON filtering syntax. For instructions to do this, see Adding Query Statistics for Outlier Detection. For the bytes_sent and bytes_received fields to be populated, the system variable log_slow_extra must be set to ON.

The following examples show the JSON object formats for different event types (as indicated by the class and event items), reformatted slightly for readability:

Auditing startup event:

{ "timestamp": "2025-10-03 14:21:56",
  "id": 0,
  "class": "audit",
  "event": "startup",
  "connection_id": 0,
  "startup_data": { "server_id": 1,
                    "os_version": "i686-Linux",
                    "mysql_version": "9.6.0-log",
                    "args": ["/usr/local/mysql/bin/mysqld",
                             "--loose-audit-log-format=JSON",
                             "--log-error=log.err",
                             "--pid-file=mysqld.pid",
                             "--port=3306" ] } }

When the audit log component starts as a result of server startup (as opposed to being enabled at runtime), connection_id is set to 0, and account and login are not present.

Auditing shutdown event:

{ "timestamp": "2025-10-03 14:28:20",
  "id": 3,
  "class": "audit",
  "event": "shutdown",
  "connection_id": 0,
  "shutdown_data": { "server_id": 1 } }

When the audit log component is uninstalled as a result of server shutdown (as opposed to being disabled at runtime), connection_id is set to 0, and account and login are not present.

Connect or change-user event:

{ "timestamp": "2025-10-03 14:23:18",
  "id": 1,
  "class": "connection",
  "event": "connect",
  "connection_id": 5,
  "account": { "user": "root", "host": "localhost" },
  "login": { "user": "root", "os": "", "ip": "::1", "proxy": "" },
  "connection_data": { "connection_type": "ssl",
                       "status": 0,
                       "db": "test",
                       "connection_attributes": {
                         "_pid": "43236",
                         ...
                         "program_name": "mysqladmin"
                       } }
}

Disconnect event:

{ "timestamp": "2025-10-03 14:24:45",
  "id": 3,
  "class": "connection",
  "event": "disconnect",
  "connection_id": 5,
  "account": { "user": "root", "host": "localhost" },
  "login": { "user": "root", "os": "", "ip": "::1", "proxy": "" },
  "connection_data": { "connection_type": "ssl" } }

Query event:

{ "timestamp": "2025-10-03 14:23:35",
  "id": 2,
  "class": "general",
  "event": "status",
  "connection_id": 5,
  "account": { "user": "root", "host": "localhost" },
  "login": { "user": "root", "os": "", "ip": "::1", "proxy": "" },
  "general_data": { "command": "Query",
                    "sql_command": "show_variables",
                    "query": "SHOW VARIABLES",
                    "status": 0 } }

Query event with optional query statistics for outlier detection:

{ "timestamp": "2025-01-28 13:09:30", 
  "id": 0, 
  "class": "general", 
  "event": "status", 
  "connection_id": 46, 
  "account": { "user": "user", "host": "localhost" }, 
  "login": { "user": "user", “os": "", “ip": "127.0.0.1", “proxy": "" }, 
  "general_data": { "command": "Query", 
                    "sql_command": "insert",
	            "query": "INSERT INTO audit_table VALUES(4)",
	            "status": 1146 }
  "query_statistics": { "query_time": 0.116250,
                        "bytes_sent": 18384,
                        "bytes_received": 78858,
                        "rows_sent": 3,
                        "rows_examined": 20878 } }

Table access event (read, delete, insert, update):

{ "timestamp": "2025-10-03 14:23:41",
  "id": 0,
  "class": "table_access",
  "event": "insert",
  "connection_id": 5,
  "account": { "user": "root", "host": "localhost" },
  "login": { "user": "root", "os": "", "ip": "127.0.0.1", "proxy": "" },
  "table_access_data": { "db": "test",
                         "table": "t1",
                         "query": "INSERT INTO t1 (i) VALUES(1),(2),(3)",
                         "sql_command": "insert" } }

The items in the following list appear at the top level of JSON-format audit records: Each item value is either a scalar or a JSON hash. For items that have a hash value, the description lists only the item names within that hash. For more complete descriptions of second-level hash items, see later in this section.

account
The MySQL account associated with the event. The value is a hash containing these items equivalent to the value of the CURRENT_USER() function within the section: user, host.
Example:
```
"account": { "user": "root", "host": "localhost" }
```

class

A string representing the event class. The class defines the type of event, when taken together with the event item that specifies the event subclass.

Example:

"class": "connection"

The following table shows the permitted combinations of class and event values.

Table 8.46 Audit Log Class and Event Combinations

Class Value	Permitted Event Values
`audit`	`startup`, `shutdown`
`connection`	`connect`, `change_user`, `disconnect`
`general`	`status`
`table_access_data`	`read`, `delete`, `insert`, `update`

connection_data
Information about a client connection. The value is a hash containing these items: connection_type, status, db, and possibly connection_attributes. This item occurs only for audit records with a class value of connection.
Example:
```
"connection_data": { "connection_type": "ssl",
                     "status": 0,
                     "db": "test" }
```
Events with a class value of connection and event value of connect may include a connection_attributes item to display the connection attributes passed by the client at connect time. (For information about these attributes, which are also exposed in Performance Schema tables, see Section 29.12.9, “Performance Schema Connection Attribute Tables”.)
The connection_attributes value is a hash that represents each attribute by its name and value.
Example:
```
"connection_attributes": {
  "_pid": "43236",
  "_os": "macos0.14",
  "_platform": "x86_64",
  "_client_version": "8.4.0",
  "_client_name": "libmysql",
  "program_name": "mysqladmin"
}
```
If no connection attributes are present in the event, none are logged and no connection_attributes item appears. This can occur if the connection attempt is unsuccessful, the client passes no attributes, or the connection occurs internally such as during server startup or when initiated by a plugin.
connection_id
An unsigned integer representing the client connection identifier. This is the same as the value returned by the CONNECTION_ID() function within the session.
Example:
```
"connection_id": 5
```
event
A string representing the subclass of the event class. The subclass defines the type of event, when taken together with the class item that specifies the event class. For more information, see the class item description.
Example:
```
"event": "connect"
```
general_data
Information about an executed statement or command. The value is a hash containing these items: command, sql_command, query, status. This item occurs only for audit records with a class value of general.
Example:
```
"general_data": { "command": "Query",
                  "sql_command": "show_variables",
                  "query": "SHOW VARIABLES",
                  "status": 0 }
```
id
An unsigned integer representing an event ID.
Example:
```
"id": 2
```
For audit records that have the same timestamp value, their id values distinguish them and form a sequence. Within the audit log, timestamp/id pairs are unique. These pairs are bookmarks that identify event locations within the log.
login
Information indicating how a client connected to the server. The value is a hash containing these items: user, os, ip, proxy.
Example:
```
"login": { "user": "root", "os": "", "ip": "::1", "proxy": "" }
```
query_statistics
Optional query statistics for outlier detection. The value is a hash containing these items: query_time, rows_sent, rows_examined, bytes_received, bytes_sent. For instructions to set up the query statistics, see Adding Query Statistics for Outlier Detection.
Example:
```
"query_statistics": { "query_time": 0.116250,
                      "bytes_sent": 18384,
                      "bytes_received": 78858,
                      "rows_sent": 3,
                      "rows_examined": 20878 }
```
shutdown_data
Information pertaining to audit log component termination. The value is a hash containing these items: server_id This item occurs only for audit records with class and event values of audit and shutdown, respectively.
Example:
```
"shutdown_data": { "server_id": 1 }
```

startup_data

Information pertaining to audit log component initialization. The value is a hash containing these items: server_id, os_version, mysql_version, args. This item occurs only for audit records with class and event values of audit and startup, respectively.

Example:

"startup_data": { "server_id": 1,
                  "os_version": "i686-Linux",
                  "mysql_version": "5.7.21-log",
                  "args": ["/usr/local/mysql/bin/mysqld",
                           "--log-error=log.err",
                           "--pid-file=mysqld.pid",
                           "--port=3306" ] }

table_access_data
Information about an access to a table. The value is a hash containing these items: db, table, query, sql_command, This item occurs only for audit records with a class value of table_access.
Example:
```
"table_access_data": { "db": "test",
                       "table": "t1",
                       "query": "INSERT INTO t1 (i) VALUES(1),(2),(3)",
                       "sql_command": "insert" }
```
time
This field is similar to that in the timestamp field, but the value is an integer and represents the UNIX timestamp value indicating the date and time when the audit event was generated.
Example:
```
"time" : 1618498687
```
The time field occurs in files only if the audit_log.format_unix_timestamp system variable is enabled.
timestamp
A string representing a UTC value in YYYY-MM-DD hh:mm:ss format indicating the date and time when the audit event was generated. For example, the event corresponding to execution of an SQL statement received from a client has a timestamp value occurring after the statement finishes, not when it was received.
Example:
```
"timestamp": "2019-10-03 13:50:01"
```
For audit records that have the same timestamp value, their id values distinguish them and form a sequence. Within the audit log, timestamp/id pairs are unique. These pairs are bookmarks that identify event locations within the log.

These items appear within hash values associated with top-level items of JSON-format audit records:

args
An array of options that were given on the command line or in option files when the MySQL server was started. The first option is the path to the server executable.
Example:
```
"args": ["/usr/local/mysql/bin/mysqld",
         "--log-error=log.err",
         "--pid-file=mysqld.pid",
         "--port=3306" ]
```
bytes_received
The number of bytes received from the client. This item is part of the optional query statistics. For this field to be populated, the system variable log_slow_extra must be set to ON.
Example:
```
"bytes_received": 78858
```
bytes_sent
The number of bytes sent to the client. This item is part of the optional query statistics. For this field to be populated, the system variable log_slow_extra must be set to ON.
Example:
```
"bytes_sent": 18384
```
command
A string representing the type of instruction that generated the audit event, such as a command that the server received from a client.
Example:
```
"command": "Query"
```
connection_type
The security state of the connection to the server. Permitted values are tcp/ip (TCP/IP connection established without encryption), ssl (TCP/IP connection established with encryption), socket (Unix socket file connection), named_pipe (Windows named pipe connection), and shared_memory (Windows shared memory connection).
Example:
```
"connection_type": "tcp/tcp"
```
db
A string representing a database name. For connection_data, it is the default database. For table_access_data, it is the table database.
Example:
```
"db": "test"
```
host
A string representing the client host name.
Example:
```
"host": "localhost"
```
ip
A string representing the client IP address.
Example:
```
"ip": "::1"
```
mysql_version
A string representing the MySQL server version. This is the same as the value of the VERSION() function or version system variable.
Example:
```
"mysql_version": "9.6.0-log"
```
os
A string representing the external user name used during the authentication process, as set by the component used to authenticate the client. With native (built-in) MySQL authentication, or if the component does not set the value, this attribute is empty. The value is the same as that of the external_user system variable. See Section 8.2.19, “Proxy Users”.
Example:
```
"os": "jeffrey"
```
os_version
A string representing the operating system on which the server was built or is running.
Example:
```
"os_version": "i686-Linux"
```
proxy
A string representing the proxy user (see Section 8.2.19, “Proxy Users”). The value is empty if user proxying is not in effect.
Example:
```
"proxy": "developer"
```
query
A string representing the text of an SQL statement. The value can be empty. Long values may be truncated. The string, like the audit log file itself, is written using UTF-8 (up to 4 bytes per character), so the value may be the result of conversion. For example, the original statement might have been received from the client as an SJIS string.
Example:
```
"query": "DELETE FROM t1"
```
query_time
The query execution time in microseconds (if the longlong data type is selected) or seconds (if the double data type is selected). This item is part of the optional query statistics.
Example:
```
"query_time": 0.116250
```
rows_examined
The number of rows accessed during the query. This item is part of the optional query statistics.
Example:
```
"rows_examined": 20878
```
rows_sent
The number of rows sent to the client as a result. This item is part of the optional query statistics.
Example:
```
"rows_sent": 3
```
server_id
An unsigned integer representing the server ID. This is the same as the value of the server_id system variable.
Example:
```
"server_id": 1
```
sql_command
A string that indicates the SQL statement type.
Example:
```
"sql_command": "insert"
```
The values correspond to the statement/sql/xxx command counters. For example, xxx is drop_table and select for DROP TABLE and SELECT statements, respectively. The following statement displays the possible names:
```
SELECT REPLACE(EVENT_NAME, 'statement/sql/', '') AS name
FROM performance_schema.events_statements_summary_global_by_event_name
WHERE EVENT_NAME LIKE 'statement/sql/%'
ORDER BY name;
```
status
An unsigned integer representing the command status: 0 for success, nonzero if an error occurred. This is the same as the value of the mysql_errno() C API function.
The audit log does not contain the SQLSTATE value or error message. To see the associations between error codes, SQLSTATE values, and messages, see Server Error Message Reference.
Warnings are not logged.
Example:
```
"status": 1051
```
table
A string representing a table name.
Example:
```
"table": "t1"
```
user
A string representing a user name. The meaning differs depending on the item within which user occurs:
- Within account items, user is a string representing the user that the server authenticated the client as. This is the user name that the server uses for privilege checking.
- Within login items, user is a string representing the user name sent by the client.
Example:
```
"user": "root"
```