Auditing Queries
Use the audit logs to find out which users have run or tried to run queries and the tables that those queries have accessed or tried to access.
Each analytical query against a cluster is logged. An analytical query is a query that is issued against a published project, from a Thrift endpoint, or from an XMLA endpoint. Queries from the Design Center for data previews and queries for setting up or testing connections are not audited.
How log files are managed
The log file, `audit.log`, is located in the path `/opt/atscale/log/engine/` on the AtScale server. It is rotated daily.
Old log files are compressed and given the name `audit.yyyy-mm-dd.log.gz`. Ninety days of old log files are retained.
Content of log entries
Each entry in the audit log contains the following key/value pairs.
Note: Due to the removal of environments in AtScale 7.4.0, the Environment ID field is no longer written to the query audit logs.
Key | Value |
---|---|
queryID | A string that identifies the query. |
allowed | A Boolean value that indicates whether the user had permission to execute the query. Values: true \| false |
isCanary | A Boolean value that indicates whether the query was a canary query. Values: true \| false |
service or user | The name of the service or the user ID that executed or attempted to execute the query. |
ip | The IP address of the client that executed or attempted to execute the query. This name/value pair does not appear for queries that are issued by services. |
org_id | The name of the organization under which the query was executed or attempted to be executed. |
project_id | The name of the project against which the query was executed or attempted to be executed. This name/value pair might be missing for some queries. |
tables_read | The names of the tables that the query accessed or attempted to access. If the query is against a query dataset, the value is the text of the query. |
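
One way to review these entries for denied access attempts, as an added example that is not AtScale's own code: it groups denied, non-canary queries by principal and client IP across the live log and the rotated `.gz` files. The one-line `key=value` layout, the separate `user` and `service` key names, the function names and the sample lines are assumptions, because the page lists the keys but not the on-disk format.

```python
import gzip
import re
from collections import defaultdict
from pathlib import Path

# ASSUMPTION: one entry per line, as key=value or key="value" pairs. The page
# lists the keys but not the on-disk layout; adjust PAIR to the real format.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample lines, not real AtScale output.
SAMPLE = [
    'queryID=q-001 allowed=true isCanary=false user=alice ip=10.0.0.5 org_id=default project_id=Sales tables_read="orders,customers"',
    'queryID=q-002 allowed=false isCanary=false user=bob ip=10.0.0.9 org_id=default project_id=Finance tables_read="payroll"',
    'queryID=q-003 allowed=false isCanary=true service=engine org_id=default tables_read="orders"',
    'queryID=q-004 allowed=false isCanary=false user=bob ip=10.0.0.9 org_id=default tables_read="SELECT * FROM hr.salaries"',
]

def parse_entry(line):
    """Return the key/value pairs found on one audit log line."""
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}

def read_lines(path):
    """Yield lines from audit.log or a rotated audit.yyyy-mm-dd.log.gz file."""
    opener = gzip.open if Path(path).suffix == ".gz" else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as handle:
        yield from handle

def denied_queries(lines):
    """Group denied, non-canary queries by (principal, client IP)."""
    denied = defaultdict(list)
    for line in lines:
        entry = parse_entry(line)
        if entry.get("allowed") != "false" or entry.get("isCanary") == "true":
            continue
        # "user" and "service" as separate key names are an assumption.
        who = entry.get("user") or entry.get("service") or "<unknown>"
        # ip is absent for service-issued queries; project_id might be missing.
        denied[(who, entry.get("ip", "-"))].append(
            (entry.get("queryID"), entry.get("project_id", "-"), entry.get("tables_read", "")))
    return dict(denied)

def scan_directory(log_dir="/opt/atscale/log/engine"):
    """Run denied_queries over the live log and all retained rotated logs."""
    files = sorted(Path(log_dir).glob("audit*.log*"))
    return denied_queries(line for f in files for line in read_lines(f))

if __name__ == "__main__":
    for (who, ip), hits in denied_queries(SAMPLE).items():
        print(f"{who} from {ip}: {len(hits)} denied -> {hits}")
```

Repeated denials from one principal and IP, or denied entries whose `tables_read` holds raw query text, are the rows to look at first.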