
Caution

You're viewing documentation for a previous version. Switch to the latest stable version.

ScyllaDB Auditing Guide

Auditing allows the administrator to monitor activities on a Scylla cluster, including queries and data changes. The information is sent to Syslog or stored in a Scylla table.

Prerequisite

Enable ScyllaDB Authentication and Authorization.

Enabling Audit

By default, auditing is disabled. Enabling auditing is controlled by the audit: parameter in the scylla.yaml file. You can set the following options:

  • none - Audit is disabled (default).

  • table - Audit is enabled, and messages are stored in a Scylla table.

  • syslog - Audit is enabled, and messages are sent to Syslog.

Configuring any other value results in an error at Scylla startup.

Configuring Audit

The audit can be tuned using the following flags or scylla.yaml entries:

 Flag             | Default Value        | Description
------------------+----------------------+-------------
 audit_categories | "DCL,DDL,AUTH,ADMIN" | Comma-separated list of statement categories that should be audited
 audit_tables     | ""                   | Comma-separated list of table names that should be audited, in the format of <keyspacename>.<tablename>
 audit_keyspaces  | ""                   | Comma-separated list of keyspaces that should be audited. You must specify at least one keyspace. If you leave this option empty, no keyspace will be audited.

To audit all the tables in a keyspace, set audit_keyspaces to the keyspace you want to audit and leave audit_tables empty.

You can use DCL, AUTH, and ADMIN audit categories without including any keyspace or table.

audit_categories parameter description

 Parameter | Description
-----------+-------------
 AUTH      | Logs login events
 DML       | Logs insert, update, delete, and other data manipulation language (DML) events
 DDL       | Logs object and role create, alter, drop, and other data definition language (DDL) events
 DCL       | Logs grant, revoke, create role, drop role, and list roles events
 QUERY     | Logs all queries
 ADMIN     | Logs service level operations: create, alter, drop, attach, detach, list. For service level auditing.

Note that auditing every DML or QUERY statement might impact performance and consume a lot of storage.
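The rules in this section can be checked before a restart. The following is an added example, not ScyllaDB code: it reads only flat top-level `audit*` keys from the text of a scylla.yaml file, and the function names and finding messages are hypothetical. It relies on the guide's statement that only DCL, AUTH, and ADMIN work without a keyspace or table selected.

```python
import re

VALID_BACKENDS = {"none", "table", "syslog"}
VALID_CATEGORIES = {"AUTH", "DML", "DDL", "DCL", "QUERY", "ADMIN"}
# Categories the guide says work without any keyspace or table selected.
SCOPE_FREE = {"DCL", "AUTH", "ADMIN"}
DEFAULTS = {"audit": "none", "audit_categories": "DCL,DDL,AUTH,ADMIN",
            "audit_tables": "", "audit_keyspaces": ""}

def read_audit_settings(yaml_text):
    """Pick up flat top-level audit* keys; not a general YAML parser."""
    settings = dict(DEFAULTS)
    for line in yaml_text.splitlines():
        m = re.match(r'^(audit\w*)\s*:\s*"?([^"#]*)"?\s*(#.*)?$', line)
        if m and m.group(1) in settings:
            settings[m.group(1)] = m.group(2).strip()
    return settings

def split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def lint_audit(yaml_text):
    """Return a list of findings for the audit settings in a scylla.yaml text."""
    s = read_audit_settings(yaml_text)
    if s["audit"] not in VALID_BACKENDS:
        return [f"audit={s['audit']!r} is invalid: Scylla errors at startup"]
    if s["audit"] == "none":
        return ["auditing is disabled"]
    findings = []
    cats = set(split_list(s["audit_categories"]))
    keyspaces = set(split_list(s["audit_keyspaces"]))
    tables = split_list(s["audit_tables"])
    for c in sorted(cats - VALID_CATEGORIES):
        findings.append(f"{c} is not a documented category")
    scoped = sorted(cats & (VALID_CATEGORIES - SCOPE_FREE))
    if scoped and not keyspaces and not tables:
        findings.append(f"{','.join(scoped)} selected, but audit_keyspaces "
                        "and audit_tables are both empty")
    for t in tables:
        if not re.fullmatch(r"\w+\.\w+", t):
            findings.append(f"audit_tables entry {t!r} is not <keyspace>.<table>")
        elif t.split(".")[0] in keyspaces:
            findings.append(f"{t} is redundant: its keyspace is fully audited")
    for c in sorted(cats & {"DML", "QUERY"}):
        findings.append(f"{c} auditing may cost performance and storage")
    return findings

# Constructed sample: DML selected with no keyspace or table in scope.
SAMPLE = 'audit: "table"\naudit_categories: "DML,AUTH"\n'
print(lint_audit(SAMPLE))
```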

Configuring Audit Storage

Auditing messages can be sent to Syslog or stored in a Scylla table. Currently, auditing messages can only be saved to one location at a time. You cannot log to both a table and the Syslog.

Storing Audit Messages in Syslog

Procedure

  1. Set the audit parameter in the scylla.yaml file to syslog.

    For example:

    # audit setting
    # by default, Scylla does not audit anything.
    # It is possible to enable auditing to the following places:
    #   - audit.audit_log column family by setting the flag to "table"
    audit: "syslog"
    #
    # List of statement categories that should be audited.
    audit_categories: "DCL,DDL,AUTH"
    #
    # List of tables that should be audited.
    audit_tables: "mykeyspace.mytable"
    #
    # List of keyspaces that should be fully audited.
    # All tables in those keyspaces will be audited
    audit_keyspaces: "mykeyspace"
    
  2. Restart the Scylla node.

    sudo systemctl restart scylla-server

    Or, for a Docker deployment (without restarting the some-scylla container):

    docker exec -it some-scylla supervisorctl restart scylla

By default, audit messages are written to the same destination as Scylla logging, with scylla-audit as the process name.

Logging output example (drop table):

Mar 18 09:53:52 ip-10-143-2-108 scylla-audit[28387]: "10.143.2.108", "DDL", "ONE", "team_roster", "nba", "DROP TABLE nba.team_roster ;", "127.0.0.1", "anonymous", "false"

To redirect the Syslog output to a file, follow the steps below (available only for CentOS):

  1. Install rsyslog:

    sudo dnf install rsyslog

  2. Edit /etc/rsyslog.conf and append the following line to the file:

    if $programname contains 'scylla-audit' then /var/log/scylla-audit.log

  3. Start rsyslog:

    systemctl start rsyslog

  4. Enable rsyslog:

    systemctl enable rsyslog
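Once the messages land in a file, they can be parsed and triaged. The following is an added example, not ScyllaDB code: the field order is inferred by lining up the logging output example above with the audit.audit_log columns, the function names are hypothetical, and all sample lines except the first are constructed.

```python
import csv
import re

# Field order inferred by lining up the guide's syslog example with the
# audit.audit_log columns; an assumption, not a documented format.
FIELDS = ("node", "category", "consistency", "table_name", "keyspace_name",
          "operation", "source", "username", "error")
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) "
                     r"scylla-audit\[\d+\]: (?P<payload>.*)$")

def parse_audit_line(line):
    """Return an event dict, None for non-audit lines; ValueError if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    values = next(csv.reader([m.group("payload")], skipinitialspace=True))
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    event = dict(zip(FIELDS, values), ts=m.group("ts"), host=m.group("host"))
    event["error"] = event["error"].lower() == "true"
    return event

def triage(lines):
    """Flag failed operations and DROP statements; count malformed audit lines."""
    alerts, malformed = [], 0
    for line in lines:
        try:
            ev = parse_audit_line(line)
        except ValueError:
            malformed += 1
            continue
        if ev is None:
            continue
        who = (ev["username"], ev["source"])
        if ev["error"]:
            alerts.append(("failed", ev["category"]) + who)
        elif ev["category"] == "DDL" and ev["operation"].upper().startswith("DROP "):
            alerts.append(("drop", ev["operation"]) + who)
    return alerts, malformed

SAMPLE = [
    # From the guide:
    'Mar 18 09:53:52 ip-10-143-2-108 scylla-audit[28387]: "10.143.2.108", "DDL", "ONE", "team_roster", "nba", "DROP TABLE nba.team_roster ;", "127.0.0.1", "anonymous", "false"',
    # Constructed (field contents for a failed login are assumed):
    'Mar 18 09:55:01 ip-10-143-2-108 scylla-audit[28387]: "10.143.2.108", "AUTH", "", "", "", "LOGIN", "10.0.0.7", "alice", "true"',
    # Constructed: an ordinary server log line and a truncated audit line.
    'Mar 18 09:55:02 ip-10-143-2-108 scylla[28387]: [shard 0] compaction - done',
    'Mar 18 09:55:03 ip-10-143-2-108 scylla-audit[28387]: "10.143.2.108", "DML"',
]
print(triage(SAMPLE))
```

Malformed audit lines are counted rather than dropped so that a parsing gap shows up as a number instead of as missing events.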

Storing Audit Messages in a Table

Messages are stored in a Scylla table named audit.audit_log.

For example:

CREATE TABLE IF NOT EXISTS audit.audit_log (
      date timestamp,
      node inet,
      event_time timeuuid,
      category text,
      consistency text,
      table_name text,
      keyspace_name text,
      operation text,
      source inet,
      username text,
      error boolean,
      PRIMARY KEY ((date, node), event_time));

Note

The schema of audit.audit_log has been migrated in the 2024.2 version from SimpleStrategy RF=1 to NetworkTopologyStrategy RF=3:

  • By default every DC will contain 3 audit replicas. If a new DC is added, in order for it to also contain audit replicas, audit’s schema has to be manually altered.

  • CL for writes is still equal to 1, which implies that reading audit rows with CL=Quorum may fail, which is especially true for clusters with fewer than 3 nodes.

Procedure

  1. Set the audit parameter in the scylla.yaml file to table.

    For example:

    # audit setting
    # by default, Scylla does not audit anything.
    # It is possible to enable auditing to the following places:
    #   - audit.audit_log column family by setting the flag to "table"
    audit: "table"
    #
    # List of statement categories that should be audited.
    audit_categories: "DCL,DDL,AUTH"
    #
    # List of tables that should be audited.
    audit_tables: "mykeyspace.mytable"
    #
    # List of keyspaces that should be fully audited.
    # All tables in those keyspaces will be audited
    audit_keyspaces: "mykeyspace"
    
  2. Restart the Scylla node.

    sudo systemctl restart scylla-server

    Or, for a Docker deployment (without restarting the some-scylla container):

    docker exec -it some-scylla supervisorctl restart scylla

    Table output example (drop table):

    SELECT * FROM audit.audit_log ;
    

    returns:

     date                    | node         | event_time                           | category | consistency | error | keyspace_name | operation                    | source          | table_name  | username |
    -------------------------+--------------+--------------------------------------+----------+-------------+-------+---------------+------------------------------+-----------------+-------------+----------+
    2018-03-18 00:00:00+0000 | 10.143.2.108 | 3429b1a5-2a94-11e8-8f4e-000000000001 |      DDL |         ONE | False |           nba | DROP TABLE nba.team_roster ; | 127.0.0.1       | team_roster | Scylla   |
    (1 row)
    

Handling Audit Failures

In some cases, auditing may not be possible, for example, when:

  • A table is used as the audit’s backend, and the audit partition where the audit row is saved is not available because the node that holds this partition is down.

  • Syslog is used as the audit’s backend, and the Syslog sink (a regular unix socket) is unresponsive/unavailable.

If the audit fails and audit messages are not stored in the configured audit’s backend, you can still review the audit log in the regular ScyllaDB logs.

The following example shows audit information in the regular ScyllaDB logs in the case when the Syslog backend is broken (for example, because the socket was closed) and you tried to connect to a node with incorrect credentials:

ERROR 2024-01-15 14:09:41,516 [shard 0:sl:d] audit - Unexpected exception when writing login log with: node_ip <IP:port> client_ip <IP:port> username <username> error true exception audit::audit_exception (Starting syslog audit backend failed (sending a message to <socket_path> resulted in sendto: No such file or directory).)

Additional Resources

  • Authorization

  • Authentication

Last updated on 09 Apr 2025.