This document introduces the legacy audit rules for SQL Insight (Database Audit) in TencentDB for MySQL.
Rule Content
The following types of settings are supported:
Client IP address, database account, and database name can be matched using the [Include] or [Exclude] operation.
The Full Audit Rule is a special rule that audits all statements when it is enabled.
Rule Operations
The relationship between different SQL types within each rule is AND (&&). The SQL types are additional restrictive conditions.
Rules are related to each other by an OR (||) relationship.
You can specify one or more audit rules for each instance. A statement that matches any of the rules is audited. For example, if Rule A audits only statements by user1 with an execution time >= 1 second and Rule B audits statements by user1 with an execution time < 1 second, then all statements by user1 are audited.
Rule Details
For client IP address, database account, and database name, the [Include] or [Exclude] operation is supported, and only one operator can be set at a time.
Description of Database Names
If the statement is one of the following table object types:
SQLCOM_SELECT, SQLCOM_CREATE_TABLE, SQLCOM_CREATE_INDEX, SQLCOM_ALTER_TABLE,
SQLCOM_UPDATE, SQLCOM_INSERT, SQLCOM_INSERT_SELECT, SQLCOM_DELETE, SQLCOM_TRUNCATE, SQLCOM_DROP_TABLE
then the database name used for rule evaluation is the database that the statement actually operates on. For example, suppose the current database is db3 (selected with use db3) and the statement is:
select * from db1.test, db2.test;
The rule evaluation will use db1 and db2 as the target databases. If the rule is configured to audit database db1, the operation will be audited; if the rule is configured to audit db3, it will not be audited.
For statements that are not of the table object type mentioned above, the rule evaluation uses the current database specified by the USE statement as the target database. For example, if the current database is set to db1 using the USE statement and the executed statement is show databases, then db1 is used as the target database for rule evaluation. If the rule is configured to audit db1, the operation will be audited.
Special Notes
Only one value can be specified for [Include] or [Exclude]; if multiple values are written, they will be treated as a single string, resulting in incorrect matching.
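The matching behaviour described above (AND inside a rule, OR between rules, target-database resolution, and the single-value restriction) can be modelled as follows. This is an added example, not TencentDB code: the rule and statement dictionaries, the function names, and the sample values are constructed for illustration, and the Exclude semantics and the fallback to the current database are assumptions.

```python
# Added illustration of the rule semantics on this page; not TencentDB code.
TABLE_OBJECT_TYPES = {
    "SQLCOM_SELECT", "SQLCOM_CREATE_TABLE", "SQLCOM_CREATE_INDEX",
    "SQLCOM_ALTER_TABLE", "SQLCOM_UPDATE", "SQLCOM_INSERT",
    "SQLCOM_INSERT_SELECT", "SQLCOM_DELETE", "SQLCOM_TRUNCATE",
    "SQLCOM_DROP_TABLE",
}

def target_databases(stmt):
    """Databases a rule is evaluated against for this statement."""
    # Assumption: a table-object statement with no resolved database
    # falls back to the current database.
    if stmt["sql_type"] in TABLE_OBJECT_TYPES and stmt["referenced_dbs"]:
        return set(stmt["referenced_dbs"])  # databases actually operated on
    return {stmt["current_db"]}             # database selected with USE

def condition_matches(op, value, candidates):
    """One value per condition; it is compared as a single string."""
    hit = value in candidates
    # Assumption: Exclude matches when no candidate equals the value.
    return hit if op == "include" else not hit

def rule_matches(rule, stmt):
    """Conditions inside one rule are combined with AND."""
    fields = {
        "client_ip": {stmt["client_ip"]},
        "user": {stmt["user"]},
        "db": target_databases(stmt),
    }
    return all(condition_matches(op, value, fields[name])
               for name, (op, value) in rule.items())

def is_audited(rules, stmt):
    """Rules are combined with OR: any matching rule audits the statement."""
    return any(rule_matches(rule, stmt) for rule in rules)

# Constructed sample statements (not taken from a real audit log).
JOIN_STMT = {"sql_type": "SQLCOM_SELECT", "current_db": "db3",
             "referenced_dbs": ["db1", "db2"], "user": "user1",
             "client_ip": "10.0.0.5"}
SHOW_STMT = {"sql_type": "SQLCOM_SHOW_DATABASES", "current_db": "db1",
             "referenced_dbs": [], "user": "user1", "client_ip": "10.0.0.5"}
```

A rule written as `{"db": ("include", "db1,db2")}` matches neither sample statement, so the statements it was meant to cover go unaudited; use one rule per database instead.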