Audit Log Filter file format overview
On each auditable event, the component appends a record to the log. After startup, the first record describes the server and startup options; later records cover connections, disconnections, executed SQL, and more.
Which server actions become audit records depends on audit_log_filter.event_mode, not on the file format. See the description of that variable for the difference between REDUCED and FULL and for the behavior of releases before it existed.
If LOAD_DATA references files, the component does not log file contents.
Set format with audit_log_filter.format at startup. Options:
| Format Type | Command | Description |
|---|---|---|
| XML (new style) | audit_log_filter.format=NEW | Default XML layout |
| XML (old style) | audit_log_filter.format=OLD | Legacy XML layout |
| JSON | audit_log_filter.format=JSON | One top-level JSON array of events |
| JSONL | audit_log_filter.format=JSONL | Added in 8.4.9-9. One compact JSON object per line inside a wrapping array (see the JSON/JSONL topic). |
By default, new-style XML logs are neither compressed nor encrypted.
When you change audit_log_filter.format, rename audit_log_filter.file as well—for example use audit.json or audit.jsonl for JSON or JSONL. Reusing one base name obscures format changes across rotated files.
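A check for that situation, as an added example that is not part of the original documentation: it classifies each file in a log directory by content and reports files whose name implies a different format. The suffix convention, the file names and the record contents are constructed for this example, and JSONL is recognised on the assumption, taken from the table above, that each line inside the array is one complete object.

```python
import gzip, json, tempfile
from pathlib import Path

# Assumed naming convention for this example: the suffix states the format.
EXPECTED = {".json": "JSON", ".jsonl": "JSONL", ".xml": "XML", ".log": "XML"}

def sniff_format(path):
    """Classify an audit log file by its content, not its name."""
    raw = Path(path).read_bytes()
    if raw[:2] == b"\x1f\x8b":              # gzip magic number
        raw = gzip.decompress(raw)
    text = raw.decode("utf-8", errors="replace").strip()
    if text.startswith("<"):
        return "XML"                         # NEW and OLD styles are not told apart
    if not text.startswith("["):
        return "UNKNOWN"                     # for example an encrypted file
    inner = text[1:-1] if text.endswith("]") else text[1:]
    rows = [r.strip().strip(",").strip() for r in inner.splitlines()]
    rows = [r for r in rows if r]
    try:
        # Assumption from the page: JSONL keeps one whole object on each line.
        if rows and all(isinstance(json.loads(r), dict) for r in rows):
            return "JSONL"
    except ValueError:
        pass
    return "JSON"

def mismatches(directory):
    """List (name, format the name implies, format found) where the two differ."""
    found = []
    for p in sorted(Path(directory).iterdir()):
        if not p.is_file():
            continue
        implied = next((EXPECTED[s] for s in p.suffixes if s in EXPECTED), None)
        actual = sniff_format(p)
        if implied != actual:
            found.append((p.name, implied, actual))
    return found

def demo():
    """Constructed sample files: one base name reused after a format change."""
    d = Path(tempfile.mkdtemp())
    xml = '<?xml version="1.0" encoding="utf-8"?>\n<AUDIT>\n</AUDIT>\n'
    jsonl = '[\n{"event": "connect"},\n{"event": "query"}\n]\n'   # made-up keys
    pretty = '[\n  {\n    "event": "connect"\n  }\n]\n'
    (d / "audit.20240101T000000.log").write_text(xml)
    (d / "audit.log").write_text(jsonl)          # format changed, name was not
    (d / "audit.json").write_text(pretty)
    (d / "audit.20240102T000000.jsonl.gz").write_bytes(gzip.compress(jsonl.encode()))
    return mismatches(d)
```

Running `mismatches()` over the audit log directory before feeding files to a parser or a log shipper shows which files need a different reader than their name suggests.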
Additional reading
- Audit Log Filter overview
- Audit Log Filter format - XML (new style)
- Audit Log Filter format - XML (old style)
- Audit Log Filter format - JSON and JSONL
- Audit log filter functions, options, and variables: audit_log_filter.format, audit_log_filter.file
- Reading Audit Log Filter files
- Audit Log Filter compression and encryption