Skip to content
Percona Software for MySQL Documentation

Rate this page
Thanks for your feedback
Thank you! The feedback has been submitted.

For help, click the link below to get free database assistance or contact our experts for personalized support.

Get help from Percona

Redact audit log fields

Audit events that carry SQL statement text can leak sensitive values — credentials, personal data, secret literals — into the audit log. The Audit Log Filter can rewrite that text as a statement digest before the event is written, so the log records what kind of statement ran without capturing the literal values.

This page covers the print / replace mechanism. For base filter authoring, see Write audit_log_filter definitions.

What can be replaced

Only two fields are replaceable, and only with the query_digest function:

Event class Replaceable field
general general_query.str
table_access query.str

Replacement happens during filtering, so the choice of literal text vs. digest applies regardless of which log format (XML or JSON) is written later.

Shape

A print item goes inside a class or event block:

"print": {
  "field": {
    "name": "field_name",
    "print": condition,
    "replace": replacement_value
  }
}
  • name — the replaceable field (from the table above).
  • print — a condition. When it evaluates to true, the field is kept; when it evaluates to false, the field is replaced. Use "print": false to replace unconditionally.
  • replace — the replacement value, specified as a function item. Currently only query_digest (with no arguments) is permitted.

The conditional form lets you mix redacted and literal statements in the same filter.

Example 1: Redact every general event

Replace statement text in every general event with its digest:

{
  "filter": {
    "class": {
      "name": "general",
      "print": {
        "field": {
          "name": "general_query.str",
          "print": false,
          "replace": {
            "function": { "name": "query_digest" }
          }
        }
      }
    }
  }
}

Example 2: Redact both statement-carrying classes

general and table_access both carry statement text. Combine them into one filter:

{
  "filter": {
    "class": [
      {
        "name": "general",
        "print": {
          "field": {
            "name": "general_query.str",
            "print": false,
            "replace": { "function": { "name": "query_digest" } }
          }
        }
      },
      {
        "name": "table_access",
        "print": {
          "field": {
            "name": "query.str",
            "print": false,
            "replace": { "function": { "name": "query_digest" } }
          }
        }
      }
    ]
  }
}

The resulting audit stream contains only digests — no literal SQL text — which is a common baseline for PCI/PII environments.

Example 3: Redact only specific events

Scope replacement to a subset of events by nesting print inside an event block. This filter redacts query.str on insert and update table_access events but leaves read and delete alone:

{
  "filter": {
    "class": {
      "name": "table_access",
      "event": {
        "name": ["insert", "update"],
        "print": {
          "field": {
            "name": "query.str",
            "print": false,
            "replace": { "function": { "name": "query_digest" } }
          }
        }
      }
    }
  }
}

Example 4: Redact account-management statements

query_digest with an argument is a Boolean comparator — useful in a log condition to decide whether to log an event based on its digest. Combined with field checks, you can log (and redact) only specific statement types. This filter fires on general/status events for account-management DDL and replaces the literal statement with its digest:

{
  "filter": {
    "class": {
      "name": "general",
      "event": {
        "name": "status",
        "print": {
          "field": {
            "name": "general_query.str",
            "print": false,
            "replace": {
              "function": { "name": "query_digest" }
            }
          }
        },
        "log": {
          "or": [
            { "field": { "name": "general_sql_command.str", "value": "alter_user" } },
            { "field": { "name": "general_sql_command.str", "value": "alter_user_default_role" } },
            { "field": { "name": "general_sql_command.str", "value": "create_role" } },
            { "field": { "name": "general_sql_command.str", "value": "create_user" } }
          ]
        }
      }
    }
  }
}

For the full set of general_sql_command.str values, see Test event field values.

Conditional redaction

To keep literal text for most statements and redact only specific ones — or vice versa — use query_digest as a comparator inside print. With an argument, the function returns true when the current statement digest equals the argument.

Keep the literal text when the digest matches SELECT ?; replace otherwise:

"print": {
  "field": {
    "name": "general_query.str",
    "print": {
      "function": {
        "name": "query_digest",
        "args": "SELECT ?"
      }
    },
    "replace": {
      "function": { "name": "query_digest" }
    }
  }
}

Invert with not — redact only the matching statements, keep literal text for everything else:

"print": {
  "field": {
    "name": "general_query.str",
    "print": {
      "not": {
        "function": {
          "name": "query_digest",
          "args": "SELECT ?"
        }
      }
    },
    "replace": {
      "function": { "name": "query_digest" }
    }
  }
}

See also