# Percona Audit Plugin

Tessell offers an audit log plugin for MySQL Community edition based on open source [Percona Server Audit Plugin](https://docs.percona.com/percona-server/8.0/audit-log-plugin.html). This provides comprehensive tracking of database user activities including connections, queries, and data modifications to help meet compliance and auditing requirements. The audit logs are stored in a log file on each database node.

### Audit Log Settings

Tessell supports the following audit log parameters for the Percona Audit Plugin. For detailed parameter descriptions, refer to [Percona Audit Plugin Variables](https://docs.percona.com/percona-server/8.0/audit-log-plugin.html#system-variables) documentation.

| Parameter Setting              | Default Value                                           | Valid Values                                           | Description                                                                                           |
| ------------------------------ | ------------------------------------------------------- | ------------------------------------------------------ | ----------------------------------------------------------------------------------------------------- |
| audit\_log\_strategy           | ASYNCHRONOUS                                            | ASYNCHRONOUS, PERFORMANCE, SEMISYNCHRONOU, SYNCHRONOUS | Defines logging method. It is a static parameter.                                                     |
| audit\_log\_buffer\_size       | 1048576                                                 | 4096 - 18446744073709547520                            | Size of memory buffer used in ASYNCHRONOUS or PERFORMANCE modes (in bytes). It is a static parameter. |
| audit\_log\_format             | JSON                                                    | OLD, NEW, CSV, JSON                                    | This variable is used to specify the audit log format. It is a static parameter.                      |
| audit\_log\_exclude\_accounts  | "rep\_user@%,'root'@'localhost','tessell\_monitor'@'%'" | <p><br></p>                                            | Excludes specified user accounts; exclusive with include\_accounts. It is a dynamic parameter.        |
| audit\_log\_exclude\_databases | <p><br></p>                                             | <p><br></p>                                            | Excludes specified databases; exclusive with include\_databases. It is a dynamic parameter.           |
| audit\_log\_policy             | ALL                                                     | ALL, LOGINS, QUERIES, NONE                             | Determines the type of events to log. It is a dynamic parameter.                                      |
| audit\_log\_rotations          | 10                                                      | 0-100                                                  | Specifies how many rotated logs to keep. It is a static parameter.                                    |
| audit\_log\_rotate\_on\_size   | 10485760                                                | 0-18446744073709551615                                 | Log rotates when reaching this size. It is a dynamic parameter.                                       |

### MySQL Audit Plugin Support Matrix

| Tessell-managed MySQL Database | Supported via Option Profile? |
| ------------------------------ | ----------------------------- |
| MySQL Community Edition 8.0    | ✅ Yes                         |
| MySQL Community Edition 8.4    | ❌ No                          |
| MySQL Community Edition 5.7    | ❌ No                          |

### Enabling Percona Audit Plugin

You can enable the Percona Audit Plugin on a MySQL DB instance using an **Option Profile**. When enabled, Tessell automatically **reboots the DB instance**, so it is recommended to perform this action during a maintenance window or low-traffic period.

When applied to a DB cluster, the option profile is propagated to **all nodes** (Primary, HA, RR, and DR).

#### Steps to enable Percona Audit Plugin

1. **Sign in** to the Tessell Console.
2. From the left navigation pane, go to **Governance** and open the **DB Governance** App.
3. Go to the **Options** tab from the menu.
4. Click **Create** to create a new option profile.
5. In the **Source details** section:
   1. **DB Engine** : Choose MySQL from dropdown menu
   2. **Version** : Choose 8.0
   3. **Profile Name** : Provide a unique option profile name
   4. **Description (Optional)**: A brief description of the option profile.
6. In **Option** Section:
   1. Click **Option Settings** and it opens a pop up window to configure audit parameter settings.
   2. Change the settings of your desired parameters..
   3. Click **Submit** to save the changes.
7. Click **Create** button to begin the creation of option profile with audit log enabled.
8. After it is created, open the **My Services** App from the **DB Services** section in the left navigation pane.
9. Choose your DB service for which you want to enable Percona Audit Log Plugin.
10. Click on “︙” Icon in the right side of the pane and choose **Change Option Profile** from the menu.
11. In the **Option profile** dropdown, choose your newly created Option profile.
12. Provide your consent to apply this change immediately by checking the box and hitting the **Apply** button.
13. Tessell automatically reboots the db instance when you attach the option profile. After the option profile is associated with the DB instance, you should see status as “**In-sync**” for Option profile in the Instance tab of your DB service.

### Modifying Percona Audit Plugin Settings

After you enable the Percona Audit Plugin, you can modify the settings. You can only modify parameter values in a custom-created option profile; you cannot change the parameter values in a default option profile.&#x20;

When you modify dynamic parameters, changes are applied to DB instances immediately without a reboot. Static parameters require a database restart, which Tessell automatically performs reboot of the DB instance.

#### To modify parameters in Option profile:

1. **Sign in** to the Tessell Console.
2. From the left navigation pane, go to **Governance** and open the **DB Governance** App.
3. Go to the **Options** tab from the menu.
4. Select your option profile from the list.
5. Click on **Option** Settings in Percona Audit Plugin.&#x20;
   1. Modify your desired parameters.
   2. Click **Submit** to save the changes.
6. Click **Save** button to begin the modification of the DB instance associated with the option profile.

### Disabling Percona Audit Plugin&#x20;

Tessell does not support disabling Percona Audit logging directly. However, you may contact Tessell Support to have the plugin removed from the DB instance. Removing the Percona Audit Plugin requires  a database restart to stop auditing.

### Viewing and Download Audit Logs

Audit logs can be viewed at the individual node level, with support for time-based filtering.

#### Steps to View and download Audit Logs

1. **Sign in** to the Tessell Console.
2. From the left navigation pane, go to **DB Services** and open the **My Services** App.
3. Choose your MySQL DB service for which you want to check the database audit log.
4. Go to the **Logs** tab from the menu.
5. Select the **mysql\_audit\_log** in **MySQL Log** section from the left navigation menu to view the audit logs.
6. You can also download the logs to your local by clicking the **Download** button.
7. A .zip file is generated based on your selected log and time window.
8. Save the file to your local machine.