Audit Logging

Audit logging records information about changes made to a database. Enterprises use audit logs to track who made changes, what data changed and when changes were made. This data is crucial for:

• Regulatory compliance (HIPAA, SOX, PCI, etc.)
• Security compliance
• Debugging

What Gets Logged?

Audit logging has access to the information shown here. The default behavior is to write all of the fields to the log.

• user: User name (if available)
• host: Host IP, where the command is being executed
• source ip address: Source IP address where the request was initiated
• source port: Source port number where the request was initiated
• timestamp: unix timestamp
• type: Type of the request (SELECT, INSERT, etc.)
• category: Category of the request (DDL, DML, etc.)
• keyspace: Keyspace (if applicable) to which the request is targeted
• scope: Table/Aggregate name/function name/trigger name etc., as applicable
• operation: CQL command being executed

Enable Audit Logging

Audit logging is disabled by default in Cassandra. There are two ways to configure audit logging: dynamically using nodetool or statically using cassandra.yaml. A configuration using nodetool overrides a configuration defined in cassandra.yaml and does not persist across server restarts.

Configurable Properties

• enabled: This option enables/disables audit log
• logger: Class name of the logger/custom logger
• audit_logs_dir: Audit logs directory location, if not set, the default is cassandra.logdir.audit or cassandra.logdir + /audit/
• included_keyspaces: Comma separated list of keyspaces to be included in audit log, default - includes all keyspaces
• excluded_keyspaces: Comma separated list of keyspaces to be excluded from audit log, default - excludes no keyspace
• included_categories: Comma separated list of Audit Log Categories to be included in audit log, default - includes all categories
• excluded_categories: Comma separated list of Audit Log Categories to be excluded from audit log, default - excludes no category
• included_users: Comma separated list of users to be included in audit log, default - includes all users
• excluded_users: Comma separated list of users to be excluded from audit log, default - excludes no user

Security Best Practices

Use excludes to limit logs to the information actually required.

Use the operating system to control access to log files containing sensitive data.

Redact sensitive data before sharing log files.