From 1404a9f8b3447d7f8c947f7fbc98db402c8a0a3a Mon Sep 17 00:00:00 2001 From: shiyuhang <1136742008@qq.com> Date: Mon, 15 Sep 2025 18:25:55 +0800 Subject: [PATCH 1/8] refactor db audit log --- tidb-cloud/serverless-audit-logging.md | 332 ++++++++++++++++++++----- 1 file changed, 271 insertions(+), 61 deletions(-) diff --git a/tidb-cloud/serverless-audit-logging.md b/tidb-cloud/serverless-audit-logging.md index 5fb94cf7dabaf..372db20bc4be8 100644 --- a/tidb-cloud/serverless-audit-logging.md +++ b/tidb-cloud/serverless-audit-logging.md 
@@ -1,41 +1,98 @@ --- -title: Database Audit Logging for {{{ .starter }}} and Essential -summary: Learn about how to audit a {{{ .starter }}} or {{{ .essential }}} cluster in TiDB Cloud. +title: Database Audit Logging for {{{ .essential }}} +summary: Learn about how to audit a {{{ .essential }}} cluster in TiDB Cloud. --- -# Database Audit Logging (Beta) for {{{ .starter }}} and Essential +# Database Audit Logging (Beta) for {{{ .essential }}} -{{{ .starter }}} and {{{ .essential }}} provide you with a database audit logging feature to record a history of user access details (such as any SQL statements executed) in logs. +{{{ .essential }}} provide you with a database audit logging feature to record a history of user access details (such as any SQL statements executed) in logs. > **Note:** > -> Currently, the database audit logging feature is only available upon request. To request this feature, click **?** in the lower-right corner of the [TiDB Cloud console](https://tidbcloud.com) and click **Request Support**. Then, fill in "Apply for {{{ .starter }}} or {{{ .essential }}} database audit logging" in the **Description** field and click **Submit**. +> Currently, the database audit logging feature is only available upon request. To request this feature, click **?** in the lower-right corner of the [TiDB Cloud console](https://tidbcloud.com) and click **Request Support**. Then, fill in "Apply for {{{ .essential }}} database audit logging" in the **Description** field and click **Submit**. To assess the effectiveness of user access policies and other information security measures of your organization, it is a security best practice to conduct a periodic analysis of the database audit logs. The audit logging feature is disabled by default. To audit a cluster, you need to enable audit logging for it. 
-## Enable audit logging +## Audit logging configurations -To enable audit logging for a {{{ .starter }}} or {{{ .essential }}} cluster, use the [TiDB Cloud CLI](/tidb-cloud/ticloud-auditlog-config.md). +### Data redaction -```shell -ticloud serverless audit-log config -c --enabled +{{{ .essential }}} redact sensitive data in the audit logs by default. Take the following SQL statement as an example: + +```sql +INSERT INTO `test`.`users` (`id`, `name`, `password`) VALUES (1, 'Alice', '123456'); ``` -To disable audit logging for a {{{ .starter }}} or {{{ .essential }}} cluster, use the [TiDB Cloud CLI](/tidb-cloud/ticloud-auditlog-config.md). +It is redacted as follows: -```shell -ticloud serverless audit-log config -c --enabled=false +```sql +INSERT INTO `test`.`users` (`id`, `name`, `password`) VALUES ( ... ); ``` -> **Note:** -> -> Only enabling audit logging will not generate audit logs. You need to configure filters to specify what events to log. For more information, see [Manage audit logging filter rules](#manage-audit-logging-filter-rules). +### Log file rotation -## Manage audit logging filter rules +{{{ .essential }}} generate a new audit log file when either of the following conditions is met: + +- The size of the current log file reaches rotation size (100 MB by default). +- Rotation interval (one hour by default) has passed since the previous log generation. Depending on the internal scheduling mechanism, log generation might be delayed by a few minutes. + +## Audit logging locations + +You can store the audit logs to the following locations: + +- TiDB Cloud +- [Amazon S3](https://aws.amazon.com/s3/) +- [Google Cloud Storage](https://cloud.google.com/storage) +- [Azure Blob Storage](https://azure.microsoft.com/en-us/services/storage/blobs/) +- [Alibaba Cloud Object Storage Service (OSS)](https://www.alibabacloud.com/product/oss) + +### TiDB Cloud + +you can store audit logs in TiDB Cloud and download them to your local machine. 
The audit logs will be expired and deleted after 365 days. To request longer storage duration, contact [TiDB Cloud Support](/tidb-cloud/tidb-cloud-support.md). + +### Amazon S3 + +To store audit logs to Amazon S3, you need to provide the following information: + +- URI: `s3:////` +- One of the following access credentials: + - [An access key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html): make sure the access key has the `s3:PutObject` and `s3:ListBucket` permissions. + - [A role ARN](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html): make sure the role ARN (Amazon Resource Name) has the `s3:PutObject` permissions. Note that only clusters hosted on AWS support the role ARN. + +For more information, see [Configure Amazon S3 access](/tidb-cloud/serverless-external-storage.md#configure-amazon-s3-access). + +### Google Cloud Storage + +To store audit logs to Google Cloud Storage, you need to provide the following information: + +- URI: `gs:////` +- Access credential: a **base64 encoded** [service account key](https://cloud.google.com/iam/docs/creating-managing-service-account-keys) for your bucket. Make sure the service account key has the `storage.objects.create` and `storage.objects.delete` permission. + +For more information, see [Configure GCS access](/tidb-cloud/serverless-external-storage.md#configure-gcs-access). + +### Azure Blob Storage + +To store audit logs to Azure Blob Storage, you need to provide the following information: + +- URI: `azure://.blob.core.windows.net///` or `https://.blob.core.windows.net///` +- Access credential: a [shared access signature (SAS) token](https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview) for your Azure Blob Storage container. Make sure the SAS token has the `Read` and `Write` permissions on the `Container` and `Object` resources. -To filter the audit logging, you need to create a filter rule to specify which events to log. 
You can use the [TiDB Cloud CLI](/tidb-cloud/ticloud-auditlog-filter-create.md) to manage the filter rules. +For more information, see [Configure Azure Blob Storage access](/tidb-cloud/serverless-external-storage.md#configure-azure-blob-storage-access). + +### Alibaba Cloud OSS + +To store audit logs to Alibaba Cloud OSS, you need to provide the following information: + +- URI: `oss:////` +- Access credential: An [AccessKey pair](https://www.alibabacloud.com/help/en/ram/user-guide/create-an-accesskey-pair) for your Alibaba Cloud account. Make sure the AccessKey pair has the `oss:PutObject` and `oss:GetBucketInfo` permissions to allow data export to the OSS bucket. + +For more information, see [Configure Alibaba Cloud Object Storage Service (OSS) access](/tidb-cloud/serverless-external-storage.md#configure-alibaba-cloud-object-storage-service-oss-access). + +## Audit logging filter rules + +To filter the audit logging, you need to create a filter rule to specify which events to log. The filter rule contains the following fields: 
@@ -66,90 +123,245 @@ Here is the summary of all event classes in database audit logging: | SELECT | Record all operations of the `SELECT` statements | QUERY | | QUERY_DDL | Record all operations of the DDL statements | QUERY | | AUDIT | Record all operations related to setting TiDB database auditing, including setting system variables and calling system functions | - | -| AUDIT_FUNC_CALL | Record all operations of calling system functions related to TiDB database auditing | AUDIT | +| AUDIT_FUNC_CALL | Record all operations of calling system functions related to TiDB database auditing | AUDIT -### Create a filter rule +## Enable Audit Logging + +You can enable audit logging for a {{{ .essential }}} cluster. + +> **Note:** +> +> Only enabling audit logging will not generate audit logs. You need to configure filters to specify what events to log. For more information, see [Manage audit logging filter rules](#manage-audit-logging-filter-rules). + + +
+ +1. Log in to the [TiDB Cloud console](https://tidbcloud.com/) and navigate to the [**Clusters**](https://tidbcloud.com/project/clusters) page of your project. + + > **Tip:** + > + > You can use the combo box in the upper-left corner to switch between organizations, projects, and clusters. -To create a filter rule that captures all audit logs, run the following command: +2. Click the name of your target cluster to go to its overview page, and then click **Settings** > **DB Audit Logging** in the left navigation pane. + +3. On the **DB Audit Logging** page, click **Enable**. + +4. Select the storage location of the audit logs and fill in the necessary information, then click **Test Connection and Next** or **Next**. For more information about the available storage locations, see [Audit logging locations](#audit-logging-locations). + +5. In the **Database Audit Logging Setting** pop-up, fill the log file rotation and log redaction settings, and then click **Save**. + +
+ +
+ +Take s3 storage as an example. Run the following command to enable audit logging and store the audit logs to Amazon S3: ```shell -ticloud serverless audit-log filter create --cluster-id --name --rule '{"users":["%@%"],"filters":[{}]}' +ticloud serverless audit-log config update -c --enabled --cloud-storage S3 --s3.uri --s3.access-key-id --s3.secret-access-key --rotation-size-mib --rotation-interval-minutes --unredacted= ``` -To create a filter rule that filters ALL EXECUTE events, run the following command: +`--rotation-size-mib`, `--rotation-interval-minutes`, and `--unredacted` are optional parameters. If not specified, the default values will be used. + +
+
+ +## Configure audit logging + +You can configure the audit logging for a {{{ .essential }}} cluster after enabling it. + + +
+ +1. Log in to the [TiDB Cloud console](https://tidbcloud.com/) and navigate to the [**Clusters**](https://tidbcloud.com/project/clusters) page of your project. + + > **Tip:** + > + > You can use the combo box in the upper-left corner to switch between organizations, projects, and clusters. + +2. Click the name of your target cluster to go to its overview page, and then click **Settings** > **DB Audit Logging** in the left navigation pane. + +3. On the **DB Audit Logging** page, click **Settings**. + +4. In the **Database Audit Logging Setting** pop-up, fill the log file rotation and log redaction settings, and then click **Save**. + +
+ +
```shell -ticloud serverless audit-log filter create --cluster-id --name --rule '{"users":["%@%"],"filters":[{"classes":["EXECUTE"]]}' +ticloud serverless audit-log config update -c --rotation-size-mib --rotation-interval-minutes --unredacted= ``` + +
+
+ +## Disable audit logging + +You can disable audit logging for a {{{ .essential }}} cluster. + + +
+ +1. Log in to the [TiDB Cloud console](https://tidbcloud.com/) and navigate to the [**Clusters**](https://tidbcloud.com/project/clusters) page of your project. + + > **Tip:** + > + > You can use the combo box in the upper-left corner to switch between organizations, projects, and clusters. + +2. Click the name of your target cluster to go to its overview page, and then click **Settings** > **DB Audit Logging** in the left navigation pane. -### Update a filter rule +3. On the **DB Audit Logging** page, click **...** in the upper-right corner, and then click **Disable**. -To disable a filter rule, run the following command: +4. Click **Disable** in the pop-up dialog to disable audit logging. + +
+ +
```shell -ticloud serverless audit-log filter update --cluster-id --name --enabled=false +ticloud serverless audit-log config update -c --disabled=true ``` + +
+
+ +## Manage audit logging filter rules + +You can manage audit logging filter rules in the [TiDB Cloud console](https://tidbcloud.com/) or by using the [TiDB Cloud CLI](/tidb-cloud/ticloud-auditlog-config.md). + +### Create a filter rule -To update a filter rule, run the following command: + +
+ +1. Log in to the [TiDB Cloud console](https://tidbcloud.com/) and navigate to the [**Clusters**](https://tidbcloud.com/project/clusters) page of your project. + + > **Tip:** + > + > You can use the combo box in the upper-left corner to switch between organizations, projects, and clusters. + +2. Click the name of your target cluster to go to its overview page, and then click **Settings** > **DB Audit Logging** in the left navigation pane. + +3. On the **DB Audit Logging** page, click **Add Filter Rule**. + +4. Fill in the `Filter Name`, `SQL Users`, and `Filter Rules` fields in the **Add Filter Rule** pop-up dialog, and then click **Confirm**. For more information about the fields, see [Audit logging filter rules](#audit-logging-filter-rules). + +
+ +
```shell -ticloud serverless audit-log filter update --cluster-id --name --rule '{"users":["%@%"],"filters":[{"classes":["QUERY"],"tables":["test.t"]}]}' +ticloud serverless audit-log filter create --cluster-id --display-name --rule '{"users":["%@%"],"filters":[{}]} ``` + +
+
-Note that you need to pass the complete `--rule` field when updating. +### Edit a filter rule -### Delete a filter rule +1. Log in to the [TiDB Cloud console](https://tidbcloud.com/) and navigate to the [**Clusters**](https://tidbcloud.com/project/clusters) page of your project. -To delete a filter rule, run the following command: + > **Tip:** + > + > You can use the combo box in the upper-left corner to switch between organizations, projects, and clusters. + +2. Click the name of your target cluster to go to its overview page, and then click **Settings** > **DB Audit Logging** in the left navigation pane. + +3. On the **DB Audit Logging** page, Choose the filter rule you want to delete and click **...**. + +4. Click **Edit**. + +5. Fill in the `Filter Name`, `SQL Users`, and `Filter Rules` fields in the **Add Filter Rule** pop-up dialog, and then click **Confirm**. + + + +
```shell -ticloud serverless audit-log filter delete --cluster-id --name +ticloud serverless audit-log filter update --cluster-id --filter-rule-id --rule '{"users":["%@%"],"filters":[{"classes":["QUERY"],"tables":["test.t"]}]}' ``` + +
+ -## Configure audit logging +### Disable a filter rule -### Data redaction +1. Log in to the [TiDB Cloud console](https://tidbcloud.com/) and navigate to the [**Clusters**](https://tidbcloud.com/project/clusters) page of your project. -{{{ .starter }}} and {{{ .essential }}} redact sensitive data in the audit logs by default. Take the following SQL statement as an example: + > **Tip:** + > + > You can use the combo box in the upper-left corner to switch between organizations, projects, and clusters. -```sql -INSERT INTO `test`.`users` (`id`, `name`, `password`) VALUES (1, 'Alice', '123456'); -``` +2. Click the name of your target cluster to go to its overview page, and then click **Settings** > **DB Audit Logging** in the left navigation pane. -It is redacted as follows: +3. On the **DB Audit Logging** page, Choose the filter rule you want to disable -```sql -INSERT INTO `test`.`users` (`id`, `name`, `password`) VALUES ( ... ); +4. switch the slider to disable the filter rule. + + + +
+ +```shell +ticloud serverless audit-log filter update --cluster-id --filter-rule-id --enabled=false ``` + +
+ + +### Delete a filter rule + +1. Log in to the [TiDB Cloud console](https://tidbcloud.com/) and navigate to the [**Clusters**](https://tidbcloud.com/project/clusters) page of your project. + + > **Tip:** + > + > You can use the combo box in the upper-left corner to switch between organizations, projects, and clusters. -If you want to disable redaction, use the [TiDB Cloud CLI](/tidb-cloud/ticloud-auditlog-config.md). +2. Click the name of your target cluster to go to its overview page, and then click **Settings** > **DB Audit Logging** in the left navigation pane. + +3. On the **DB Audit Logging** page, Choose the filter rule you want to delete and click **...**. + +4. Click **Delete** and then click **I understand. Delete it** in the pop-up dialog to delete the filter rule. + + + +
```shell -ticloud serverless audit-log config --cluster-id --unredacted +ticloud serverless audit-log filter delete --cluster-id --filter-rule-id ``` + +
+ -### Log file rotation -{{{ .starter }}} and {{{ .essential }}} generate a new audit log file when either of the following conditions is met: +## Access audit logging with TiDB Cloud Storage -- The size of the current log file reaches 100 MiB. -- One hour has passed since the previous log generation. Depending on the internal scheduling mechanism, log generation might be delayed by a few minutes. +{{{ .essential }}} audit logs are stored as readable text files named `YYYY-MM-DD-.log`. When you store audit logs in TiDB Cloud, you can access and download them via the [TiDB Cloud Console](https://tidbcloud.com/) or by using the [TiDB Cloud CLI](/tidb-cloud/ticloud-auditlog-download.md). > **Note:** > -> Currently, Log file rotation settings are not configurable. {{{ .starter }}} and {{{ .essential }}} automatically rotate the audit log files based on the preceding conditions. +> {{{ .essential }}} do not guarantee sequential ordering of audit logs. The log file named `YYYY-MM-DD-.log` might contain the audit logs in previous days. +> If you want to retrieve all logs from a specific date (for example, January 1, 2025), specifying `--start-date 2025-01-01` and `--end-date 2025-01-02` usually works. But under extreme conditions, you might need to download all log files and order them by the `TIME` field. -## Access audit logging + +
-{{{ .starter }}} and {{{ .essential }}} audit logs are stored as readable text files named `YYYY-MM-DD-.log`. +1. Log in to the [TiDB Cloud console](https://tidbcloud.com/) and navigate to the [**Clusters**](https://tidbcloud.com/project/clusters) page of your project. -Currently, audit logs are stored within TiDB Cloud for 365 days. After this period, logs are automatically deleted. + > **Tip:** + > + > You can use the combo box in the upper-left corner to switch between organizations, projects, and clusters. -> **Note:** -> -> Contact [TiDB Cloud Support](https://docs.pingcap.com/tidbcloud/tidb-cloud-support) if you need to save audit logs in external storage (such as Amazon S3, Azure Blob Storage, Google Cloud Storage, and Alibaba Cloud OSS). +2. Click the name of your target cluster to go to its overview page, and then click **Settings** > **DB Audit Logging** in the left navigation pane. -To view and download audit logs, use the [TiDB Cloud CLI](/tidb-cloud/ticloud-auditlog-download.md): +3. On the **DB Audit Logging** page, you can view the list of audit logs under `TiDB Cloud Storage`. + +4. To download an audit log, select the audit logs and then click **Download**. + +
+ +
```shell ticloud serverless audit-log download --cluster-id --output-path --start-date --end-date @@ -157,11 +369,9 @@ ticloud serverless audit-log download --cluster-id --output-path **Note:** -> -> {{{ .starter }}} and {{{ .essential }}} do not guarantee sequential ordering of audit logs. The log file named `YYYY-MM-DD-.log` might contain the audit logs in previous days. -> If you want to retrieve all logs from a specific date (for example, January 1, 2025), specifying `--start-date 2025-01-01` and `--end-date 2025-01-02` usually works. But under extreme conditions, you might need to download all log files and order them by the `TIME` field. + +
+
## Audit logging fields @@ -227,4 +437,4 @@ When the event class is `AUDIT` or a subclass of `AUDIT`, the audit logs contain - Audit logging is only available via TiDB Cloud CLI at present. - Audit logs can only be stored in TiDB Cloud at present. -- {{{ .starter }}} and {{{ .essential }}} do not guarantee the sequential order of audit logs, which means you might have to review all log files to view the latest events. To sort the logs chronologically, you can use the `TIME` field in the audit logs. +- {{{ .essential }}} do not guarantee the sequential order of audit logs, which means you might have to review all log files to view the latest events. To sort the logs chronologically, you can use the `TIME` field in the audit logs. From f255987aa865b45e1dfc813ffa2b731a5e289ad9 Mon Sep 17 00:00:00 2001 From: shi yuhang <52435083+shiyuhang0@users.noreply.github.com> Date: Mon, 15 Sep 2025 18:33:34 +0800 Subject: [PATCH 2/8] Apply suggestions from code review Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --- tidb-cloud/serverless-audit-logging.md | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/tidb-cloud/serverless-audit-logging.md b/tidb-cloud/serverless-audit-logging.md index 372db20bc4be8..2ed007644f395 100644 --- a/tidb-cloud/serverless-audit-logging.md +++ b/tidb-cloud/serverless-audit-logging.md @@ -50,7 +50,7 @@ You can store the audit logs to the following locations: ### TiDB Cloud -you can store audit logs in TiDB Cloud and download them to your local machine. The audit logs will be expired and deleted after 365 days. To request longer storage duration, contact [TiDB Cloud Support](/tidb-cloud/tidb-cloud-support.md). +You can store audit logs in TiDB Cloud and download them to your local machine. The audit logs will be expired and deleted after 365 days. To request longer storage duration, contact [TiDB Cloud Support](/tidb-cloud/tidb-cloud-support.md). ### Amazon S3 
@@ -68,7 +68,7 @@ For more information, see [Configure Amazon S3 access](/tidb-cloud/serverless-ex To store audit logs to Google Cloud Storage, you need to provide the following information: - URI: `gs:////` -- Access credential: a **base64 encoded** [service account key](https://cloud.google.com/iam/docs/creating-managing-service-account-keys) for your bucket. Make sure the service account key has the `storage.objects.create` and `storage.objects.delete` permission. +- Access credential: a **base64 encoded** [service account key](https://cloud.google.com/iam/docs/creating-managing-service-account-keys) for your bucket. Make sure the service account key has the `storage.objects.create` and `storage.objects.delete` permissions. For more information, see [Configure GCS access](/tidb-cloud/serverless-external-storage.md#configure-gcs-access). @@ -123,7 +123,7 @@ Here is the summary of all event classes in database audit logging: | SELECT | Record all operations of the `SELECT` statements | QUERY | | QUERY_DDL | Record all operations of the DDL statements | QUERY | | AUDIT | Record all operations related to setting TiDB database auditing, including setting system variables and calling system functions | - | -| AUDIT_FUNC_CALL | Record all operations of calling system functions related to TiDB database auditing | AUDIT +| AUDIT_FUNC_CALL | Record all operations of calling system functions related to TiDB database auditing | AUDIT ## Enable Audit Logging 
@@ -160,7 +160,7 @@ Take s3 storage as an example. Run the following command to enable audit logging ticloud serverless audit-log config update -c --enabled --cloud-storage S3 --s3.uri --s3.access-key-id --s3.secret-access-key --rotation-size-mib --rotation-interval-minutes --unredacted= ``` -`--rotation-size-mib`, `--rotation-interval-minutes`, and `--unredacted` are optional parameters. If not specified, the default values will be used. +`--rotation-size-mib`, `--rotation-interval-minutes`, and `--unredacted` are optional parameters. If you do not specify them, the default values are used. @@ -251,8 +251,7 @@ You can manage audit logging filter rules in the [TiDB Cloud console](https://ti
```shell -ticloud serverless audit-log filter create --cluster-id --display-name --rule '{"users":["%@%"],"filters":[{}]} -``` +ticloud serverless audit-log filter create --cluster-id --display-name --rule '{"users":["%@%"],"filters":[{}]}'
@@ -355,9 +354,9 @@ ticloud serverless audit-log filter delete --cluster-id --filter-ru 2. Click the name of your target cluster to go to its overview page, and then click **Settings** > **DB Audit Logging** in the left navigation pane. -3. On the **DB Audit Logging** page, you can view the list of audit logs under `TiDB Cloud Storage`. +3. On the **DB Audit Logging** page, you can view the list of audit logs under `TiDB Cloud Storage`. -4. To download an audit log, select the audit logs and then click **Download**. +4. To download audit logs, select one or more logs from the list and then click **Download**. From a62a762988214b688fea83be2fc9e86cf6e536f3 Mon Sep 17 00:00:00 2001 From: shiyuhang <1136742008@qq.com> Date: Mon, 15 Sep 2025 18:40:18 +0800 Subject: [PATCH 3/8] fix according to ai --- tidb-cloud/serverless-audit-logging.md | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/tidb-cloud/serverless-audit-logging.md b/tidb-cloud/serverless-audit-logging.md index 2ed007644f395..b2642900d46ba 100644 --- a/tidb-cloud/serverless-audit-logging.md +++ b/tidb-cloud/serverless-audit-logging.md @@ -258,6 +258,9 @@ ticloud serverless audit-log filter create --cluster-id --display-n ### Edit a filter rule + +
+ 1. Log in to the [TiDB Cloud console](https://tidbcloud.com/) and navigate to the [**Clusters**](https://tidbcloud.com/project/clusters) page of your project. > **Tip:** @@ -266,11 +269,9 @@ ticloud serverless audit-log filter create --cluster-id --display-n 2. Click the name of your target cluster to go to its overview page, and then click **Settings** > **DB Audit Logging** in the left navigation pane. -3. On the **DB Audit Logging** page, Choose the filter rule you want to delete and click **...**. - -4. Click **Edit**. +3. On the **DB Audit Logging** page, find the filter rule you want to edit, click **...** in its row, and then click **Edit**. -5. Fill in the `Filter Name`, `SQL Users`, and `Filter Rules` fields in the **Add Filter Rule** pop-up dialog, and then click **Confirm**. +4. Fill in the `Filter Name` and `Filter Rules` fields in the **Edit Filter Rule** pop-up dialog, and then click **Confirm**.
@@ -285,6 +286,9 @@ ticloud serverless audit-log filter update --cluster-id --filter-ru ### Disable a filter rule + +
+ 1. Log in to the [TiDB Cloud console](https://tidbcloud.com/) and navigate to the [**Clusters**](https://tidbcloud.com/project/clusters) page of your project. > **Tip:** @@ -293,7 +297,7 @@ ticloud serverless audit-log filter update --cluster-id --filter-ru 2. Click the name of your target cluster to go to its overview page, and then click **Settings** > **DB Audit Logging** in the left navigation pane. -3. On the **DB Audit Logging** page, Choose the filter rule you want to disable +3. On the **DB Audit Logging** page, Choose the filter rule you want to disable. 4. switch the slider to disable the filter rule. @@ -310,6 +314,9 @@ ticloud serverless audit-log filter update --cluster-id --filter-ru ### Delete a filter rule + +
+ 1. Log in to the [TiDB Cloud console](https://tidbcloud.com/) and navigate to the [**Clusters**](https://tidbcloud.com/project/clusters) page of your project. > **Tip:** From ecc3fcf65e8b0e6e89292e3c2d9b6b79f299090e Mon Sep 17 00:00:00 2001 From: shiyuhang <1136742008@qq.com> Date: Mon, 15 Sep 2025 18:48:55 +0800 Subject: [PATCH 4/8] fix lint --- tidb-cloud/serverless-audit-logging.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/tidb-cloud/serverless-audit-logging.md b/tidb-cloud/serverless-audit-logging.md index b2642900d46ba..3fcf7f7ed8230 100644 --- a/tidb-cloud/serverless-audit-logging.md +++ b/tidb-cloud/serverless-audit-logging.md @@ -125,7 +125,9 @@ Here is the summary of all event classes in database audit logging: | AUDIT | Record all operations related to setting TiDB database auditing, including setting system variables and calling system functions | - | | AUDIT_FUNC_CALL | Record all operations of calling system functions related to TiDB database auditing | AUDIT -## Enable Audit Logging +## Configure audit logging + +### Enable audit logging You can enable audit logging for a {{{ .essential }}} cluster. @@ -165,9 +167,9 @@ ticloud serverless audit-log config update -c --enabled --cloud-sto
-## Configure audit logging +### Edit audit logging -You can configure the audit logging for a {{{ .essential }}} cluster after enabling it. +You can Edit the audit logging for a {{{ .essential }}} cluster after enabling it.
@@ -195,7 +197,7 @@ ticloud serverless audit-log config update -c --rotation-size-mib <
-## Disable audit logging +### Disable audit logging You can disable audit logging for a {{{ .essential }}} cluster. @@ -252,6 +254,7 @@ You can manage audit logging filter rules in the [TiDB Cloud console](https://ti ```shell ticloud serverless audit-log filter create --cluster-id --display-name --rule '{"users":["%@%"],"filters":[{}]}' +```
@@ -340,10 +343,9 @@ ticloud serverless audit-log filter delete --cluster-id --filter-ru
- ## Access audit logging with TiDB Cloud Storage -{{{ .essential }}} audit logs are stored as readable text files named `YYYY-MM-DD-.log`. When you store audit logs in TiDB Cloud, you can access and download them via the [TiDB Cloud Console](https://tidbcloud.com/) or by using the [TiDB Cloud CLI](/tidb-cloud/ticloud-auditlog-download.md). +{{{ .essential }}} audit logs are stored as readable text files named `YYYY-MM-DD-.log`. When you store audit logs in TiDB Cloud, you can access and download them. > **Note:** > From 7e433800227ffa5944ea23340bd1a96c85f35d62 Mon Sep 17 00:00:00 2001 From: shi yuhang <52435083+shiyuhang0@users.noreply.github.com> Date: Mon, 15 Sep 2025 18:50:03 +0800 Subject: [PATCH 5/8] Apply suggestions from code review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- tidb-cloud/serverless-audit-logging.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tidb-cloud/serverless-audit-logging.md b/tidb-cloud/serverless-audit-logging.md index 3fcf7f7ed8230..675e8d25373d4 100644 --- a/tidb-cloud/serverless-audit-logging.md +++ b/tidb-cloud/serverless-audit-logging.md @@ -123,7 +123,7 @@ Here is the summary of all event classes in database audit logging: | SELECT | Record all operations of the `SELECT` statements | QUERY | | QUERY_DDL | Record all operations of the DDL statements | QUERY | | AUDIT | Record all operations related to setting TiDB database auditing, including setting system variables and calling system functions | - | -| AUDIT_FUNC_CALL | Record all operations of calling system functions related to TiDB database auditing | AUDIT +| AUDIT_FUNC_CALL | Record all operations of calling system functions related to TiDB database auditing | AUDIT | ## Configure audit logging 
@@ -300,7 +300,7 @@ ticloud serverless audit-log filter update --cluster-id --filter-ru 2. Click the name of your target cluster to go to its overview page, and then click **Settings** > **DB Audit Logging** in the left navigation pane. -3. On the **DB Audit Logging** page, Choose the filter rule you want to disable. +3. On the **DB Audit Logging** page, choose the filter rule you want to disable. 4. switch the slider to disable the filter rule. @@ -328,7 +328,7 @@ ticloud serverless audit-log filter update --cluster-id --filter-ru 2. Click the name of your target cluster to go to its overview page, and then click **Settings** > **DB Audit Logging** in the left navigation pane. -3. On the **DB Audit Logging** page, Choose the filter rule you want to delete and click **...**. +3. On the **DB Audit Logging** page, choose the filter rule you want to delete and click **...**. 4. Click **Delete** and then click **I understand. Delete it** in the pop-up dialog to delete the filter rule. From 9b5876a7818ec0abcd58d779ab5700f904b6a963 Mon Sep 17 00:00:00 2001 From: shiyuhang <1136742008@qq.com> Date: Mon, 15 Sep 2025 18:53:08 +0800 Subject: [PATCH 6/8] remove some limit --- tidb-cloud/serverless-audit-logging.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/tidb-cloud/serverless-audit-logging.md b/tidb-cloud/serverless-audit-logging.md index 675e8d25373d4..e92312106f951 100644 --- a/tidb-cloud/serverless-audit-logging.md +++ b/tidb-cloud/serverless-audit-logging.md 
@@ -443,6 +443,4 @@ When the event class is `AUDIT` or a subclass of `AUDIT`, the audit logs contain ## Audit logging limitations -- Audit logging is only available via TiDB Cloud CLI at present. -- Audit logs can only be stored in TiDB Cloud at present. -- {{{ .essential }}} do not guarantee the sequential order of audit logs, which means you might have to review all log files to view the latest events. To sort the logs chronologically, you can use the `TIME` field in the audit logs. +- Do not guarantee the sequential order of audit logs, which means you might have to review all log files to view the latest events. To sort the logs chronologically, you can use the `TIME` field in the audit logs. From 9a0f9289bec1ff292a13197bb4e6729db6819c40 Mon Sep 17 00:00:00 2001 
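Review bot: the replacement bullet under "Audit logging limitations" has no subject. "Do not guarantee the sequential order of audit logs" no longer says what gives no ordering guarantee, because the `{{{ .essential }}}` prefix was dropped along with the two removed limits. Restore it, for example "{{{ .essential }}} does not guarantee the sequential order of audit logs", which also fixes the verb agreement.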
From: shiyuhang <1136742008@qq.com> Date: Mon, 15 Sep 2025 20:19:31 +0800 Subject: [PATCH 7/8] add toc and cli --- TOC-tidb-cloud-essential.md | 13 +++ ...d => serverless-database-audit-logging.md} | 0 tidb-cloud/ticloud-auditlog-config.md | 61 -------------- tidb-cloud/ticloud-auditlog-download.md | 52 ------------ ...d-serverless-audit-log-config-describe.md} | 31 +++----- ...loud-serverless-audit-log-config-update.md | 79 +++++++++++++++++++ .../ticloud-serverless-audit-log-download.md | 50 ++++++++++++ ...erverless-audit-log-filter-rule-create.md} | 32 +++----- ...erverless-audit-log-filter-rule-delete.md} | 26 +++--- ...verless-audit-log-filter-rule-describe.md} | 24 ++---- ...-serverless-audit-log-filter-rule-list.md} | 30 +++---- ...verless-audit-log-filter-rule-template.md} | 24 ++---- ...erverless-audit-log-filter-rule-update.md} | 37 ++++----- 13 files changed, 218 insertions(+), 241 deletions(-) rename tidb-cloud/{serverless-audit-logging.md => serverless-database-audit-logging.md} (100%) delete mode 100644 tidb-cloud/ticloud-auditlog-config.md delete mode 100644 tidb-cloud/ticloud-auditlog-download.md rename tidb-cloud/{ticloud-auditlog-describe.md => ticloud-serverless-audit-log-config-describe.md} (59%) create mode 100644 tidb-cloud/ticloud-serverless-audit-log-config-update.md create mode 100644 tidb-cloud/ticloud-serverless-audit-log-download.md rename tidb-cloud/{ticloud-auditlog-filter-create.md => ticloud-serverless-audit-log-filter-rule-create.md} (58%) rename tidb-cloud/{ticloud-auditlog-filter-delete.md => ticloud-serverless-audit-log-filter-rule-delete.md} (61%) rename tidb-cloud/{ticloud-auditlog-filter-describe.md => ticloud-serverless-audit-log-filter-rule-describe.md} (63%) rename tidb-cloud/{ticloud-auditlog-filter-list.md => ticloud-serverless-audit-log-filter-rule-list.md} (57%) rename tidb-cloud/{ticloud-auditlog-filter-template.md => ticloud-serverless-audit-log-filter-rule-template.md} (58%) rename 
tidb-cloud/{ticloud-auditlog-filter-update.md => ticloud-serverless-audit-log-filter-rule-update.md} (55%) diff --git a/TOC-tidb-cloud-essential.md b/TOC-tidb-cloud-essential.md index 83664bac8e801..d8312039de87e 100644 --- a/TOC-tidb-cloud-essential.md +++ b/TOC-tidb-cloud-essential.md @@ -266,6 +266,7 @@ - [TLS Connections to TiDB Cloud](/tidb-cloud/secure-connections-to-serverless-clusters.md) - Audit Management - [Console Audit Logging](/tidb-cloud/tidb-cloud-console-auditing.md) + - [Database Audit Logging](/tidb-cloud/serverless-database-audit-logging.md) - Billing - [Invoices](/tidb-cloud/tidb-cloud-billing.md#invoices) - [Billing Details](/tidb-cloud/tidb-cloud-billing.md#billing-details) @@ -605,6 +606,18 @@ - [delete](/tidb-cloud/ticloud-serverless-authorized-network-delete.md) - [list](/tidb-cloud/ticloud-serverless-authorized-network-list.md) - [update](/tidb-cloud/ticloud-serverless-authorized-network-update.md) + - audit-log + - config + - [update](/tidb-cloud/ticloud-serverless-audit-log-config-update.md) + - [describe](/tidb-cloud/ticloud-serverless-audit-log-config-describe.md) + - filter-rule + - [create](/tidb-cloud/ticloud-serverless-audit-log-filter-rule-create.md) + - [delete](/tidb-cloud/ticloud-serverless-audit-log-filter-rule-delete.md) + - [describe](/tidb-cloud/ticloud-serverless-audit-log-filter-rule-describe.md) + - [list](/tidb-cloud/ticloud-serverless-audit-log-filter-rule-list.md) + - [update](/tidb-cloud/ticloud-serverless-audit-log-filter-rule-update.md) + - [template](/tidb-cloud/ticloud-serverless-audit-log-filter-rule-template.md) + - [download](/tidb-cloud/ticloud-serverless-audit-log-download.md) - [ai](/tidb-cloud/ticloud-ai.md) - [completion](/tidb-cloud/ticloud-completion.md) - config diff --git a/tidb-cloud/serverless-audit-logging.md b/tidb-cloud/serverless-database-audit-logging.md similarity index 100% rename from tidb-cloud/serverless-audit-logging.md rename to tidb-cloud/serverless-database-audit-logging.md 
diff --git a/tidb-cloud/ticloud-auditlog-config.md b/tidb-cloud/ticloud-auditlog-config.md deleted file mode 100644 index 2b2c88d0abd80..0000000000000 --- a/tidb-cloud/ticloud-auditlog-config.md +++ /dev/null 
@@ -1,61 +0,0 @@ ---- -title: ticloud serverless audit-log config -summary: The reference of `ticloud serverless audit-log config`. ---- - -# ticloud serverless audit-log config - -Configure the database audit logging for a {{{ .starter }}} or {{{ .essential }}} cluster. - -```shell -ticloud serverless audit-log config [flags] -``` - -## Examples - -Configure the database audit logging in interactive mode: - -```shell -ticloud serverless audit-log config -``` - -Enable the database audit logging in non-interactive mode: - -```shell -ticloud serverless audit-log config -c --enabled -``` - -Disable the database audit logging in non-interactive mode: - -```shell -ticloud serverless audit-log config -c --enabled=false -``` - -Unredact the database audit logging in non-interactive mode: - -```shell -ticloud serverless audit-log config -c --unredacted -``` - -## Flags - -In non-interactive mode, you need to manually enter the required flags. In interactive mode, you can just follow CLI prompts to fill them in. - -| Flag | Description | Required | Note | -|-------------------------|-----------------------------------------------------------------------------|----------|------------------------------------------------------| -| -c, --cluster-id string | The ID of the cluster. | Yes | Only works in non-interactive mode. | -| --enabled | Enable or disable the database audit logging. | No | Only works in non-interactive mode. | -| --unredacted | Enable or disable data redaction in audit logs. | No | Only works in non-interactive mode. | -| -h, --help | Shows help information for this command. | No | Works in both non-interactive and interactive modes. 
| - -## Inherited flags - -| Flag | Description | Required | Note | -|----------------------|------------------------------------------------------------------------------------------------------|----------|------------------------------------------------------------------------------------------------------------------| -| --no-color | Disables color in output. | No | Only works in non-interactive mode. In interactive mode, disabling color might not work with some UI components. | -| -P, --profile string | Specifies the active [user profile](/tidb-cloud/cli-reference.md#user-profile) used in this command. | No | Works in both non-interactive and interactive modes. | -| -D, --debug | Enables debug mode. | No | Works in both non-interactive and interactive modes. | - -## Feedback - -If you have any questions or suggestions on the TiDB Cloud CLI, feel free to create an [issue](https://github.com/tidbcloud/tidbcloud-cli/issues/new/choose). Also, we welcome any contributions. diff --git a/tidb-cloud/ticloud-auditlog-download.md b/tidb-cloud/ticloud-auditlog-download.md deleted file mode 100644 index 9ac6a5f522938..0000000000000 --- a/tidb-cloud/ticloud-auditlog-download.md +++ /dev/null 
@@ -1,52 +0,0 @@ ---- -title: ticloud serverless audit-log download -summary: The reference of `ticloud serverless audit-log download`. ---- - -# ticloud serverless audit-log download - -Download the database audit logs from a {{{ .starter }}} or {{{ .essential }}} cluster. - -```shell -ticloud serverless audit-log download [flags] -``` - -## Examples - -Download the database audit logs in interactive mode: - -```shell -ticloud serverless audit-log download -``` - -Download the database audit logs in non-interactive mode: - -```shell -ticloud serverless audit-log download -c --start-date --end-date -``` - -## Flags - -In non-interactive mode, you need to manually enter the required flags. In interactive mode, you can just follow CLI prompts to fill them in. - -| Flag | Description | Required | Note | -|-------------------------|---------------------------------------------------------------------------------------------------------------------|----------|------------------------------------------------------| -| -c, --cluster-id string | Cluster ID. | Yes | Only works in non-interactive mode. | -| --start-date string | The start date of the audit log you want to download in the format of `YYYY-MM-DD`, for example `2025-01-01`. | Yes | Only works in non-interactive mode. | -| --end-date string | The end date of the audit log you want to download in the format of `YYYY-MM-DD`, for example `2025-01-01`. | Yes | Only works in non-interactive mode. | -| --output-path string | The path where you want to download the audit logs. If not specified, logs are downloaded to the current directory. | No | Only works in non-interactive mode. | -| --concurrency int | Download concurrency (`3` by default). | No | Works in both non-interactive and interactive modes. | -| --force | Download without confirmation. | No | Works in both non-interactive and interactive modes. | -| -h, --help | Shows help information for this command. 
| No | Works in both non-interactive and interactive modes. | - -## Inherited flags - -| Flag | Description | Required | Note | -|----------------------|------------------------------------------------------------------------------------------------------|----------|------------------------------------------------------------------------------------------------------------------| -| --no-color | Disables color in output. | No | Only works in non-interactive mode. In interactive mode, disabling color might not work with some UI components. | -| -P, --profile string | Specifies the active [user profile](/tidb-cloud/cli-reference.md#user-profile) used in this command. | No | Works in both non-interactive and interactive modes. | -| -D, --debug | Enables debug mode. | No | Works in both non-interactive and interactive modes. | - -## Feedback - -If you have any questions or suggestions on the TiDB Cloud CLI, feel free to create an [issue](https://github.com/tidbcloud/tidbcloud-cli/issues/new/choose). Also, we welcome any contributions. diff --git a/tidb-cloud/ticloud-auditlog-describe.md b/tidb-cloud/ticloud-serverless-audit-log-config-describe.md similarity index 59% rename from tidb-cloud/ticloud-auditlog-describe.md rename to tidb-cloud/ticloud-serverless-audit-log-config-describe.md index 34fed7e537a89..98aabe3ed0636 100644 --- a/tidb-cloud/ticloud-auditlog-describe.md +++ b/tidb-cloud/ticloud-serverless-audit-log-config-describe.md 
@@ -1,20 +1,14 @@ --- -title: ticloud serverless audit-log describe -summary: The reference of `ticloud serverless audit-log describe`. +title: ticloud serverless audit-log config describe +summary: The reference of `ticloud serverless audit-log config describe`. --- -# ticloud serverless audit-log describe +# ticloud serverless audit-log config describe -Describe the database audit logging configuration for a {{{ .starter }}} or {{{ .essential }}} cluster. +Describe the database audit logging configuration for a TiDB Cloud Essential cluster. ```shell -ticloud serverless audit-log describe [flags] -``` - -Or use the following alias command: - -```shell -ticloud serverless audit-log get [flags] +ticloud serverless audit-log config describe [flags] ``` ## Examples 
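Review bot: the new description line hardcodes "TiDB Cloud Essential" where the removed line used the `{{{ .starter }}}` and `{{{ .essential }}}` variables, and the main audit logging page in this series still uses `{{{ .essential }}}`. Use the variable here as well so the product name is defined in one place. The hunk also deletes the `ticloud serverless audit-log get` alias section and moves the command under `config describe`; the commit subject "add toc and cli" does not mention a rename, so state in the commit message whether the old command and alias still work.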
@@ -22,31 +16,30 @@ ticloud serverless audit-log get [flags] Get the database audit logging configuration in interactive mode: ```shell -ticloud serverless audit-log describe +ticloud serverless audit-log config describe ``` Get the database audit logging configuration in non-interactive mode: ```shell -ticloud serverless audit-log describe -c +ticloud serverless audit-log config describe -c ``` ## Flags -In non-interactive mode, you need to manually enter the required flags. In interactive mode, you can just follow CLI prompts to fill them in. - | Flag | Description | Required | Note | |-------------------------|----------------------------|----------|------------------------------------------------------| | -c, --cluster-id string | The cluster ID. | Yes | Only works in non-interactive mode. | -| -h, --help | Shows help information for this command. | No | Works in both non-interactive and interactive modes. | +| -h, --help | Shows help information for this command. | No | Works in both interactive and non-interactive modes. | ## Inherited flags | Flag | Description | Required | Note | |----------------------|------------------------------------------------------------------------------------------------------|----------|------------------------------------------------------------------------------------------------------------------| -| --no-color | Disables color in output. | No | Only works in non-interactive mode. In interactive mode, disabling color might not work with some UI components. | -| -D, --debug | Enables debug mode. | No | Works in both non-interactive and interactive modes. | +| -D, --debug | Enable debug mode. | No | Works in both interactive and non-interactive modes. | +| --no-color | Disable color output. | No | Only works in non-interactive mode. | +| -P, --profile string | Profile to use from your configuration file. | No | Works in both interactive and non-interactive modes. 
| ## Feedback -If you have any questions or suggestions on the TiDB Cloud CLI, feel free to create an [issue](https://github.com/tidbcloud/tidbcloud-cli/issues/new/choose). Also, we welcome any contributions. \ No newline at end of file +If you have any questions or suggestions on the TiDB Cloud CLI, feel free to create an [issue](https://github.com/tidbcloud/tidbcloud-cli/issues/new/choose). Also, we welcome any contributions. diff --git a/tidb-cloud/ticloud-serverless-audit-log-config-update.md b/tidb-cloud/ticloud-serverless-audit-log-config-update.md new file mode 100644 index 0000000000000..e1d3061e9509d --- /dev/null +++ b/tidb-cloud/ticloud-serverless-audit-log-config-update.md 
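Review bot: in the inherited flags table, the new `-P, --profile` row drops the link to `/tidb-cloud/cli-reference.md#user-profile`, and the `--no-color` row drops the caveat that disabling color might not work with some UI components in interactive mode. Keep both unless they are no longer true. The hunk also removes the sentence that explained non-interactive versus interactive mode at the top of "Flags", which leaves the "Only works in non-interactive mode" notes without an explanation; the same rows and the same removal recur in the other command pages of this patch.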
@@ -0,0 +1,79 @@ +--- +title: ticloud serverless audit-log config update +summary: The reference of `ticloud serverless audit-log config update`. +--- + +# ticloud serverless audit-log config update + +Update the database audit logging configuration for a TiDB Cloud Essential cluster. + +```shell +ticloud serverless audit-log config update [flags] +``` + +## Examples + +Configure database audit logging in interactive mode: + +```shell +ticloud serverless audit-log config update +``` + +Unredact the database audit log in non-interactive mode: + +```shell +ticloud serverless audit-log config update -c --unredacted +``` + +Enable database audit logging with S3 Cloud Storage in non-interactive mode: + +```shell +ticloud serverless audit-log config update -c --enabled --cloud-storage S3 --s3.uri --s3.access-key-id --s3.secret-access-key +``` + +Configure database audit logging rotation strategy in non-interactive mode: + +```shell +ticloud serverless audit-log config update -c --rotation-interval-minutes --rotation-size-mib +``` + +Disable database audit logging in non-interactive mode: + +```shell +ticloud serverless audit-log config update -c --enabled=false +``` + +## Flags + +| Flag | Description | Required | Note | +|------|-------------|----------|------| +| --azblob.sas-token string | The SAS token of Azure Blob. | No | Only works in non-interactive mode. | +| --azblob.uri string | The Azure Blob URI in `azure://.blob.core.windows.net//` format. | No | Only works in non-interactive mode. | +| --cloud-storage string | The cloud storage. One of ["TIDB_CLOUD", "S3", "GCS", "AZURE_BLOB", "OSS"]. | No | Only works in non-interactive mode. | +| -c, --cluster-id string | The ID of the cluster to be updated. | Yes | Only works in non-interactive mode. | +| --enabled | Enable or disable database audit logging. | No | Only works in non-interactive mode. | +| --gcs.service-account-key string | The base64 encoded service account key of GCS. 
| No | Only works in non-interactive mode. | +| --gcs.uri string | The GCS URI in `gs:///` format. | No | Only works in non-interactive mode. | +| --oss.access-key-id string | The access key ID of the OSS. | No | Only works in non-interactive mode. | +| --oss.access-key-secret string | The access key secret of the OSS. | No | Only works in non-interactive mode. | +| --oss.uri string | The OSS URI in `oss:///` format. | No | Only works in non-interactive mode. | +| --rotation-interval-minutes int32 | The rotation interval in minutes, range [10, 1440]. | No | Only works in non-interactive mode. | +| --rotation-size-mib int32 | The rotation size in MiB, range [1, 1024]. | No | Only works in non-interactive mode. | +| --s3.access-key-id string | The access key ID of the S3. You only need to set one of the s3.role-arn and [s3.access-key-id, s3.secret-access-key]. | No | Only works in non-interactive mode. | +| --s3.role-arn string | The role arn of the S3. You only need to set one of the s3.role-arn and [s3.access-key-id, s3.secret-access-key]. | No | Only works in non-interactive mode. | +| --s3.secret-access-key string | The secret access key of the S3. You only need to set one of the s3.role-arn and [s3.access-key-id, s3.secret-access-key]. | No | Only works in non-interactive mode. | +| --s3.uri string | The S3 URI in `s3:///` format. | No | Only works in non-interactive mode. | +| --unredacted | Unredact or redact the database audit log. | No | Only works in non-interactive mode. | +| -h, --help | Shows help information for this command. | No | Works in both interactive and non-interactive modes. | + +## Inherited flags + +| Flag | Description | Required | Note | +|------|-------------|----------|------| +| -D, --debug | Enable debug mode. | No | Works in both interactive and non-interactive modes. | +| --no-color | Disable color output. | No | Only works in non-interactive mode. | +| -P, --profile string | Profile to use from your configuration file. 
| No | Works in both interactive and non-interactive modes. | + +## Feedback + +If you have any questions or suggestions on the TiDB Cloud CLI, feel free to create an [issue](https://github.com/tidbcloud/tidbcloud-cli/issues/new/choose). Also, we welcome any \ No newline at end of file diff --git a/tidb-cloud/ticloud-serverless-audit-log-download.md b/tidb-cloud/ticloud-serverless-audit-log-download.md new file mode 100644 index 0000000000000..18d5360d40621 --- /dev/null +++ b/tidb-cloud/ticloud-serverless-audit-log-download.md 
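Review bot: the last added line of the new file is cut off. The "Feedback" paragraph ends at "Also, we welcome any" and the file has no trailing newline; complete it as the sibling pages do ("Also, we welcome any contributions."). Separately, the S3 example passes `--s3.access-key-id` and `--s3.secret-access-key` on the command line although the flags table says `--s3.role-arn` alone is sufficient. Consider making the role ARN form the documented example, or add a note that values given through `--s3.secret-access-key`, `--azblob.sas-token`, `--gcs.service-account-key` and `--oss.access-key-secret` end up in shell history. The `--unredacted` row should also say which state is the default.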
@@ -0,0 +1,50 @@ +--- +title: ticloud serverless audit-log download +summary: The reference of `ticloud serverless audit-log download`. +--- + +# ticloud serverless audit-log download + +Download the database audit log files from a TiDB Cloud Essential cluster. + +```shell +ticloud serverless audit-log download [flags] +``` + +## Examples + +Download the database audit logs in interactive mode: + +```shell +ticloud serverless audit-log download +``` + +Download the database audit logs in non-interactive mode: + +```shell +ticloud serverless audit-log download -c --start-date --end-date +``` + +## Flags + +| Flag | Description | Required | Note | +|-------------------------|-----------------------------------------------------------------------------------------------|----------|------------------------------------------------------| +| -c, --cluster-id string | Cluster ID. | Yes | Only works in non-interactive mode. | +| --start-date string | The start date of the audit log you want to download in the format of 'YYYY-MM-DD', e.g. '2025-01-01'. | Yes | Only works in non-interactive mode. | +| --end-date string | The end date of the audit log you want to download in the format of 'YYYY-MM-DD', e.g. '2025-01-01'. | Yes | Only works in non-interactive mode. | +| --output-path string | The path where you want to download to. If not specified, download to the current directory. | No | Only works in non-interactive mode. | +| --concurrency int | Download concurrency. (default 3) | No | Works in both interactive and non-interactive modes. | +| --force | Download without confirmation. | No | Works in both interactive and non-interactive modes. | +| -h, --help | Shows help information for this command. | No | Works in both interactive and non-interactive modes. 
| + +## Inherited flags + +| Flag | Description | Required | Note | +|----------------------|------------------------------------------------------------------------------------------------------|----------|------------------------------------------------------------------------------------------------------------------| +| -D, --debug | Enable debug mode. | No | Works in both interactive and non-interactive modes. | +| --no-color | Disable color output. | No | Only works in non-interactive mode. | +| -P, --profile string | Profile to use from your configuration file. | No | Works in both interactive and non-interactive modes. | + +## Feedback + +If you have any questions or suggestions on the TiDB Cloud CLI, feel free to create an [issue](https://github.com/tidbcloud/tidbcloud-cli/issues/new/choose). Also, we welcome any contributions. diff --git a/tidb-cloud/ticloud-auditlog-filter-create.md b/tidb-cloud/ticloud-serverless-audit-log-filter-rule-create.md similarity index 58% rename from tidb-cloud/ticloud-auditlog-filter-create.md rename to tidb-cloud/ticloud-serverless-audit-log-filter-rule-create.md index f52e858b1a8c0..72ab87c159a7b 100644 --- a/tidb-cloud/ticloud-auditlog-filter-create.md +++ b/tidb-cloud/ticloud-serverless-audit-log-filter-rule-create.md 
@@ -5,56 +5,48 @@ summary: The reference of `ticloud serverless audit-log filter-rule create`. # ticloud serverless audit-log filter-rule create -Create an audit log filter rule for a {{{ .starter }}} or {{{ .essential }}} cluster. +Create an audit log filter rule for a TiDB Cloud Essential cluster. ```shell ticloud serverless audit-log filter-rule create [flags] ``` -Or use the following alias command: - -```shell -ticloud serverless audit-log filter create [flags] -``` - ## Examples Create a filter rule in interactive mode: ```shell -ticloud serverless audit-log filter create +ticloud serverless audit-log filter-rule create ``` -Create a filter rule that captures all audit logs in non-interactive mode: +Create a filter rule which filters all audit logs in non-interactive mode: ```shell -ticloud serverless audit-log filter create --cluster-id --name --rule '{"users":["%@%"],"filters":[{}]}' +ticloud serverless audit-log filter-rule create --cluster-id --display-name --rule '{"users":["%@%"],"filters":[{}]}' ``` -Create a filter rule that filters `QUERY` and `EXECUTE` events for the `test.t` table and filters `QUERY` events for all tables in non-interactive mode: +Create a filter rule which filters QUERY and EXECUTE for `test.t` and filters QUERY for all tables in non-interactive mode: ```shell -ticloud serverless audit-log filter create --cluster-id --name --rule '{"users":["%@%"],"filters":[{"classes":["QUERY","EXECUTE"],"tables":["test.t"]},{"classes":["QUERY"]}]}' +ticloud serverless audit-log filter-rule create --cluster-id --display-name --rule '{"users":["%@%"],"filters":[{"classes":["QUERY","EXECUTE"],"tables":["test.t"]},{"classes":["QUERY"]}]}' ``` ## Flags -In non-interactive mode, you need to manually enter the required flags. In interactive mode, you can just follow CLI prompts to fill them in. 
- | Flag | Description | Required | Note | |-------------------------|-------------------------------------------------------------------------------------------------------------|----------|------------------------------------------------------| | -c, --cluster-id string | The ID of the cluster. | Yes | Only works in non-interactive mode. | -| --name string | The name of the filter rule. | Yes | Only works in non-interactive mode. | -| --rule string | Filter rule expressions. Use `ticloud serverless audit-log filter template` to see filter templates. | Yes | Only works in non-interactive mode. | -| -h, --help | Shows help information for this command. | No | Works in both non-interactive and interactive modes. | +| --display-name string | The display name of the filter rule. | Yes | Only works in non-interactive mode. | +| --rule string | Filter rule expressions. Use "ticloud serverless audit-log filter template" to see filter templates. | Yes | Only works in non-interactive mode. | +| -h, --help | Shows help information for this command. | No | Works in both interactive and non-interactive modes. | ## Inherited flags | Flag | Description | Required | Note | |----------------------|------------------------------------------------------------------------------------------------------|----------|------------------------------------------------------------------------------------------------------------------| -| --no-color | Disables color in output. | No | Only works in non-interactive mode. In interactive mode, disabling color might not work with some UI components. | -| -P, --profile string | Specifies the active [user profile](/tidb-cloud/cli-reference.md#user-profile) used in this command. | No | Works in both non-interactive and interactive modes. | -| -D, --debug | Enables debug mode. | No | Works in both non-interactive and interactive modes. | +| -D, --debug | Enable debug mode. | No | Works in both interactive and non-interactive modes. 
| +| --no-color | Disable color output. | No | Only works in non-interactive mode. | +| -P, --profile string | Profile to use from your configuration file. | No | Works in both interactive and non-interactive modes. | ## Feedback diff --git a/tidb-cloud/ticloud-auditlog-filter-delete.md b/tidb-cloud/ticloud-serverless-audit-log-filter-rule-delete.md similarity index 61% rename from tidb-cloud/ticloud-auditlog-filter-delete.md rename to tidb-cloud/ticloud-serverless-audit-log-filter-rule-delete.md index 62c84224a68ff..2d47dc0f9d17d 100644 --- a/tidb-cloud/ticloud-auditlog-filter-delete.md +++ b/tidb-cloud/ticloud-serverless-audit-log-filter-rule-delete.md 
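Review bot: the `--rule` row still points readers at "ticloud serverless audit-log filter template", but this hunk removes the `audit-log filter` alias section and renames every example to `filter-rule`, and the same patch renames that command's page to `ticloud-serverless-audit-log-filter-rule-template.md`. Update the reference to `ticloud serverless audit-log filter-rule template` and keep the backticks the old row used instead of double quotes. The example descriptions also change "captures all audit logs" to "filters all audit logs"; for the `{"users":["%@%"],"filters":[{}]}` rule, say explicitly whether matching events are recorded or dropped, because "filters" can be read either way.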
@@ -5,50 +5,42 @@ summary: The reference of `ticloud serverless audit-log filter-rule delete`. # ticloud serverless audit-log filter-rule delete -Delete an audit log filter rule for a {{{ .starter }}} or {{{ .essential }}} cluster. +Delete an audit log filter rule for a TiDB Cloud Essential cluster. ```shell ticloud serverless audit-log filter-rule delete [flags] ``` -Or use the following alias command: - -```shell -ticloud serverless audit-log filter delete [flags] -``` - ## Examples Delete an audit log filter rule in interactive mode: ```shell -ticloud serverless audit-log filter delete +ticloud serverless audit-log filter-rule delete ``` Delete an audit log filter rule in non-interactive mode: ```shell -ticloud serverless audit-log filter delete --cluster-id --name +ticloud serverless audit-log filter-rule delete --cluster-id --filter-rule-id ``` ## Flags -In non-interactive mode, you need to manually enter the required flags. In interactive mode, you can just follow CLI prompts to fill them in. - | Flag | Description | Required | Note | |-------------------------|-----------------------------------------------------|----------|------------------------------------------------------| | -c, --cluster-id string | The ID of the cluster. | Yes | Only works in non-interactive mode. | -| --name string | The name of the filter rule. | Yes | Only works in non-interactive mode. | -| --force | Deletes the filter rule without confirmation. | No | Works in both non-interactive and interactive modes. | -| -h, --help | Shows help information for this command. | No | Works in both non-interactive and interactive modes. | +| --filter-rule-id string | The ID of the filter rule. | Yes | Only works in non-interactive mode. | +| --force | Delete without confirmation. | No | Works in both interactive and non-interactive modes. | +| -h, --help | Shows help information for this command. | No | Works in both interactive and non-interactive modes. 
| ## Inherited flags | Flag | Description | Required | Note | |----------------------|------------------------------------------------------------------------------------------------------|----------|------------------------------------------------------------------------------------------------------------------| -| --no-color | Disables color in output. | No | Only works in non-interactive mode. In interactive mode, disabling color might not work with some UI components. | -| -P, --profile string | Specifies the active [user profile](/tidb-cloud/cli-reference.md#user-profile) used in this command. | No | Works in both non-interactive and interactive modes. | -| -D, --debug | Enables debug mode. | No | Works in both non-interactive and interactive modes. | +| -D, --debug | Enable debug mode. | No | Works in both interactive and non-interactive modes. | +| --no-color | Disable color output. | No | Only works in non-interactive mode. | +| -P, --profile string | Profile to use from your configuration file. | No | Works in both interactive and non-interactive modes. | ## Feedback diff --git a/tidb-cloud/ticloud-auditlog-filter-describe.md b/tidb-cloud/ticloud-serverless-audit-log-filter-rule-describe.md similarity index 63% rename from tidb-cloud/ticloud-auditlog-filter-describe.md rename to tidb-cloud/ticloud-serverless-audit-log-filter-rule-describe.md index 583a8c54bab95..da05cc59cf357 100644 --- a/tidb-cloud/ticloud-auditlog-filter-describe.md +++ b/tidb-cloud/ticloud-serverless-audit-log-filter-rule-describe.md 
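Review bot: `--name` is replaced by a required `--filter-rule-id` in both the non-interactive example and the flags table, but nothing on the page says where that ID comes from. Add a sentence pointing to `ticloud serverless audit-log filter-rule list` as the way to look it up.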
@@ -5,49 +5,41 @@ summary: The reference of `ticloud serverless audit-log filter-rule describe`. # ticloud serverless audit-log filter-rule describe -Describe an audit log filter rule for a {{{ .starter }}} or {{{ .essential }}} cluster. +Describe an audit log filter rule for a TiDB Cloud Essential cluster. ```shell ticloud serverless audit-log filter-rule describe [flags] ``` -Or use the following alias command: - -```shell -ticloud serverless audit-log filter describe [flags] -``` - ## Examples Describe an audit log filter rule in interactive mode: ```shell -ticloud serverless audit-log filter describe +ticloud serverless audit-log filter-rule describe ``` Describe an audit log filter rule in non-interactive mode: ```shell -ticloud serverless audit-log filter describe --cluster-id --name +ticloud serverless audit-log filter-rule describe --cluster-id --filter-rule-id ``` ## Flags -In non-interactive mode, you need to manually enter the required flags. In interactive mode, you can just follow CLI prompts to fill them in. - | Flag | Description | Required | Note | |-------------------------|------------------------------|----------|------------------------------------------------------| | -c, --cluster-id string | The ID of the cluster. | Yes | Only works in non-interactive mode. | -| --name string | The name of the filter rule. | Yes | Only works in non-interactive mode. | -| -h, --help | Shows help information for this command. | No | Works in both non-interactive and interactive modes. | +| --filter-rule-id string | The ID of the filter rule. | Yes | Only works in non-interactive mode. | +| -h, --help | Shows help information for this command. | No | Works in both interactive and non-interactive modes. 
| ## Inherited flags | Flag | Description | Required | Note | |----------------------|------------------------------------------------------------------------------------------------------|----------|------------------------------------------------------------------------------------------------------------------| -| --no-color | Disables color in output. | No | Only works in non-interactive mode. In interactive mode, disabling color might not work with some UI components. | -| -P, --profile string | Specifies the active [user profile](/tidb-cloud/cli-reference.md#user-profile) used in this command. | No | Works in both non-interactive and interactive modes. | -| -D, --debug | Enables debug mode. | No | Works in both non-interactive and interactive modes. | +| -D, --debug | Enable debug mode. | No | Works in both interactive and non-interactive modes. | +| --no-color | Disable color output. | No | Only works in non-interactive mode. | +| -P, --profile string | Profile to use from your configuration file. | No | Works in both interactive and non-interactive modes. | ## Feedback diff --git a/tidb-cloud/ticloud-auditlog-filter-list.md b/tidb-cloud/ticloud-serverless-audit-log-filter-rule-list.md similarity index 57% rename from tidb-cloud/ticloud-auditlog-filter-list.md rename to tidb-cloud/ticloud-serverless-audit-log-filter-rule-list.md index a56588e260cea..194647e5f0124 100644 --- a/tidb-cloud/ticloud-auditlog-filter-list.md +++ b/tidb-cloud/ticloud-serverless-audit-log-filter-rule-list.md 
@@ -5,55 +5,49 @@ summary: The reference of `ticloud serverless audit-log filter-rule list`. # ticloud serverless audit-log filter-rule list -List audit log filter rules for a {{{ .starter }}} or {{{ .essential }}} cluster. +List audit log filter rules for a TiDB Cloud Essential cluster. ```shell ticloud serverless audit-log filter-rule list [flags] ``` -Or use the following alias command: - -```shell -ticloud serverless audit-log filter list [flags] -``` - ## Examples List all audit log filter rules in interactive mode: ```shell -ticloud serverless audit-log filter list +ticloud serverless audit-log filter-rule list ``` List all audit log filter rules in non-interactive mode: ```shell -ticloud serverless audit-log filter list -c +ticloud serverless audit-log filter-rule list -c ``` List all audit log filter rules with JSON format in non-interactive mode: ```shell -ticloud serverless audit-log filter list -c -o json +ticloud serverless audit-log filter-rule list -c -o json ``` ## Flags -In non-interactive mode, you need to manually enter the required flags. In interactive mode, you can just follow CLI prompts to fill them in. - | Flag | Description | Required | Note | |-------------------------|---------------------------------------------------------------------------------------------------|----------|------------------------------------------------------| -| -c, --cluster-id string | The ID of the cluster whose audit log filter rules you want to list. | No | Only works in non-interactive mode. | -| -o, --output string | Specifies the output format (`human` by default). Valid values are `human` or `json`. To get a complete result, use the `json` format. | No | Works in both non-interactive and interactive modes. | -| -h, --help | Shows help information for this command. | No | Works in both non-interactive and interactive modes. | +| -c, --cluster-id string | The cluster ID of the audit log filter rules to be listed. | No | Only works in non-interactive mode. 
| +| -o, --output string | Output format, one of ["human", "json"]. For the complete result, please use json format. (default "human") | No | Works in both interactive and non-interactive modes. | +| -h, --help | Shows help information for this command. | No | Works in both interactive and non-interactive modes. | ## Inherited flags | Flag | Description | Required | Note | |----------------------|------------------------------------------------------------------------------------------------------|----------|------------------------------------------------------------------------------------------------------------------| -| --no-color | Disables color in output. | No | Only works in non-interactive mode. In interactive mode, disabling color might not work with some UI components. | -| -P, --profile string | Specifies the active [user profile](/tidb-cloud/cli-reference.md#user-profile) used in this command. | No | Works in both non-interactive and interactive modes. | -| -D, --debug | Enables debug mode. | No | Works in both non-interactive and interactive modes. | +| -D, --debug | Enable debug mode. | No | Works in both interactive and non-interactive modes. | +| --no-color | Disable color output. | No | Only works in non-interactive mode. | +| -P, --profile string | Profile to use from your configuration file. | No | Works in both interactive and non-interactive modes. | + +## SEE ALSO ## Feedback diff --git a/tidb-cloud/ticloud-auditlog-filter-template.md b/tidb-cloud/ticloud-serverless-audit-log-filter-rule-template.md similarity index 58% rename from tidb-cloud/ticloud-auditlog-filter-template.md rename to tidb-cloud/ticloud-serverless-audit-log-filter-rule-template.md index cf6482a239b69..ce91f014a4357 100644 --- a/tidb-cloud/ticloud-auditlog-filter-template.md +++ b/tidb-cloud/ticloud-serverless-audit-log-filter-rule-template.md 
@@ -5,48 +5,40 @@ summary: The reference of `ticloud serverless audit-log filter-rule template`. # ticloud serverless audit-log filter-rule template -Show audit log filter rule templates for a {{{ .starter }}} or {{{ .essential }}} cluster. +Show audit log filter rule templates for a TiDB Cloud Essential cluster. ```shell ticloud serverless audit-log filter-rule template [flags] ``` -Or use the following alias command: - -```shell -ticloud serverless audit-log filter template [flags] -``` - ## Examples Show filter templates in interactive mode: ```shell -ticloud serverless audit-log filter template +ticloud serverless audit-log filter-rule template ``` Show filter templates in non-interactive mode: ```shell -ticloud serverless audit-log filter template --cluster-id +ticloud serverless audit-log filter-rule template --cluster-id ``` ## Flags -In non-interactive mode, you need to manually enter the required flags. In interactive mode, you can just follow CLI prompts to fill them in. - | Flag | Description | Required | Note | |-------------------------|------------------------------|----------|------------------------------------------------------| -| -c, --cluster-id string | The ID of the cluster (optional, for context if templates might become cluster-specific). | No | Only works in non-interactive mode. | -| -h, --help | Shows help information for this command. | No | Works in both non-interactive and interactive modes. | +| -c, --cluster-id string | The ID of the cluster. | No | Only works in non-interactive mode. | +| -h, --help | Shows help information for this command. | No | Works in both interactive and non-interactive modes. 
| ## Inherited flags | Flag | Description | Required | Note | |----------------------|------------------------------------------------------------------------------------------------------|----------|------------------------------------------------------------------------------------------------------------------| -| --no-color | Disables color in output. | No | Only works in non-interactive mode. In interactive mode, disabling color might not work with some UI components. | -| -P, --profile string | Specifies the active [user profile](/tidb-cloud/cli-reference.md#user-profile) used in this command. | No | Works in both non-interactive and interactive modes. | -| -D, --debug | Enables debug mode. | No | Works in both non-interactive and interactive modes. | +| -D, --debug | Enable debug mode. | No | Works in both interactive and non-interactive modes. | +| --no-color | Disable color output. | No | Only works in non-interactive mode. | +| -P, --profile string | Profile to use from your configuration file. | No | Works in both interactive and non-interactive modes. | ## Feedback diff --git a/tidb-cloud/ticloud-auditlog-filter-update.md b/tidb-cloud/ticloud-serverless-audit-log-filter-rule-update.md similarity index 55% rename from tidb-cloud/ticloud-auditlog-filter-update.md rename to tidb-cloud/ticloud-serverless-audit-log-filter-rule-update.md index 376cd4760ea38..21b6fe2e204ca 100644 --- a/tidb-cloud/ticloud-auditlog-filter-update.md +++ b/tidb-cloud/ticloud-serverless-audit-log-filter-rule-update.md 
@@ -5,63 +5,56 @@ summary: The reference of `ticloud serverless audit-log filter-rule update`. # ticloud serverless audit-log filter-rule update -Update an audit log filter rule for a {{{ .starter }}} or {{{ .essential }}} cluster. +Update an audit log filter rule for a TiDB Cloud Essential cluster. ```shell ticloud serverless audit-log filter-rule update [flags] ``` -Or use the following alias command: - -```shell -ticloud serverless audit-log filter update [flags] -``` - ## Examples Update an audit log filter rule in interactive mode: ```shell -ticloud serverless audit-log filter update +ticloud serverless audit-log filter-rule update ``` -Enable an audit log filter rule in non-interactive mode: +Enable audit log filter rule in non-interactive mode: ```shell -ticloud serverless audit-log filter update --cluster-id --name --enabled +ticloud serverless audit-log filter-rule update --cluster-id --filter-rule-id --enabled ``` -Disable an audit log filter rule in non-interactive mode: +Disable audit log filter rule in non-interactive mode: ```shell -ticloud serverless audit-log filter update --cluster-id --name --enabled=false +ticloud serverless audit-log filter-rule update --cluster-id --filter-rule-id --enabled=false ``` Update filters of an audit log filter rule in non-interactive mode: ```shell -ticloud serverless audit-log filter update --cluster-id --name --rule '{"users":["%@%"],"filters":[{"classes":["QUERY"],"tables":["test.t"]}]}' +ticloud serverless audit-log filter-rule update --cluster-id --filter-rule-id --rule '{"users":["%@%"],"filters":[{"classes":["QUERY"],"tables":["test.t"]}]}' ``` ## Flags -In non-interactive mode, you need to manually enter the required flags. In interactive mode, you can just follow CLI prompts to fill them in. 
- | Flag | Description | Required | Note | |-------------------------|-------------------------------------------------------------------------------------------------------------|----------|------------------------------------------------------| | -c, --cluster-id string | The ID of the cluster. | Yes | Only works in non-interactive mode. | -| --name string | The name of the filter rule to update. | Yes | Only works in non-interactive mode. | -| --enabled | Enables or disables the filter rule. | No | Only works in non-interactive mode. | -| --rule string | The new, complete filter rule expression. Use `ticloud serverless audit-log filter template` to see filter templates. | No | Only works in non-interactive mode. | -| -h, --help | Shows help information for this command. | No | Works in both non-interactive and interactive modes. | +| --display-name string | The display name of the filter rule. | No | Only works in non-interactive mode. | +| --enabled | Enable or disable the filter rule. | No | Only works in non-interactive mode. | +| --filter-rule-id string | The ID of the filter rule. | Yes | Only works in non-interactive mode. | +| --rule string | Complete filter rule expressions. Use "ticloud serverless audit-log filter template" to see filter templates. | No | Only works in non-interactive mode. | +| -h, --help | Shows help information for this command. | No | Works in both interactive and non-interactive modes. | ## Inherited flags | Flag | Description | Required | Note | |----------------------|------------------------------------------------------------------------------------------------------|----------|------------------------------------------------------------------------------------------------------------------| -| --no-color | Disables color in output. | No | Only works in non-interactive mode. In interactive mode, disabling color might not work with some UI components. 
| -| -P, --profile string | Specifies the active [user profile](/tidb-cloud/cli-reference.md#user-profile) used in this command. | No | Works in both non-interactive and interactive modes. | -| -D, --debug | Enables debug mode. | No | Works in both non-interactive and interactive modes. | +| -D, --debug | Enable debug mode. | No | Works in both interactive and non-interactive modes. | +| --no-color | Disable color output. | No | Only works in non-interactive mode. | +| -P, --profile string | Profile to use from your configuration file. | No | Works in both interactive and non-interactive modes. | ## Feedback From 698ed20361cec6011ca77061a21ec22478ea21df Mon Sep 17 00:00:00 2001 From: shiyuhang <1136742008@qq.com> Date: Tue, 16 Sep 2025 11:21:19 +0800 Subject: [PATCH 8/8] fix invalid link --- tidb-cloud/serverless-database-audit-logging.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tidb-cloud/serverless-database-audit-logging.md b/tidb-cloud/serverless-database-audit-logging.md index e92312106f951..3476fc5f54270 100644 --- a/tidb-cloud/serverless-database-audit-logging.md +++ b/tidb-cloud/serverless-database-audit-logging.md @@ -1,6 +1,7 @@ --- title: Database Audit Logging for {{{ .essential }}} summary: Learn about how to audit a {{{ .essential }}} cluster in TiDB Cloud. +aliases: ['/tidbcloud/serverless-audit-logging'] --- # Database Audit Logging (Beta) for {{{ .essential }}} @@ -229,8 +230,6 @@ ticloud serverless audit-log config update -c --disabled=true ## Manage audit logging filter rules -You can manage audit logging filter rules in the [TiDB Cloud console](https://tidbcloud.com/) or by using the [TiDB Cloud CLI](/tidb-cloud/ticloud-auditlog-config.md). - ### Create a filter rule
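Review bot: In the `filter-rule describe` reference, the new intro line hard-codes "TiDB Cloud Essential" where the removed line used the `{{{ .essential }}}` variable, and the same substitution repeats in the intro lines of the list, template and update pages. serverless-database-audit-logging.md in this series still uses `{{{ .essential }}}` in its title and summary, so keep the variable in these four intros as well to keep the product name consistent across the audit-log pages.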
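Review bot: In ticloud-serverless-audit-log-filter-rule-list.md, the added `## SEE ALSO` heading is followed immediately by `## Feedback`, so it renders as an empty section. Either drop the heading or list the related `filter-rule` commands under it; if it stays, match the sentence-case style of the neighbouring headings such as `## Inherited flags`.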
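Review bot: In the Inherited flags table of ticloud-serverless-audit-log-filter-rule-template.md (and the same table in the describe, list and update pages), the `-P, --profile` row loses its link to /tidb-cloud/cli-reference.md#user-profile and the `--no-color` row loses the caveat that disabling color might not work with some UI components in interactive mode. The shorter descriptions read fine, but the link is the only pointer these pages give to what a profile is, so please keep it in the new wording and say whether the `--no-color` caveat was dropped on purpose.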
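Review bot: In ticloud-serverless-audit-log-filter-rule-update.md, the `--rule` row of the Flags table still tells readers to run "ticloud serverless audit-log filter template", which is the `filter` alias form that this patch removes from every example and from the alias section. Change it to `ticloud serverless audit-log filter-rule template` so the reference matches the documented command. The two example lead-ins in the same hunk also dropped their article ("Enable audit log filter rule"); "Enable an audit log filter rule" matches the other lead-ins on the page.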
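Review bot: In serverless-database-audit-logging.md, under `## Manage audit logging filter rules`, the invalid link is fixed by deleting the whole introductory sentence, so the section now opens directly on `### Create a filter rule` and no longer tells readers that rules can be managed from either the TiDB Cloud console or the CLI. Keep the sentence and repoint the CLI link from /tidb-cloud/ticloud-auditlog-config.md to the renamed reference page instead of removing it.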