Security Audit
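1. Introduction
The audit log is the database's record of activity. With the audit log feature you can look up operations performed on the database, such as inserts, deletes, updates, and queries, to help keep information secure. The IoTDB audit log feature supports the following:
- The audit log can be enabled or disabled through configuration.
- The operation types and privilege levels recorded in the audit log can be set through parameters.
- The retention of audit log files can be set through parameters, including time-based rolling with TTL and space-based rolling with SpaceTL.
- A parameter can be set to count, over any time period, the slow requests whose write or query latency exceeds a threshold (3000 ms by default).
- Audit log files are stored encrypted by default.
Note: this feature is available from version V2.0.8.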
2. Configuration Parameters
Enable the audit log feature by editing the following parameters in the configuration file iotdb-system.properties.
- V2.0.8.1
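| Parameter | Description | Data type | Default | Effective mode |
|---|---|---|---|---|
| enable_audit_log | Whether to enable the audit log. true: enabled. false: disabled. | Boolean | false | Hot reload |
| auditable_operation_type | Operation types to audit. DML: all DML statements are audited; DDL: all DDL statements are audited; QUERY: all queries are audited; CONTROL: all control statements are audited. | String | DML,DDL,QUERY,CONTROL | Hot reload |
| auditable_operation_level | Privilege level to audit. global: record all audit logs; object: record only audit logs for events on data instances. Inclusion relationship: object < global. For example, when set to global, all audit logs are recorded as normal; when set to object, only operations on specific data instances are recorded. | String | global | Hot reload |
| auditable_operation_result | Event results to audit. success: record only audit logs for successful events; fail: record only audit logs for failed events. | String | success, fail | Hot reload |
| audit_log_ttl_in_days | TTL of the audit log. An audit log entry expires once the time since it was generated reaches this threshold. | Double | -1.0 (never deleted) | Hot reload |
| audit_log_space_tl_in_GB | SpaceTL of the audit log. Once the total size of the audit log reaches this threshold, rotating deletion begins. | Double | 1.0 | Hot reload |
| audit_log_batch_interval_in_ms | Interval between batched audit log writes. | Long | 1000 | Hot reload |
| audit_log_batch_max_queue_bytes | Maximum size in bytes of the queue used to batch audit logs. When the queue size exceeds this value, subsequent writes are blocked. | Long | 268435456 | Hot reload |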
- V2.0.9.2
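| Parameter | Description | Data type | Default | Effective mode |
|---|---|---|---|---|
| enable_audit_log | Whether to enable the audit log. true: enabled. false: disabled. | Boolean | false | Hot reload |
| auditable_operation_type | Operation types to audit. DML: all DML statements are audited; DDL: all DDL statements are audited; QUERY: all queries are audited; CONTROL: all control statements are audited. | String | DML,DDL,QUERY,CONTROL | Hot reload |
| auditable_dml_event_type | Event types audited for DML operations. OBJECT_AUTHENTICATION: object authentication; SLOW_OPERATION: slow operation. | String | OBJECT_AUTHENTICATION,SLOW_OPERATION | Hot reload |
| auditable_ddl_event_type | Event types audited for DDL operations. OBJECT_AUTHENTICATION: object authentication; SLOW_OPERATION: slow operation. | String | OBJECT_AUTHENTICATION,SLOW_OPERATION | Hot reload |
| auditable_query_event_type | Event types audited for query operations. OBJECT_AUTHENTICATION: object authentication; SLOW_OPERATION: slow operation. | String | OBJECT_AUTHENTICATION,SLOW_OPERATION | Hot reload |
| auditable_control_event_type | Event types audited for control operations. CHANGE_AUDIT_OPTION: audit option change; OBJECT_AUTHENTICATION: object authentication; LOGIN: login; LOGOUT: logout; DN_SHUTDOWN: DataNode shutdown; SLOW_OPERATION: slow operation. | String | CHANGE_AUDIT_OPTION,OBJECT_AUTHENTICATION,LOGIN,LOGOUT,DN_SHUTDOWN,SLOW_OPERATION | Hot reload |
| auditable_operation_level | Privilege level to audit. global: record all audit logs; object: record only audit logs for events on data instances. Inclusion relationship: object < global. For example, when set to global, all audit logs are recorded as normal; when set to object, only operations on specific data instances are recorded. | String | global | Hot reload |
| auditable_operation_result | Event results to audit. success: record only audit logs for successful events; fail: record only audit logs for failed events. | String | success, fail | Hot reload |
| audit_log_ttl_in_days | TTL of the audit log. An audit log entry expires once the time since it was generated reaches this threshold. | Double | -1.0 (never deleted) | Hot reload |
| audit_log_space_tl_in_GB | SpaceTL of the audit log. Once the total size of the audit log reaches this threshold, rotating deletion begins. | Double | 1.0 | Hot reload |
| audit_log_batch_interval_in_ms | Interval between batched audit log writes. | Long | 1000 | Hot reload |
| audit_log_batch_max_queue_bytes | Maximum size in bytes of the queue used to batch audit logs. When the queue size exceeds this value, subsequent writes are blocked. | Long | 268435456 | Hot reload |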
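Notes on object authentication and slow operations:
- When auditable_dml_event_type, auditable_ddl_event_type, auditable_query_event_type, or auditable_control_event_type is set to OBJECT_AUTHENTICATION (object authentication), audit logs are recorded for the corresponding event type.
- When auditable_dml_event_type, auditable_ddl_event_type, auditable_query_event_type, or auditable_control_event_type is set to SLOW_OPERATION (slow operation), audit logs are recorded for the corresponding event type only when the operation takes longer than the slow_query_threshold parameter value (3000 ms by default). The slow_query_threshold parameter can be configured in the iotdb-system.properties file.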
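The following added example (not part of the IoTDB documentation or code base) checks the text of an iotdb-system.properties file against the V2.0.9.2 parameters and defaults listed above and returns the settings that reduce audit coverage. The thresholds MIN_TTL_DAYS and MIN_SPACE_GB, the helper names, the sample inputs, and the case-insensitive value comparison are assumptions of the example.

```python
# Added example: checks audit settings in iotdb-system.properties text.
# Parameter names and defaults come from the V2.0.9.2 table above.
# MIN_TTL_DAYS and MIN_SPACE_GB are assumed site policy, not IoTDB values.
DEFAULTS = {
    "enable_audit_log": "false",
    "auditable_operation_type": "DML,DDL,QUERY,CONTROL",
    "auditable_control_event_type": "CHANGE_AUDIT_OPTION,OBJECT_AUTHENTICATION,"
                                    "LOGIN,LOGOUT,DN_SHUTDOWN,SLOW_OPERATION",
    "auditable_operation_level": "global",
    "auditable_operation_result": "success, fail",
    "audit_log_ttl_in_days": "-1.0",
    "audit_log_space_tl_in_GB": "1.0",
}
MIN_TTL_DAYS = 180.0
MIN_SPACE_GB = 10.0

def parse_properties(text):
    """Parse key=value lines; '#' or '!' starts a comment; last value wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def tokens(value):
    # Values are compared case-insensitively (an assumption of this example).
    return {t.strip().upper() for t in value.split(",") if t.strip()}

def audit_findings(text):
    """Return the sorted parameter names whose effective value weakens auditing."""
    cfg = {**DEFAULTS, **parse_properties(text)}
    bad = set()
    if cfg["enable_audit_log"].lower() != "true":
        bad.add("enable_audit_log")              # default is false: nothing recorded
    if tokens(DEFAULTS["auditable_operation_type"]) - tokens(cfg["auditable_operation_type"]):
        bad.add("auditable_operation_type")      # a statement category is unaudited
    if not {"LOGIN", "CHANGE_AUDIT_OPTION"} <= tokens(cfg["auditable_control_event_type"]):
        bad.add("auditable_control_event_type")  # logins or audit changes unrecorded
    if cfg["auditable_operation_level"].lower() != "global":
        bad.add("auditable_operation_level")     # object < global
    if not {"SUCCESS", "FAIL"} <= tokens(cfg["auditable_operation_result"]):
        bad.add("auditable_operation_result")    # failed events carry the signal
    ttl = float(cfg["audit_log_ttl_in_days"])
    if 0 <= ttl < MIN_TTL_DAYS:                  # negative (-1.0) means never expired
        bad.add("audit_log_ttl_in_days")
    if float(cfg["audit_log_space_tl_in_GB"]) < MIN_SPACE_GB:
        bad.add("audit_log_space_tl_in_GB")      # rotation starts at this total size
    return sorted(bad)

# Constructed sample inputs.
STOCK = ""  # nothing overridden, so every parameter takes its default
TUNED = """\
enable_audit_log=true
auditable_operation_result=success,fail
audit_log_ttl_in_days=365
audit_log_space_tl_in_GB=50
"""
PARTIAL = """\
enable_audit_log=true
auditable_operation_result=success
auditable_control_event_type=SLOW_OPERATION
audit_log_space_tl_in_GB=50
"""
```

With the defaults, audit_log_ttl_in_days never expires entries, but audit_log_space_tl_in_GB = 1.0 still starts rotating deletion once the log reaches 1 GB, which is why the check reports it for the unmodified configuration.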
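3. Viewing the Audit Log
Audit log information can be read and retrieved directly through SQL.
3.1 SQL Syntax
SELECT (<audit_log_field>, )* log FROM <AUDIT_LOG_PATH> WHERE whereclause ORDER BY order_expression
Where:
- AUDIT_LOG_PATH: the audit log storage location, __audit.audit_log;
- audit_log_field: for the queryable fields, see the metadata structure in the next subsection.
- WHERE conditions and ORDER BY sorting are supported.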
3.2 Metadata Structure
| Field | Meaning | Type |
|---|---|---|
| time | Date and time the event started | timestamp |
| username | User name | string |
| cli_hostname | User host identifier | string |
| audit_event_type | Audit event type: WRITE_DATA, GENERATE_KEY, SLOW_OPERATION, etc. | string |
| operation_type | Operation type of the audit event: DML, DDL, QUERY, CONTROL | string |
| privilege_type | Privilege used by the audit event: WRITE_DATA, MANAGE_USER, etc. | string |
| privilege_level | Privilege level of the event: global, object | string |
| result | Event result: success=1, fail=0 | boolean |
| database | Database name | string |
| sql_string | The user's original SQL | string |
| log | Detailed event description | string |
3.3 Examples
- Query the time, user name, and host information of successfully executed DML operations
IoTDB:__audit> select time,username,cli_hostname from audit_log where result = true and operation_type='DML'
+-----------------------------+--------+------------+
| time|username|cli_hostname|
+-----------------------------+--------+------------+
|2026-01-23T11:43:46.697+08:00| root| 127.0.0.1|
|2026-01-23T11:45:39.950+08:00| root| 127.0.0.1|
+-----------------------------+--------+------------+
Total line number = 2
It costs 0.284s
- Query the time, user name, host information, operation type, and original SQL of the most recent operation
IoTDB:__audit> select time,username,cli_hostname,operation_type,sql_string from audit_log order by time desc limit 1
+-----------------------------+--------+------------+--------------+------------------------------------------------------------------------------------------------------+
| time|username|cli_hostname|operation_type| sql_string|
+-----------------------------+--------+------------+--------------+------------------------------------------------------------------------------------------------------+
|2026-01-23T11:46:31.026+08:00| root| 127.0.0.1| QUERY|select time,username,cli_hostname,operation_type,sql_string from audit_log order by time desc limit 1|
+-----------------------------+--------+------------+--------------+------------------------------------------------------------------------------------------------------+
Total line number = 1
It costs 0.053s
- Query the database, operation type, and log information of all operations whose event result is false
IoTDB:__audit> select time,database,operation_type,log from audit_log where result=false
+-----------------------------+--------+--------------+----------------------------------------------------------------------+
| time|database|operation_type| log|
+-----------------------------+--------+--------------+----------------------------------------------------------------------+
|2026-01-23T11:47:42.136+08:00| | CONTROL|User user1 (ID=-1) login failed with code: 804, Authentication failed.|
+-----------------------------+--------+--------------+----------------------------------------------------------------------+
Total line number = 1
It costs 0.011s
- Set slow_query_threshold = 1 (ms) and query the records whose audit event type is slow operation
IoTDB:__audit> select * from audit_log where audit_event_type='SLOW_OPERATION' limit 3
+-----------------------------+-------+-------+--------+------------+----------------+--------------+--------------+---------------+------+---------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| time|node_id|user_id|username|cli_hostname|audit_event_type|operation_type|privilege_type|privilege_level|result| database| sql_string| log|
+-----------------------------+-------+-------+--------+------------+----------------+--------------+--------------+---------------+------+---------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|2026-05-06T14:57:57.468+08:00| node_1| u_0| root| 127.0.0.1| SLOW_OPERATION| QUERY| [SELECT]| OBJECT| true| | show databases| SLOW_QUERY: cost 10 ms, show databases|
|2026-05-06T14:58:38.149+08:00| node_1| u_0| root| 127.0.0.1| SLOW_OPERATION| DML| [INSERT]| OBJECT| true|database1|INSERT INTO table1(region, plant_id, device_id, model_id, maintenance, time, temperature, humidity, status, arrival_time) VALUES ('北京', '1001', '100', 'A', '180', '2024-11-26 13:37:00', 90.0, 35.1, true, '2024-11-26 13:37:34'), ('北京', '1001', '100', 'A', '180', '2024-11-26 13:38:00', 90.0, 35.1, true, '2024-11-26 13:38:25'), ('北京', '1001', '101', 'B', '180', '2024-11-27 16:38:00', NULL, 35.1, true, '2024-11-27 16:37:01'), ('北京', '1001', '101', 'B', '180', '2024-11-27 16:39:00', 85.0, 35.3, NULL, Null), ('北京', '1001', '101', 'B', '180', '2024-11-27 16:40:00', 85.0, NULL, NULL, '2024-11-27 16:37:03'), ('北京', '1001', '101', 'B', '180', '2024-11-27 16:41:00', 85.0, NULL, NULL, '2024-11-27 16:37:04'), ('北京', '1001', '101', 'B', '180', '2024-11-27 16:42:00', NULL, 35.2, false, Null), ('北京', '1001', '101', 'B', '180', '2024-11-27 16:43:00', NULL, Null, false, Null), ('北京', '1001', '101', 'B', '180', '2024-11-27 16:44:00', NULL, Null, false, '2024-11-27 16:37:08'), ('上海', '3001', '100', 'C', '90', '2024-11-28 08:00:00', 85.0, Null, NULL, '2024-11-28 08:00:09'), ('上海', '3001', '100', 'C', '90', '2024-11-28 09:00:00', NULL, 40.9, true, NULL), ('上海', '3001', '100', 'C', '90', '2024-11-28 10:00:00', 85.0, 35.2, NULL, '2024-11-28 10:00:11'), ('上海', '3001', '100', 'C', '90', '2024-11-28 11:00:00', 88.0, 45.1, true, '2024-11-28 11:00:12'), ('上海', '3001', '101', 'D', '360', '2024-11-29 10:00:00', 85.0, NULL, NULL, '2024-11-29 10:00:13'), ('上海', '3002', '100', 'E', '180', '2024-11-29 11:00:00', NULL, 45.1, true, NULL), ('上海', '3002', '100', 'E', '180', '2024-11-29 18:30:00', 90.0, 35.4, true, '2024-11-29 18:30:15'), ('上海', '3002', '101', 'F', '360', '2024-11-30 09:30:00', 90.0, 35.2, true, NULL), ('上海', '3002', '101', 'F', '360', '2024-11-30 14:30:00', 90.0, 34.8, true, '2024-11-30 14:30:17')|Execution: INSERT INTO table1(region, plant_id, device_id, model_id, 
maintenance, time, temperature, humidity, status, arrival_time) VALUES ('北京', '1001', '100', 'A', '180', '2024-11-26 13:37:00', 90.0, 35.1, true, '2024-11-26 13:37:34'), ('北京', '1001', '100', 'A', '180', '2024-11-26 13:38:00', 90.0, 35.1, true, '2024-11-26 13:38:25'), ('北京', '1001', '101', 'B', '180', '2024-11-27 16:38:00', NULL, 35.1, true, '2024-11-27 16:37:01'), ('北京', '1001', '101', 'B', '180', '2024-11-27 16:39:00', 85.0, 35.3, NULL, Null), ('北京', '1001', '101', 'B', '180', '2024-11-27 16:40:00', 85.0, NULL, NULL, '2024-11-27 16:37:03'), ('北京', '1001', '101', 'B', '180', '2024-11-27 16:41:00', 85.0, NULL, NULL, '2024-11-27 16:37:04'), ('北京', '1001', '101', 'B', '180', '2024-11-27 16:42:00', NULL, 35.2, false, Null), ('北京', '1001', '101', 'B', '180', '2024-11-27 16:43:00', NULL, Null, false, Null), ('北京', '1001', '101', 'B', '180', '2024-11-27 16:44:00', NULL, Null, false, '2024-11-27 16:37:08'), ('上海', '3001', '100', 'C', '90', '2024-11-28 08:00:00', 85.0, Null, NULL, '2024-11-28 08:00:09'), ('上海', '3001', '100', 'C', '90', '2024-11-28 09:00:00', NULL, 40.9, true, NULL), ('上海', '3001', '100', 'C', '90', '2024-11-28 10:00:00', 85.0, 35.2, NULL, '2024-11-28 10:00:11'), ('上海', '3001', '100', 'C', '90', '2024-11-28 11:00:00', 88.0, 45.1, true, '2024-11-28 11:00:12'), ('上海', '3001', '101', 'D', '360', '2024-11-29 10:00:00', 85.0, NULL, NULL, '2024-11-29 10:00:13'), ('上海', '3002', '100', 'E', '180', '2024-11-29 11:00:00', NULL, 45.1, true, NULL), ('上海', '3002', '100', 'E', '180', '2024-11-29 18:30:00', 90.0, 35.4, true, '2024-11-29 18:30:15'), ('上海', '3002', '101', 'F', '360', '2024-11-30 09:30:00', 90.0, 35.2, true, NULL), ('上海', '3002', '101', 'F', '360', '2024-11-30 14:30:00', 90.0, 34.8, true, '2024-11-30 14:30:17') cost 329 ms, with status code: TSStatus(code:200, message:)|
|2026-05-06T14:58:45.534+08:00| node_1| u_0| root| 127.0.0.1| SLOW_OPERATION| QUERY| [SELECT]| OBJECT| true|database1| select * from table1| SLOW_QUERY: cost 121 ms, select * from table1|
+-----------------------------+-------+-------+--------+------------+----------------+--------------+--------------+---------------+------+---------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
Total line number = 3
It costs 0.026s
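An added example (not from the IoTDB documentation) that parses CLI output in the table layout shown above and flags client hosts with repeated failed logins, using the log message format from the result=false example. The sample rows, the helper names, the threshold of 3 failures within one minute, and the assumption that the message format is stable are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample output for:
#   select time,cli_hostname,operation_type,log from audit_log where result=false
SAMPLE = """\
+-----------------------------+------------+--------------+----------------------------------------------------------------------+
|                         time|cli_hostname|operation_type|                                                                   log|
+-----------------------------+------------+--------------+----------------------------------------------------------------------+
|2026-01-23T11:47:42.136+08:00|   192.0.2.7|       CONTROL|User user1 (ID=-1) login failed with code: 804, Authentication failed.|
|2026-01-23T11:47:43.020+08:00|   192.0.2.7|       CONTROL|User admin (ID=-1) login failed with code: 804, Authentication failed.|
|2026-01-23T11:47:44.511+08:00|   192.0.2.7|       CONTROL|User user2 (ID=-1) login failed with code: 804, Authentication failed.|
|2026-01-23T11:49:05.300+08:00|   127.0.0.1|           DML|                                  (constructed) write to table1 denied|
|2026-01-23T11:52:10.000+08:00|   127.0.0.1|       CONTROL|User user1 (ID=-1) login failed with code: 804, Authentication failed.|
+-----------------------------+------------+--------------+----------------------------------------------------------------------+
Total line number = 5
It costs 0.011s
"""

# Message shape taken from the failed-login row in the example above.
LOGIN_FAIL = re.compile(r"User (\S+) \(ID=(-?\d+)\) login failed with code: (\d+)")

def parse_cli_table(text):
    """Return (rows, rejected): rows are dicts keyed by the header cells."""
    header, rows, rejected = None, [], []
    for line in text.splitlines():
        line = line.rstrip()
        if not line.startswith("|"):
            continue  # borders, prompt, "Total line number", "It costs"
        if not line.endswith("|"):
            rejected.append(line)  # row wrapped by the terminal
            continue
        cells = [c.strip() for c in line[1:-1].split("|")]
        if header is None:
            header = cells
        elif len(cells) == len(header):
            rows.append(dict(zip(header, cells)))
        else:
            rejected.append(line)  # a '|' inside a cell; do not guess the split
    return rows, rejected

def login_failure_bursts(rows, threshold=3, window=timedelta(minutes=1)):
    """Map each host with >= threshold failed logins in a window to the users tried."""
    per_host = defaultdict(list)
    for row in rows:
        match = LOGIN_FAIL.search(row.get("log", ""))
        if match:
            ts = datetime.fromisoformat(row["time"])
            per_host[row["cli_hostname"]].append((ts, match.group(1)))
    alerts = {}
    for host, events in per_host.items():
        events.sort()
        recent = deque()
        for ts, user in events:
            recent.append((ts, user))
            while ts - recent[0][0] > window:
                recent.popleft()  # drop failures older than the window
            if len(recent) >= threshold:
                alerts.setdefault(host, set()).update(u for _, u in recent)
    return {host: sorted(users) for host, users in alerts.items()}

if __name__ == "__main__":
    parsed, skipped = parse_cli_table(SAMPLE)
    print(login_failure_bursts(parsed), len(skipped))
```

Rows that cannot be split unambiguously are returned in the rejected list instead of being parsed, so a '|' inside sql_string or log does not shift values into the wrong column.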