Audit Log (Enterprise)

Memgraph supports all query audit logging. When enabled, the audit log contains records of all queries executed on the database. Each executed query is one entry (one line) in the audit log. The audit log itself is a CSV file.

All audit logs are written to <MEMGRAPH_DURABILITY_DIRECTORY>/audit/audit.log. The log is rotated using logrotate, so entries in the audit.log file are always the newest entries. Entries in audit.log.1, audit.log.2.gz, etc. are older entries. The default log rotation configuration can be found in /etc/logrotate.d/memgraph. By default, the log is rotated every day and a full year of entries is preserved. You can modify the values to your own needs and preferences.

Format

The audit log contains the following information formatted into a CSV file:

<timestamp>,<address>,<username>,<query>,<params>

For each query, the supplied query parameters are also logged. The query is escaped and quoted so that commas in queries don't affect the correctness of the CSV. The parameters are encoded as JSON objects and are then escaped and quoted.

Example

This is an example of the audit log:

1551376833.225395,127.0.0.1,admin,"MATCH (n) DETACH DELETE n","{}"
1551376833.257825,127.0.0.1,admin,"CREATE (n {name: $name})","{\"name\":\"alice\"}"
1551376833.273546,127.0.0.1,admin,"MATCH (n), (m) CREATE (n)-[:e {when: $when}]->(m)","{\"when\":42}"
1551376833.300955,127.0.0.1,admin,"MATCH (n), (m) SET n.value = m.value","{}"

We can see that all of the queries were executed from the loopback address and were executed by the user admin. The executed queries are:

Query

Parameters

MATCH (n) DETACH DELETE n

{}

CREATE (n {name: $name})

{"name": "alice"}

MATCH (n), (m) CREATE (n)-[:e {when: $when}]->(m)

{"when": 42}

MATCH (n), (m) SET n.value = m.value

{}

Parsing the Log

If you wish to parse the log, the following Python snippet shows how to extract data from the audit log:

import csv
import json
‚Äč
with open("audit.log") as f:
reader = csv.reader(f, delimiter=',', doublequote=False,
escapechar='\\', lineterminator='\n',
quotechar='"', quoting=csv.QUOTE_MINIMAL,
skipinitialspace=False, strict=True)
for line in reader:
timestamp, address, username, query, params = line
params = json.loads(params)
# Rest of your code that processes the logs.

Flags

This section contains the list of flags that are used to configure audit logging in Memgraph.

Flag

Description

--audit-enabled

Enables audit logging.

--audit-buffer-size

Controls the in-memory buffer size used for audit logs.

--audit-buffer-flush-interval-ms

Controls the time interval (in milliseconds) used for flushing the in-memory buffer to disk.