VeloDB Cloud 26.x · Apache Doris 4.x (≤ 4.0 supported) · "Since X.Y" tags refer to Doris versions

Audit Logging

VeloDB Cloud records organization activity, SQL activity, and infrastructure events so you can answer who did what, when, from where, and how the system responded. This guide maps each audit source to where you view and query it for security reviews and incident investigation.

Audit Log Sources

| Source | What it records | Where to find it |
| --- | --- | --- |
| Organization Activity Logs | Console and control-plane actions, including member changes, role changes, billing changes, and warehouse lifecycle actions. | Account and Organization |
| Database audit log | SQL and query activity executed against a warehouse, stored in the __internal_schema.audit_log system table. | audit_log table schema |
| Infrastructure events | Cloud-provider operational events for resources in your cloud account, especially in BYOC deployments. | Your cloud-provider audit logs, such as AWS CloudTrail or Google Cloud Audit Logs. |

You can review the SQL audit log with SQL against the audit_log table, or in the console with Query Audit and Log Explorer. Audit retention is managed on the audit_log table itself.

Query the Audit Log Table

Query the __internal_schema.audit_log table directly when you need SQL-based filtering, aggregation, export, or repeatable evidence collection. Each record can include the user, client address, statement type, statement text, execution time, execution status, error information, scanned data, returned rows, workload group, and related query identifiers. For the full schema, see Audit Event Reference.

Example: review recent failed statements.

SELECT
    time,
    user,
    client_ip,
    stmt_type,
    state,
    error_code,
    error_message,
    stmt
FROM __internal_schema.audit_log
WHERE time >= NOW() - INTERVAL 1 DAY
  AND state = 'ERR'
ORDER BY time DESC
LIMIT 100;

Example: summarize query activity by user.

SELECT
    user,
    COUNT(*) AS statement_count,
    MAX(time) AS last_seen
FROM __internal_schema.audit_log
WHERE time >= NOW() - INTERVAL 7 DAY
GROUP BY user
ORDER BY statement_count DESC;

Audit Log Retention

The SQL audit log is stored in the __internal_schema.audit_log system table. The table is partitioned by time, and retention is controlled by the table's dynamic partition properties.

To check the current retention setting, run:

SHOW CREATE TABLE __internal_schema.audit_log;

In the output, look for dynamic partition properties such as:

"dynamic_partition.enable" = "true",
"dynamic_partition.time_unit" = "DAY",
"dynamic_partition.start" = "-30"

For day-based partitions, dynamic_partition.start = -30 means the table keeps roughly the most recent 30 days of audit data. This is a common default window for database audit logs in managed analytics services. Your actual environment may use a different value, so use SHOW CREATE TABLE as the source of truth.

To change the retention window, modify the dynamic partition start value. For example, to keep roughly 90 days of SQL audit data:

ALTER TABLE __internal_schema.audit_log
SET (
    "dynamic_partition.start" = "-90"
);

Longer retention provides a larger investigation window, but it also consumes more storage and can increase query cost when searching a wide time range. Choose a value that matches your compliance requirements, incident-response process, and storage budget.
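The retention check in this section can be scripted for repeatable evidence collection. The following is an added example, not VeloDB or Apache Doris code: it parses pasted SHOW CREATE TABLE output, derives the approximate retention window, and builds the ALTER TABLE statement shown above when the window is shorter than a required one. The function names, the sample DDL text, and the WEEK and MONTH day counts are assumptions.

```python
import math
import re

# Days per partition unit. DAY is the case shown on the page; WEEK and MONTH
# (and their approximate lengths) are assumptions made for this example.
UNIT_DAYS = {"DAY": 1, "WEEK": 7, "MONTH": 30}

# Constructed sample: the PROPERTIES part of a SHOW CREATE TABLE result.
SAMPLE_DDL = '''PROPERTIES (
"dynamic_partition.enable" = "true",
"dynamic_partition.time_unit" = "DAY",
"dynamic_partition.start" = "-30"
);'''

def dynamic_partition_props(ddl):
    """Map each "dynamic_partition.<name>" property in the DDL to its value."""
    pairs = re.findall(r'"dynamic_partition\.([\w.]+)"\s*=\s*"([^"]*)"', ddl)
    return {name.lower(): value.strip() for name, value in pairs}

def retention_days(ddl):
    """Approximate retention in days, or None when these properties do not define it."""
    props = dynamic_partition_props(ddl)
    unit = props.get("time_unit", "").upper()
    if props.get("enable", "").lower() != "true" or unit not in UNIT_DAYS:
        return None
    try:
        start = int(props.get("start", ""))
    except ValueError:
        return None  # property missing or not an integer
    return -start * UNIT_DAYS[unit] if start < 0 else None

def check_retention(ddl, required_days):
    """Compare the configured window with a required one; suggest the page's ALTER if short."""
    days = retention_days(ddl)
    if days is None:
        return {"status": "REVIEW_MANUALLY", "days": None, "fix": None}
    if days >= required_days:
        return {"status": "OK", "days": days, "fix": None}
    unit = dynamic_partition_props(ddl)["time_unit"].upper()
    start = -math.ceil(required_days / UNIT_DAYS[unit])
    fix = ('ALTER TABLE __internal_schema.audit_log '
           f'SET ("dynamic_partition.start" = "{start}");')
    return {"status": "TOO_SHORT", "days": days, "fix": fix}

if __name__ == "__main__":
    print(check_retention(SAMPLE_DDL, 90))
```

A REVIEW_MANUALLY result means the window could not be derived from the properties found, so read the SHOW CREATE TABLE output directly.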

Query Audit Logs in the Console

Use Monitoring > Query Audit to review query activity from the console without writing SQL.

Use Log Explorer when you want interactive field filters, keyword search, SQL mode, trend charts, row detail, JSON view, or surrounding context for log-table data such as internal_schema > audit_log.

Infrastructure Events

Infrastructure events are operational and platform-level events. They are not the same as SQL audit records.

In BYOC deployments, infrastructure resources run in your own cloud account, so infrastructure-level audit evidence usually comes from your cloud provider's native logging service, such as AWS CloudTrail or Google Cloud Audit Logs.

Audit Evidence Checklist

When responding to a security questionnaire, the most useful evidence usually includes:

| Question | Evidence source |
| --- | --- |
| Who changed organization settings or access? | Activity Logs |
| Who ran a SQL statement or accessed data through SQL? | The __internal_schema.audit_log table or Monitoring > Query Audit |
| How long are SQL audit records retained? | SHOW CREATE TABLE __internal_schema.audit_log |
| How is SQL audit retention changed? | ALTER TABLE __internal_schema.audit_log SET ("dynamic_partition.start" = "-N") |
| Where can infrastructure events be reviewed in BYOC? | Your cloud-provider audit logs |