VeloDB Cloud 26.x·Apache Doris 4.x (≤ 4.0 supported)·"Since X.Y" tags refer to Doris versionsversion mapping →
audit_log
Overview
Store audit logs
Database
__internal_schema
Table Information
| Column Name | Type | Description |
|---|---|---|
| query_id | varchar(48) | ID of the Query |
| time | datetime(3) | Time when the query was executed(in milliseconds) |
| client_ip | varchar(128) | IP address of the client sending the query |
| user | varchar(128) | User |
| catalog | varchar(128) | Current Catalog during statement execution |
| db | varchar(128) | Current Database during statement execution |
| state | varchar(128) | Execution status of the statement |
| error_code | int | Error code |
| error_message | text | Error message |
| query_time | bigint | Execution time of the statement |
| scan_bytes | bigint | Amount of data scanned |
| scan_rows | bigint | Number of rows scanned |
| return_rows | bigint | Number of rows returned |
| shuffleSendRows | bigint | The number of rows transferred between nodes during statement execution. Supported since version 3.0. |
| shuffleSendBytes | bigint | The amount of data transferred between nodes during statement execution. Supported since version 3.0. |
| scanBytesFromLocalStorage | bigint | The amount of data read from the local disk. Supported since version 3.0. |
| scanBytesFromRemoteStorage | bigint | The amount of data read from the remote storage. Supported since version 3.0. |
| stmt_id | bigint | Statement ID |
| stmt_type | string | Statement type. Supported since version 3.0. |
| is_query | tinyint | Whether it is a query |
| is_nereids | booean | Is using Nereids Optimizer. |
| frontend_ip | varchar(128) | IP address of the connected Frontend |
| cpu_time_ms | bigint | Cumulative CPU time (in milliseconds) consumed by the Backend for statement execution |
| sql_hash | varchar(128) | Hash value of the statement |
| sql_digest | varchar(128) | Digest (signature) of the statement |
| peak_memory_bytes | bigint | Peak memory usage of the Backend during statement execution |
| workload_group | text | Workload Group used for statement execution |
| compute_group | string | In storage and computation decouped mode, the compute group used by the execution statement. Supported since version 3.0. |
| trace_id | string | Trace ID set when executing the statement. Removed since version 3.0.3 |
| stmt | text | Statement text |
Retention
The audit_log table is partitioned by time. To inspect the current retention setting, run:
SHOW CREATE TABLE __internal_schema.audit_log;
In the output, check the table properties for dynamic partition settings. For day-based partitions, a value such as "dynamic_partition.start" = "-30" means the table keeps roughly the most recent 30 days of audit records.
You can change the retention window by modifying the dynamic partition start value. For example, to keep roughly 90 days of audit records:
ALTER TABLE __internal_schema.audit_log
SET (
"dynamic_partition.start" = "-90"
);
Longer retention increases the investigation window, but it also consumes more storage and can increase the amount of data scanned by audit queries.
Description
client_ip: If a proxy service is used and the IP pass-through is not enabled, the proxy service IP may be recorded here instead of the real client IP.state:EOFindicates that the query is executed successfully.OKindicates that the DDL and DML statements are executed successfully.ERRindicates that the statement execution fails.