Query audit

Presto can log and keep an audit trail of query executions. It logs a timestamp value, the initiating user, the query ID and the SQL statement. Log entries are stored in textual format in log files that are automatically compressed and rotated at the end of each day.

Note

Query audit logger requires a valid Starburst Enterprise Presto license.

The log file contains one log entry per line, and the values are separated by a tab character. The timestamp uses ISO 8601 format.

2020-04-06T17:33:23+0000    admin   20200406_173323_00003_sae98    select * from customer
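A reader for this layout, as an added example that is not part of the Starburst documentation: it splits each line into the four documented fields, counts queries per user, and reports the line numbers it could not parse so that gaps in the audit trail are visible. The sample entries are constructed, and the handling of tab characters inside the SQL text (kept in the last field) is an assumption about how the logger writes them.

```python
from collections import Counter
from datetime import datetime

# Constructed sample in the documented layout: timestamp, user, query ID, SQL,
# separated by tab characters. Users, IDs and statements are made up.
SAMPLE = (
    "2020-04-06T17:33:23+0000\tadmin\t20200406_173323_00003_sae98\tselect * from customer\n"
    "2020-04-06T17:34:02+0000\tetl\t20200406_173402_00004_sae98\tselect 'a\tb' from orders\n"
    "not an audit entry\n"
)


def parse_entry(line):
    """Return a dict for one audit line, or None if it does not match the layout."""
    # Assumption: tabs inside the SQL text are not escaped, so split at most
    # three times and keep everything after the query ID as the statement.
    parts = line.rstrip("\n").split("\t", 3)
    if len(parts) != 4:
        return None
    ts, user, query_id, sql = parts
    try:
        # ISO 8601 with a numeric UTC offset such as +0000.
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S%z")
    except ValueError:
        return None
    return {"time": when, "user": user, "query_id": query_id, "sql": sql}


def summarize(lines):
    """Count queries per user and collect the numbers of unparsable lines."""
    per_user, rejected = Counter(), []
    for number, line in enumerate(lines, start=1):
        if not line.strip():
            continue  # ignore blank lines
        entry = parse_entry(line)
        if entry is None:
            rejected.append(number)  # surface it instead of dropping it silently
        else:
            per_user[entry["user"]] += 1
    return per_user, rejected


if __name__ == "__main__":
    counts, bad = summarize(SAMPLE.splitlines())
    print(dict(counts), "unparsed lines:", bad)
```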

Note

An alternative to the query audit feature is the more powerful Event Logger.

Query audit logging is implemented as an event listener and can be enabled by creating a configuration file called etc/event-listener.properties with the following properties.

Query Audit Configuration Properties

| Property Name | Description | Default |
|---|---|---|
| event-listener.name | The name needs to be set to the audit-log value. | |
| audit-log.path | Path of the security audit log file. | var/log/presto/security.log |
| audit-log.max-size | Maximum size of a single security audit log file. | 100MB |
| audit-log.max-history | Maximum number of security audit log files. | 30 |
| cloud-watch-logs-directory | Optional log directory so that Amazon CloudWatch can use the log files. | |

The CFT deployment automatically configures query audit as part of the default configuration.