
Configure Audit Log Events for MySQL Flexible Servers

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the audit log events recorded for your Azure MySQL flexible database servers include "CONNECTION" events in order to help detect unauthorized access, troubleshoot connection issues, and meet regulatory requirements.

Well-Architected pillars: Security, Reliability, Operational excellence, Performance efficiency

By enabling "CONNECTION" log events, your Azure MySQL flexible database server can capture information about both successful and unsuccessful attempts to connect to the server. This log data is valuable for identifying, troubleshooting, and resolving configuration issues and performance problems.


Audit

To determine if the "audit_log_events" configuration parameter includes "CONNECTION", perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Azure Database for MySQL flexible server, and choose Apply to list only the Azure MySQL flexible servers available in the selected subscription.

05 Click on the name (link) of the MySQL flexible server that you want to examine.

06 In the resource navigation panel, under Settings, select Server parameters to access the configuration parameters available for the selected MySQL server.

07 On the Server parameters page, select the All tab, and perform the following actions:

  1. Find the audit_log_enabled configuration parameter using the Search to filter items in All Tab search box. Check the audit_log_enabled parameter value, listed in the Value column to determine the logging feature status. If the parameter value is set to ON, audit logs are enabled for the selected server and you can continue the Audit process with the next step.
  2. Find the audit_log_events configuration parameter using the Search to filter items in All Tab search box. Check the audit_log_events parameter values, listed for the configuration dropdown, in the Value column, to determine the events captured within the audit logs. If CONNECTION is not included in the audit_log_events parameter values, the Audit Logging configuration for the selected MySQL flexible database server is not compliant.

08 Repeat steps no. 5 – 7 for each MySQL flexible server deployed within the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run mysql flexible-server list command (Windows/macOS/Linux) with custom output filters to list the name of each MySQL flexible server (and the name of the associated resource group) available in the selected Azure subscription:

az mysql flexible-server list \
	--output table \
	--query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return a table with requested MySQL server information:

Name                  ResourceGroup
--------------------  ------------------------------
cc-mysql-flexible-db  cloud-shell-storage-westeurope
cc-project5-mysql-db  cloud-shell-storage-westeurope

06 Run mysql flexible-server parameter show command (Windows/macOS/Linux) with the name of the Azure MySQL flexible server that you want to examine and its associated resource group as the identifier parameters, to get the audit_log_enabled parameter value for the selected MySQL server in order to determine the logging feature status:

az mysql flexible-server parameter show \
	--server-name "cc-mysql-flexible-db" \
	--resource-group "cloud-shell-storage-westeurope" \
	--name audit_log_enabled \
	--query 'value'

07 The command output should return the requested configuration value. If the mysql flexible-server parameter show command output returns "ON", as shown in the example below, audit logs are enabled for the selected database server and you can continue the Audit process with the next step.

"ON"

08 Run mysql flexible-server parameter show command (Windows/macOS/Linux) to get the audit_log_events parameter value for the selected MySQL database server in order to determine the scope of events captured by the audit logs:

az mysql flexible-server parameter show \
	--server-name "cc-mysql-flexible-db" \
	--resource-group "cloud-shell-storage-westeurope" \
	--name audit_log_events \
	--query 'value'

09 The command output should return the requested configuration value(s):

"ADMIN,GENERAL"

Check the mysql flexible-server parameter show command output to identify the events captured within the audit logs. If CONNECTION is not included in the list of events returned by the command output, the Audit Logging configuration for the selected MySQL flexible database server is not compliant.

10 Repeat steps no. 6 – 9 for each MySQL flexible server provisioned in the selected Azure subscription.

11 Repeat steps no. 3 – 10 for each subscription available within your Microsoft Azure cloud account.
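The manual sweep in steps 1 – 11 is easy to script. The script below is an added example, not Conformity's own tooling: it walks every subscription and every MySQL flexible server, reads audit_log_enabled and audit_log_events with the same parameter show calls the page uses, and prints a verdict per server. The compliance test lives in a small pure function so it can be checked without an Azure account; it matches CONNECTION as a whole comma-separated token, so the distinct CONNECTION_V2 event listed in allowedValues does not satisfy the page's criterion. It assumes the Azure CLI ("az") is installed and already signed in; the function names and the --run flag are the example's own.

```shell
#!/bin/sh
# Added example: report audit_log_events compliance for every Azure MySQL
# flexible server in every subscription. Not part of the Conformity page;
# assumes "az" is installed and logged in.

# Pure check: 0 (compliant) when the comma-separated list contains the
# CONNECTION token, 1 otherwise. Accepts the quoted JSON form ("ADMIN,GENERAL")
# that --query 'value' prints as well as the bare tsv form.
audit_log_events_compliant() {
    events=$(printf '%s' "$1" | tr -d '"')
    case ",$events," in
        *,CONNECTION,*) return 0 ;;
        *)              return 1 ;;
    esac
}

# Verdict for one server from the two parameter values the page inspects:
# AUDIT_DISABLED (audit_log_enabled is not ON), COMPLIANT or NON_COMPLIANT.
server_verdict() {
    enabled=$(printf '%s' "$1" | tr -d '"')
    if [ "$enabled" != "ON" ]; then
        printf 'AUDIT_DISABLED'
    elif audit_log_events_compliant "$2"; then
        printf 'COMPLIANT'
    else
        printf 'NON_COMPLIANT'
    fi
}

# get_param <server> <resource-group> <parameter-name>: prints the raw value.
get_param() {
    az mysql flexible-server parameter show \
        --server-name "$1" --resource-group "$2" --name "$3" \
        --query 'value' --output tsv
}

# Tab-separated report: subscription, server, verdict, current event list.
audit_all_subscriptions() {
    for sub in $(az account list --query '[*].id' --output tsv); do
        az account set --subscription "$sub"
        az mysql flexible-server list \
            --query '[*].[name,resourceGroup]' --output tsv |
        while IFS="$(printf '\t')" read -r name rg; do
            enabled=$(get_param "$name" "$rg" audit_log_enabled)
            events=$(get_param "$name" "$rg" audit_log_events)
            printf '%s\t%s\t%s\t%s\n' "$sub" "$name" \
                "$(server_verdict "$enabled" "$events")" "$events"
        done
    done
}

# Only touch Azure when explicitly asked:
#   sh audit-mysql-connection-events.sh --run
if [ "${1-}" = "--run" ]; then
    audit_all_subscriptions
fi
```

The report lists a server as AUDIT_DISABLED before looking at its event list, because a CONNECTION entry in audit_log_events records nothing while audit_log_enabled is OFF; both parameters have to be right for connection attempts to reach the audit log.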

Remediation / Resolution

To configure audit log events for your Azure MySQL flexible database servers, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Azure Database for MySQL flexible server, and choose Apply to list only the Azure MySQL flexible servers available in the selected subscription.

05 Click on the name (link) of the MySQL flexible server that you want to configure.

06 In the resource navigation panel, under Settings, select Server parameters to access the configuration parameters available for the selected MySQL server.

07 On the Server parameters page, perform the following actions:

  1. Ensure that the audit_log_enabled server parameter is enabled. Follow the steps outlined here to enable the required parameter.
  2. Select the All tab and find the audit_log_events configuration parameter using the Search to filter items in All Tab search box.
  3. Once the audit_log_events server parameter is found, configure the parameter by selecting CONNECTION from the configuration dropdown list available in the Value column.
  4. Choose Save to apply the configuration changes. This will add CONNECTION to the scope of events captured by audit logs for the selected Azure MySQL flexible database server.

08 Repeat steps no. 5 – 7 for each MySQL flexible server deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Ensure that the audit_log_enabled server parameter is enabled. Follow the steps outlined here to enable the required parameter.

02 Run mysql flexible-server parameter set command (Windows/macOS/Linux) with the name of the MySQL flexible server that you want to configure and its resource group as the identifier parameters, to configure the audit_log_events server parameter for the selected database server. The --value argument replaces the whole event list, so keep the events that are already configured (ADMIN,GENERAL in this example) alongside CONNECTION. The following command will add CONNECTION to the existing scope of events captured by audit logs for the selected MySQL flexible database server:

az mysql flexible-server parameter set \
	--server-name "cc-mysql-flexible-db" \
	--resource-group "cloud-shell-storage-westeurope" \
	--name audit_log_events \
	--value CONNECTION,ADMIN,GENERAL

03 The command output should return the information available for the configured server parameter:

{
	"allowedValues": "DDL,DML_SELECT,DML_NONSELECT,DCL,ADMIN,DML,GENERAL,CONNECTION,CONNECTION_V2,TABLE_ACCESS",
	"currentValue": "CONNECTION,ADMIN,GENERAL",
	"dataType": "Set",
	"defaultValue": "CONNECTION",
	"description": "Select the events to audit logs.",
	"documentationLink": "https://docs.microsoft.com/en-us/azure/mysql/concepts-audit-logs",
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DBforMySQL/flexibleServers/cc-mysql-flexible-db/configurations/audit_log_events",
	"isConfigPendingRestart": "False",
	"isDynamicConfig": "True",
	"isReadOnly": "False",
	"name": "audit_log_events",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"source": "user-override",
	"systemData": null,
	"type": "Microsoft.DBforMySQL/flexibleServers/configurations",
	"value": "CONNECTION,ADMIN,GENERAL"
}

04 Repeat steps no. 1 and 2 for each MySQL flexible server provisioned in the selected Azure subscription.

05 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.
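Because parameter set overwrites the whole event list, a remediation that hardcodes CONNECTION,ADMIN,GENERAL silently drops any other events a server was recording. The script below is an added example, not Conformity's own tooling: it reads the current audit_log_events value, adds CONNECTION only if it is missing, refuses to proceed when audit_log_enabled is not ON (step 1 above), and shows the isConfigPendingRestart field from the command's output so the operator can see whether the change took effect immediately. The merge step is a pure function that can be checked without Azure. It assumes the Azure CLI ("az") is installed and signed in; the function names and the --run flag are the example's own.

```shell
#!/bin/sh
# Added example: add CONNECTION to audit_log_events without clobbering the
# events already configured. Not part of the Conformity page; assumes "az"
# is installed and logged in.

# Pure function: prints the event list with CONNECTION present exactly once
# (added at the front when missing). Tolerates the quoted JSON form and an
# empty current value; strips stray spaces so "ADMIN, GENERAL" is accepted.
merge_connection_event() {
    current=$(printf '%s' "$1" | tr -d '" ')
    case ",$current," in
        *,CONNECTION,*) printf '%s' "$current" ;;
        ",,")           printf 'CONNECTION' ;;
        *)              printf 'CONNECTION,%s' "$current" ;;
    esac
}

# remediate_server <server> <resource-group>
remediate_server() {
    enabled=$(az mysql flexible-server parameter show \
        --server-name "$1" --resource-group "$2" \
        --name audit_log_enabled --query 'value' --output tsv)
    if [ "$enabled" != "ON" ]; then
        echo "$1: audit_log_enabled is '$enabled'; enable audit logging first" >&2
        return 1
    fi
    current=$(az mysql flexible-server parameter show \
        --server-name "$1" --resource-group "$2" \
        --name audit_log_events --query 'value' --output tsv)
    wanted=$(merge_connection_event "$current")
    if [ "$wanted" = "$current" ]; then
        echo "$1: already records CONNECTION ($current); nothing to do"
        return 0
    fi
    echo "$1: changing audit_log_events from '$current' to '$wanted'"
    az mysql flexible-server parameter set \
        --server-name "$1" --resource-group "$2" \
        --name audit_log_events --value "$wanted" \
        --query '{value:value, pendingRestart:isConfigPendingRestart}' \
        --output table
}

# Only touch Azure when explicitly asked:
#   sh remediate-mysql-connection-events.sh --run <server> <resource-group>
if [ "${1-}" = "--run" ] && [ $# -eq 3 ]; then
    remediate_server "$2" "$3"
fi
```

Run it once per server and resource group (or call remediate_server from the subscription loop used for the audit); it is idempotent, so re-running it after a successful change reports that nothing is left to do.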

Publication date Feb 12, 2025