Audit Database Access
Logged queries.
Overview
Database access auditing logs every query against the production database with user attribution, timestamp, source, and query categorization. The audit trail is the load-bearing artifact for compliance certifications (SOC 2, HIPAA, PCI), the forensic record for breach investigation, and the input to anomaly detection that catches insider threats. The discipline is in engine-native logging (pgaudit, MySQL Enterprise Audit), tamper-resistant storage, and retention matched to regulatory requirements.
- Logged queries. Every SQL statement with who, when, from where; the forensic record for compliance and investigation.
- User attribution. Each query maps to an authenticated user; service accounts have distinct identities so the audit shows the actor.
- Query categorization. SELECT vs DML vs DDL; supports differentiated alerting (a DDL statement against production tables alerts faster than a read does).
- Tamper-resistant storage plus retention. Append-only storage prevents log tampering; retention matched to regulatory requirements (SOC 2, HIPAA, PCI all specify minimums).
The approach
The practical approach is engine-native auditing (pgaudit for Postgres, MySQL Enterprise Audit for MySQL) for high-fidelity logs, separate audit storage from application data to reduce tampering risk, anomaly alerting on unusual access patterns (off-hours queries, unusual volume, new source IPs), and a documented audit policy committed to the security handbook covering what is logged, how long, and who can access.
- pgaudit (PostgreSQL). Engine-native audit module; produces high-fidelity logs with user, query, timestamp, and source.
- MySQL Enterprise Audit. Native audit plugin for MySQL; gives the same engine-level logging surface for MySQL that pgaudit gives for Postgres.
- Separate audit storage. Audit logs in different storage from app data; reduces tampering risk if app data is compromised.
- Alert on anomalies plus documented policy. Unusual access patterns trigger alerts (off-hours, unusual volume, new sources); per-team audit policy committed to the security handbook.
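To make the categorization and anomaly checks above concrete, here is an added example (not code from this page or from Nova AI Ops) that parses constructed pgaudit SESSION log lines into attributed records and flags the three patterns the policy names: DDL, off-hours queries, and a new source IP. It assumes a log_line_prefix of '%m [%p] %u@%d %h ' and business hours of 08:00 to 19:00; both are assumptions, not values from the page.

```python
import csv
import re
from datetime import datetime, time
from io import StringIO

# Assumed log_line_prefix = '%m [%p] %u@%d %h ' (an assumption, not from the page);
# pgaudit appends its own CSV record after "AUDIT: ".
LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<tz>\S+) \[(?P<pid>\d+)\] (?P<user>[^@ ]+)@(?P<db>\S+) "
    r"(?P<host>\S+) LOG:\s+AUDIT: (?P<audit>.*)$"
)
# Column order of a pgaudit SESSION record.
FIELDS = ("type", "stmt_id", "substmt_id", "class", "command",
          "object_type", "object_name", "statement", "parameter")

# Constructed sample log: a service account doing routine work, then a
# human DBA account reading a whole table and dropping a column late at night.
SAMPLE_LOG = """\
2024-03-04 10:02:11.412 UTC [4421] app@prod 10.0.0.5 LOG:  AUDIT: SESSION,1,1,READ,SELECT,,,"SELECT id, email FROM customers WHERE id = $1",<not logged>
2024-03-04 10:02:12.007 UTC [4421] app@prod 10.0.0.5 LOG:  AUDIT: SESSION,2,1,WRITE,UPDATE,,,"UPDATE orders SET status = 'shipped' WHERE id = 77",<none>
2024-03-04 23:41:09.550 UTC [5190] dba_jsmith@prod 203.0.113.9 LOG:  AUDIT: SESSION,1,1,READ,SELECT,,,"SELECT * FROM customers",<none>
2024-03-04 23:41:30.001 UTC [5190] dba_jsmith@prod 203.0.113.9 LOG:  AUDIT: SESSION,2,1,DDL,ALTER TABLE,,,"ALTER TABLE customers DROP COLUMN ssn",<none>
"""

def parse_line(line):
    # One attributed, categorised record per audit line; None for other log lines.
    m = LINE.match(line)
    if not m:
        return None
    rec = dict(m.groupdict())
    # pgaudit CSV-quotes statements that contain commas or quotes, so parse with csv.
    rec.update(zip(FIELDS, next(csv.reader(StringIO(rec.pop("audit"))))))
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S.%f")
    return rec

def load_records(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def find_anomalies(records, known_hosts, hours=(time(8), time(19))):
    # Flags DDL (categorization), off-hours activity, and a source IP not seen before.
    findings, seen = [], set(known_hosts)
    for r in records:
        who = f"{r['user']}@{r['db']} from {r['host']}"
        if r["class"] == "DDL":
            findings.append(("ddl", who, r["statement"]))
        if not hours[0] <= r["ts"].time() < hours[1]:
            findings.append(("off_hours", who, r["statement"]))
        if r["host"] not in seen:
            findings.append(("new_source", who, r["statement"]))
            seen.add(r["host"])
    return findings
```

Running `find_anomalies(load_records(SAMPLE_LOG), {"10.0.0.5"})` yields nothing for the service account's daytime work and four findings for the DBA session: off-hours and new-source on the full-table read, then DDL and off-hours on the column drop.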
Why this compounds
Audit logging compounds across years. Each retained log preserves forensic capability for the compliance window; each anomaly investigation teaches the team what normal looks like; the discipline becomes the foundation for both compliance certifications and incident response. Without it, breach investigation becomes guesswork and compliance audits become exercises in archaeology.
- Security. Audit logs catch insider threats; the unusual query pattern surfaces in monitoring before it becomes a breach.
- Compliance evidence. Auditors see real logs; the certification process moves through evidence rather than promises.
- Incident response. Forensic data for breach investigation; the team can answer "what did the attacker access" with data.
- Institutional knowledge. Each anomaly investigation teaches access patterns; the team learns what normal database access looks like.
Database access auditing is an operational discipline that pays off across years. Nova AI Ops integrates with database telemetry, surfaces audit patterns, and supports the team’s database security discipline.