All Products
Search

This Product

    E-MapReduce:Use the EMR Event Listener to obtain basic audit logs

    Document Center

    E-MapReduce:Use the EMR Event Listener to obtain basic audit logs

    Last Updated:Mar 26, 2026

    Apache Trino does not include audit logging out of the box. E-MapReduce (EMR) Trino adds a built-in file-based event listener that writes query audit logs to local disk — no extra infrastructure required. Each log entry records the query ID, catalog, schema, user, creation time, and SQL statement.

    Prerequisites

    Before you begin, ensure that you have:

    • An EMR cluster running V3.46.0 or a later minor version, or V5.12.0 or a later minor version

    • Access to the EMR on ECS console

    Considerations

    • Enabling the event listener slightly affects query performance. If your workload has extremely high query speed requirements, keep the event listener disabled.

    • During peak hours, storing logs over a long period can consume significant disk space. Set the retention period to match your actual needs.

    • Audit logs record only the query start time. Query duration and end time are not available.

    Enable the event listener

    Step 1: Go to the Services tab

    1. Log on to the EMR on ECS console.

    2. In the top navigation bar, select the region where your cluster resides and select a resource group.

    3. Find the cluster and click Services in the Actions column.

    Step 2: Turn on EmrEventListener

    1. On the Services tab, find the Trino service and click Status.

    2. In the Service Overview section, turn on EmrEventListener.

    3. In the message that appears, click OK.

    Step 3: Restart Trino

    1. On the Status tab, choose More > Restart in the upper-right corner.

    2. In the dialog box that appears, set the Execution Reason parameter and click OK.

    3. In the Confirm message, click OK.

    View audit logs

    Run a query, then open the audit log file at the default path:

    /mnt/disk1/log/trino/var/log/trino-audit.log

    Each line follows this format:

    QueryId: xxx; Catalog: xxx; Schema: xxx; User: xxx; Query Created Time: xxx; SQL: xxx
    image..png

    In the early morning of each day, the previous day's logs are rotated to a new file in the same directory. The file name follows the format trino-audit_{Date}.log.

    Configure the event listener

    Modify configuration properties on the emr-event-listener.properties tab of the Configure tab on the Trino service page. By default, only the first two properties are shown — add any others manually. For details, see Manage configuration items.

    The default emr-event-listener.properties file contains:

    event-listener.name=trino-emr-event-listener
audit.file.path=/mnt/disk1/log/trino/var/log/trino-audit.log
    Important

    After changing any configuration, restart TrinoMaster for the changes to take effect.

    Configuration item Default value Description
    event-listener.name trino-emr-event-listener The name of the event listener. Do not modify this value.
    audit.file.path /mnt/disk1/log/trino/var/log/trino-audit.log The path where audit logs are stored.
    audit.file.failure.path None The path for logs of failed queries. If left blank, failed queries are not logged separately. If set to a valid path, the log includes the failure time and error message.
    audit.file.plan.enabled false Whether to include the execution plan in failed-query logs when audit.file.failure.path is set. Enable only when necessary — setting this to true reduces log readability.
    audit.file.store.time 7 The retention period for audit logs, in days. Logs older than this value are cleared automatically.