Audit logs record all SQL operations executed in your EMR Serverless StarRocks instance. The AuditLoader plugin reads logs from a local file and loads them into a StarRocks table, making them queryable through standard SQL—so you can investigate slow queries, trace errors, and audit user activity without external tooling.
Do not delete the _starrocks_audit_db_ database or the starrocks_audit_tbl table. Deleting either prevents the SQL task query feature from working in StarRocks Manager.
How it works
StarRocks writes all audit log entries to a local file at fe/log/fe.audit.log. You cannot access these logs through the internal system database. The AuditLoader plugin reads this file and imports the entries into the starrocks_audit_tbl table in the _starrocks_audit_db_ database using the HTTP PUT method.
The audit log feature is enabled by default and cannot be disabled.
Constraints
Audit logs use dynamic partitioning. By default, the last 30 days of data are retained. To change the retention period, modify the
dynamic_partition.startanddynamic_partition.endparameter values in the table properties.
View audit logs in StarRocks Manager
To locate the audit log database and table in the StarRocks Manager UI:
Go to the Metadata Management page.
In the Data Directory pane, expand default_catalog.
Find the
_starrocks_audit_db_database and thestarrocks_audit_tbltable.
Query audit logs
To query audit logs, run SQL statements against the starrocks_audit_tbl table.
Example: Find slow queries from a specific user
SELECT queryId, timestamp, queryTime, stmt
FROM _starrocks_audit_db_.starrocks_audit_tbl
WHERE queryType = 'slow_query'
AND user = 'root'
ORDER BY queryTime DESC
LIMIT 20;Example: Check recent errors
SELECT queryId, timestamp, user, errorCode, errorMsg, stmt
FROM _starrocks_audit_db_.starrocks_audit_tbl
WHERE state = 'ERR'
ORDER BY timestamp DESC
LIMIT 20;Audit log table schema
To view the full table creation statement, run:
SHOW CREATE TABLE starrocks_audit_tbl;The starrocks_audit_tbl table uses the OLAP engine with queryId, timestamp, and queryTime as duplicate keys, partitioned by timestamp (range partitioning), and distributed by queryId across 3 buckets. The default storage uses LZ4 compression with a single replica.
Column reference
| Column | Type | Description |
|---|---|---|
queryId | varchar(64) | Unique ID of the query |
timestamp | datetime | Time when the query started |
queryTime | bigint | Query execution time, in milliseconds |
queryType | varchar(12) | Query type: query (standard query), slow_query (query that exceeded the slow query threshold), or connection (connection event) |
clientIp | varchar(32) | IP address of the client |
user | varchar(64) | Username that ran the query |
authorizedUser | varchar(64) | User identity in user_identity format, for example, 'root'@'%' |
resourceGroup | varchar(64) | Resource group used by the query |
catalog | varchar(32) | Data catalog where the query ran |
db | varchar(96) | Database where the query ran |
state | varchar(8) | Query status: EOF (completed normally with results returned), ERR (failed with an error), or OK (succeeded without result rows) |
errorCode | varchar(512) | Error code, if the query failed |
errorMsg | varchar(1048576) | Error details, if the query failed |
scanBytes | bigint | Bytes scanned by the query |
scanRows | bigint | Rows scanned by the query |
returnRows | bigint | Rows returned by the query |
cpuCostNs | bigint | CPU time consumed by the query, in nanoseconds |
memCostBytes | bigint | Memory consumed by the query, in bytes |
planCpuCosts | double | CPU time consumed during query planning, in nanoseconds |
planMemCosts | double | Memory consumed during query planning, in bytes |
pendingTimeMs | bigint | Time the query waited in the queue, in milliseconds |
stmtId | int | Incremental ID of the SQL statement |
stmtType | varchar(8) | SQL statement type: DQL, DML, DDL, DCL, or OTHER |
isQuery | tinyint | Whether the statement is a query: 1 (yes) or 0 (no) |
isFilter | tinyint | Whether the statement was filtered by the AuditLoader filter condition: 1 (yes) or 0 (no) |
feIp | varchar(128) | IP address of the frontend (FE) node that executed the statement |
stmt | varchar(1048576) | Original SQL statement |
digest | varchar(32) | Fingerprint of the slow SQL statement |
warehouse | varchar(96) | Compute group used by the query |
candidateMVs | varchar(65533) | List of candidate materialized views (MVs) considered for the query |
hitMvs | varchar(65533) | List of materialized views that the query hit |