MySQL Audit
MySQL Enterprise Audit Plugin events (ECS-compatible JSON) covering all four audit classes — connection, general, table_access, and audit. Generates connect/disconnect lifecycle, DML queries (SELECT/INSERT/UPDATE/DELETE), table access tracking, DDL schema changes, GRANT/REVOKE privileges, admin commands, query errors, and failed authentication attempts with realistic query statistics.
Quick Start
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/database-mysql-audit/generator.yml \
  --id mysql \
  --live-mode true
Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| query-select | SELECT queries on tables and views | ~30.0% | database |
| connect | Successful client connections | ~13.5% | authentication |
| disconnect | Client disconnections | ~12.7% | authentication |
| query-update | UPDATE statements | ~11.3% | database |
| query-insert | INSERT statements | ~7.6% | database |
| table-access-read | Table read access events | ~7.5% | database |
| table-access-write | Table write access (insert/update/delete) | ~4.4% | database |
| query-admin | Admin commands (SHOW, FLUSH, OPTIMIZE) | ~4.2% | database |
| connect-failure | Failed authentication attempts | ~2.8% | authentication |
| query-delete | DELETE statements | ~2.3% | database |
| query-error | Failed queries (syntax, permission, deadlock) | ~1.7% | database |
| query-ddl | DDL: CREATE, ALTER, DROP (tables, indexes, views) | ~1.2% | configuration |
| query-grant | GRANT/REVOKE privilege changes | ~0.8% | iam |
Realism Features
- Session-correlated events — connect creates a session reused by query/table_access templates, disconnect pops it, ensuring consistent user/IP/connection context
- 5-host MySQL fleet — production pair, staging, reporting, and dev instances with unique agent IDs, IPs, and MySQL server IDs
- 12 MySQL users — root, application service accounts (app_service, web_api, etl_loader), reporting, admin (jsmith, mchen), dev, backup, monitoring, and replication users with weighted selection
- Parameterized SQL statements — schema-qualified queries with realistic WHERE clauses and parameterized values across multiple databases
- Query statistics — bytes_received, bytes_sent, query_time, rows_examined, rows_sent for every general-class event
- Monotonic counters — per-host event IDs and connection IDs increment across all templates
- Failed authentication with error codes — incorrect passwords, unknown users, and host-blocked connection failures
Sample Output
{
  "@timestamp": "2026-03-06T14:22:31.456789+00:00",
  "agent": {
    "id": "b3c4d5e6-f7a8-9012-bcde-f01234567891",
    "name": "mysql-prod-01",
    "type": "filebeat",
    "version": "8.17.0"
  },
  "client": {
    "domain": "app-server-01",
    "ip": "192.168.1.50",
    "port": 45678
  },
  "data_stream": {
    "dataset": "mysql_enterprise.audit",
    "namespace": "default",
    "type": "logs"
  },
  "event": {
    "action": "mysql-query",
    "category": ["database"],
    "dataset": "mysql_enterprise.audit",
    "kind": "event",
    "module": "mysql_enterprise",
    "outcome": "success",
    "type": ["access"]
  },
  "mysqlenterprise": {
    "audit": {
      "account": { "host": "app-server-01", "user": "app_service" },
      "class": "general",
      "connection_id": "142",
      "general_data": {
        "command": "Query",
        "query": "SELECT * FROM `ecommerce`.`orders` WHERE `id` = ?",
        "sql_command": "select",
        "status": 0
      },
      "id": "1042",
      "login": { "ip": "192.168.1.50", "user": "app_service" },
      "query_statistics": {
        "bytes_received": 78,
        "bytes_sent": 4521,
        "query_time": 0.001234,
        "rows_examined": 1,
        "rows_sent": 1
      }
    }
  },
  "user": { "name": "app_service" }
}
Parameters
| Parameter | Default | Description |
|---|---|---|
| agent_version | 8.17.0 | Filebeat/Elastic Agent version string |
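One way to put the connect-failure events to work is a sliding-window detection for repeated failed logins per client IP. This is an added example, not part of the content pack. It assumes connect-failure events carry `event.category` containing `authentication` and `event.outcome` set to `failure`, alongside the `@timestamp`, `client.ip` and `user.name` fields from the sample output above; the window, threshold, function names and sample rows are constructed for illustration.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

def detect_auth_bursts(lines, window=timedelta(minutes=5), threshold=3):
    """Flag client IPs with `threshold` or more failed logins inside `window`.

    Expects one JSON event per line, in timestamp order.
    """
    recent = defaultdict(deque)  # client.ip -> (timestamp, user) of recent failures
    alerts = {}                  # client.ip -> largest burst seen so far
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue             # skip truncated or non-JSON lines
        event = ev.get("event", {})
        # Assumption: failed logins are authentication events with outcome "failure".
        if "authentication" not in event.get("category", []):
            continue
        if event.get("outcome") != "failure":
            continue
        ip = ev.get("client", {}).get("ip")
        if not ip or "@timestamp" not in ev:
            continue
        ts = datetime.fromisoformat(ev["@timestamp"])
        q = recent[ip]
        q.append((ts, ev.get("user", {}).get("name", "")))
        while ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and len(q) > alerts.get(ip, {}).get("failures", 0):
            users = sorted({u for _, u in q})
            # Many distinct accounts from one IP looks like spraying, one account like guessing.
            pattern = "spray" if len(users) >= threshold else "guessing"
            alerts[ip] = {"ip": ip, "failures": len(q), "users": users, "pattern": pattern}
    return sorted(alerts.values(), key=lambda a: a["ip"])

def _ev(t, ip, user, outcome):
    # Builds a constructed event holding only the fields the detection reads.
    return json.dumps({"@timestamp": f"2026-03-06T{t}+00:00", "client": {"ip": ip},
                       "user": {"name": user},
                       "event": {"category": ["authentication"], "outcome": outcome}})

ROWS = [  # constructed test data, not generator output
    ("14:00:00", "203.0.113.7", "root", "failure"), ("14:00:05", "192.168.1.50", "app_service", "failure"),
    ("14:00:20", "198.51.100.9", "root", "failure"), ("14:00:40", "203.0.113.7", "root", "failure"),
    ("14:01:00", "198.51.100.9", "jsmith", "failure"), ("14:01:30", "203.0.113.7", "root", "failure"),
    ("14:02:10", "198.51.100.9", "web_api", "failure"), ("14:03:00", "198.51.100.9", "mchen", "failure"),
    ("14:03:30", "192.168.1.50", "app_service", "success"), ("14:10:00", "192.168.1.50", "app_service", "failure"),
    ("14:20:00", "192.168.1.50", "app_service", "failure"),
]
SAMPLE = [_ev(*row) for row in ROWS]

if __name__ == "__main__":
    for alert in detect_auth_bursts(SAMPLE):
        print(alert)
```

To run it against generator output instead of the constructed rows, pass the generated events to `detect_auth_bursts` as an iterable of JSON lines.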
Related Generators
Microsoft SQL Server Audit
SQL Server Audit via Windows Event ID 33205 — login/logout lifecycle, DML queries (SELECT/INSERT/UPDATE/DELETE), stored procedure execution, schema changes (CREATE/ALTER/DROP), permission management (GRANT/DENY/REVOKE), role membership, backups, DBCC commands, and password changes.
PostgreSQL Audit Logs
PostgreSQL with pgAudit — SELECT/INSERT/UPDATE/DELETE queries with parameterized statements, connection lifecycle, authentication failures, DDL operations, role management (GRANT/REVOKE), and database errors (deadlocks, constraint violations).
Windows Security Event Log
The Security channel of Windows Event Log — logon/logoff sessions, process creation, privilege escalation, account management, and audit policy changes from a 120-host Active Directory fleet.