On-Premise Deployment

Deploy On-Premise

Full control over your database audit infrastructure. Deploy DB Audit in your own data center with Docker, Kubernetes, and S3-compatible storage for complete data sovereignty.

On-Premise Features

Full Data Sovereignty

All audit data stays within your infrastructure. No data leaves your network, ensuring complete control and compliance.

Kubernetes Native

Deploy using Helm charts on any Kubernetes distribution. Automatic scaling, health checks, and rolling updates included.

S3-Compatible Storage

Store audit logs in MinIO or any S3-compatible storage. Full encryption at rest with your own keys.

Prerequisites

Docker 20.10+ or Kubernetes 1.24+
Minimum 4 CPU cores and 8 GB RAM for the collector
Network access to databases being monitored
S3-compatible storage (MinIO, Ceph, etc.) or local storage
TLS certificates for secure communication

On-Premise Configuration Reference

Setting	Type	Required	Description
storage_type	string	Yes	Storage backend: minio, s3, local, or nfs
storage_endpoint	string	Yes	S3-compatible endpoint URL (e.g., https://minio.local:9000)
storage_bucket	string	Yes	Bucket name for storing audit logs
storage_access_key	string	Yes	Access key for S3-compatible storage
storage_secret_key	string	Yes	Secret key for S3-compatible storage
encryption_key	string	Yes	32-byte encryption key for data at rest
retention_days	number	No	Number of days to retain audit logs (default: 90)
ha_enabled	boolean	No	Enable high availability mode (default: false)

Deployment Steps

Set Up Storage (MinIO)

Deploy MinIO or configure another S3-compatible storage for audit log storage. For production, use distributed mode with at least 4 nodes.

# Deploy MinIO using Helm

# Add MinIO Helm repository
helm repo add minio https://charts.min.io/
helm repo update

# Create namespace
kubectl create namespace minio

# Install MinIO in distributed mode
helm install minio minio/minio \
  --namespace minio \
  --set mode=distributed \
  --set replicas=4 \
  --set persistence.size=100Gi \
  --set resources.requests.memory=1Gi \
  --set rootUser=${MINIO_ACCESS_KEY} \
  --set rootPassword=${MINIO_SECRET_KEY}

# Create bucket for audit logs
kubectl run --rm -it minio-client \
  --image=minio/mc \
  --restart=Never \
  --command -- mc alias set myminio http://minio.minio.svc.cluster.local:9000 \
  ${MINIO_ACCESS_KEY} ${MINIO_SECRET_KEY} && \
  mc mb myminio/audit-logs && \
  mc policy set private myminio/audit-logs

Configure DB Audit

Create your on-premise configuration file with storage, encryption, and database connection settings.

# /etc/dbaudit/config.yaml
# On-Premise DB Audit Configuration

mode: on-premise

# Storage configuration
storage:
  type: minio
  endpoint: https://minio.internal:9000
  bucket: audit-logs
  access_key: ${MINIO_ACCESS_KEY}
  secret_key: ${MINIO_SECRET_KEY}
  use_ssl: true
  region: us-east-1

  # Retention policy
  retention:
    enabled: true
    days: 90
    archive_to_glacier: false

# Encryption settings
encryption:
  key: ${DBAUDIT_ENCRYPTION_KEY}
  algorithm: AES-256-GCM
  rotate_interval: 90d

# Database connections to monitor
databases:
  - name: production-postgres
    type: postgresql
    host: postgres.internal
    port: 5432
    database: production
    username: dbaudit
    password: ${PG_PASSWORD}
    ssl: true

  - name: analytics-mysql
    type: mysql
    host: mysql.internal
    port: 3306
    database: analytics
    username: dbaudit
    password: ${MYSQL_PASSWORD}

  - name: mongodb-cluster
    type: mongodb
    host: mongo.internal
    port: 27017
    replica_set: rs0
    username: dbaudit
    password: ${MONGO_PASSWORD}

# Collector settings
collector:
  log_level: info
  buffer_size: 5000
  flush_interval: 5s
  max_connections: 100

  # High availability
  ha:
    enabled: true
    redis_url: redis://redis.internal:6379
    leader_election: true

  # Metrics endpoint
  metrics:
    enabled: true
    port: 9090
    path: /metrics

# Alert configuration
alerts:
  enabled: true
  channels:
    - type: email
      smtp_host: smtp.internal
      smtp_port: 587
      from: dbaudit@company.com
      recipients:
        - security@company.com

    - type: webhook
      url: https://siem.internal/api/events
      headers:
        Authorization: Bearer ${SIEM_TOKEN}

# Security settings
security:
  mask_sensitive_data: true
  ip_allowlist:
    - 10.0.0.0/8
    - 192.168.0.0/16
  tls:
    enabled: true
    cert_file: /etc/dbaudit/certs/server.crt
    key_file: /etc/dbaudit/certs/server.key
    ca_file: /etc/dbaudit/certs/ca.crt

Deploy the Collector

Choose your preferred deployment method: Docker Compose for simple setups or Kubernetes with Helm for production.

Option A: Docker Compose (Development/Small Scale)

version: '3.8'

services:
  # DB Audit Collector
  dbaudit-collector:
    image: dbaudit/collector:2.4.1
    container_name: dbaudit-collector
    restart: unless-stopped
    ports:
      - "8080:8080"
      - "9090:9090"  # Metrics
    environment:
      - DBAUDIT_MODE=on-premise
      - DBAUDIT_STORAGE_TYPE=minio
      - DBAUDIT_STORAGE_ENDPOINT=http://minio:9000
      - DBAUDIT_STORAGE_BUCKET=audit-logs
      - DBAUDIT_STORAGE_ACCESS_KEY=${MINIO_ACCESS_KEY}
      - DBAUDIT_STORAGE_SECRET_KEY=${MINIO_SECRET_KEY}
      - DBAUDIT_ENCRYPTION_KEY=${ENCRYPTION_KEY}
      - DBAUDIT_LOG_LEVEL=info
    volumes:
      - ./config:/etc/dbaudit:ro
      - dbaudit-data:/data
    networks:
      - dbaudit-network
    depends_on:
      - minio
      - redis

  # MinIO for S3-compatible storage
  minio:
    image: minio/minio:RELEASE.2025-01-01
    container_name: dbaudit-minio
    command: server /data --console-address ":9001"
    ports:
      - "9000:9000"
      - "9001:9001"
    environment:
      - MINIO_ROOT_USER=${MINIO_ACCESS_KEY}
      - MINIO_ROOT_PASSWORD=${MINIO_SECRET_KEY}
    volumes:
      - minio-data:/data
    networks:
      - dbaudit-network
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
      interval: 30s
      timeout: 20s
      retries: 3

  # Redis for caching and queuing
  redis:
    image: redis:7-alpine
    container_name: dbaudit-redis
    restart: unless-stopped
    ports:
      - "6379:6379"
    volumes:
      - redis-data:/data
    networks:
      - dbaudit-network
    command: redis-server --appendonly yes

  # Web UI (optional)
  dbaudit-ui:
    image: dbaudit/ui:2.4.1
    container_name: dbaudit-ui
    restart: unless-stopped
    ports:
      - "3000:3000"
    environment:
      - API_ENDPOINT=http://dbaudit-collector:8080
    networks:
      - dbaudit-network
    depends_on:
      - dbaudit-collector

volumes:
  dbaudit-data:
  minio-data:
  redis-data:

networks:
  dbaudit-network:
    driver: bridge

Option B: Kubernetes with Helm (Production)

# values.yaml for DB Audit Helm chart

replicaCount: 3

image:
  repository: dbaudit/collector
  tag: "2.4.1"
  pullPolicy: IfNotPresent

mode: on-premise

storage:
  type: minio
  endpoint: https://minio.dbaudit.svc.cluster.local:9000
  bucket: audit-logs
  existingSecret: dbaudit-storage-credentials
  # accessKey and secretKey in secret

encryption:
  existingSecret: dbaudit-encryption-key

redis:
  enabled: true
  architecture: replication
  auth:
    enabled: true
    existingSecret: dbaudit-redis-password

collector:
  logLevel: info
  bufferSize: 5000
  flushInterval: 5s

  resources:
    requests:
      cpu: 500m
      memory: 512Mi
    limits:
      cpu: 2000m
      memory: 2Gi

  autoscaling:
    enabled: true
    minReplicas: 2
    maxReplicas: 10
    targetCPUUtilizationPercentage: 70

  podDisruptionBudget:
    enabled: true
    minAvailable: 1

metrics:
  enabled: true
  serviceMonitor:
    enabled: true
    interval: 30s

ingress:
  enabled: true
  className: nginx
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  hosts:
    - host: dbaudit.internal.company.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: dbaudit-tls
      hosts:
        - dbaudit.internal.company.com

# MinIO subchart
minio:
  enabled: true
  mode: distributed
  replicas: 4
  persistence:
    size: 100Gi
  resources:
    requests:
      memory: 1Gi

# Persistence for local buffering
persistence:
  enabled: true
  size: 10Gi
  storageClass: standard

# Add the DB Audit Helm repository
helm repo add dbaudit https://charts.dbaudit.ai
helm repo update

# Create namespace
kubectl create namespace dbaudit

# Create secrets
kubectl create secret generic dbaudit-storage-credentials \
  --from-literal=accessKey=${MINIO_ACCESS_KEY} \
  --from-literal=secretKey=${MINIO_SECRET_KEY} \
  -n dbaudit

kubectl create secret generic dbaudit-encryption-key \
  --from-literal=key=${ENCRYPTION_KEY} \
  -n dbaudit

kubectl create secret generic dbaudit-db-credentials \
  --from-literal=pg-password=${PG_PASSWORD} \
  --from-literal=mysql-password=${MYSQL_PASSWORD} \
  --from-literal=mongo-password=${MONGO_PASSWORD} \
  -n dbaudit

# Install the chart
helm install dbaudit dbaudit/on-premise \
  --namespace dbaudit \
  --values values.yaml \
  --wait

# Verify installation
kubectl get pods -n dbaudit
kubectl get svc -n dbaudit

Option C: Single Docker Container

# Single-node Docker deployment

# Generate encryption key
ENCRYPTION_KEY=$(openssl rand -base64 32)

# Create config directory
mkdir -p /etc/dbaudit/certs

# Copy your TLS certificates
cp server.crt server.key ca.crt /etc/dbaudit/certs/

# Run the collector
docker run -d \
  --name dbaudit-collector \
  --restart unless-stopped \
  -p 8080:8080 \
  -p 9090:9090 \
  -e DBAUDIT_MODE=on-premise \
  -e DBAUDIT_STORAGE_TYPE=minio \
  -e DBAUDIT_STORAGE_ENDPOINT=https://minio.internal:9000 \
  -e DBAUDIT_STORAGE_BUCKET=audit-logs \
  -e DBAUDIT_STORAGE_ACCESS_KEY=${MINIO_ACCESS_KEY} \
  -e DBAUDIT_STORAGE_SECRET_KEY=${MINIO_SECRET_KEY} \
  -e DBAUDIT_ENCRYPTION_KEY=${ENCRYPTION_KEY} \
  -v /etc/dbaudit:/etc/dbaudit:ro \
  -v /var/lib/dbaudit:/data \
  dbaudit/collector:2.4.1

Configure Backups

Set up automated backups for your audit data and configuration. For on-premise deployments, this is critical for disaster recovery.

# Backup script for on-premise DB Audit

#!/bin/bash
# backup-dbaudit.sh

set -e

BACKUP_DIR="/backups/dbaudit/$(date +%Y-%m-%d)"
MINIO_ALIAS="dbaudit-minio"
BUCKET="audit-logs"

# Create backup directory
mkdir -p ${BACKUP_DIR}

# Backup MinIO data
mc mirror ${MINIO_ALIAS}/${BUCKET} ${BACKUP_DIR}/minio/

# Backup Redis data
kubectl exec -n dbaudit redis-0 -- redis-cli BGSAVE
kubectl cp dbaudit/redis-0:/data/dump.rdb ${BACKUP_DIR}/redis/dump.rdb

# Backup configuration
kubectl get configmap dbaudit-config -n dbaudit -o yaml > ${BACKUP_DIR}/configmap.yaml
kubectl get secret dbaudit-storage-credentials -n dbaudit -o yaml > ${BACKUP_DIR}/secrets.yaml

# Compress backup
tar -czf /backups/dbaudit-$(date +%Y-%m-%d).tar.gz ${BACKUP_DIR}

# Upload to offsite storage (optional)
# aws s3 cp /backups/dbaudit-$(date +%Y-%m-%d).tar.gz s3://backups/

# Clean up old backups (keep last 30 days)
find /backups -name "dbaudit-*.tar.gz" -mtime +30 -delete

echo "Backup completed: /backups/dbaudit-$(date +%Y-%m-%d).tar.gz"

Verify Deployment

Confirm your on-premise deployment is running correctly.

Check collector health endpoint: curl http://localhost:8080/health

Verify MinIO bucket contains audit data

Check Prometheus metrics at http://localhost:9090/metrics

Run a test query on your database and verify it appears in the UI

Test backup and restore procedures

Architecture Overview

On-Premise Deployment Architecture

Databases

PostgreSQL, MySQL, etc.

DB Audit Collector

Docker / Kubernetes

MinIO / S3

Audit Storage

Redis

Prometheus

Grafana

Web UI

Air-Gapped Deployments

DB Audit fully supports air-gapped environments with zero outbound connections. No telemetry, no license phone-home, no DNS lookups. All components run entirely within your network boundary.

Our dedicated air-gapped guide covers offline image transfer, offline licensing, offline updates with signature verification, and a verification checklist to confirm zero external connectivity.

View Air-Gapped Deployment Guide

Security Best Practices

Encrypt All Data at Rest

Use AES-256-GCM encryption with your own keys. Rotate encryption keys every 90 days.

Enable TLS Everywhere

Use TLS 1.3 for all internal communication. Issue certificates from your internal CA.

Network Segmentation

Deploy the collector in a dedicated network segment with strict firewall rules. Only allow necessary database ports.

Regular Security Audits

Conduct regular security audits of the on-premise deployment. Review access logs and configuration changes.

Backup and Disaster Recovery

Implement automated backups with offsite replication. Test restore procedures regularly.

Principle of Least Privilege

Use dedicated database users with read-only access. Limit network access to only required services.

Troubleshooting

Collector cannot connect to MinIO

Verify the MinIO endpoint is reachable from the collector. Check that access keys are correct and the bucket exists. Ensure TLS certificates are valid if using HTTPS.

High memory usage

Reduce buffer_size in configuration. Increase flush_interval to send data more frequently. Consider scaling horizontally with multiple collector instances.

Data not appearing in storage

Check collector logs for errors. Verify storage credentials and bucket permissions. Ensure the encryption key is correctly configured.

Redis connection failures

Verify Redis is running and accessible. Check authentication credentials. Ensure Redis has enough memory for the queue size.

Kubernetes pods in CrashLoopBackOff

Check pod logs with kubectl logs. Verify all secrets are created and mounted correctly. Ensure resource limits are sufficient.

Next Steps

Advanced Configuration

Database Connectors

Set Up Audit Policies

Air-Gapped Deployment Guide

Security Hardening Guide

Security & Trust Center

Need Help with On-Premise Deployment?

Our team can help you design and deploy DB Audit in your data center. We offer professional services for complex on-premise deployments.

Start Free Trial Contact Sales