Configuration

Configure DB Audit

Customize every aspect of your database auditing setup. From collector performance to alert rules, DB Audit offers fine-grained control over your security monitoring.

Complete Configuration Example

Here's a complete configuration file showing all available options. Copy this as a starting point and customize for your environment.

# /etc/dbaudit/config.yaml
# DB Audit Collector Configuration

api_key: ${DBAUDIT_API_KEY}
endpoint: https://api.dbaudit.ai

collector:
  # Logging level: debug, info, warn, error
  log_level: info

  # Buffer size for events before flush
  buffer_size: 1000

  # How often to flush events to the server
  flush_interval: 10s

  # Maximum concurrent database connections
  max_connections: 50

  # Enable TLS verification for API calls
  tls_verify: true

# Database connections to monitor
databases:
  - name: production-postgres
    type: postgresql
    host: db.example.com
    port: 5432
    ssl: true

  - name: analytics-mysql
    type: mysql
    host: mysql.example.com
    port: 3306

# Alert configuration
alerts:
  enabled: true
  channels:
    - type: email
      recipients:
        - security@example.com
    - type: slack
      webhook_url: ${SLACK_WEBHOOK_URL}
      channel: "#security-alerts"

# Security settings
security:
  # Mask sensitive data in logs
  mask_sensitive_data: true

  # Encryption key for local cache
  encryption_key: ${DBAUDIT_ENCRYPTION_KEY}

  # IP allowlist for collector API
  ip_allowlist:
    - 10.0.0.0/8
    - 192.168.0.0/16

Environment Variables

Use environment variables for sensitive values like API keys and passwords. These take precedence over config file values.

Variable                 Required   Description
DBAUDIT_API_KEY          Yes        Your DB Audit API key from the dashboard
DBAUDIT_ENDPOINT         No         API endpoint (default: https://api.dbaudit.ai)
DBAUDIT_LOG_LEVEL        No         Logging level: debug, info, warn, error (default: info)
DBAUDIT_CONFIG_PATH      No         Path to config file (default: /etc/dbaudit/config.yaml)
DBAUDIT_ENCRYPTION_KEY   No         32-byte key for encrypting local cache

Example environment file for the collector:

# Required
DBAUDIT_API_KEY=your_api_key_here
DBAUDIT_ENDPOINT=https://api.dbaudit.ai

# Database credentials (recommended over config file)
PG_PASSWORD=your_postgres_password
MYSQL_PASSWORD=your_mysql_password
MONGO_PASSWORD=your_mongodb_password
MSSQL_PASSWORD=your_sqlserver_password

# Alert integrations
SLACK_WEBHOOK_URL=https://hooks.slack.com/services/...
PAGERDUTY_KEY=your_pagerduty_routing_key
SIEM_TOKEN=your_siem_api_token

# Security
DBAUDIT_ENCRYPTION_KEY=your_32_byte_encryption_key
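
As an added illustration (not DB Audit's own loader), here is how the precedence rule above can be implemented: ${VAR} placeholders such as ${PG_PASSWORD} are expanded from the environment, the documented DBAUDIT_* variables override the file value, and a required or referenced variable that is unset fails fast. The mapping of override variables onto config keys and the fail-fast behaviour are assumptions, not documented product behaviour.

```python
import re

# Constructed stand-in for the parsed /etc/dbaudit/config.yaml shown above,
# kept as a dict so this runs offline without a YAML library.
CONFIG = {
    "api_key": "${DBAUDIT_API_KEY}",
    "endpoint": "https://api.dbaudit.ai",
    "collector": {"log_level": "info", "buffer_size": 1000},
    "databases": [{"name": "production-postgres", "password": "${PG_PASSWORD}"}],
    "security": {"encryption_key": "${DBAUDIT_ENCRYPTION_KEY}"},
}

# Assumed mapping of the documented override variables onto config paths.
OVERRIDES = {
    "DBAUDIT_ENDPOINT": ("endpoint",),
    "DBAUDIT_LOG_LEVEL": ("collector", "log_level"),
    "DBAUDIT_ENCRYPTION_KEY": ("security", "encryption_key"),
}
REQUIRED = ("DBAUDIT_API_KEY",)
PLACEHOLDER = re.compile(r"\$\{([A-Za-z0-9_]+)\}")

def expand(node, env):
    """Recursively substitute ${VAR} placeholders from env. A referenced but
    unset variable is an error: leaving the literal '${PG_PASSWORD}' in place
    would only surface later as a failed database login."""
    if isinstance(node, dict):
        return {k: expand(v, env) for k, v in node.items()}
    if isinstance(node, list):
        return [expand(v, env) for v in node]
    if isinstance(node, str):
        def lookup(m):
            if m.group(1) not in env:
                raise KeyError(f"{m.group(1)} is referenced in config but not set")
            return env[m.group(1)]
        return PLACEHOLDER.sub(lookup, node)
    return node

def resolve(config, env):
    """Check required variables, expand placeholders, then let the documented
    DBAUDIT_* variables override whatever the file says (environment wins)."""
    missing = [v for v in REQUIRED if v not in env]
    if missing:
        raise KeyError(f"required environment variables missing: {missing}")
    cfg = expand(config, env)  # builds a new tree; the input config is untouched
    for var, path in OVERRIDES.items():
        if var in env:
            parent = cfg
            for key in path[:-1]:
                parent = parent.setdefault(key, {})
            parent[path[-1]] = env[var]
    return cfg
```

Pass `dict(os.environ)` as `env` to resolve against the real process environment.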

Collector Settings

Configure the collector's core behavior including logging, buffering, and performance tuning.

log_level
    Set logging verbosity. Use debug for troubleshooting, info for normal operation.
buffer_size
    Number of events to buffer before sending. Higher values reduce network calls but increase memory usage.
flush_interval
    Maximum time between event flushes. Shorter intervals provide more real-time monitoring.
max_connections
    Maximum concurrent connections to monitored databases. Tune based on database capacity.

collector:
  # Logging level: debug, info, warn, error
  log_level: info

  # Number of events to buffer before sending
  buffer_size: 1000

  # Interval between flushes to the server
  flush_interval: 10s

  # Maximum concurrent database connections
  max_connections: 50

  # Enable TLS verification for API calls
  tls_verify: true

  # Local cache directory for offline resilience
  cache_dir: /var/lib/dbaudit/cache

  # Maximum cache size in MB
  max_cache_size: 500

  # Health check port
  health_port: 8080

Database Connections

Configure connections to each database you want to monitor. Supported database types: PostgreSQL, MySQL, MongoDB, SQL Server, Oracle, MariaDB, Redis, Snowflake.

Security Best Practice

Create a dedicated read-only user for DB Audit. Never use your admin credentials. See our integration guides for database-specific instructions.

databases:
  # PostgreSQL example
  - name: production-postgres
    type: postgresql
    host: db.example.com
    port: 5432
    database: myapp
    username: dbaudit_reader
    password: ${PG_PASSWORD}
    ssl: true
    ssl_mode: verify-full
    ssl_cert: /etc/dbaudit/certs/client.crt
    ssl_key: /etc/dbaudit/certs/client.key

  # MySQL example
  - name: analytics-mysql
    type: mysql
    host: mysql.example.com
    port: 3306
    database: analytics
    username: dbaudit
    password: ${MYSQL_PASSWORD}
    tls: true

  # MongoDB example
  - name: user-data-mongo
    type: mongodb
    host: mongo.example.com
    port: 27017
    replica_set: rs0
    auth_source: admin
    username: dbaudit
    password: ${MONGO_PASSWORD}

  # SQL Server example
  - name: legacy-sqlserver
    type: sqlserver
    host: sql.example.com
    port: 1433
    database: LegacyApp
    username: dbaudit
    password: ${MSSQL_PASSWORD}
    encrypt: true

Alerting & Notifications

Configure real-time alerts for security events. Route alerts to different channels based on severity and create custom rules for your security policies.

Email

Send alerts to one or more email addresses with customizable templates.

Slack

Post alerts to Slack channels with rich formatting and action buttons.

PagerDuty

Trigger incidents for on-call teams with automatic escalation.

Webhooks

Send events to any HTTP endpoint for SIEM integration.

alerts:
  enabled: true

  # Global alert settings
  cooldown: 5m              # Minimum time between duplicate alerts
  batch_window: 30s         # Window for batching similar alerts

  # Alert channels
  channels:
    # Email notifications
    - type: email
      name: security-team
      recipients:
        - security@example.com
        - dba-team@example.com
      severity: [critical, high]

    # Slack integration
    - type: slack
      name: slack-alerts
      webhook_url: ${SLACK_WEBHOOK_URL}
      channel: "#security-alerts"
      severity: [critical, high, medium]

    # PagerDuty for critical alerts
    - type: pagerduty
      name: pagerduty-critical
      routing_key: ${PAGERDUTY_KEY}
      severity: [critical]

    # Custom webhook
    - type: webhook
      name: siem-integration
      url: https://siem.example.com/api/events
      headers:
        Authorization: Bearer ${SIEM_TOKEN}
      severity: [critical, high, medium, low]

  # Alert rules
  rules:
    - name: privileged-access
      description: Alert on privileged user access
      condition: user IN ('root', 'admin', 'sa', 'postgres')
      severity: high

    - name: after-hours-access
      description: Alert on access outside business hours
      condition: hour NOT BETWEEN 8 AND 18
      severity: medium

    - name: bulk-data-access
      description: Alert on large data exports
      condition: rows_affected > 10000
      severity: high

    - name: schema-changes
      description: Alert on DDL operations
      condition: operation IN ('CREATE', 'ALTER', 'DROP')
      severity: critical
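
The rules above and the per-channel severity lists combine into a routing decision. This added example is a hypothetical evaluator, not DB Audit's own rule engine (whose condition grammar may differ): it evaluates the page's four conditions against a constructed event and lists which channels would receive each alert.

```python
import operator
import re

# Rules and channels copied from the alerts: block above (constructed copy).
RULES = [
    {"name": "privileged-access", "condition": "user IN ('root', 'admin', 'sa', 'postgres')", "severity": "high"},
    {"name": "after-hours-access", "condition": "hour NOT BETWEEN 8 AND 18", "severity": "medium"},
    {"name": "bulk-data-access", "condition": "rows_affected > 10000", "severity": "high"},
    {"name": "schema-changes", "condition": "operation IN ('CREATE', 'ALTER', 'DROP')", "severity": "critical"},
]
CHANNELS = [
    {"name": "security-team", "severity": ["critical", "high"]},
    {"name": "slack-alerts", "severity": ["critical", "high", "medium"]},
    {"name": "pagerduty-critical", "severity": ["critical"]},
    {"name": "siem-integration", "severity": ["critical", "high", "medium", "low"]},
]

# The three condition shapes used on this page (assumed grammar).
IN_RE = re.compile(r"^(\w+) IN \((.*)\)$")
BETWEEN_RE = re.compile(r"^(\w+) (NOT )?BETWEEN (\d+) AND (\d+)$")
CMP_RE = re.compile(r"^(\w+) (>=|<=|>|<|=) (\d+)$")
OPS = {">": operator.gt, "<": operator.lt, ">=": operator.ge, "<=": operator.le, "=": operator.eq}

def matches(condition, event):
    """Return True if the event satisfies one rule condition; unknown
    syntax raises rather than silently never firing."""
    if m := IN_RE.match(condition):
        values = [v.strip().strip("'") for v in m.group(2).split(",")]
        return str(event.get(m.group(1))) in values
    if m := BETWEEN_RE.match(condition):
        field, negate, lo, hi = m.groups()
        inside = int(lo) <= int(event[field]) <= int(hi)
        return not inside if negate else inside
    if m := CMP_RE.match(condition):
        field, op, n = m.groups()
        return OPS[op](int(event[field]), int(n))
    raise ValueError(f"unsupported condition: {condition}")

def route(event):
    """Map each triggered rule name to the channels whose severity list
    includes that rule's severity (a medium alert never reaches PagerDuty)."""
    hits = {}
    for rule in RULES:
        if matches(rule["condition"], event):
            hits[rule["name"]] = [c["name"] for c in CHANNELS
                                  if rule["severity"] in c["severity"]]
    return hits
```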

Security & Access

Configure data masking, encryption, and access controls to protect sensitive information and meet compliance requirements.

Data Masking

Automatically mask PII, credit cards, SSNs, and other sensitive data in query logs using regex patterns.

Encryption at Rest

Encrypt the local event cache with AES-256-GCM to protect data if the collector is compromised.

IP Allowlisting

Restrict API access to specific IP ranges for network-level security.

TLS Configuration

Enforce TLS 1.2+ with strong cipher suites for all connections.

security:
  # Data masking
  mask_sensitive_data: true
  mask_patterns:
    - name: credit-card
      pattern: '\b\d{4}[- ]?\d{4}[- ]?\d{4}[- ]?\d{4}\b'
      replacement: '****-****-****-XXXX'
    - name: ssn
      pattern: '\b\d{3}-\d{2}-\d{4}\b'
      replacement: '***-**-XXXX'
    - name: email
      pattern: '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}'
      replacement: '***@***.***'

  # Encryption
  encryption_key: ${DBAUDIT_ENCRYPTION_KEY}
  encryption_algorithm: AES-256-GCM

  # Network security
  ip_allowlist:
    - 10.0.0.0/8
    - 192.168.0.0/16
    - 172.16.0.0/12

  # TLS settings
  tls:
    min_version: "1.2"
    cipher_suites:
      - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  # Audit logging
  audit_log:
    enabled: true
    path: /var/log/dbaudit/audit.log
    max_size: 100MB
    max_age: 90d
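
The three mask_patterns above, applied in their configured order to a constructed query-log line, as an added example rather than the collector's own masking code. The trailing digit-run scan is an added leak check, not a DB Audit feature; it catches one edge case where the credit-card pattern's word-boundary anchors never fire.

```python
import re

# mask_patterns from the security: block above (constructed copy, same regexes).
MASK_PATTERNS = [
    {"name": "credit-card", "pattern": r"\b\d{4}[- ]?\d{4}[- ]?\d{4}[- ]?\d{4}\b",
     "replacement": "****-****-****-XXXX"},
    {"name": "ssn", "pattern": r"\b\d{3}-\d{2}-\d{4}\b", "replacement": "***-**-XXXX"},
    {"name": "email", "pattern": r"[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}",
     "replacement": "***@***.***"},
]
COMPILED = [(p["name"], re.compile(p["pattern"]), p["replacement"]) for p in MASK_PATTERNS]

# Added leak check (not from the page): any run of ten or more digits and
# separators that survives masking deserves a look before the line is logged.
DIGIT_RUN = re.compile(r"\d[\d -]{8,}\d")

def mask(text):
    """Apply the patterns in configured order; return masked text and hit counts."""
    counts = {}
    for name, rx, repl in COMPILED:
        text, n = rx.subn(repl, text)
        if n:
            counts[name] = n
    return text, counts

def leaked_digit_runs(text):
    """Re-scan masked output for long digit runs the patterns did not catch,
    e.g. a 16-digit card number glued to a letter, where the pattern's
    word-boundary anchor has nothing to match."""
    return DIGIT_RUN.findall(text)
```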

Validate Configuration

Before deploying, validate your configuration file to catch errors early.

# Validate configuration syntax
dbaudit-collector validate --config /etc/dbaudit/config.yaml

# Test database connections
dbaudit-collector test-connections --config /etc/dbaudit/config.yaml

# Dry run with verbose output
dbaudit-collector --config /etc/dbaudit/config.yaml --dry-run --verbose

Need Help with Configuration?

Our team can help you design the optimal configuration for your security and compliance requirements.