Neo4j Connector
Comprehensive audit logging for Neo4j graph databases. Monitor Cypher queries, track node and relationship access, and capture authentication events across your knowledge graphs.
Native Deep Integration
DB Audit leverages Neo4j's security.log and query.log for comprehensive audit coverage including Cypher queries, graph traversals, and role-based access control events.
Cypher Query Auditing
Capture all Cypher queries with parameters, execution plans, and performance metrics.
Security Events
Track authentication, authorization, and privilege changes in real-time.
Graph Traversal Monitoring
Monitor access patterns across nodes, relationships, and graph properties.
Prerequisites
Supported Versions
- Neo4j 4.4 and later
- Neo4j 5.x (recommended)
- Neo4j Aura (all tiers)
- Enterprise Edition (for security.log)
Network Requirements
- Port 7687 (Bolt protocol)
- Port 7473 (HTTPS) - Optional
- SSL/TLS encryption (recommended)
Configuration Reference
1. Basic Connection
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| name | string | Yes | - | A unique, descriptive name for this connection (e.g., "neo4j-knowledge-graph-prod") |
| db_type | select | Yes | neo4j | Database type - select "Neo4j" |
| host | string | Yes | - | Neo4j server hostname (e.g., "neo4j.example.com" or Neo4j Aura hostname) |
| port | number | Yes | 7687 | Neo4j Bolt port (default: 7687) |
| database_name | string | Yes | neo4j | Target database name (e.g., "neo4j", "mydb") |
| username | string | Yes | - | Neo4j user with audit privileges (e.g., "dbaudit_reader") |
| password | password | Yes | - | Password for the Neo4j user |
2. SSL/TLS Configuration
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| use_ssl | boolean | No | true | Enable SSL/TLS encryption for Bolt connections |
| ssl_mode | select | No | require | SSL mode: disable, require, verify-ca, verify-full |
| ssl_ca_cert | textarea | No | - | CA certificate for verifying the Neo4j server certificate |
| trust_strategy | select | No | trust_system_cas | Trust strategy: trust_system_cas, trust_custom_ca, trust_all (not recommended) |
3. Neo4j Aura Configuration
| Field | Type | Required | Description |
|---|---|---|---|
| cloud_provider | select | No | Cloud provider: neo4j_aura, aws, azure, gcp |
| aura_instance_id | string | No | Neo4j Aura instance ID |
| aura_tenant_id | string | No | Neo4j Aura tenant ID |
4. Log Collection Configuration
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| log_collection_type | select | Yes | native_audit | Log collection method: native_audit (security.log), query_log (query.log), custom_query |
| use_security_log | boolean | No | true | Collect from security.log for auth events |
| use_query_log | boolean | No | true | Collect from query.log for Cypher queries |
| poll_interval | number | No | 30 | How often to poll for new audit events (in seconds) |
| include_query_parameters | boolean | No | true | Include Cypher query parameters in audit logs |
Log Collection Methods
Security Log
Recommended. Neo4j Enterprise security.log for authentication and authorization events.
Advantages:
- Complete auth events
- Role-based access tracking
- Enterprise feature
- Built-in security
Query Log
Recommended. Neo4j query.log for Cypher query tracking with performance metrics.
Advantages:
- Full Cypher queries
- Execution times
- Parameter logging
- Query planning info
System Procedures
Query dbms.* procedures for real-time monitoring
Advantages:
- Real-time data
- No log configuration
- Works with Community
Setup Instructions
Create Audit User
Create a dedicated Neo4j user for DB Audit with read and monitoring privileges.
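```cypher
// Create a dedicated audit user (Neo4j Enterprise)
// 'secure_password' is a placeholder; set a strong, unique password
CREATE USER dbaudit_reader SET PASSWORD 'secure_password' CHANGE NOT REQUIRED;

// Create audit role with read access
CREATE ROLE audit_reader;

// Grant necessary privileges
// MATCH {*} ON GRAPH * lets the role read every node, relationship and property
GRANT MATCH {*} ON GRAPH * TO audit_reader;
GRANT ACCESS ON DATABASE * TO audit_reader;
GRANT SHOW TRANSACTION (*) ON DATABASE * TO audit_reader;
// TERMINATE TRANSACTION lets the role kill other users' transactions, which goes
// beyond read and monitoring access; grant it only if the audit account must stop queries
GRANT TERMINATE TRANSACTION (*) ON DATABASE * TO audit_reader;

// For system database access (monitoring)
GRANT ACCESS ON DATABASE system TO audit_reader;
GRANT EXECUTE PROCEDURE dbms.* ON DBMS TO audit_reader;

// Assign role to user
GRANT ROLE audit_reader TO dbaudit_reader;
```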
Note: Role-based access control requires Neo4j Enterprise Edition.
Enable Security Logging
Configure Neo4j to enable security event logging.
```properties
# neo4j.conf - Security logging configuration

# Enable authentication
dbms.security.auth_enabled=true

# Security log settings
# (Neo4j 4.4 setting names; Neo4j 5 sets the security.log level and
# rotation in conf/server-logs.xml instead)
dbms.logs.security.level=INFO
dbms.logs.security.rotation.delay=300s
dbms.logs.security.rotation.keep_number=7
dbms.logs.security.rotation.size=20m
```
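The following is an added example, not DB Audit's code and not part of the original page: it shows one detection that the authentication events in security.log support, namely bursts of failed logins per user and whether a successful login followed. The log lines are constructed, and the line layout is an assumption based on Neo4j 4.x plain-text logs; the function names and thresholds are illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines. Assumed layout (Neo4j 4.x plain-text security.log):
# "<timestamp> <LEVEL> [<user>]: <message>"
SAMPLE_LOG = """\
2024-05-01 09:00:01.120+0000 INFO  [dbaudit_reader]: logged in
2024-05-01 09:02:10.004+0000 ERROR [alice]: failed to log in: invalid principal or credentials
2024-05-01 09:02:11.310+0000 ERROR [alice]: failed to log in: invalid principal or credentials
2024-05-01 09:02:12.877+0000 ERROR [alice]: failed to log in: invalid principal or credentials
2024-05-01 09:02:15.002+0000 INFO  [alice]: logged in
2024-05-01 09:30:00.000+0000 ERROR [bob]: failed to log in: invalid principal or credentials
2024-05-01 11:45:00.000+0000 ERROR [bob]: failed to log in: invalid principal or credentials
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}[+-]\d{4})\s+"
    r"(?P<level>[A-Z]+)\s+\[(?P<user>[^\]]*)\]: (?P<msg>.*)$"
)

def parse(line):
    """Split one security.log line into (timestamp, user, message), or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None  # continuation lines or layouts not covered here
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f%z")
    return ts, m["user"], m["msg"]

def failed_login_bursts(lines, threshold=3, window=timedelta(seconds=60)):
    """Alert on users with >= threshold failed logins inside window; each alert
    records whether a successful login followed within the same window."""
    failures = defaultdict(deque)  # user -> timestamps of recent failures
    alerts = {}                    # user -> latest alert for that user
    for ts, user, msg in filter(None, map(parse, lines)):
        if msg.startswith("failed to log in"):
            recent = failures[user]
            recent.append(ts)
            while ts - recent[0] > window:  # drop failures outside the window
                recent.popleft()
            if len(recent) >= threshold:
                alerts[user] = {"user": user, "burst_at": ts,
                                "failures": len(recent), "then_success": False}
        elif msg == "logged in" and user in alerts:
            if ts - alerts[user]["burst_at"] <= window:
                alerts[user]["then_success"] = True
    return list(alerts.values())
```

Calling `failed_login_bursts(SAMPLE_LOG)` on the constructed lines yields a single alert for `alice`, with the follow-up successful login flagged.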
Enable Query Logging
Configure Neo4j to log all Cypher queries with parameters.
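```properties
# neo4j.conf - Query logging configuration
# (Neo4j 4.4 uses the dbms.logs.query.* prefix for these settings)

# Enable query logging
# Accepted values are OFF, INFO and VERBOSE; INFO logs each query when it
# finishes and honours the threshold below
db.logs.query.enabled=INFO
db.logs.query.threshold=0
# Parameters can carry credentials or personal data; restrict access to query.log
db.logs.query.parameter_logging_enabled=true
db.logs.query.time_logging_enabled=true
db.logs.query.allocation_logging_enabled=true
db.logs.query.page_logging_enabled=true

# Query log rotation
db.logs.query.rotation.keep_number=7
db.logs.query.rotation.size=20m
```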
Tip: Set db.logs.query.threshold=0 to log all queries, or increase the value to only log slow queries.
Test Connection
Verify connectivity and permissions using cypher-shell.
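```bash
# Test connection using cypher-shell
# (-p puts the password in shell history and the process list; omit -p to be prompted)
cypher-shell -a bolt://localhost:7687 \
  -u dbaudit_reader -p 'secure_password' \
  "RETURN 1 AS test"

# Test with encryption
cypher-shell -a bolt+s://localhost:7687 \
  -u dbaudit_reader -p 'secure_password' \
  "CALL dbms.components() YIELD name, versions RETURN name, versions"

# Verify audit user permissions (Neo4j 4.4)
cypher-shell -u dbaudit_reader \
  "CALL dbms.listQueries() YIELD queryId RETURN count(queryId)"

# Neo4j 5 removed dbms.listQueries(); use SHOW TRANSACTIONS instead
cypher-shell -u dbaudit_reader \
  "SHOW TRANSACTIONS YIELD transactionId RETURN count(transactionId)"
```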
Configure in DB Audit
Add the Neo4j connection in the DB Audit dashboard.
- Navigate to Connections in DB Audit
- Click Add Connection
- Select Neo4j as the database type
- Enter your connection details and credentials
- Enable SSL if using encrypted Bolt connections
- Test the connection and save
Data Collected
- All MATCH, CREATE, MERGE, DELETE queries
- Login attempts, successes, and failures
- User creation, role assignments, privilege changes
- Execution time, page hits, memory allocation
- Index creation, constraint modifications
- Access denied events, privilege violations
- Client connections, protocols, addresses
- Transaction lifecycle, commit/rollback events
Troubleshooting
Connection failed: SSL handshake error
Ensure you're using the correct protocol (bolt+s:// for encrypted connections) and the server certificate is valid.
```bash
# Test with encryption
cypher-shell -a bolt+s://localhost:7687 -u neo4j -p password "RETURN 1"
```
Cannot create roles - Community Edition
Role-based access control requires Neo4j Enterprise Edition. For Community Edition, use the default neo4j user or create users with specific database access.
Query log not generating entries
Verify query logging is enabled and the threshold is set appropriately.
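```cypher
// Check current settings (Neo4j 4.4)
CALL dbms.listConfig() YIELD name, value
WHERE name CONTAINS 'logs.query'
RETURN name, value;
// Neo4j 5, where dbms.listConfig() was removed
SHOW SETTINGS YIELD name, value
WHERE name CONTAINS 'logs.query'
RETURN name, value;
```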
Permission denied for dbms procedures
Grant EXECUTE privileges on dbms procedures to the audit user.
```cypher
GRANT EXECUTE PROCEDURE dbms.* ON DBMS TO audit_reader;
```
Compliance Support
- Access logging and change tracking
- PHI access auditing
- Cardholder data monitoring
- Personal data access trails