Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL flexible server

Overview

Enable audit_log_enabled on MySQL flexible servers.

Rationale

Enabling audit_log_enabled helps MySQL Database to log items such as connection attempts to the server, DDL/DML access, and more. Log data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.

Impact

Further costs are incurred for storing logs, which will be significant for high-traffic databases. Determine your organization's needs before enabling.

Default Value

By default, audit_log_enabled is set to OFF.

Remediation guidance

Remediate from Azure Portal

Turn on audit logs

Login to Azure Portal using https://portal.azure.com.
Go to Azure Database for MySQL flexible servers.
For each database, under Settings, click Server parameters.
Set audit_log_enabled to ON.
Click Save.

Remediate from Azure CLI

Use the below command to enable audit_log_enabled :

az mysql flexible-server parameter set --resource-group <resourceGroup> --server-name <serverName> --name audit_log_enabled --value on

Remediate from PowerShell

Use the below command to enable audit_log_enabled :

Update-AzMySqlFlexibleServerConfiguration -ResourceGroupName <resourceGroup> -ServerName <serverName> -Name audit_log_enabled -Value on

Capture the Audit Logs

Once you have audit_log_enabled enabled, you can capture the logs.

Under Monitoring, select Diagnostic settings.
Select + Add diagnostic setting.
Provide a diagnostic setting name.
Under Categories, select MySQL Audit Logs.
Specify destination details.
Click Save.

It may take up to 10 minutes for the logs to appear in the configured destination.

Multiple Remediation Paths

Azure

SERVICE-WIDE (RECOMMENDED when many resources are affected): Assign Azure Policy initiatives at management group/subscription scope and trigger remediation tasks.

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

ASSET-LEVEL: Apply the resource-specific remediation steps above to the listed non-compliant resources.

PREVENTIVE: Embed Azure Policy checks into landing zones and IaC workflows to block or auto-remediate drift.

References for Service-Wide Patterns

Azure Policy overview: https://learn.microsoft.com/en-us/azure/governance/policy/overview
Azure Policy remediation: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
Azure Policy initiative structure: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure

Operational Rollout Workflow

Use this sequence to reduce risk and avoid repeated drift.

1. Contain at Service-Wide Scope First (Recommended)

Azure: assign policy initiatives at management group/subscription scope and run remediation tasks.

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

2. Remediate Existing Affected Assets

Execute the control-specific Console/CLI steps documented above for each flagged resource.
Prioritize internet-exposed and production assets first.

3. Validate and Prevent Recurrence

Re-scan after each remediation batch.
Track exceptions with owner and expiry date.
Add preventive checks in IaC/CI pipelines.

Query logic

These are the stored checks tied to this control.

Azure MySQL Flex Servers without audit log

Connectors

Microsoft Azure

Covered asset types

MySQLFlexibleServer

Expected check: eq []

{
  mySqlFlexibleServers(
    where: {
      configurations_SOME: {
        name: "audit_log_enabled"
        value_MATCHES: "(?i)off"
      }
    }
  ) {
    ...AssetFragment
  }
}