Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL flexible server

Overview

Set audit_log_events to include CONNECTION on MySQL flexible servers.

Rationale

Enabling CONNECTION helps MySQL Database to log items such as successful and failed connection attempts to the server. Log data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.

Impact

Further costs are incurred for storing logs, which will be significant for high-traffic databases. Determine your organization's needs before enabling.

Default Value

By default, audit_log_events is set to CONNECTION.

Remediation guidance

Remediate from Azure Portal

Login to Azure Portal using https://portal.azure.com.
Go to Azure Database for MySQL flexible servers.
For each database, under Settings, click Server parameters.
In the filter bar, type audit_log.
Set audit_log_enabled to ON.
In the drop-down next to audit_log_events, check CONNECTION.
Click Save.
Under Monitoring, select Diagnostic settings.
Select + Add diagnostic setting.
Provide a diagnostic setting name.
Under Categories, select MySQL Audit Logs.
Specify destination details.
Click Save.

It may take up to 10 minutes for the logs to appear in the configured destination.

Remediate from Azure CLI

Use the below command to set audit_log_events to CONNECTION:

az mysql flexible-server parameter set --resource-group <resourceGroup> --server-name <serverName> --name audit_log_events --value CONNECTION

Remediate from PowerShell

Use the below command to set audit_log_events to CONNECTION:

Update-AzMySqlFlexibleServerConfiguration -ResourceGroupName <resourceGroup> -ServerName <serverName> -Name audit_log_events -Value CONNECTION

Multiple Remediation Paths

Azure

SERVICE-WIDE (RECOMMENDED when many resources are affected): Assign Azure Policy initiatives at management group/subscription scope and trigger remediation tasks.

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

ASSET-LEVEL: Apply the resource-specific remediation steps above to the listed non-compliant resources.

PREVENTIVE: Embed Azure Policy checks into landing zones and IaC workflows to block or auto-remediate drift.

References for Service-Wide Patterns

Azure Policy overview: https://learn.microsoft.com/en-us/azure/governance/policy/overview
Azure Policy remediation: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
Azure Policy initiative structure: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure

Operational Rollout Workflow

Use this sequence to reduce risk and avoid repeated drift.

1. Contain at Service-Wide Scope First (Recommended)

Azure: assign policy initiatives at management group/subscription scope and run remediation tasks.

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

2. Remediate Existing Affected Assets

Execute the control-specific Console/CLI steps documented above for each flagged resource.
Prioritize internet-exposed and production assets first.

3. Validate and Prevent Recurrence

Re-scan after each remediation batch.
Track exceptions with owner and expiry date.
Add preventive checks in IaC/CI pipelines.

Query logic

These are the stored checks tied to this control.

Azure MySQL Flex Servers not logging connections

Connectors

Microsoft Azure

Covered asset types

MySQLFlexibleServer

Expected check: eq []

{
  mySqlFlexibleServers(
    where: {
      configurations_SOME: {
        name: "audit_log_events"
        NOT: { value_CONTAINS: "CONNECTION" }
      }
    }
  ) {
    ...AssetFragment
  }
}