> ## Documentation Index
> Fetch the complete documentation index at: https://private-7c7dfe99-fix-nav-issues.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Database audit log

> This page describes how you can review the database audit log

ClickHouse provides database audit logs by default. This page focuses on security relevant logs. For more information on data recorded by the system, refer to the docs for [system tables](/reference/system-tables/overview).

<Tip>
  **Log retention**

  Information is logged directly to the system tables and are retained for up to 30 days by default. This period can be longer or shorter and is affected by the frequency of merges in the system. Customers may take additional measures to store logs for longer or export logs to a security information and event management (SIEM) system for long term storage. Details below.
</Tip>

<h2 id="security-relevant-logs">
  Security relevant logs
</h2>

ClickHouse logs security relevant database events primarily to session and query logs.

The [system.session\_log](/reference/system-tables/session_log) records successful and failed login attempts, as well as the location of the authentication attempt. This information can be used to identify credential stuffing or brute force attacks against a ClickHouse instance.

Sample query showing login failures

```sql theme={null}
select event_time
    ,type
    ,user
    ,auth_type
    ,client_address 
FROM clusterAllReplicas('default',system.session_log) 
WHERE type='LoginFailure' 
LIMIT 100
```

The [system.query\_log](/reference/system-tables/query_log) captures query activity executed in a ClickHouse instance. This information can be useful to determine what queries a threat actor executed.

Sample query to search for activities of a "compromised\_account" user

```sql theme={null}
SELECT event_time
    ,address
    ,initial_user
    ,initial_address
    ,forwarded_for
    ,query 
FROM clusterAllReplicas('default', system.query_log) 
WHERE user=’compromised_account’
```

<h2 id="reatining-log-data-within-services">
  Retaining log data within services
</h2>

Customers needing longer retention or log durability can use materialized views to achieve these objectives. For more information on materialized views, what they are, benefits and how to implement review our [materialized views](/concepts/features/materialized-views/index) videos and documentation.

<h2 id="exporting-logs">
  Exporting logs
</h2>

System logs may be written or exported to a storage location using various formats that are compatible with SIEM systems. For more information, review our [table functions](/reference/functions/table-functions/index) docs. The most common methods are:

* [Write to S3](/reference/functions/table-functions/s3)
* [Write to GCS](/reference/functions/table-functions/gcs)
* [Write to Azure Blob Storage](/reference/functions/table-functions/azureBlobStorage)
