
How to parse Memgraph audit log?


I've located my audit logs in /audit/audit.log. I can also see older logs there (they are gzipped). Here is what my log file looks like:

1551376833.225395,127.0.0.1,admin,"MATCH (n) DETACH DELETE n","{}"
1551376833.257825,127.0.0.1,admin,"CREATE (n {name: $name})","{\"name\":\"alice\"}"
1551376833.273546,127.0.0.1,admin,"MATCH (n), (m) CREATE (n)-[:e {when: $when}]->(m)","{\"when\":42}"
1551376833.300955,127.0.0.1,admin,"MATCH (n), (m) SET n.value = m.value","{}"

How can I parse it? What would be the header for these records?


Solution

  • The audit log contains the following information formatted into a CSV file:

    <timestamp>,<address>,<username>,<query>,<params>
    

    For each query, the supplied query parameters are also logged. The query is escaped and quoted so that commas in queries don't affect the correctness of the CSV. The parameters are encoded as JSON objects and are then escaped and quoted.

    You can use the following Python script to get the data out:

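    import csv
    import json
    
    # newline="" lets the csv module handle line endings itself.
    with open("audit.log", newline="") as f:
        # Quotes inside a field are backslash-escaped (\"), not doubled.
        reader = csv.reader(f, delimiter=',', doublequote=False,
                            escapechar='\\', lineterminator='\n',
                            quotechar='"', quoting=csv.QUOTE_MINIMAL,
                            skipinitialspace=False, strict=True)
        for line in reader:
            timestamp, address, username, query, params = line
            # The params column is a JSON object; decode it into a dict.
            params = json.loads(params)
            # Rest of your code that processes the logs.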
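
An added example, not part of the original answer: the same CSV dialect applied to both the current log and the gzipped older logs mentioned in the question, with malformed rows collected instead of aborting the run and a simple review filter for data-removing queries. The names `open_log`, `parse_audit`, `destructive` and the keyword list are assumptions made for illustration; the sample rows are constructed from the format shown in the question.

```python
import csv
import gzip
import json
import re
from datetime import datetime, timezone

# Constructed sample in the format from the question; the last row lacks its params field.
SAMPLE = [
    '1551376833.225395,127.0.0.1,admin,"MATCH (n) DETACH DELETE n","{}"\n',
    '1551376833.257825,127.0.0.1,admin,"CREATE (n {name: $name})","{\\"name\\":\\"alice\\"}"\n',
    '1551376833.300955,127.0.0.1,admin,"MATCH (n), (m) SET n.value = m.value"\n',
]
# Assumption: a keyword heuristic for triage, not a Cypher parser.
DESTRUCTIVE = re.compile(r"\b(DELETE|DROP)\b", re.IGNORECASE)


def open_log(path):
    """Open a current or rotated (gzip) log as text, detected by the gzip magic bytes."""
    with open(path, "rb") as probe:
        compressed = probe.read(2) == b"\x1f\x8b"
    return (gzip.open if compressed else open)(path, "rt", encoding="utf-8", newline="")


def parse_audit(lines):
    """Return (records, rejected); rejected rows are (line_number, reason), never raised."""
    records, rejected = [], []
    reader = csv.reader(lines, doublequote=False, escapechar="\\", strict=True)
    while True:
        try:
            row = next(reader)
            timestamp, address, username, query, params = row
            records.append({
                "time": datetime.fromtimestamp(float(timestamp), tz=timezone.utc),
                "address": address, "username": username,
                "query": query, "params": json.loads(params),
            })
        except StopIteration:
            return records, rejected
        except (csv.Error, ValueError) as exc:  # bad quoting, field count, number or JSON
            rejected.append((reader.line_num, str(exc)))


def destructive(records):
    """Records whose query text contains a data-removing keyword."""
    return [r for r in records if DESTRUCTIVE.search(r["query"])]


if __name__ == "__main__":
    print(destructive(parse_audit(SAMPLE)[0]))
```

Pass the object returned by `open_log(path)` to `parse_audit` inside a `with` block; a non-empty `rejected` list is worth reviewing in its own right, since a truncated or altered audit row is a signal too.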