Database Underground | Sean McCown » OpenSource Blues

January 02, 2007

OpenSource Blues

Hey guys. It's been kind of a long holiday for me but I'm back and mostly no worse for the wear.
You may remember before when I was talking about auditing and my talk with a vendor, and that I promised to talk about OpenSource DBs in this area. Well, here goes. And here's the original post for your reference.

One of the things that gives me great pause about seriously counting on an open source DB for important data is the fact that you're basically running blind. Take MySQL for example. I've never seen any real auditing functionality, which means that you have no visibility into what's really going on in your DB. I can't imagine there being an auditor that would pass you on anything really important on this platform. I like MySQL for what it is, but let's face it... the open source DBs just can't compete with real enterprise-level products when it comes to features. I've said many times that they have several holes in their functionality. You also can't parse their logs. That means that there's no way to pull back transactions, or even audit activity in that fashion, which is one of the main ways the vendors do it.
I'm even still waiting for MySQL to get some performance counters.

Remember, you get what you pay for, and I just don't think that the open source DBs are up to snuff when it comes to being audited.

You MySQL gurus out there... if I'm wrong let me know and I'll print a retraction.

Posted by Sean McCown on January 2, 2007 10:37 AM


COMMENTS
So are you using "open source databases" as a synonym for MySQL? I've constantly been shocked that MySQL has become the de facto industry standard for open source databases when PostgreSQL has trumped it for enterprise features for the 21st century thus far.

Anyway, I'm curious to know exactly what your auditability requirements are and which logs (transaction, query, error) you're looking to parse. Have you ever taken PostgreSQL for a test drive?

Posted by: Thomas F. O'Connell at January 2, 2007 07:37 PM

MySQL? Humbug!
Take a look at Ingres' security auditing capability:
http://downloads.ingres.com/media/PDFs/2006-05_GIUA_02_English.pdf

I think you'll find that Ingres is both "enterprise-level" with respect to the core features needed to support the requirements of auditors I've dealt with and the core features that DBAs need to protect and provide performant access to data.

Posted by: Mike S. at January 3, 2007 11:04 AM

Please don't take "MySQL as an example" and use your experience to tar all open-source databases.

PostgreSQL, for example, has a feature set that includes rules, triggers, transactions, constraints, access-controls, and foreign-keys. This should allow you to design a backend that will enforce your data-consistency requirements and track when and by whom any data was changed.

And if you archive your WAL files, you add the ability to restore your data to its state at any point in time should that be necessary for recovery or investigative reasons.

If you wanted to, you could also have PostgreSQL log every request sent to the server.

MySQL is popular. And it may even be ok "for what it is" - I'll have to take your word for that. But it certainly isn't the only open-source database. Take a look at PostgreSQL. You may be pleasantly surprised.

Posted by: Steve C. at January 3, 2007 11:48 AM
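The change-tracking scheme Steve C. describes, triggers plus constraints plus access controls adding up to a record of when and by whom data was changed, as an added example that is not part of the original post or of any comment: a row-level audit trail in PostgreSQL. The table, column, role and function names are assumptions, and the audit-table shape (before/after row images stored as text) is one choice among several.

```sql
-- Added example, not from the original post or any commenter.
-- Assumed names: account, account_audit, account_audit_trg, app_user.
-- Run as the database owner (a role that owns both tables).

CREATE TABLE account (
    id      serial PRIMARY KEY,
    owner   text NOT NULL,
    balance numeric(12,2) NOT NULL CHECK (balance >= 0)
);

-- Append-only audit table: who, when, from where, what, and the
-- before/after row images. session_user (not current_user) is recorded
-- because the trigger function below runs as SECURITY DEFINER.
CREATE TABLE account_audit (
    audit_id   bigserial PRIMARY KEY,
    changed_at timestamptz NOT NULL DEFAULT now(),
    db_user    text NOT NULL DEFAULT session_user,
    client     inet DEFAULT inet_client_addr(),
    operation  text NOT NULL CHECK (operation IN ('INSERT', 'UPDATE', 'DELETE')),
    old_row    text,
    new_row    text
);

-- SECURITY DEFINER so the application role needs no privilege at all on
-- account_audit; search_path is pinned so the function cannot be redirected
-- to a look-alike table in another schema.
CREATE OR REPLACE FUNCTION account_audit_trg() RETURNS trigger AS $$
BEGIN
    IF TG_OP = 'INSERT' THEN
        INSERT INTO public.account_audit (operation, new_row)
            VALUES (TG_OP, NEW::text);
        RETURN NEW;
    ELSIF TG_OP = 'UPDATE' THEN
        INSERT INTO public.account_audit (operation, old_row, new_row)
            VALUES (TG_OP, OLD::text, NEW::text);
        RETURN NEW;
    ELSE
        INSERT INTO public.account_audit (operation, old_row)
            VALUES (TG_OP, OLD::text);
        RETURN OLD;
    END IF;
END;
$$ LANGUAGE plpgsql SECURITY DEFINER SET search_path = public;

CREATE TRIGGER account_audit
    AFTER INSERT OR UPDATE OR DELETE ON account
    FOR EACH ROW EXECUTE PROCEDURE account_audit_trg();

-- Access control: the application role can change account rows but has no
-- privilege on account_audit, so it can neither read nor alter the trail.
CREATE ROLE app_user LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON account TO app_user;
GRANT USAGE ON SEQUENCE account_id_seq TO app_user;

-- Demonstration, to be run as app_user: every statement leaves a row in
-- account_audit, and the constraint rejects the final negative balance.
-- INSERT INTO account (owner, balance) VALUES ('alice', 100.00);
-- UPDATE account SET balance = balance - 40 WHERE owner = 'alice';
-- UPDATE account SET balance = balance - 500 WHERE owner = 'alice';  -- fails CHECK
-- DELETE FROM account WHERE owner = 'alice';

-- Review the trail (as the owner):
-- SELECT changed_at, db_user, client, operation, old_row, new_row
--   FROM account_audit ORDER BY audit_id;
```

Two practical notes. First, statement-level logging (the "log every request" point) is a separate knob: `log_statement = 'all'` in postgresql.conf, with `log_connections`/`log_disconnections` to tie statements to sessions; it lands in the server log, outside the database, and generates a great deal of output on a busy server. Second, a trigger-based trail like this one is only as independent as the roles allowed to touch `account_audit`: a superuser or the table owner can still rewrite it, so on its own it records what application users did, not what the DBA did.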

yes please.. if we are going to talk enterprise-grade, let's not jump on mysql. As per prior commenters, the *gres space is where you find the enterprise database alternatives. mysql largely exists to fill a different purpose - mainly lightweight content systems. it would be great if mysql joined the enterprise ranks with the features you speak of - and became another serious enterprise player, but it shouldn't be a shocker to most seasoned dba's that if you are going to consider swapping out the oracles and sql servers of the world, you should be looking to something like postgres, probably not mysql.

Posted by: emjayess at January 6, 2007 08:12 PM

As a "MySQL Guru" (doing a podcast on it I guess I get the title), you are absolutely correct. Auditability is a growing concern, and the fact that MySQL has none is a problem.

However, most auditors won't (or shouldn't) pass the auditing capabilities of Ingres OR Oracle. Storing audit data in a database defeats the independence requirements for an audit. After all, if the DBA can change what's in the audit trail, the audit shouldn't pass SOX and HIPAA. Yes, a 75% solution is better than a 0% solution.

However, for true independence and REAL auditing, one must turn to companies like Guardium (www.guardium.com), who make an appliance that sits on the network and sniffs traffic, thus having truly independent auditing and monitoring of logs.

Posted by: Sheeri at January 14, 2007 09:34 AM
