Implement audit logging for security and compliance

documents/README.md

@@ -43,6 +43,15 @@ Located in [multinode/](multinode/):
 Located in [configuration/](configuration/):
 - [OJP JDBC Configuration](configuration/ojp-jdbc-configuration.md) - JDBC driver configuration
 - [OJP Server Configuration](configuration/ojp-server-configuration.md) - Server configuration
+- [Session Cleanup](configuration/SESSION_CLEANUP.md) - Automatic session cleanup configuration
+- [mTLS Configuration Guide](configuration/mtls-configuration-guide.md) - Mutual TLS setup
+
+## Features
+
+Located in [features/](features/):
+- [Audit Logging Guide](features/AUDIT_LOGGING_GUIDE.md) - **NEW** Comprehensive audit logging for security and compliance
+- [SQL Enhancer Configuration](features/SQL_ENHANCER_CONFIGURATION_EXAMPLES.md) - SQL enhancement and optimization examples
+- [SQL Enhancer Quick Start](features/SQL_ENHANCER_ENGINE_QUICKSTART.md) - Quick start guide for SQL enhancement
 
 ### Connection Pool
 

documents/configuration/ojp-server-configuration.md

@@ -62,6 +62,53 @@ java -Dojp.server.logLevel=INFO \
 | `ojp.server.allowedIps`       | `OJP_SERVER_ALLOWEDIPS`       | string  | 0.0.0.0/0 | IP whitelist for gRPC server (comma-separated)          |
 | `ojp.prometheus.allowedIps`   | `OJP_PROMETHEUS_ALLOWEDIPS`   | string  | 0.0.0.0/0 | IP whitelist for Prometheus endpoint (comma-separated)  |
 
+### Audit Logging Settings
+
+OJP Server provides comprehensive audit logging for security monitoring and compliance. Audit logs are written to a separate file with structured format including JSON metadata.
+
+| Property                          | Environment Variable              | Type    | Default              | Description                                           |
+|-----------------------------------|-----------------------------------|---------|----------------------|-------------------------------------------------------|
+| `ojp.server.audit.enabled`        | `OJP_SERVER_AUDIT_ENABLED`        | boolean | false                | Enable/disable audit logging globally (opt-in)       |
+| `ojp.server.audit.log.path`       | `OJP_SERVER_AUDIT_LOG_PATH`       | string  | logs/ojp-audit.log   | Path to audit log file (absolute or relative)        |
+| `ojp.server.audit.log.connections`| `OJP_SERVER_AUDIT_LOG_CONNECTIONS`| boolean | true                 | Log connection events (establish, close, errors)     |
+| `ojp.server.audit.log.queries`    | `OJP_SERVER_AUDIT_LOG_QUERIES`    | boolean | false                | Log query execution (⚠️ High performance impact!)     |
+| `ojp.server.audit.log.auth`       | `OJP_SERVER_AUDIT_LOG_AUTH`       | boolean | true                 | Log authentication events (success, failures)        |
+
+#### Audit Logging Examples
+
+**Enable audit logging with default settings:**
+```bash
+java -jar ojp-server.jar -Dojp.server.audit.enabled=true
+```
+
+**Production configuration (connections and auth only):**
+```bash
+java -jar ojp-server.jar \
+  -Dojp.server.audit.enabled=true \
+  -Dojp.server.audit.log.path=/var/log/ojp/audit.log \
+  -Dojp.server.audit.log.connections=true \
+  -Dojp.server.audit.log.queries=false \
+  -Dojp.server.audit.log.auth=true
+```
+
+**Development configuration (all events):**
+```bash
+java -jar ojp-server.jar \
+  -Dojp.server.audit.enabled=true \
+  -Dojp.server.audit.log.queries=true
+```
+
+**⚠️ Performance Warning**: Query logging has significant performance impact. Only enable for debugging or non-production environments.
+
+**Example audit log output:**
+```
+[2026-01-24T21:25:22.587Z] [INFO] [CONNECTION] [sess-12345] [192.168.1.100] [app-user-1] - Connection established - {"database":"postgresql","port":5432}
+[2026-01-24T21:25:24.567Z] [INFO] [QUERY] [sess-12345] [192.168.1.100] [app-user-1] - Query executed - {"sql":"SELECT * FROM users WHERE id = ?","executionTimeMs":45,"rowCount":1}
+[2026-01-24T21:25:30.890Z] [WARN] [AUTH] [sess-67890] [10.0.0.50] [unknown] - Authentication failed - {"reason":"ip_not_whitelisted"}
+```
+
+For detailed audit logging configuration and compliance mapping, see [Audit Logging Guide](../features/AUDIT_LOGGING_GUIDE.md).
+
 #### SSL/TLS Certificate Path Placeholders
 
 OJP Server supports property placeholders in JDBC URLs to enable server-side SSL/TLS certificate configuration. This allows certificate paths to be configured on the server rather than hardcoded in client connection URLs.

documents/configuration/ojp-server-example.properties

@@ -128,3 +128,87 @@ ojp.server.slowQuerySegregation.updateGlobalAvgInterval=300
 # ojp.server.tls.truststore.password=${TRUSTSTORE_PASSWORD}
 # ojp.server.tls.clientAuthRequired=true
 
+
+# ============================================================================
+# Audit Logging Configuration
+# ============================================================================
+# OJP provides comprehensive audit logging for security monitoring and compliance
+# with PCI-DSS, HIPAA, and GDPR requirements. Audit logs are written to a 
+# separate file with structured format including JSON metadata.
+#
+# For detailed guide, see: documents/features/AUDIT_LOGGING_GUIDE.md
+# ============================================================================
+
+# Enable audit logging globally (default: false)
+# When true, audit events will be logged based on individual event type settings below
+# When false, no audit events will be logged regardless of individual settings
+#ojp.server.audit.enabled=false
+
+# Path to audit log file (default: logs/ojp-audit.log)
+# Supports both absolute and relative paths
+# Logs are automatically rotated daily with 90-day retention
+#ojp.server.audit.log.path=logs/ojp-audit.log
+
+# Log connection events (default: true)
+# Logs: connection establishment, connection closure, connection errors
+# Performance impact: Minimal
+# Example: [INFO] [CONNECTION] [sess-123] [192.168.1.100] [user] - Connection established
+#ojp.server.audit.log.connections=true
+
+# Log query execution events (default: false)
+# Logs: SQL statements, execution time, row counts
+# ⚠️ WARNING: SIGNIFICANT PERFORMANCE IMPACT - only use for debugging!
+# Performance impact: 5-10% throughput reduction, 2-5ms additional latency per query
+# Example: [INFO] [QUERY] [sess-123] [192.168.1.100] [user] - Query executed - {"sql":"SELECT...","executionTimeMs":45}
+#ojp.server.audit.log.queries=false
+
+# Log authentication events (default: true)
+# Logs: authentication success, authentication failures, IP whitelist validation
+# Performance impact: Minimal
+# Example: [WARN] [AUTH] [sess-123] [10.0.0.50] [unknown] - Authentication failed - {"reason":"ip_not_whitelisted"}
+#ojp.server.audit.log.auth=true
+
+# ============================================================================
+# Audit Logging Example Configurations
+# ============================================================================
+
+# Production Configuration (Recommended):
+# Enable audit logging for connections and authentication only
+# Minimal performance impact while maintaining security audit trail
+#
+# ojp.server.audit.enabled=true
+# ojp.server.audit.log.path=/var/log/ojp/audit.log
+# ojp.server.audit.log.connections=true
+# ojp.server.audit.log.queries=false
+# ojp.server.audit.log.auth=true
+
+# Development/Debugging Configuration:
+# Enable all audit logging including queries for troubleshooting
+# ⚠️ Not recommended for production due to performance impact
+#
+# ojp.server.audit.enabled=true
+# ojp.server.audit.log.path=logs/ojp-audit.log
+# ojp.server.audit.log.connections=true
+# ojp.server.audit.log.queries=true
+# ojp.server.audit.log.auth=true
+
+# Compliance Configuration Examples:
+#
+# PCI-DSS Requirement 10.2 (Audit all access to cardholder data):
+# ojp.server.audit.enabled=true
+# ojp.server.audit.log.connections=true
+# ojp.server.audit.log.queries=true  # If database contains cardholder data
+# ojp.server.audit.log.auth=true
+#
+# HIPAA §164.312(b) (Audit controls for PHI):
+# ojp.server.audit.enabled=true
+# ojp.server.audit.log.connections=true
+# ojp.server.audit.log.queries=false  # Consider enabled if needed for PHI tracking
+# ojp.server.audit.log.auth=true
+#
+# GDPR Article 32 (Security of processing):
+# ojp.server.audit.enabled=true
+# ojp.server.audit.log.connections=true
+# ojp.server.audit.log.queries=false
+# ojp.server.audit.log.auth=true
+