MySQL cannot write an audit log entry in JSON format because the user name field is empty, triggering error 3221.
ER_AUDIT_LOG_JSON_USER_NAME_CANNOT_BE_EMPTY (MySQL 3221) appears when the Enterprise Audit plugin tries to write a JSON log entry with a blank user name. Validate the CURRENT_USER value, audit log filters, and connector settings, then supply or substitute a non-empty user name to resolve the issue.
ER_AUDIT_LOG_JSON_USER_NAME_CANNOT_BE_EMPTY
Error 3221 occurs when the MySQL Enterprise Audit plugin attempts to write a JSON audit log record whose user_name field is blank. Because the JSON schema requires a non-empty value, the write fails and the server returns SQLSTATE HY000 with the message "User cannot be empty."
The condition was introduced in MySQL 5.7.22 and exists in all later 5.7, 8.0 and 8.1 releases. It can appear during connection, statement execution, or administrative events if the audit filter or connector leaves the user name unset.
Misconfigured audit filters that match an empty string, proxy user setups that strip CURRENT_USER, and failed LDAP or PAM authentications commonly leave the user field blank. When the audit plugin serializes the event in JSON format, the validation layer refuses the record and raises error 3221.
The error may also surface when external connection pools reuse sessions after a failed login, or when accounts are created with the deprecated anonymous syntax and then audited.
First verify that CURRENT_USER returns a value for the session that triggered the error. If it returns an empty string, reset authentication plugins or recreate the account with a valid user name.
Next inspect audit filters created with mysql.audit_json_filter_set() and remove any rules that output an empty user. Finally, test the fix by reconnecting and confirming that the audit log writes without errors.
Anonymous connections: revoke USAGE on ''@'host' and require a named account. Proxy users: set PROXY privilege correctly so proxied sessions have a definite user identity. Programmatic connections: ensure the connector passes a user value in the connection string.
Server migrations: after upgrades, review audit_log_format settings and confirm audit_log_user is populated. Galaxy users can enable connection diagnostics in the editor to surface empty-user sessions before they hit production.
Create all accounts with explicit user names, disable anonymous users, and enforce strong authentication plugins. Always test audit filters in a staging instance before applying them in production. Monitor the MySQL error log for 3221 entries and set up alerts.
Using Galaxy, engineers can version control their CREATE USER and audit filter scripts, making regressions easier to spot and roll back.
ER_AUDIT_LOG_FILE_FULL raises when the audit log volume fills up. Increase disk capacity or rotate logs. ER_AUDIT_LOG_INSUFFICIENT_PRIVILEGE appears when a non-privileged user tries to change audit settings. Grant AUDIT_ADMIN or perform the action as root@localhost.
Sessions created by misconfigured connectors or proxy accounts may lack a valid CURRENT_USER, leaving the audit log user field blank.
Legacy ''@'%' accounts allow connections without an explicit user name, producing empty values during audit serialization.
Filters that manually set user_name to '' when suppressing data can accidentally trigger the error.
LDAP or PAM plugins that return NULL on partial failures leave the session authenticated but without a user identifier.
Raised when the audit log partition runs out of space. Rotate or purge old logs.
Appears when a user without AUDIT_ADMIN attempts to modify audit configurations.
Occurs when the JSON audit entry violates schema rules other than user_name, such as missing command class.
No. Error 3221 is specific to the MySQL Enterprise Audit plugin when audit_log_format is set to JSON.
In most cases, yes. Removing '' accounts ensures every connection supplies a user name.
No. The JSON schema is hard-coded. You must supply a non-empty user value or disable JSON auditing.
Galaxy surfaces connection metadata in its editor, flags sessions with blank users, and lets teams version-control audit scripts to avoid misconfigurations.
.avif)
.avif){kind=logo}
