MySQL 5.7 Release Notes
        
        By default, contents of audit log files produced by the audit
        log plugin are not encrypted and may contain sensitive
        information, such as the text of SQL statements. For security
        reasons, audit log files should be written to a directory
        accessible only to the MySQL server and to users with a
        legitimate reason to view the log. The default file name is
        audit.log in the data directory. This can
        be changed by setting the
        audit_log_file system variable
        at server startup. Other audit log files may exist due to log
        rotation.
      
For additional security, enable audit log file encryption. See Encrypting Audit Log Files.