Enabling the MariaDB Audit Plugin on MySQL

1. Environment

This article uses the server_audit plugin shipped in the mariadb-10.2.17 binary tarball, installed into MySQL 5.7.32, as the example.

Copy server_audit.so from the mariadb-10.2.17 tarball into the MySQL server's plugin directory, /usr/local/mysql/lib/plugin here (check it against the plugin_dir system variable of the target server; the file only needs to be readable by the user mysqld runs as, so the chmod +x below is harmless but not required):

[root@db-read1 mariadb-10.2.17-linux-x86_64]# find ./ -name 'server_audit.so'
./lib/plugin/server_audit.so
[root@db-read1 mariadb-10.2.17-linux-x86_64]# pwd
/usr/local/mariadb-10.2.17-linux-x86_64
[root@db-read1 mariadb-10.2.17-linux-x86_64]# cp ./lib/plugin/server_audit.so /usr/local/mysql/lib/plugin/
[root@db-stage1 plugin]# chmod +x server_audit.so

2. Enabling the MariaDB audit plugin on MySQL

Enable it dynamically. The SET GLOBAL values take effect at once but are lost on restart, whereas INSTALL PLUGIN is recorded in the mysql.plugin table and the plugin is loaded again at the next start. After running the statements below, check that SHOW PLUGINS lists server_audit as ACTIVE and that SHOW GLOBAL STATUS LIKE 'Server_audit%' shows Server_audit_active = ON with an empty Server_audit_last_error (a non-empty value most often means the user mysqld runs as cannot write to server_audit_file_path). One caveat on the settings themselves: server_audit_excl_users='root' drops the most privileged account from the trail, and root is usually the account you most want recorded; the exclusion list is better spent on a noisy monitoring or replication user.

install plugin server_audit soname 'server_audit.so';
set global server_audit_file_path='/data/mysql/logs';
set global server_audit_events='connect,QUERY_DML_NO_SELECT,QUERY_DDL,QUERY_DCL,table';
set global server_audit_file_rotate_size=104857600;
set global server_audit_file_rotations=100;
set global server_audit_excl_users='root';
set global server_audit_logging=on;

To make the settings permanent, write them to the configuration file as well (the plugin registration itself already persists via mysql.plugin). Note that MySQL refuses to start on an unknown variable, so if the plugin ever fails to load, plain server_audit_* lines in my.cnf will keep mysqld down too; the loose- prefix (for example loose-server_audit_logging=on) turns that into a startup warning instead. Either way, verify that the user mysqld runs as can create files in /data/mysql/logs.

[root@db-stage1 ~]# grep server_audit /etc/my.cnf
##server_audit_incl_users=user01
##server_audit_events=connect,query
##server_audit_events=query
##server_audit_events=QUERY_DML
server_audit_events=connect,QUERY_DML_NO_SELECT,QUERY_DDL,QUERY_DCL,table
server_audit_logging=on
server_audit_file_path=/data/mysql/logs/server_audit.log
server_audit_file_rotate_size=100M
server_audit_file_rotations=100

3. MariaDB audit plugin parameters

server_audit_output_type: log destination, SYSLOG or FILE. A remote syslog destination also keeps the trail out of reach of anyone who can edit files on the database host.
server_audit_logging: turn auditing on or off
server_audit_events: which event types to record, as a comma-separated list (e.g. connect,query,table). With the query cache enabled, a query answered directly from the cache produces no table record.
server_audit_file_path: when server_audit_output_type is FILE, the file the log is written to; a directory may be given instead, in which case server_audit.log is created inside it. Defaults to server_audit.log in the data directory.
server_audit_file_rotate_size: size at which the log file is rotated
server_audit_file_rotations: number of rotated files to keep; 0 means the log is never rotated
server_audit_file_rotate_now: force a rotation now
server_audit_incl_users: users whose activity is recorded; connect events are logged regardless of this setting. Takes precedence over server_audit_excl_users.
server_audit_syslog_facility: syslog facility, default LOG_USER
server_audit_syslog_ident: ident string included in every syslog record
server_audit_syslog_info: extra info string appended to each syslog record
server_audit_syslog_priority: syslogd priority used for the records
server_audit_excl_users: users whose activity is not recorded; connect events are logged regardless of this setting
server_audit_mode: identifies the plugin version; used for development testing

4. Event types for auditing DDL, DML and DCL statements

QUERY_DML_NO_SELECT:
Similar to QUERY_DML, but does not log SELECT queries (since version 1.4.4); covers DO, CALL, LOAD DATA/XML, DELETE, INSERT, UPDATE, HANDLER and REPLACE statements.

Tested: with only this event type enabled, only DML is audited; insert, update and delete are logged, while create, drop and alter are not.

QUERY_DDL:
Similar to QUERY, but filters only DDL-type queries: CREATE, ALTER, DROP, RENAME and TRUNCATE statements, except CREATE/DROP [PROCEDURE / FUNCTION / USER] and RENAME USER, which are not DDL.

QUERY_DCL:
Similar to QUERY, but filters only DCL-type queries: CREATE USER, DROP USER, RENAME USER, GRANT, REVOKE and SET PASSWORD statements.

The event descriptions above are taken from the official documentation:
https://mariadb.com/kb/en/mariadb-audit-plugin-log-settings/

5. Sample audit log records

[root@db-stage1 ~]# tail -20f /data/mysql/logs/server_audit.log 
20210305 12:46:57,db-stage1.jiaody.cn,root,localhost,3,7,QUERY,,'GRANT ALL PRIVILEGES ON *.* TO \'codeuser\'@\'172.%\' IDENTIFIED WITH \'mysql_native_password\' AS \'*9FAACACAD04A362EF0AF7AD66A5289A6FE21DA74\'',0
20210305 12:46:57,db-stage1.jiaody.cn,root,localhost,3,0,DISCONNECT,,,0
20210305 12:47:24,db-stage1.jiaody.cn,codeuser,172.17.0.206,4,0,CONNECT,,,0
20210305 12:47:27,db-stage1.jiaody.cn,root,localhost,2,0,DISCONNECT,,,0
20210305 12:47:50,db-stage1.jiaody.cn,codeuser,172.17.0.206,4,13,QUERY,,'create database test0001',0
20210305 12:52:49,db-stage1.jiaody.cn,codeuser,172.17.0.206,4,16,QUERY,test0001,'CREATE TABLE `test_event` (\n`id` int(8) NOT NULL AUTO_INCREMENT, \n`username` varchar(20) COLLATE utf8_unicode_ci NOT NULL,\n`password` varchar(20) COLLATE utf8_unicode_ci NOT NULL, \n`create_time` varchar(20) COLLATE utf8_unicode_ci NOT NULL,\nPRIMARY KEY (`id`) \n) ENGINE=innodb AUTO_INCREMENT=0 DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci',0
20210305 12:55:14,db-stage1.jiaody.cn,codeuser,172.17.0.206,4,17,QUERY,test0001,'insert into test_event(username,password,create_time) values("李四","tomcat",now())',0
20210305 12:55:52,db-stage1.jiaody.cn,codeuser,172.17.0.206,4,19,QUERY,test0001,'delete  from test_event where id=1',0
20210305 12:56:03,db-stage1.jiaody.cn,codeuser,172.17.0.206,4,20,QUERY,test0001,'insert into test_event(username,password,create_time) values("李四","tomcat",now())',0
20210305 12:56:30,db-stage1.jiaody.cn,codeuser,172.17.0.206,4,21,QUERY,test0001,'update test_event set password=\'fox\' where id=1',0
20210305 12:57:51,db-stage1.jiaody.cn,codeuser,172.17.0.206,4,24,QUERY,test0001,'GRANT SELECT, INSERT, UPDATE ON `test`.`event` TO \'testuser\'@\'127.0.0.1\' IDENTIFIED WITH \'mysql_native_password\' AS \'<secret>\'',1142
20210305 12:58:55,db-stage1.jiaody.cn,codeuser,172.17.0.206,4,26,QUERY,test0001,'truncate table test_event',0
20210305 12:59:17,db-stage1.jiaody.cn,codeuser,172.17.0.206,4,27,QUERY,test0001,'insert into test_event(username,password,create_time) values("李四","tomcat",now())',0
20210305 12:59:30,db-stage1.jiaody.cn,codeuser,172.17.0.206,4,28,QUERY,test0001,'drop table test_event',0
20210305 12:59:50,db-stage1.jiaody.cn,codeuser,172.17.0.206,4,0,DISCONNECT,test0001,,0

6. Record format and field meanings

Each record in the audit file has the layout:
[timestamp],[serverhost],[username],[host],[connectionid],[queryid],[operation],[database],[object],[retcode]
For example:
20210305 12:59:30,db-stage1.jiaody.cn,codeuser,172.17.0.206,4,28,QUERY,test0001,'drop table test_event',0

operation is CONNECT, DISCONNECT or FAILED_CONNECT for connection events and QUERY for statement events (table events use READ, WRITE, CREATE, DROP, ALTER and RENAME). For QUERY records the object field is the statement text in single quotes, with embedded quotes written as \' and newlines as \n, so a record never spans more than one line even for the multi-line CREATE TABLE in the excerpt above. retcode is the server error number returned for the event, 0 on success: the GRANT issued by codeuser above returned 1142 (ER_TABLEACCESS_DENIED_ERROR), so denied attempts to change privileges are captured alongside successful ones.

Note also what the log stores verbatim: the first record in the excerpt contains the mysql_native_password hash from the GRANT ... IDENTIFIED WITH ... AS clause, and the INSERT and UPDATE records contain the values written to the application's password column. Protect the audit log at least as tightly as the data it describes: restrict permissions on the log directory, and consider server_audit_output_type=SYSLOG to a remote collector so the trail cannot be edited by anyone with shell access to the database host.

References:
https://www.cnblogs.com/1584779745qq/p/6479522.html
https://mp.weixin.qq.com/s/vNcTb7IR_LpYlcZf_Y-aAA
https://mariadb.com/kb/en/mariadb-audit-plugin-log-settings/



Reposted from blog.51cto.com/wujianwei/2647872