Using an open source audit plug-in with MySQL

Preface

Only the enterprise edition of MySQL ships with an audit plug-in; the open source community edition does not. Enterprises need to enable auditing if they want to pass the MLPS. This note records how to use the open source MariaDB audit plug-in to give MySQL Community Edition an audit function.

1. Download the audit plug-in

The audit plug-in is included in MariaDB, so you need to download MariaDB first and then copy the server_audit.so audit plug-in out of it.

MariaDB 10.1 corresponds to Oracle's MySQL 5.7. Download MariaDB from the official MariaDB download site, then unpack the archive:

tar -zxvf mariadb-10.1.48-linux-systemd-x86_64.tar.gz

Go to the lib/plugin/ directory to find the server_audit.so audit plug-in:

ll ./mariadb-10.1.48-linux-systemd-x86_64/lib/plugin/server_audit.so
-rw-r--r-- 1 esadmin mysql 245036 Oct 30  2020 ./mariadb-10.1.48-linux-systemd-x86_64/lib/plugin/server_audit.so

Next, you need to copy the plug-in to the MySQL plug-in directory. You can execute the following SQL to query the MySQL base directory:

select @@basedir;
+-------------------+
| @@basedir         |
+-------------------+
| /usr/local/mysql/ |
+-------------------+

The MySQL plug-in directory is lib/plugin/ under basedir. Copy the plug-in to this directory:

cp /pg_data/mariadb-10.1.48-linux-systemd-x86_64/lib/plugin/server_audit.so /usr/local/mysql/lib/plugin/

Modify the file's group, then connect to MySQL to install the plug-in:

install plugin server_audit SONAME 'server_audit.so';

Use the following command to confirm that the plug-in started successfully. Its Status should be ACTIVE:

show plugins;
......
+----------------------------+----------+--------------------+-----------------+---------+
| Name                       | Status   | Type               | Library         | License |
+----------------------------+----------+--------------------+-----------------+---------+
| SERVER_AUDIT               | ACTIVE   | AUDIT              | server_audit.so | GPL     |
+----------------------------+----------+--------------------+-----------------+---------+

2. Audit plug-in parameters

You can view the parameters of the audit plug-in with the following statement:

root@mysql 14:33:  [(none)]>show variables like '%audit%';
+-------------------------------+-----------------------+
| Variable_name                 | Value                 |
+-------------------------------+-----------------------+
| server_audit_events           |                       |
| server_audit_excl_users       |                       |
| server_audit_file_path        | server_audit.log      |
| server_audit_file_rotate_now  | OFF                   |
| server_audit_file_rotate_size | 1000000               |
| server_audit_file_rotations   | 9                     |
| server_audit_incl_users       |                       |
| server_audit_loc_info         |                       |
| server_audit_logging          | OFF                   |
| server_audit_mode             | 1                     |
| server_audit_output_type      | file                  |
| server_audit_query_log_limit  | 1024                  |
| server_audit_syslog_facility  | LOG_USER              |
| server_audit_syslog_ident     | mysql-server_auditing |
| server_audit_syslog_info      |                       |
| server_audit_syslog_priority  | LOG_INFO              |
+-------------------------------+-----------------------+

2.1 server_audit_events

This parameter sets which types of events are recorded. The types that can be recorded are:
CONNECT, QUERY, TABLE, QUERY_DDL, QUERY_DML, QUERY_DCL, QUERY_DML_NO_SELECT

If this parameter is not set, all types of SQL statements will be logged.

2.2 server_audit_excl_users

User list. Once set, the activity of the users in this list is not recorded, which is equivalent to a blacklist.

2.3 server_audit_output_type

Specifies the log output type, which can be SYSLOG or FILE. FILE is the default and recommended mode.

2.4 server_audit_file_path

When server_audit_output_type=file, this parameter sets where the log is stored. It defaults to server_audit.log in the data directory.

2.5 server_audit_file_rotate_now

Force log file rotation.

2.6 server_audit_file_rotate_size

Limits the size of the log file. The default is 1000000.

2.7 server_audit_file_rotations

The number of log rotations. The default value is 0, which means no rotation.

2.8 server_audit_incl_users

User list. Once set, it specifies which users' operations are recorded. It takes priority over the server_audit_excl_users list.

2.9 server_audit_loc_info

Logs internal information; users can ignore it.

2.10 server_audit_logging

The default is OFF, and setting it to ON means turning on audit logging.

2.11 server_audit_mode

A parameter used by kernel developers for development and debugging; users can ignore it.

2.12 server_audit_query_log_limit

Limits the length of strings in audit log records. The default is 1024.

2.13 server_audit_syslog_facility

SYSLOG-mode variable that sets the syslog "facility".

2.14 server_audit_syslog_ident

Sets the ident that is included in each audit log record.

2.15 server_audit_syslog_info

Adds the specified string to the audit log.

2.16 server_audit_syslog_priority

SYSLOG-mode variable that defines the logging priority for syslog.

3. Use of audit plug-in

Turn on the audit log, with each log file limited to 5G and 10 files kept for rotation:

server_audit_logging = ON
server_audit_file_path = /pg_data/mysql_audit_log
server_audit_file_rotate_size = 5G
server_audit_file_rotations = 10
server_audit_file_rotate_now = ON

The directory named in server_audit_file_path must be created in advance and assigned to the mysql group, after which the MySQL service must be restarted.

The recording format of the audit log is:

[timestamp],[serverhost],[username],[host],[connectionid],[queryid],[operation],[database],[object],[retcode]
20230830 15:55:51,db4,root,localhost,2,0,CONNECT,,,0
20230830 15:55:51,db4,root,localhost,2,1,QUERY,,'select @@version_comment limit 1',0
20230830 15:55:51,db4,root,localhost,2,2,QUERY,,'select USER()',0
20230830 15:55:56,db4,root,localhost,2,3,QUERY,,'show databases',0
20230830 15:56:16,db4,root,localhost,2,4,QUERY,,'SELECT DATABASE()',0
20230830 15:56:16,db4,root,localhost,2,6,QUERY,op_service_db,'show databases',0
20230830 15:56:16,db4,root,localhost,2,7,QUERY,op_service_db,'show tables',0
20230830 15:56:19,db4,root,localhost,2,19,QUERY,op_service_db,'show tables',0
20230830 15:59:25,db4,root,localhost,2,20,QUERY,op_service_db,'set global server_audit_syslog_ident = \'test01\'',0
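
The record format above can be parsed and screened as follows. This is an added example, not code from the original post: the quoted query field may contain commas and \' escapes, so a plain comma split is not enough. The two checks (failed logins, statements that touch the audit configuration) and the last two sample lines are assumptions constructed for illustration.

```python
import re
from typing import NamedTuple

class AuditRecord(NamedTuple):
    timestamp: str
    serverhost: str
    username: str
    host: str
    connectionid: int
    queryid: int
    operation: str
    database: str
    object: str
    retcode: int

# Statements that reconfigure or remove the audit trail itself.
AUDIT_CHANGE = re.compile(
    r"\bset\s+(global\s+)?server_audit_|\b(un)?install\s+plugin\b", re.I)

def parse_line(line: str) -> AuditRecord:
    # The quoted object field may contain commas, so take the eight leading
    # fields from the left and the return code from the right.
    *head, rest = line.rstrip("\n").split(",", 8)
    obj, retcode = rest.rsplit(",", 1)
    if len(obj) >= 2 and obj[0] == obj[-1] == "'":
        obj = obj[1:-1].replace("\\'", "'")  # undo the plug-in's \' escaping
    ts, server, user, host, conn, qid, op, db = head
    return AuditRecord(ts, server, user, host, int(conn), int(qid),
                       op, db, obj, int(retcode))

def review(lines):
    """Return (reason, record) pairs for events worth a closer look."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if "CONNECT" in rec.operation and rec.retcode != 0:
            hits.append(("failed login", rec))
        elif rec.operation.startswith("QUERY") and AUDIT_CHANGE.search(rec.object):
            hits.append(("audit configuration changed", rec))
    return hits

SAMPLE = [
    # First two lines are from the log excerpt above; the last two are constructed.
    "20230830 15:55:51,db4,root,localhost,2,0,CONNECT,,,0",
    "20230830 15:59:25,db4,root,localhost,2,20,QUERY,op_service_db,"
    "'set global server_audit_syslog_ident = \\'test01\\'',0",
    "20230830 16:01:02,db4,app,10.0.0.5,3,0,FAILED_CONNECT,,,1045",
    "20230830 16:02:10,db4,app,10.0.0.5,4,21,QUERY,op_service_db,'select a, b from t',0",
]
```

Calling review(SAMPLE) returns the audit-configuration change made by root and the failed login from the constructed lines.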

4. Uninstall the audit plug-in

Execute the following SQL to uninstall the plug-in:

UNINSTALL PLUGIN server_audit;

5. Summary

The above covers the configuration and use of the audit log. Note that enabling auditing increases database performance overhead, and you also need to keep an eye on disk space usage.

Origin blog.csdn.net/qq_42768234/article/details/132580726