MariaDB Audit Plugin - Location and Rotation of Logs
Logs can be written to a separate file or to the system logs. If you prefer to have the logging separated from other system information, the value of the variable, server_audit_output_type should be set to file
. Incidentally, file
is the only option on Windows systems.
You can force a rotation by enabling the server_audit_file_rotate_now variable like so:
SET GLOBAL server_audit_file_rotate_now = YES;
Separate Log Files
In addition to setting server_audit_output_type
, you will have to provide the file path and name of the audit file. This is set in the variable, server_audit_file_path
. You can set the file size limit of the log file with the variable, server_audit_file_rotate_size
.
So, if rotation is on and the log file has reached the size limit you set, a new file is created with a new file extention, leaving the old file with its current name and extension. To limit the number of log files created, set the variable, server_audit_file_rotations. You can force log file rotation by setting the variable, server_audit_file_rotate_nowto a value of YES. When the number of files permitted is reached, the oldest file will be overwritten. Below is an example of how the variables described above might be set in a server's configuration files:
[mysqld] ... server_audit_file_rotate_now=ON server_audit_file_rotate_size=1000000 server_audit_file_rotations=5 ...
System Logs
For security reasons, it's better sometimes to use the system logs instead of a local file owned by the mysql
user. To do this, the value of server_audit_output_type
needs to be set to syslog
. Advanced configurations, such as using a remote syslogd
service, is part of the syslogd
configuration.
The variables, server_audit_syslog_ident
and server_audit_syslog_info
can be used to identify a system log entry made by the audit plugin. If a remote syslogd
service is used for several MariaDB Servers, these same variables are used also to identify the MariaDB Server.
Below is an example of a system log entry taken from a server which had server_audit_syslog_ident
set to the default value of mysqlserver_auditing
, and the server_audit_syslog_info
set to <prod1>
.
Aug 717:19:58localhostmysqlserver_auditing: <prod1> localhost.localdomain,root,localhost,1,7, QUERY, mysql, 'SELECT * FROM user',0
Although the default values for server_audit_syslog_facility
and server_audit_syslog_priority
should be sufficient in most cases, they can be changed based on the definition in syslog.h
for the functions openlog()
and syslog()
.