SERVER_AUDIT plugin
You are viewing an old version of this article. View
the current version here.
The purpose of the SERVER_AUDIT plugin is to log the server's activity. Records about who connected to the server, what queries ran and what tables touched can be stored to the rotating log file or sent to the local syslogd.
Installation
server_audit.so
should be copied to the proper directory, after which the plugin is installed:
INSTALL PLUGIN server_audit SONAME 'server_audit';
Log content
There are 3 types of log records.
CONNECTION | informs about connected/disconnected users |
QUERY | queries issued and their results |
TABLE | which tables were affected by query execution |
Variables
The plugin defines a number of variables shaping the way it works.
Variable | Description |
---|---|
server_audit_output_type | Specifies the desired output type. Can be SYSLOG or FILE . For example: SET GLOBAL server_audit_output_type=file file: log records will be saved into the rotating log file. The name of the file set by 'server_audit_file_path' variable. syslog: log records will be sent to the local syslogd daemon with the standard <syslog.h> API. |
server_audit_logging | Enables/disables the logging. Expected values are ON/OFF. For example: SET GLOBAL server_audit_logging=on If the server_audit_output_type is FILE, this will acually create/open the logfile so the 'server_audit_file_path' should be properly specified beforehand. Same about the SYSLOG-related parameters. |
server_audit_events | If set it specifies the set of types of events to log. Can be CONNECT, QUERY and TABLE. For example: SET GLOBAL server_audit_events='connect, query' |
server_audit_file_path | When 'server_audit_output_type=file', it sets the path and the filename to the log file. |
server_audit_file_rotate_size | When 'server_audit_output_type=file', it limits the size of the log file. Reaching that limit turns on the rotation - the current log file is renamed as 'file_path.1'. The empty log file is created as 'file_path' to log into it. |
server_audit_file_rotations | When 'server_audit_output_type=file', it specifies the number of rotations to save. |
server_audit_file_rotate_now | When 'server_audit_output_type=file', the user can force the log file rotation by SET-ting any value to this variable. |
server_audit_incl_users | If not empty, it contains the list of users whose activity will be logged. For example: SET GLOBAL server_audit_incl_users='user_foo, user_bar' CONNECT records aren't affected by this variable - they are logged always. |
server_audit_syslog_facility | SYSLOG-mode variable. It defines the 'facility' of the records that will be sent to the syslog. Later the log can be filtered by this parameter. Possible values are: LOG_USER, LOG_MAIL, LOG_DAEMON, LOG_AUTH, LOG_SYSLOG, LOG_LPR, LOG_NEWS, LOG_UUCP, LOG_CRON, LOG_AUTHPRIV, LOG_FTP, LOG_LOCAL0, LOG_LOCAL1, LOG_LOCAL2, LOG_LOCAL3, LOG_LOCAL4, LOG_LOCAL5, LOG_LOCAL6, LOG_LOCAL7 . The default value is LOG_USER. |
server_audit_syslog_ident | SYSLOG-mode variable. String value for the 'ident' part of each syslog record. Default value is 'mysql-server_auditing'. New value becomes effective only after restarting the logging. |
server_audit_syslog_info | SYSLOG-mode variable. The 'info' string to be added to the syslog records. Can be changed any time. |
server_audit_syslog_priority | SYSLOG-mode variable. Defines for the syslogd the priority of the log records. Possible values: LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, LOG_DEBUG . It's set to LOG_INFO by default. |
server_audit_excl_users | If not empty, it contains the list of users whose activity will NOT be logged. For example: SET GLOBAL server_audit_excl_users='user_foo, user_bar' CONNECT records aren't affected by this variable - they are logged always. |
Status variables
The activity of the plugin can be monitored with the status variables.
Status variable | Description |
---|---|
server_audit_active | If the auditing is actually working. It gets the ON value when the logging is successfully started. Then it can get the OFF value if the logging was stopped or log records can't be properly stored due to file or syslog errors. |
server_audit_current_log | The name of the logfile or the SYSLOG parameters that are in current use. |
server_audit_last_error | If something went wrong with the logging here you can see the message. |
server_audit_writes_failed | The number of log records since last logging-start that weren't properly stored because of errors of any kind. |
Comments
Comments loading...
Content reproduced on this site is the property of its respective owners,
and this content is not reviewed in advance by MariaDB. The views, information and opinions
expressed by this content do not necessarily represent those of MariaDB or any other party.