About the MariaDB Audit Plugin
The purpose of the MariaDB Audit Plugin is to log the server's activity. Records about who connected to the server, what queries ran and what tables touched can be stored to the rotating log file or sent to the local syslogd.
Installation
server_audit.so
should be copied to the proper directory, after which the plugin is installed:
INSTALL PLUGIN server_audit SONAME 'server_audit';
Log content
There are 3 types of log records.
CONNECTION | informs about connected/disconnected users |
QUERY | queries issued and their results |
TABLE | which tables were affected by query execution |
Variables
The plugin defines a number of variables shaping the way it works.
Variable | Description |
---|---|
server_audit_output_type | Specifies the desired output type. Can be SYSLOG or FILE . For example: SET GLOBAL server_audit_output_type=file file: log records will be saved into the rotating log file. The name of the file set by 'server_audit_file_path' variable. syslog: log records will be sent to the local syslogd daemon with the standard <syslog.h> API. The default value is 'file'. |
server_audit_logging | Enables/disables the logging. Expected values are ON/OFF. For example: SET GLOBAL server_audit_logging=on If the server_audit_output_type is FILE, this will acually create/open the logfile so the 'server_audit_file_path' should be properly specified beforehand. Same about the SYSLOG-related parameters. The logging is turned off by default. |
server_audit_events | If set it specifies the set of types of events to log. Can be CONNECT, QUERY and TABLE. For example: SET GLOBAL server_audit_events='connect, query' |
server_audit_file_path | When 'server_audit_output_type=file', it sets the path and the filename to the log file. If the specified path exists as a directory, then the log will be created inside that directory with the name 'server_audit.log'. Otherwise the value is treated as a filename. The default value is 'server_audit.log', which means this file will be created in the database directory. |
server_audit_file_rotate_size | When 'server_audit_output_type=file', it limits the size of the log file. Reaching that limit turns on the rotation - the current log file is renamed as 'file_path.1'. The empty log file is created as 'file_path' to log into it. The default value is 100000. |
server_audit_file_rotations | When 'server_audit_output_type=file', it specifies the number of rotations to save. If it's 0 then the log never rotates. The default value is 9. |
server_audit_file_rotate_now | When 'server_audit_output_type=file', the user can force the log file rotation by SET-ting ON or 1 value to this variable. |
server_audit_incl_users | If not empty, it contains the list of users whose activity will be logged. For example: SET GLOBAL server_audit_incl_users='user_foo, user_bar' CONNECT records aren't affected by this variable - they are logged always. This setting has higher priority than server_audit_excl_users. So if same user specified both in incl_ and excl_ lists, it still will be logged. |
server_audit_syslog_facility | SYSLOG-mode variable. It defines the 'facility' of the records that will be sent to the syslog. Later the log can be filtered by this parameter. Possible values are: LOG_USER, LOG_MAIL, LOG_DAEMON, LOG_AUTH, LOG_SYSLOG, LOG_LPR, LOG_NEWS, LOG_UUCP, LOG_CRON, LOG_AUTHPRIV, LOG_FTP, LOG_LOCAL0, LOG_LOCAL1, LOG_LOCAL2, LOG_LOCAL3, LOG_LOCAL4, LOG_LOCAL5, LOG_LOCAL6, LOG_LOCAL7 . The default value is LOG_USER. |
server_audit_syslog_ident | SYSLOG-mode variable. String value for the 'ident' part of each syslog record. Default value is 'mysql-server_auditing'. New value becomes effective only after restarting the logging. |
server_audit_syslog_info | SYSLOG-mode variable. The 'info' string to be added to the syslog records. Can be changed any time. |
server_audit_syslog_priority | SYSLOG-mode variable. Defines for the syslogd the priority of the log records. Possible values: LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, LOG_DEBUG . It's set to LOG_INFO by default. |
server_audit_excl_users | If not empty, it contains the list of users whose activity will NOT be logged. For example: SET GLOBAL server_audit_excl_users='user_foo, user_bar' CONNECT records aren't affected by this variable - they are logged always. The user is still logged if it's specified in server_audit_incl_users. |
server_audit_mode | That variable doesn't have any distinctive meaning for an user. It's value mostly reflects the server version with witch the plugin was started and intended to only be used by developers for testing. |
Status variables
The activity of the plugin can be monitored with the status variables.
Status variable | Description |
---|---|
server_audit_active | If the auditing is actually working. It gets the ON value when the logging is successfully started. Then it can get the OFF value if the logging was stopped or log records can't be properly stored due to file or syslog errors. |
server_audit_current_log | The name of the logfile or the SYSLOG parameters that are in current use. |
server_audit_last_error | If something went wrong with the logging here you can see the message. |
server_audit_writes_failed | The number of log records since last logging-start that weren't properly stored because of errors of any kind. |
Notes
The QUERY CACHE when enabled changes the way TABLE class records appear in the log. Specifically if the result of a query was returned from the QUERY CACHE, no TABLE records appear in the log at all, as the server didn't open or log any tables.