About the MariaDB Audit Plugin

You are viewing an old version of this article. View the current version here.

The purpose of the MariaDB Audit Plugin is to log the server's activity. Records about who connected to the server, what queries ran and what tables touched can be stored to the rotating log file or sent to the local syslogd.

Installation

server_audit.so should be copied to the proper directory, after which the plugin is installed:

INSTALL PLUGIN server_audit SONAME 'server_audit';

The location of the plugin directory can be found by running this query:

SHOW VARIABLES LIKE 'plugin_dir';

https://mariadb.com/kb/en/install-plugin/

Log content

There are 3 types of log records.

CONNECTIONinforms about connected/disconnected users
QUERYqueries issued and their results
TABLEwhich tables were affected by query execution

Variables

The plugin defines a number of variables shaping the way it works.

VariableDescription
server_audit_output_typeSpecifies the desired output type. Can be SYSLOG or FILE. For example: SET GLOBAL server_audit_output_type=file file: log records will be saved into the rotating log file. The name of the file set by 'server_audit_file_path' variable. syslog: log records will be sent to the local syslogd daemon with the standard <syslog.h> API. The default value is 'file'.
server_audit_loggingEnables/disables the logging. Expected values are ON/OFF. For example: SET GLOBAL server_audit_logging=on If the server_audit_output_type is FILE, this will actually create/open the logfile so the 'server_audit_file_path' should be properly specified beforehand. Same about the SYSLOG-related parameters. The logging is turned off by default.
server_audit_eventsIf set it specifies the set of types of events to log. Can be CONNECT, QUERY and TABLE. For example: SET GLOBAL server_audit_events='connect, query'
server_audit_file_pathWhen 'server_audit_output_type=file', it sets the path and the filename to the log file. If the specified path exists as a directory, then the log will be created inside that directory with the name 'server_audit.log'. Otherwise the value is treated as a filename. The default value is 'server_audit.log', which means this file will be created in the database directory.
server_audit_file_rotate_sizeWhen 'server_audit_output_type=file', it limits the size of the log file. Reaching that limit turns on the rotation - the current log file is renamed as 'file_path.1'. The empty log file is created as 'file_path' to log into it. The default value is 100000.
server_audit_file_rotationsWhen 'server_audit_output_type=file', it specifies the number of rotations to save. If it's 0 then the log never rotates. The default value is 9.
server_audit_file_rotate_nowWhen 'server_audit_output_type=file', the user can force the log file rotation by SET-ting ON or 1 value to this variable.
server_audit_incl_usersIf not empty, it contains the list of users whose activity will be logged. For example: SET GLOBAL server_audit_incl_users='user_foo, user_bar' CONNECT records aren't affected by this variable - they are logged always. This setting has higher priority than server_audit_excl_users. So if same user specified both in incl_ and excl_ lists, it still will be logged.
server_audit_syslog_facilitySYSLOG-mode variable. It defines the 'facility' of the records that will be sent to the syslog. Later the log can be filtered by this parameter. Possible values are: LOG_USER, LOG_MAIL, LOG_DAEMON, LOG_AUTH, LOG_SYSLOG, LOG_LPR, LOG_NEWS, LOG_UUCP, LOG_CRON, LOG_AUTHPRIV, LOG_FTP, LOG_LOCAL0, LOG_LOCAL1, LOG_LOCAL2, LOG_LOCAL3, LOG_LOCAL4, LOG_LOCAL5, LOG_LOCAL6, LOG_LOCAL7 . The default value is LOG_USER.
server_audit_syslog_identSYSLOG-mode variable. String value for the 'ident' part of each syslog record. Default value is 'mysql-server_auditing'. New value becomes effective only after restarting the logging.
server_audit_syslog_infoSYSLOG-mode variable. The 'info' string to be added to the syslog records. Can be changed any time.
server_audit_syslog_prioritySYSLOG-mode variable. Defines for the syslogd the priority of the log records. Possible values: LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, LOG_DEBUG . It's set to LOG_INFO by default.
server_audit_excl_usersIf not empty, it contains the list of users whose activity will NOT be logged. For example: SET GLOBAL server_audit_excl_users='user_foo, user_bar' CONNECT records aren't affected by this variable - they are logged always. The user is still logged if it's specified in server_audit_incl_users.
server_audit_modeThis variable doesn't have any distinctive meaning for a user. Its value mostly reflects the server version with which the plugin was started and is intended to be used by developers for testing.

Status variables

The activity of the plugin can be monitored with the status variables.

Status variableDescription
server_audit_activeIf the auditing is actually working. It gets the ON value when the logging is successfully started. Then it can get the OFF value if the logging was stopped or log records can't be properly stored due to file or syslog errors.
server_audit_current_logThe name of the logfile or the SYSLOG parameters that are in current use.
server_audit_last_errorIf something went wrong with the logging here you can see the message.
server_audit_writes_failedThe number of log records since last logging-start that weren't properly stored because of errors of any kind.

Notes

If the query cache is enabled, and a query is returned from the query cache, no TABLE records appear in the log, as the server didn't open or log any tables.

Comments

Comments loading...
Content reproduced on this site is the property of its respective owners, and this content is not reviewed in advance by MariaDB. The views, information and opinions expressed by this content do not necessarily represent those of MariaDB or any other party.