MySQL审计插件- Audit Log

最新推荐文章于 2024-05-17 10:22:08 发布

小金豆的互联网

最新推荐文章于 2024-05-17 10:22:08 发布

阅读量2.5k

点赞数

分类专栏： mysql 文章标签： mysql 数据库

本文链接：https://blog.csdn.net/jinyoufu12345/article/details/108383170

版权

mysql 专栏收录该内容

2 篇文章 0 订阅

订阅专栏

一、插件介绍
二、插件安装
1.安装插件
2.查看插件
3.日志格式
三、插件的使用
1.开始审计
2.查看审计日志
四、审计种类
1.基于用户审计
2.基于命令审计
3.基于DB审计
一、插件介绍

Percona公司的官方介绍：

Percona Audit Log Plugin provides monitoring and logging of connection and query activity that were performed on specific server. Information about the activity will be stored in the XML log file where each event will have its NAME field, its own unique RECORD_ID field and a TIMESTAMP field. This implementation is alternative to the MySQL Enterprise Audit Log Plugin

支持审计的事件：

Audit - Audit event indicates that audit logging started or finished. NAME field will be Audit when logging started and NoAudit when logging finished. Audit record also includes server version and command-line arguments.
Example of the Audit event:

<AUDIT_RECORD
“NAME”=“Audit”
“RECORD”=“1_2014-04-29T09:29:40”
“TIMESTAMP”=“2014-04-29T09:29:40 UTC”
“MYSQL_VERSION”=“5.6.17-65.0-655.trusty”
“STARTUP_OPTIONS”="–basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=mysql --log-error=/var/log/mysql/error.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306"
“OS_VERSION”=“x86_64-debian-linux-gnu”,
/>
Connect/Disconnect - Connect record event will have NAME field Connect when user logged in or login failed, or Quit when connection is closed. Additional fields for this event are CONNECTION_ID, STATUS, USER, PRIV_USER, OS_LOGIN, PROXY_USER, HOST, and IP. STATUS will be 0 for successful logins and non-zero for failed logins.
Example of the Disconnect event:

<AUDIT_RECORD
“NAME”=“Quit”
“RECORD”=“24_2014-04-29T09:29:40”
“TIMESTAMP”=“2014-04-29T10:20:13 UTC”
“CONNECTION_ID”=“49”
“STATUS”=“0”
“USER”=""
“PRIV_USER”=""
“OS_LOGIN”=""
“PROXY_USER”=""
“HOST”=""
“IP”=""
“DB”=""
/>
Query - Additional fields for this event are: COMMAND_CLASS (values come from the com_status_vars array in the sql/mysqld.cc` file in a MySQL source distribution. Examples are select, alter_table, create_table, etc.), CONNECTION_ID, STATUS (indicates error when non-zero), SQLTEXT (text of SQL-statement), USER, HOST, OS_USER, IP. Possible values for the NAME name field for this event are Query, Prepare, Execute, Change user, etc.
Example of the Query event:

<AUDIT_RECORD
“NAME”=“Query”
“RECORD”=“23_2014-04-29T09:29:40”
“TIMESTAMP”=“2014-04-29T10:20:10 UTC”
“COMMAND_CLASS”=“select”
“CONNECTION_ID”=“49”
“STATUS”=“0”
“SQLTEXT”=“SELECT * from mysql.user”
“USER”=“root[root] @ localhost []”
“HOST”=“localhost”
“OS_USER”=""
“IP”=""
/>

二、插件安装

1.安装插件
mysql> INSTALL PLUGIN audit_log SONAME ‘audit_log.so’;
Query OK, 0 rows affected (0.44 sec)

3.日志格式

The audit log plugin supports four log formats: OLD, NEW, JSON, and CSV. OLD and NEW formats are based on XML, where the former outputs log record properties as XML attributes and the latter as XML tags. Information logged is the same in all four formats. The log format choice is controlled by audit_log_format variable.

Example of the OLD format:

<AUDIT_RECORD
“NAME”=“Query”
“RECORD”=“2_2014-04-28T09:29:40”
“TIMESTAMP”=“2014-04-28T09:29:40 UTC”
“COMMAND_CLASS”=“install_plugin”
“CONNECTION_ID”=“47”
“STATUS”=“0”
“SQLTEXT”=“INSTALL PLUGIN audit_log SONAME ‘audit_log.so’”
“USER”=“root[root] @ localhost []”
“HOST”=“localhost”
“OS_USER”=""
“IP”=""
/>
Example of the NEW format:

<AUDIT_RECORD>
Quit
10902_2014-04-28T11:02:54
2014-04-28T11:02:59 UTC
<CONNECTION_ID>36</CONNECTION_ID>
0

<PRIV_USER></PRIV_USER>
<OS_LOGIN></OS_LOGIN>
<PROXY_USER></PROXY_USER>

</AUDIT_RECORD>
Example of the JSON format:

{“audit_record”:{“name”:“Query”,“record”:“4707_2014-08-27T10:43:52”,“timestamp”:“2014-08-27T10:44:19 UTC”,“command_class”:“show_databases”,“connection_id”:“37”,“status”:0,“sqltext”:“show databases”,“user”:“root[root] @ localhost []”,“host”:“localhost”,“os_user”:"",“ip”:""}}

Example of the CSV format:

“Query”,“49284_2014-08-27T10:47:11”,“2014-08-27T10:47:23 UTC”,“show_databases”,“37”,0,“show databases”,“root[root] @ localhost []”,“localhost”,"",""

三、插件的使用

1.开始审计
mysql> SET GLOBAL audit_log_include_accounts = ‘user1@localhost,root@localhost’;

Query OK, 0 rows affected (0.00 sec)

mysql> select @@audit_log_include_accounts;
±-------------------------------+
| @@audit_log_include_accounts |
±-------------------------------+
| user1@localhost,root@localhost |
±-------------------------------+
1 row in set (0.00 sec)

下面会介绍，具体的审计范围。参考第四节。

[root@szgl-mysql-jinyftest01-1154 data]# tail -f audit.log
COMMAND_CLASS=“show_variables”
CONNECTION_ID=“124”
STATUS=“0”
SQLTEXT=“show variables like ‘%audit%’”
USER=“root[root] @ localhost []”
HOST=“localhost”
OS_USER=""
IP=""
DB=""
/>

四、审计种类

1.基于用户审计
需要审计的用户：

mysql> SET GLOBAL audit_log_include_accounts = ‘user1@localhost,root@localhost’; Query OK, 0 rows affected (0.00 sec)
Query OK, 0 rows affected (0.00 sec)

不需要审计的用户

mysql> SET GLOBAL audit_log_exclude_accounts = ‘user1@localhost,root@localhost’;
Query OK, 0 rows affected (0.00 sec)

2.基于命令审计
mysql> SET GLOBAL audit_log_include_commands= ‘set_option,create_db’;

Query OK, 0 rows affected (0.00 sec)

3.基于DB审计
mysql> SET GLOBAL audit_log_include_databases = ‘test,mysql,db1’;
Query OK, 0 rows affected (0.00 sec)

mysql> SET GLOBAL audit_log_include_databases= ‘db1,```db3"`’;
Query OK, 0 rows affected (0.00 sec)

参考文献：https://www.percona.com/doc/percona-server/5.7/management/audit_log_plugin.html

小金豆的互联网

关注

0
点赞
踩
3

收藏

觉得还不错? 一键收藏
0
评论
MySQL审计插件- Audit Log

一、插件介绍二、插件安装1.安装插件2.查看插件3.日志格式三、插件的使用1.开始审计2.查看审计日志四、审计种类1.基于用户审计2.基于命令审计3.基于DB审计一、插件介绍Percona公司的官方介绍：Percona Audit Log Plugin provides monitoring and logging of connection and query activity that were performed on specific server. Informatio
复制链接

扫一扫