Base environment: CentOS release 6.5 + 10.1.40-MariaDB (MariaDB Server)
After installation I tested it from three kinds of clients: the Navicat client tool, a Java web project, and the Linux mysql command-line client.
Result of the test: this project only manages to capture database operations issued from the command line.
1. Install mysql-sniffer:
# yum install glib2-devel libpcap-devel libnet-devel
# cd /usr/local/src/
# git clone https://github.com/Qihoo360/mysql-sniffer   # this step is slow, be patient
# cd mysql-sniffer
# mkdir proj
# cd proj
# cmake ../
# make
# cd bin/    # the binary is proj/bin/mysql-sniffer; from proj/ call it as ./bin/mysql-sniffer
2. View the options
./mysql-sniffer -h
Usage ./bin/mysql-sniffer [-d] -i eth0 -p 3306,3307,3308 -l /var/log/mysql-sniffer/ -e stderr
[-d] -i eth0 -r 3000-4000
-d daemon mode.
-s how often to split the log file(minute, eg. 1440). if less than 0, split log everyday
-i interface. Default to eth0
-p port, default to 3306. Multiple ports should be splited by ','. eg. 3306,3307
this option has no effect when -f is set.
-r port range, Don't use -r and -p at the same time
-l query log DIRECTORY. Make sure that the directory is accessible. Default to stdout.
-e error log FILENAME or 'stderr'. if set to /dev/null, runtime error will not be recorded
-f filename. use pcap file instead capturing the network interface
-w white list. dont capture the port. Multiple ports should be splited by ','.
-t truncation length. truncate long query if it's longer than specified length. Less than 0 means no truncation
-n keeping tcp stream count, if not set, default is 65536. if active tcp count is larger than the specified count, mysql-sniffer will remove the oldest one
3. Run it: capture MySQL port 3306 traffic on a given interface (e.g. eth0)
Real-time view on stdout:
# ./bin/mysql-sniffer -i eth0 -p 3306
Write to a log directory (-l takes a directory, not a file name):
# ./bin/mysql-sniffer -i eth0 -p 3306 -l /tmp/mysql-sniffer/
Check the interface name first: the sniffer only sees packets that actually traverse the interface given to -i, so pick the one the clients' connections arrive on.
4. Results:
Start mysql-sniffer on the MySQL server in real-time mode.
[Method 1: a Windows PC accessing the MySQL server with the Navicat client]
Ran SQL statements.
The audit console did not echo the executed statement; after changing the SQL and running it again, the console still showed nothing at all.
[Method 2: a Java web project accessing the database: the console likewise showed no related information]
[Method 3: command-line terminal]
Full audit information is visible: from the login to the database through every SQL statement executed after login (table queries, updates, etc.), the audit console echoes everything.
[Audit console terminal output as follows:]
[Source code:]
https://github.com/Qihoo360/mysql-sniffer/blob/master/README_CN.md
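5. What a wire-level sniffer actually has to parse

A passive sniffer like mysql-sniffer can only report what the MySQL client/server protocol puts on the wire in the clear. Each client command is one packet: a 3-byte little-endian payload length, a 1-byte sequence id, then the payload whose first byte is the command type. The SQL text travels in COM_QUERY (text protocol) and in COM_STMT_PREPARE; a following COM_STMT_EXECUTE carries only a statement id plus binary-encoded parameters, so a sniffer that does not correlate execute with the earlier prepare sees no statement text at all. The decoder below is an added example written for this page; it is not code from mysql-sniffer, and the byte stream it runs over is constructed by hand (the table, column and parameter values are made up), not a real capture.

```python
"""Decode MySQL client command packets the way a wire-level sniffer must.

Added example, not code from the mysql-sniffer project. The sample session
at the bottom is constructed by hand from the MySQL client/server protocol.
"""
import struct

# Command bytes (first byte of a client command payload).
COM_QUIT = 0x01
COM_INIT_DB = 0x02
COM_QUERY = 0x03
COM_STMT_PREPARE = 0x16
COM_STMT_EXECUTE = 0x17

COMMAND_NAMES = {
    COM_QUIT: "COM_QUIT",
    COM_INIT_DB: "COM_INIT_DB",
    COM_QUERY: "COM_QUERY",
    COM_STMT_PREPARE: "COM_STMT_PREPARE",
    COM_STMT_EXECUTE: "COM_STMT_EXECUTE",
}


def build_packet(command, payload=b"", seq=0):
    """Frame one client command: 3-byte LE length, 1-byte sequence id, payload."""
    body = bytes([command]) + payload
    return len(body).to_bytes(3, "little") + bytes([seq]) + body


def iter_packets(stream):
    """Split a client->server byte stream into (seq, payload) pairs.

    Stops at a truncated trailing packet instead of guessing; a live sniffer
    would keep the remainder and wait for the next TCP segment.
    """
    off = 0
    while off + 4 <= len(stream):
        length = int.from_bytes(stream[off:off + 3], "little")
        seq = stream[off + 3]
        start, end = off + 4, off + 4 + length
        if end > len(stream):
            break
        yield seq, stream[start:end]
        off = end


def decode_command(payload):
    """Return what an auditor can recover from a single command payload."""
    if not payload:
        return {"command": "EMPTY", "sql": None}
    cmd = payload[0]
    name = COMMAND_NAMES.get(cmd, "UNKNOWN(0x%02x)" % cmd)
    if cmd in (COM_QUERY, COM_STMT_PREPARE):
        # Text protocol and the prepare step both carry the SQL in clear.
        return {"command": name, "sql": payload[1:].decode("utf-8", "replace")}
    if cmd == COM_INIT_DB:
        return {"command": name, "sql": "USE " + payload[1:].decode("utf-8", "replace")}
    if cmd == COM_STMT_EXECUTE and len(payload) >= 10:
        # Only a statement id plus binary-encoded parameters: no SQL text.
        stmt_id = struct.unpack_from("<I", payload, 1)[0]
        return {"command": name, "sql": None, "stmt_id": stmt_id}
    return {"command": name, "sql": None}


def audit_stream(stream):
    """Decode every complete packet in the stream, in order."""
    return [decode_command(payload) for _, payload in iter_packets(stream)]


# Constructed sample session (not a real capture): USE test, a plain query,
# the same query as a server-side prepared statement, then QUIT.
_execute_payload = (
    struct.pack("<IBI", 1, 0, 1)   # statement id 1, flags, iteration count
    + b"\x00"                       # NULL bitmap for one parameter
    + b"\x01"                       # new-params-bound flag
    + b"\x08\x00"                   # param type MYSQL_TYPE_LONGLONG, signed
    + struct.pack("<q", 1)          # the bound value: id = 1
)
SAMPLE_STREAM = (
    build_packet(COM_INIT_DB, b"test")
    + build_packet(COM_QUERY, b"select * from users where id = 1")
    + build_packet(COM_STMT_PREPARE, b"select * from users where id = ?")
    + build_packet(COM_STMT_EXECUTE, _execute_payload)
    + build_packet(COM_QUIT)
)

if __name__ == "__main__":
    for entry in audit_stream(SAMPLE_STREAM):
        print(entry)
```

Running the block prints one line per command: the COM_QUERY and COM_STMT_PREPARE entries carry the statement text, while the COM_STMT_EXECUTE entry carries only stmt_id 1. When a client's statements are missing from the audit output, two things are worth checking before blaming the tool: confirm with tcpdump on the same interface and port that the client's packets actually arrive there (a client on the server host itself connecting through the Unix socket, or over loopback, never appears on eth0), and confirm whether the client sends its queries as COM_QUERY or as prepared statements, since the latter put the SQL on the wire only once.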