Preface
The database audit function records users' operations on the database in an audit log so that they can later be traced, queried, and analyzed, which makes it possible to monitor and audit user activity. Auditing is very important work and an important part of an enterprise data security system; the audit log is also required in the ISO evaluation. For DBAs, database auditing is equally important: especially after a man-made accident, the audit log makes it easy to trace responsibility and locate the problem.
1. The state of audit logging in MySQL Community Edition
If you use MySQL Community Edition, you will find that MySQL does not officially provide an audit log in the strict sense. MySQL does have the binlog and the general log, and both offer some audit capability, but it is generally inappropriate to treat either of them as an audit log.
The binlog is the binary log. It records every DDL and DML statement executed on the database (but not data query statements such as select and show), stored as events in a binary file. Although the detailed execution record of an SQL statement can be found there, the binlog exists mainly for master-slave replication and cannot be regarded as an audit log.
The general log is a full log. Once enabled, it records every SQL statement that reaches the MySQL server. This log is normally left off, because it grows very large and affects database performance. It also records a lot of useless information, so filtering it afterwards for audit purposes is difficult.
So how should MySQL Community Edition be audited? The audit function can be implemented by installing an audit plug-in. The three common ones are MariaDB Audit Plugin, Percona Audit Log Plugin, and McAfee MySQL Audit Plugin. The audit plug-in that ships with MariaDB is the better fit for MySQL Community Edition, so let's look at how to use it to implement auditing.
2. Audit plug-in tutorial
The first step is to copy the audit plug-in out of a MariaDB installation package. Note that the operating system must match: if your MySQL is installed on CentOS, download the MariaDB package for CentOS and copy the plug-in from it; on Windows, download the audit plug-in built for that system.
The MariaDB audit plug-in is named server_audit.so (server_audit.dll on Windows). Note that the plug-in has been updated over time and different versions have different features. Version 1.4.4 or later is recommended, because newer versions can exclude select statements. The audit events supported by different versions of the audit plug-in are shown in the following figure:
The correspondence between audit plug-in versions and MariaDB versions is shown in the following figure:
MySQL 5.7 generally corresponds to MariaDB 10.2. We use MySQL 5.7 on CentOS as the example for installing the audit plug-in. The package I chose to download here is MariaDB 10.2.38 (audit plug-in version 1.4.13). Download address: https://downloads.mariadb.com/MariaDB/mariadb-10.2.38/bintar-linux-x86_64/mariadb-10.2.38-linux-x86_64.tar.gz
Once the download is complete, unpack the installation package, take the server_audit.so file from the mariadb-10.2.38-linux-x86_64/lib/plugin/ path, and copy it to the MySQL server. The specific steps are as follows:
# Check the MySQL plug-in directory
mysql> show variables like 'plugin_dir';
+---------------+------------------------------+
| Variable_name | Value                        |
+---------------+------------------------------+
| plugin_dir    | /usr/local/mysql/lib/plugin/ |
+---------------+------------------------------+
# Place the audit plug-in server_audit.so in this directory
[[email protected] plugin]# ls -lh server_audit.so
-rw-r--r--. 1 root root 191K May 4 2021 server_audit.so
# Change the owner and permissions of the plug-in
[[email protected] plugin]# chown mysql:mysql server_audit.so
[[email protected] plugin]# chmod 755 server_audit.so
[[email protected] plugin]# ls -lh server_audit.so
-rwxr-xr-x. 1 mysql mysql 191K May 4 2021 server_audit.so
The steps above are all preparation. For convenience, the version 1.4.13 audit plug-in for 64-bit Linux can also be downloaded separately from the link below:
Cloud link: https://pan.baidu.com/s/1HO5sjKb5zpj3CiyRulV5bw?pwd=r85k (extraction code: r85k).
Now let's start the actual installation.
# Log in to the database and install the audit plug-in
mysql> INSTALL PLUGIN server_audit SONAME 'server_audit.so';
Query OK, 0 rows affected (0.07 sec)
mysql> show plugins;
+----------------------------+--------+--------------------+-----------------+---------+
| Name                       | Status | Type               | Library         | License |
+----------------------------+--------+--------------------+-----------------+---------+
...
| SERVER_AUDIT               | ACTIVE | AUDIT              | server_audit.so | GPL     |
+----------------------------+--------+--------------------+-----------------+---------+
# View the initial audit parameter settings
mysql> show variables like '%audit%';
+-------------------------------+-----------------------+
| Variable_name                 | Value                 |
+-------------------------------+-----------------------+
| server_audit_events           |                       |
| server_audit_excl_users       |                       |
| server_audit_file_path        | server_audit.log      |
| server_audit_file_rotate_now  | OFF                   |
| server_audit_file_rotate_size | 1000000               |
| server_audit_file_rotations   | 9                     |
| server_audit_incl_users       |                       |
| server_audit_loc_info         |                       |
| server_audit_logging          | OFF                   |
| server_audit_mode             | 1                     |
| server_audit_output_type      | file                  |
| server_audit_query_log_limit  | 1024                  |
| server_audit_syslog_facility  | LOG_USER              |
| server_audit_syslog_ident     | mysql-server_auditing |
| server_audit_syslog_info      |                       |
| server_audit_syslog_priority  | LOG_INFO              |
+-------------------------------+-----------------------+
# Enable auditing online
mysql> set global server_audit_logging=on;
Query OK, 0 rows affected (0.00 sec)
mysql> set global server_audit_events='connect,table,query_ddl,query_dcl,query_dml_no_select';
Query OK, 0 rows affected (0.00 sec)
mysql> set global server_audit_file_path ='/data/mysql/logs/server_audit.log';
Query OK, 0 rows affected (0.00 sec)
mysql> set global server_audit_file_rotate_size=104857600;
Query OK, 0 rows affected (0.01 sec)
# Add the following to the [mysqld] section of the configuration file to make the settings permanent
server_audit=FORCE_PLUS_PERMANENT
server_audit_logging=ON
server_audit_file_path=/data/mysql/logs/server_audit.log
server_audit_events=connect,table,query_ddl,query_dcl,query_dml_no_select
server_audit_file_rotate_size=104857600
After the steps above, the audit plug-in is installed and configured. Referring to the official documentation, let's look at what the main configuration parameters do:
The parameters above are easy to understand. Now let's run some insert, delete, update, and query operations and look at what the audit log records:
# After the operations, check the contents of the audit log
20220512 15:17:17,mysqlhost2,test_user,10.30.21.95,118,0,FAILED_CONNECT,,,1045
20220512 15:17:30,mysqlhost2,test_user,10.30.21.95,119,0,FAILED_CONNECT,,,1045
20220512 15:20:26,mysqlhost2,test_user,10.30.21.95,124,0,CONNECT,,,0
20220512 15:20:49,mysqlhost2,test_user,10.30.21.95,124,395,QUERY,,'create database testdb',0
20220512 15:22:06,mysqlhost2,test_user,10.30.21.95,129,419,QUERY,testdb,'CREATE TABLE if not exists `test_tb0` (\r\n `increment_id` int(11) NOT NULL AUTO_INCREMENT COMMENT \' Since the primary key \',\r\n `test_id` int(11) NOT NULL ,\r\n `test_name` varchar(20) DEFAULT NULL,\r\n `create_time` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP COMMENT \' Creation time \',\r\n `update_time` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP COMMENT \' Modification time \',\r\n PRIMARY KEY (`increment_id`)\r\n) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT=\' test table\'',0
20220512 15:23:09,mysqlhost2,test_user,10.30.21.95,129,426,QUERY,testdb,'insert into test_tb0 (test_id,test_name) values (1001,\'4343df\'),(1002,\'dfd\')',0
20220512 15:23:22,mysqlhost2,test_user,10.30.21.95,129,433,QUERY,testdb,'delete from test_tb0',0
20220512 15:24:14,mysqlhost2,test_user,10.30.21.95,129,448,QUERY,testdb,'create table test_tb0 (id int)',1050
20220512 15:24:25,mysqlhost2,test_user,10.30.21.95,129,452,QUERY,testdb,'drop table test_tb0',0
20220512 15:25:13,mysqlhost2,test_user,10.30.21.95,126,0,DISCONNECT,testdb,,0
# Connection auditing covers connecting to the database, disconnecting, failed connections, and similar operations. The log format is as follows:
[timestamp],[serverhost],[username],[host],[connectionid],0,CONNECT,[database],,0
[timestamp],[serverhost],[username],[host],[connectionid],0,DISCONNECT,,,0
[timestamp],[serverhost],[username],[host],[connectionid],0,FAILED_CONNECT,,,[retcode]
# QUERY records audit the various database change events; failed executions are recorded as well. The log format is as follows:
[timestamp],[serverhost],[username],[host],[connectionid],[queryid],QUERY,[database],[object], [retcode]
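One way to parse and review records in this format, added here as an example and not part of the original article or of the plug-in. It assumes that only the quoted object field can contain commas; the function names, the failed-login threshold, and the list of statement types flagged for review are choices made for this example.

```python
import re
from collections import Counter

# Records copied from the log excerpt on this page (server_audit file format).
SAMPLE = r"""20220512 15:17:17,mysqlhost2,test_user,10.30.21.95,118,0,FAILED_CONNECT,,,1045
20220512 15:17:30,mysqlhost2,test_user,10.30.21.95,119,0,FAILED_CONNECT,,,1045
20220512 15:20:26,mysqlhost2,test_user,10.30.21.95,124,0,CONNECT,,,0
20220512 15:23:09,mysqlhost2,test_user,10.30.21.95,129,426,QUERY,testdb,'insert into test_tb0 (test_id,test_name) values (1001,\'4343df\'),(1002,\'dfd\')',0
20220512 15:24:14,mysqlhost2,test_user,10.30.21.95,129,448,QUERY,testdb,'create table test_tb0 (id int)',1050
20220512 15:24:25,mysqlhost2,test_user,10.30.21.95,129,452,QUERY,testdb,'drop table test_tb0',0
"""

# Statement types flagged for review (an assumed list; tune it per site).
RISKY = re.compile(r"\s*(drop|truncate|delete|alter|grant|revoke)\b", re.I)

def parse_line(line):
    """Split one record; only the quoted object field may contain commas."""
    head = line.rstrip("\r\n").split(",", 8)      # first 8 fields hold no commas
    if len(head) != 9:
        return None
    obj, sep, retcode = head[8].rpartition(",")   # retcode is always the last field
    if not sep or not retcode.strip().isdigit():
        return None
    if len(obj) >= 2 and obj[0] == obj[-1] == "'":
        obj = obj[1:-1].replace("\\'", "'")       # drop the quoting and \' escapes
    keys = ("timestamp", "serverhost", "username", "host", "connectionid",
            "queryid", "operation", "database")
    return dict(zip(keys, head), object=obj, retcode=int(retcode))

def review(text, fail_threshold=2):
    """Return (kind, timestamp, username, detail) findings for a log."""
    failed, findings = Counter(), []
    for rec in filter(None, map(parse_line, text.splitlines())):
        who, op = (rec["username"], rec["host"]), rec["operation"]
        if op == "FAILED_CONNECT":
            failed[who] += 1
        elif op == "CONNECT":
            if failed[who] >= fail_threshold:
                detail = f"{failed[who]} failed logins from {rec['host']} first"
                findings.append(("login_after_failures", rec["timestamp"], who[0], detail))
            failed[who] = 0
        elif op == "QUERY" and rec["retcode"] != 0:
            findings.append(("failed_statement", rec["timestamp"], who[0], rec["object"]))
        elif op == "QUERY" and RISKY.match(rec["object"]):
            findings.append(("risky_statement", rec["timestamp"], who[0], rec["object"]))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

Splitting a record on every comma would break the insert statement above into extra columns, which is why the parser splits the fixed leading fields from the left and takes the return code from the right.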
At this point we have covered the basic use of the audit plug-in. As the contents of the audit log show, the record format is clear and detailed, every column is needed, and it is easy to find the corresponding operation in the log. After using it, I feel the server_audit plug-in can basically meet audit needs. The plug-in does have both advantages and disadvantages, which are summarized as follows:
Advantages of the server_audit plug-in:
- Rich audit content: covers user connections and disconnections, DML operations, stored procedures, triggers, events, and so on.
- Flexible audit policy: audit events can be customized, for example by filtering out select queries or excluding a given user from auditing.
- Flexible and convenient: it is free to use and easy to install, and the audit function can be enabled and disabled online.
Disadvantages of the server_audit plug-in:
- Enabling auditing adds performance overhead to the database and takes up disk space.
- The log format is not rich enough, and the output format cannot be customized.