由於MySQL的社區版是不支持審計系統的,因此通過第三方的插件實現審計功能。此次采用MariaDB的server_audit插件來實現MySQL的審計功能。
安裝server_audit插件
1、下載server_audit插件
下載地址:http://mirrors.neusoft.edu.cn/mariadb//mariadb-5.5.62/bintar-linux-systemd-x86_64/mariadb-5.5.62-linux-systemd-x86_64.tar.gz
由於MariaDB的插件集成在自己的包中, 因此下載一個二進制包的MariaDB來獲取插件。
[root@bogon software]# wget http://mirrors.neusoft.edu.cn/mariadb//mariadb-5.5.62/bintar-linux-systemd-x86_64/mariadb-5.5.62-linux-systemd-x86_64.tar.gz [root@bogon software]# tar xf mariadb-5.5.62-linux-systemd-x86_64.tar.gz [root@bogon software]# cd mariadb-5.5.62-linux-systemd-x86_64 [root@bogon mariadb-5.5.62-linux-systemd-x86_64]# cd lib/plugin/ [root@bogon plugin]# ls server_audit.so server_audit.so
2、拷貝、安裝server_audit插件
查看mysql插件目錄
MySQL [(none)]> show variables like 'plugin_dir'; +---------------+-------------------------------+ | Variable_name | Value | +---------------+-------------------------------+ | plugin_dir | /data/tools/mysql/lib/plugin/ | +---------------+-------------------------------+ 1 row in set (0.00 sec)
復制插件到plugin目錄
[root@bogon plugin]# cp /data/source/server_audit.so ./
[root@bogon plugin]# ll server_audit.so
-rw-r--r-- 1 root root 226589 Nov 30 17:02 server_audit.so
查看當前MySQL插件情況
MySQL [(none)]> show plugins; +----------------------------+----------+--------------------+---------+---------+ | Name | Status | Type | Library | License | +----------------------------+----------+--------------------+---------+---------+ | binlog | ACTIVE | STORAGE ENGINE | NULL | GPL | | mysql_native_password | ACTIVE | AUTHENTICATION | NULL | GPL | | mysql_old_password | ACTIVE | AUTHENTICATION | NULL | GPL | ..... | PERFORMANCE_SCHEMA | ACTIVE | STORAGE ENGINE | NULL | GPL | | BLACKHOLE | ACTIVE | STORAGE ENGINE | NULL | GPL | | partition | ACTIVE | STORAGE ENGINE | NULL | GPL | +----------------------------+----------+--------------------+---------+---------+ 42 rows in set (0.01 sec)
安裝server_audit插件
MySQL [(none)]> install plugin server_audit soname 'server_audit.so'; Query OK, 0 rows affected (0.00 sec) MySQL [(none)]> show plugins; +----------------------------+----------+--------------------+-----------------+---------+ | Name | Status | Type | Library | License | +----------------------------+----------+--------------------+-----------------+---------+ | binlog | ACTIVE | STORAGE ENGINE | NULL | GPL | | mysql_native_password | ACTIVE | AUTHENTICATION | NULL | GPL | | mysql_old_password | ACTIVE | AUTHENTICATION | NULL | GPL | | sha256_password | ACTIVE | AUTHENTICATION | NULL | GPL | ... | PERFORMANCE_SCHEMA | ACTIVE | STORAGE ENGINE | NULL | GPL | | BLACKHOLE | ACTIVE | STORAGE ENGINE | NULL | GPL | | partition | ACTIVE | STORAGE ENGINE | NULL | GPL | | SERVER_AUDIT | ACTIVE | AUDIT | server_audit.so | GPL | +----------------------------+----------+--------------------+-----------------+---------+ 43 rows in set (0.00 sec)
查看server_audit插件參數
MySQL [(none)]> show variables like '%server_audit%'; +-------------------------------+---------------------------------------------------+ | Variable_name | Value | +-------------------------------+---------------------------------------------------+ | server_audit_events | CONNECT,QUERY,TABLE,QUERY_DDL,QUERY_DML,QUERY_DCL | | server_audit_excl_users | | | server_audit_file_path | server_audit.log | | server_audit_file_rotate_now | OFF | | server_audit_file_rotate_size | 200000000 | | server_audit_file_rotations | 200 | | server_audit_incl_users | | | server_audit_loc_info | | | server_audit_logging | OFF | | server_audit_mode | 1 | | server_audit_output_type | file | | server_audit_query_log_limit | 1024 | | server_audit_syslog_facility | LOG_USER | | server_audit_syslog_ident | mysql-server_auditing | | server_audit_syslog_info | | | server_audit_syslog_priority | LOG_INFO | +-------------------------------+---------------------------------------------------+ 16 rows in set (0.00 sec)
啟用server_audit插件
MySQL [(none)]> set global server_audit_logging=on; Query OK, 0 rows affected (0.00 sec) MySQL [(none)]> show variables like '%server_audit%'; +-------------------------------+---------------------------------------------------+ | Variable_name | Value | +-------------------------------+---------------------------------------------------+ | server_audit_events | | | server_audit_excl_users | | | server_audit_file_path | server_audit.log | | server_audit_file_rotate_now | ON | | server_audit_file_rotate_size | 200000000 | | server_audit_file_rotations | 200 | | server_audit_incl_users | | | server_audit_loc_info | | | server_audit_logging | ON | | server_audit_mode | 1 | | server_audit_output_type | file | | server_audit_query_log_limit | 1024 | | server_audit_syslog_facility | LOG_USER | | server_audit_syslog_ident | mysql-server_auditing | | server_audit_syslog_info | | | server_audit_syslog_priority | LOG_INFO | +-------------------------------+---------------------------------------------------+ 16 rows in set (0.00 sec)
查看日志信息
[root@fsl_mysql_114 auditlogs]# tail -20 server_audit.log 20181130 17:21:18,fsl_mysql_114,zabbixmnt,localhost,19947,0,CONNECT,,,0 20181130 17:21:18,fsl_mysql_114,zabbixmnt,localhost,19947,743,QUERY,,'SET NAMES utf8mb4',0 20181130 17:21:18,fsl_mysql_114,zabbixmnt,localhost,19947,744,QUERY,,'select @@version_comment limit 1',0 20181130 17:21:18,fsl_mysql_114,zabbixmnt,localhost,19947,745,QUERY,,'show global status where Variable_name=\'Com_update\'',0 20181130 17:21:18,fsl_mysql_114,zabbixmnt,localhost,19947,0,DISCONNECT,,,0 20181130 17:21:19,fsl_mysql_114,zabbixmnt,localhost,19948,0,CONNECT,,,0 20181130 17:21:19,fsl_mysql_114,zabbixmnt,localhost,19948,747,QUERY,,'SET NAMES utf8mb4',0 20181130 17:21:19,fsl_mysql_114,zabbixmnt,localhost,19948,748,QUERY,,'select @@version_comment limit 1',0 20181130 17:21:19,fsl_mysql_114,zabbixmnt,localhost,19948,749,QUERY,,'show global status where Variable_name=\'Questions\'',0 20181130 17:21:19,fsl_mysql_114,zabbixmnt,localhost,19948,0,DISCONNECT,,,0 20181130 17:21:21,fsl_mysql_114,zabbixmnt,localhost,19949,0,CONNECT,,,0 20181130 17:21:21,fsl_mysql_114,zabbixmnt,localhost,19949,751,QUERY,,'SET NAMES utf8mb4',0 20181130 17:21:21,fsl_mysql_114,zabbixmnt,localhost,19949,752,QUERY,,'select @@version_comment limit 1',0 20181130 17:21:21,fsl_mysql_114,zabbixmnt,localhost,19949,753,QUERY,,'show global status where Variable_name=\'Slow_queries\'',0 20181130 17:21:21,fsl_mysql_114,zabbixmnt,localhost,19949,0,DISCONNECT,,,0 20181130 17:21:21,fsl_mysql_114,zabbixmnt,localhost,19950,0,CONNECT,,,0 20181130 17:21:21,fsl_mysql_114,zabbixmnt,localhost,19950,755,QUERY,,'SET NAMES utf8mb4',0 20181130 17:21:21,fsl_mysql_114,zabbixmnt,localhost,19950,756,QUERY,,'select @@version_comment limit 1',0 20181130 17:21:21,fsl_mysql_114,zabbixmnt,localhost,19950,757,QUERY,,'show global status where Variable_name=\'Uptime\'',0 20181130 17:21:21,fsl_mysql_114,zabbixmnt,localhost,19950,0,DISCONNECT,,,0
3、server_audit參數說明
server_audit_events :指定記錄事件的類型,可以用逗號分隔的多個值(connect,query,table),如果開啟了查詢緩存(query cache),查詢直接從查詢緩存返回數據,將沒有table記錄
(Valid Values: CONNECT, QUERY and TABLE (QUERY_DDL, QUERY_DML added in 1.2.0 and QUERY_DCL added in 1.3.0, QUERY_DML_NO_SELECT added in 1.4))
server_audit_excl_users : 該列表的用戶行為將不記錄,connect將不受該設置影響
server_audit_file_path :使用該變量設置存儲日志的文件,可以指定目錄,默認存放在數據目錄的server_audit.log文件中
server_audit_file_rotate_now :知否立即切割日志
server_audit_file_rotate_size :限制日志文件的大小
server_audit_file_rotations :指定日志文件的數量,如果為0日志將從不輪轉
server_audit_incl_users : 指定哪些用戶的活動將記錄,connect將不受此變量影響,該變量比server_audit_excl_users優先級高
server_audit_loc_info :
server_audit_logging :啟動或關閉審計ON/OFF
server_audit_mode :標識版本,用於開發測試
server_audit_output_type :指定日志輸出類型,可為SYSLOG或FILE
server_audit_query_log_limit :1024
server_audit_syslog_facility :LOG_USER
server_audit_syslog_ident :mysql-server_auditing
server_audit_syslog_info :
server_audit_syslog_priority :LOG_INFO