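Reposted from the Internet
As of June 2, 2017, the latest MySQL Community release is MySQL_5.7.18, but this release does not include the AUDIT feature (MySQL Enterprise Edition ships with it),
so a (third-party) plugin has to be loaded. The following plugins are currently available: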
1. MySQL Enterprise Audit Plugin – This plugin is not open source and is only available with MySQL Enterprise, which has a significant cost attached to it. It is the most stable and robust.
Note: only MySQL Enterprise Edition can use this audit plugin; MySQL Community Edition users will have to wait.
2. Percona Audit Log Plugin – Percona provides an open source auditing solution that installs with Percona Server 5.5.37+ and 5.6.17+. This plugin has quite a few output features as it outputs XML, JSON and to syslog. Percona’s implementation is the first to be a drop-in replacement for MySQL Enterprise Audit Plugin. As it has some internal hooks to the server to be feature-compatible with Oracle’s plugin, it is not available as a standalone for other versions of MySQL. This plugin is actively maintained by Percona.
Note: in other words, this plugin can only be used with Percona Server, and Percona maintains it.
3. McAfee MySQL Audit Plugin – It has been around the longest and has been used widely. It is open source and robust, while not using the official auditing API. It isn’t updated as often as one may like. There haven’t been any new features in some time. It was recently updated to support MySQL 5.7.
Download: http://dl.bintray.com/mcafee/mysql-audit-plugin/
For deployment, see: http://blog.csdn.net/bzfys/article/details/53695855
I found that this plugin does not seem to support automatic rotation of the audit log, and the log is in JSON format, which I find hard to read; the timestamps also need to be converted.
e.g.: {"msg-type":"header","date":"1494935783266","audit-version":"1.1.4-707","audit-protocol-version":"1.0","hostname":"salt-master","mysql-version":"5.7.18-log","mysql-program":"/usr/sbin/mysqld","mysql-socket":"/data/mysql/mysql.sock","mysql-port":"3306","server_pid":"43480"}
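4. MariaDB Audit Plugin – The only plugin that claims to support MySQL, Percona Server and MariaDB. It is open source and constantly upgraded with new versions of MariaDB. Versions starting at 1.2 are most stable, and it may be risky to use versions below that in your production environment. Versions below 1.2 may be unstable and I have seen it crash production servers. Older versions also log clear text passwords.
Download: https://mariadb.com/kb/en/mariadb/about-the-mariadb-audit-plugin/ (you can download the matching MariaDB version directly; after extracting it, the server_audit.so plugin is in the plugin directory)
The audit plugin from MariaDB_5.5.37 and from MariaDB_10.0.10 and later can be used with MariaDB, MySQL and Percona Server.
Note: differences between MariaDB_5.x.x and MariaDB_10.x.x
MariaDB_5.x.x: compatible with MySQL 5.x.x, with nearly identical interfaces; limited to the community edition
MariaDB_10.x.x: 10.x.x uses new technology, and its interfaces will gradually diverge from MySQL's. The goal is to move toward MariaDB's new interfaces in the future.
Taking all of the above into account, I chose to install the MariaDB Audit Plugin on my MySQL_5.7.18. The deployment steps are as follows:
1. Download mariadb-5.5.56-linux-x86_64.tar.gz and extract it to obtain the server_audit.so plugin.
2. Log in to MySQL and run the following command to find MySQL's plugin directory: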
mysql> SHOW GLOBAL VARIABLES LIKE 'plugin_dir';
+---------------+--------------------------+
| Variable_name | Value                    |
+---------------+--------------------------+
| plugin_dir    | /usr/lib64/mysql/plugin/ |
+---------------+--------------------------+
1 row in set (0.02 sec)
3. Upload server_audit.so to /usr/lib64/mysql/plugin/.
4. Install server_audit.so from the mysql prompt:
mysql> INSTALL PLUGIN server_audit SONAME 'server_audit.so';
5. Check the current variable settings; by default they all appear to be off:
mysql> show variables like '%audit%';
6. Edit my.cnf and add the following configuration:
server_audit_events='CONNECT,QUERY,TABLE,QUERY_DDL,QUERY_DML,QUERY_DCL'
Note: specifies which operations are recorded in the log file.
server_audit_logging=on
server_audit_file_path =/data/mysql/auditlogs/
Note: the directory where the audit logs are stored; a server_audit.log file is created there and records the audited operations.
server_audit_file_rotate_size=200000000
server_audit_file_rotations=200
server_audit_file_rotate_now=ON
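7. Restart the service: service mysqld restart
After logging in to MySQL, every command executed in the MySQL session is recorded in /data/mysql/auditlogs/server_audit.log; when the log file reaches the configured size, it is rotated automatically.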
mysql> show variables like '%audit%';
+-------------------------------+---------------------------------------------------+
| Variable_name                 | Value                                             |
+-------------------------------+---------------------------------------------------+
| server_audit_events           | CONNECT,QUERY,TABLE,QUERY_DDL,QUERY_DML,QUERY_DCL |
| server_audit_excl_users       |                                                   |
| server_audit_file_path        | /data/mysql/auditlogs/                            |
| server_audit_file_rotate_now  | ON                                                |
| server_audit_file_rotate_size | 200000000                                         |
| server_audit_file_rotations   | 200                                               |
| server_audit_incl_users       |                                                   |
| server_audit_loc_info         |                                                   |
| server_audit_logging          | ON                                                |
| server_audit_mode             | 1                                                 |
| server_audit_output_type      | file                                              |
| server_audit_query_log_limit  | 1024                                              |
| server_audit_syslog_facility  | LOG_USER                                          |
| server_audit_syslog_ident     | mysql-server_auditing                             |
| server_audit_syslog_info      |                                                   |
| server_audit_syslog_priority  | LOG_INFO                                          |
+-------------------------------+---------------------------------------------------+
The log entry looks like this:
20170516 23:21:23,salt-master,audit_log_user,localhost,4,19,QUERY,,'show variables like \'%audit%\'',0
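8. Parameter descriptions:
For details, see: https://mariadb.com/kb/en/mariadb/server_audit-system-variables/
server_audit_output_type: specifies the log output type, either SYSLOG or FILE
server_audit_logging: enables or disables auditing
server_audit_events: specifies the types of events to record, as a comma-separated list of values (connect,query,table). If the query cache is enabled and a query is answered directly from the query cache, no table record is written
server_audit_file_path: when server_audit_output_type is FILE, this variable sets the file the log is stored in; a directory may be given. By default the log is stored in server_audit.log in the data directory
server_audit_file_rotate_size: limits the size of the log file
server_audit_file_rotations: specifies the number of log files; if set to 0, the log is never rotated
server_audit_file_rotate_now: forces rotation of the log file
server_audit_incl_users: specifies which users' activity is recorded; connect is not affected by this variable, and this variable takes precedence over server_audit_excl_users
server_audit_syslog_facility: defaults to LOG_USER; specifies the facility
server_audit_syslog_ident: sets the ident that is part of each syslog record
server_audit_syslog_info: the specified info string is added to each syslog record
server_audit_syslog_priority: defines the syslogd priority of the logged records
server_audit_excl_users: activity of the users in this list is not recorded; connect is not affected by this setting
server_audit_mode: identifies the version; used for development and testing
9. Uninstalling server_audit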
mysql> UNINSTALL PLUGIN server_audit;
mysql> show variables like '%audit%';
Empty set (0.00 sec)
To prevent the server_audit plugin from being uninstalled, add the following to the configuration file:
[mysqld]
server_audit=FORCE_PLUS_PERMANENT
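Restart MySQL for the change to take effect.
Note that this setting should be added only after the server_audit plugin has been installed and is already running; adding the option to the configuration file too early will cause MySQL to fail at startup!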
mysql> UNINSTALL PLUGIN server_audit;
ERROR 1702 (HY000): Plugin 'server_audit' is force_plus_permanent and can not be unloade
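The server_audit.log record shown in step 7 can be parsed and reviewed for activity such as the rejected UNINSTALL PLUGIN above. The following is an added example, not part of the original post; field names follow the MariaDB Audit Plugin's record layout, and the last three sample lines, the TAMPER pattern and the reason labels are assumptions made for illustration.

```python
import re
from datetime import datetime

# Field order of one server_audit file-output record.
FIELDS = ("timestamp", "serverhost", "username", "host", "connection_id",
          "query_id", "operation", "database", "object", "retcode")
# Statements that remove or reconfigure auditing itself (illustrative pattern).
TAMPER = re.compile(r"UNINSTALL\s+PLUGIN\s+server_audit|SET\s+GLOBAL\s+server_audit_", re.I)

def parse_line(line):
    """Parse one record; the quoted object field may hold commas and \\' escapes."""
    parts = line.rstrip("\n").split(",", 8)     # assumes fields 1-8 hold no commas
    if len(parts) != 9:
        raise ValueError("not a server_audit record: %r" % line)
    obj, _, retcode = parts[8].rpartition(",")  # retcode is always the last field
    if len(obj) >= 2 and obj[0] == obj[-1] == "'":
        obj = obj[1:-1].replace("\\'", "'")     # only the escape seen in the sample
    rec = dict(zip(FIELDS, parts[:8] + [obj, retcode]))
    rec["timestamp"] = datetime.strptime(rec["timestamp"], "%Y%m%d %H:%M:%S")
    rec["retcode"] = int(rec["retcode"])
    return rec

def findings(lines):
    """Return (reason, record) pairs a reviewer should look at."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if TAMPER.search(rec["object"]):
            out.append(("audit-tamper", rec))
        elif rec["operation"].endswith("CONNECT") and rec["retcode"] != 0:
            out.append(("failed-login", rec))
        elif rec["retcode"] != 0:
            out.append(("error", rec))
    return out

# First line is the record shown in step 7; the other three are constructed.
SAMPLE = [
    r"20170516 23:21:23,salt-master,audit_log_user,localhost,4,19,QUERY,,'show variables like \'%audit%\'',0",
    r"20170517 09:02:11,salt-master,app_user,10.0.0.5,7,31,QUERY,shop,'SELECT id, name FROM t WHERE note = \'a,b\'',0",
    r"20170517 09:05:40,salt-master,root,203.0.113.9,8,0,FAILED_CONNECT,,,1045",
    r"20170517 09:06:02,salt-master,root,localhost,9,40,QUERY,,'UNINSTALL PLUGIN server_audit',1702",
]

if __name__ == "__main__":
    for reason, rec in findings(SAMPLE):
        print(reason, rec["timestamp"], rec["username"], rec["host"], rec["retcode"], rec["object"])
```

Splitting each line on every comma would break the second sample record, whose query text itself contains commas; taking the first eight fields from the left and the return code from the right avoids that.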