This article uses the audit plugin from the mariadb-10.2.17 binary package, installed into MySQL 5.7.32, as the worked example.
Copy the server_audit.so plugin from mariadb-10.2.17 into the MySQL server's plugin directory, /usr/local/mysql/lib/plugin:
```shell
[root@db-read1 mariadb-10.2.17-linux-x86_64]# find ./ -name 'server_audit.so'
./lib/plugin/server_audit.so
[root@db-read1 mariadb-10.2.17-linux-x86_64]# pwd
/usr/local/mariadb-10.2.17-linux-x86_64
cp server_audit.so /usr/local/mysql/lib/plugin/
[root@db-stage1 plugin]# chmod +x server_audit.so
```
Enable it dynamically:
```sql
install plugin server_audit soname 'server_audit.so';
set global server_audit_file_path='/data/mysql/logs';
set global server_audit_events='connect,QUERY_DML_NO_SELECT,QUERY_DDL,QUERY_DCL,table';
set global server_audit_file_rotate_size=104857600;
set global server_audit_file_rotations=100;
set global server_audit_excl_users='root';
set global server_audit_logging=on;
```
To make the settings persistent, write them into the configuration file:
```
[root@db-stage1 ~]# grep server_audit /etc/my.cnf
##server_audit_incl_users=user01
##server_audit_events=connect,query
##server_audit_events=query
##server_audit_events=QUERY_DML
server_audit_events=connect,QUERY_DML_NO_SELECT,QUERY_DDL,QUERY_DCL,table
server_audit_logging=on
server_audit_file_path=/data/mysql/logs/server_audit.log
server_audit_file_rotate_size=100M
server_audit_file_rotations=100
```
server_audit_output_type: the log output type, either SYSLOG or FILE
server_audit_logging: turns auditing on or off
server_audit_events: the event types to record; several comma-separated values may be given (connect,query,table). If the query cache is enabled and a query is answered directly from it, no table record is written
server_audit_file_path: when server_audit_output_type is FILE, the file the log is written to; a directory may be given instead, and by default the log goes to server_audit.log in the data directory
server_audit_file_rotate_size: the maximum size of a log file
server_audit_file_rotations: the number of rotated log files to keep; 0 means the log is never rotated
server_audit_file_rotate_now: forces an immediate log rotation
server_audit_incl_users: the users whose activity is recorded; connect events are not affected by this variable, and it takes precedence over server_audit_excl_users
server_audit_syslog_facility: the syslog facility, LOG_USER by default
server_audit_syslog_ident: the ident string written as part of every syslog record
server_audit_syslog_info: an info string appended to every syslog record
server_audit_syslog_priority: the syslogd priority used for the records
server_audit_excl_users: the users whose activity is not recorded; connect events are not affected by this setting
server_audit_mode: identifies the version; used for development and testing
The QUERY_DML_NO_SELECT event type:
Similar to QUERY_DML, but doesn't log SELECT queries. (since version 1.4.4) (DO, CALL, LOAD DATA/XML, DELETE, INSERT, UPDATE, HANDLER and REPLACE statements)
Tested: with this setting only DML is audited:
only insert, update and delete are recorded; create, drop and alter statements are not.
The QUERY_DDL event type:
Similar to QUERY, but filters only DDL-type queries (CREATE, ALTER, DROP, RENAME and TRUNCATE statements—except CREATE/DROP [PROCEDURE / FUNCTION / USER] and RENAME USER (they're not DDL))
The QUERY_DCL event type:
Similar to QUERY, but filters only DCL-type queries (CREATE USER, DROP USER, RENAME USER, GRANT, REVOKE and SET PASSWORD statements)
The descriptions above come from the official documentation:
https://mariadb.com/kb/en/mariadb-audit-plugin-log-settings/
```
[root@db-stage1 ~]# tail -20f /data/mysql/logs/server_audit.log
20210305 12:46:57,db-stage1.jiaody.cn,root,localhost,3,7,QUERY,,'GRANT ALL PRIVILEGES ON *.* TO \'codeuser\'@\'172.%\' IDENTIFIED WITH \'mysql_native_password\' AS \'*9FAACACAD04A362EF0AF7AD66A5289A6FE21DA74\'',0
20210305 12:46:57,db-stage1.jiaody.cn,root,localhost,3,0,DISCONNECT,,,0
20210305 12:47:24,db-stage1.jiaody.cn,codeuser,172.17.0.206,4,0,CONNECT,,,0
20210305 12:47:27,db-stage1.jiaody.cn,root,localhost,2,0,DISCONNECT,,,0
20210305 12:47:50,db-stage1.jiaody.cn,codeuser,172.17.0.206,4,13,QUERY,,'create database test0001',0
20210305 12:52:49,db-stage1.jiaody.cn,codeuser,172.17.0.206,4,16,QUERY,test0001,'CREATE TABLE `test_event` (\n`id` int(8) NOT NULL AUTO_INCREMENT, \n`username` varchar(20) COLLATE utf8_unicode_ci NOT NULL,\n`password` varchar(20) COLLATE utf8_unicode_ci NOT NULL, \n`create_time` varchar(20) COLLATE utf8_unicode_ci NOT NULL,\nPRIMARY KEY (`id`) \n) ENGINE=innodb AUTO_INCREMENT=0 DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci',0
20210305 12:55:14,db-stage1.jiaody.cn,codeuser,172.17.0.206,4,17,QUERY,test0001,'insert into test_event(username,password,create_time) values("李四","tomcat",now())',0
20210305 12:55:52,db-stage1.jiaody.cn,codeuser,172.17.0.206,4,19,QUERY,test0001,'delete from test_event where id=1',0
20210305 12:56:03,db-stage1.jiaody.cn,codeuser,172.17.0.206,4,20,QUERY,test0001,'insert into test_event(username,password,create_time) values("李四","tomcat",now())',0
20210305 12:56:30,db-stage1.jiaody.cn,codeuser,172.17.0.206,4,21,QUERY,test0001,'update test_event set password=\'fox\' where id=1',0
20210305 12:57:51,db-stage1.jiaody.cn,codeuser,172.17.0.206,4,24,QUERY,test0001,'GRANT SELECT, INSERT, UPDATE ON `test`.`event` TO \'testuser\'@\'127.0.0.1\' IDENTIFIED WITH \'mysql_native_password\' AS \'<secret>\'',1142
20210305 12:58:55,db-stage1.jiaody.cn,codeuser,172.17.0.206,4,26,QUERY,test0001,'truncate table test_event',0
20210305 12:59:17,db-stage1.jiaody.cn,codeuser,172.17.0.206,4,27,QUERY,test0001,'insert into test_event(username,password,create_time) values("李四","tomcat",now())',0
20210305 12:59:30,db-stage1.jiaody.cn,codeuser,172.17.0.206,4,28,QUERY,test0001,'drop table test_event',0
20210305 12:59:50,db-stage1.jiaody.cn,codeuser,172.17.0.206,4,0,DISCONNECT,test0001,,0
```
Each record in the audit log has the following format:
[timestamp],[serverhost],[username],[host],[connectionid],[queryid],[operation],[database],[object],[retcode]
A matching record from the output above:
20210305 12:59:30,db-stage1.jiaody.cn,codeuser,172.17.0.206,4,28,QUERY,test0001,'drop table test_event',0
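As an added example (not code from the page or from the plugin project), the Python below parses records in the format above, handling the quoted object field, in which embedded quotes appear as \' and newlines as literal \n, and flags two things a reviewer of such a log wants to see: statements that failed (non-zero retcode, like the GRANT above) and DCL statements whose text carries password material into the audit trail, as the GRANT ... IDENTIFIED ... AS entries do. The hostnames, table and hash in the sample lines are constructed placeholders.

```python
import re
from collections import namedtuple

# Record layout documented above:
# [timestamp],[serverhost],[username],[host],[connectionid],[queryid],[operation],[database],[object],[retcode]
AuditRecord = namedtuple("AuditRecord", (
    "timestamp serverhost username host connectionid queryid operation database obj retcode"))

# Quoted object field: inner quotes are escaped as \' and newlines are a literal \n
QUOTED_OBJ_RE = re.compile(r"'((?:[^'\\]|\\.)*)',(\d+)$")
# DCL that copies password material (plaintext or hash) into the audit log
CREDENTIAL_RE = re.compile(r"\bIDENTIFIED\s+(?:WITH\s+\S+\s+AS|BY)\b", re.IGNORECASE)

def parse_record(line: str) -> AuditRecord:
    """Split one server_audit line; only the object field may contain commas."""
    parts = line.rstrip("\n").split(",", 8)   # 8 comma-free fields + "object,retcode"
    if len(parts) != 9:
        raise ValueError(f"malformed record: {line!r}")
    rest = parts[8]
    if rest.startswith("'"):                   # QUERY: statement text is quoted
        m = QUOTED_OBJ_RE.match(rest)
        if not m:
            raise ValueError(f"unterminated object field: {line!r}")
        obj, retcode = m.group(1).replace("\\'", "'").replace("\\n", "\n"), int(m.group(2))
    else:                                      # CONNECT/DISCONNECT/TABLE: unquoted, no commas
        obj, rc = rest.rsplit(",", 1); retcode = int(rc)
    ts, sh, user, host, cid, qid, op, db = parts[:8]
    return AuditRecord(ts, sh, user, host, int(cid), int(qid), op, db, obj, retcode)

def review(lines):
    """Return (record, reason) pairs a defender should look at."""
    findings = []
    for line in filter(str.strip, lines):
        rec = parse_record(line)
        if rec.retcode != 0:
            findings.append((rec, f"statement failed with retcode {rec.retcode}"))
        if rec.operation == "QUERY" and CREDENTIAL_RE.search(rec.obj):
            findings.append((rec, "credential material written to audit log"))
    return findings

# Constructed sample lines that mirror the page's log layout (not the page's own output).
SAMPLE_LOG = [
    "20210305 12:47:24,db-stage1.example,codeuser,172.17.0.206,4,0,CONNECT,,,0",
    r"20210305 12:47:50,db-stage1.example,codeuser,172.17.0.206,4,13,QUERY,,'create database test0001',0",
    r"20210305 12:52:49,db-stage1.example,codeuser,172.17.0.206,4,16,QUERY,test0001,'CREATE TABLE `t` (\n`id` int NOT NULL\n)',0",
    r"20210305 12:56:30,db-stage1.example,codeuser,172.17.0.206,4,21,QUERY,test0001,'update t set password=\'fox\' where id=1',0",
    r"20210305 12:57:51,db-stage1.example,codeuser,172.17.0.206,4,24,QUERY,test0001,'GRANT SELECT, INSERT ON `test`.`event` TO \'testuser\'@\'127.0.0.1\' IDENTIFIED WITH \'mysql_native_password\' AS \'<HASH-PLACEHOLDER>\'',1142",
    "20210305 12:59:50,db-stage1.example,codeuser,172.17.0.206,4,0,DISCONNECT,test0001,,0",
]
```

Pointing `review()` at the live server_audit.log makes the retcode and credential checks part of routine log review rather than something noticed only when reading the tail by hand.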
References:
https://www.cnblogs.com/1584779745qq/p/6479522.html
https://mp.weixin.qq.com/s/vNcTb7IR_LpYlcZf_Y-aAA
https://mariadb.com/kb/en/mariadb-audit-plugin-log-settings/