MySQL 5.7 Reference Manual
MySQL 5.7 Release Notes
This section describes how to install or uninstall MySQL Enterprise Audit, which is implemented using the audit log plugin and related elements described in Section 6.5.1, “Elements of MySQL Enterprise Audit”. For general information about installing plugins, see Installing and Uninstalling Plugins.
Important
Read this entire section before following its instructions. Parts of the procedure differ depending on your environment.
Note
If installed, the audit_log plugin involves
some minimal overhead even when disabled. To avoid this
overhead, do not install MySQL Enterprise Audit unless you plan to use it.
To be usable by the server, the plugin library file must be
located in the MySQL plugin directory (the directory named by
the plugin_dir system
variable). If necessary, configure the plugin directory location
by setting the value of
plugin_dir at server startup.
Note
The instructions here apply to MySQL 5.7.13 and later.
Also, prior to MySQL 5.7.13, MySQL Enterprise Audit consists only of the
audit_log plugin and includes none of the
other elements described in
Section 6.5.1, “Elements of MySQL Enterprise Audit”. As of MySQL 5.7.13, if
the audit_log plugin is already installed
from a version of MySQL prior to 5.7.13, uninstall it using
the following statement and restart the server before
installing the current version:
UNINSTALL PLUGIN audit_log;
To install MySQL Enterprise Audit, look in the share
directory of your MySQL installation and choose the script that
is appropriate for your platform. The available scripts differ
in the suffix used to refer to the plugin library file:
audit_log_filter_win_install.sql: Choose this script for Windows systems that use.dllas the file name suffix.audit_log_filter_linux_install.sql: Choose this script for Linux and similar systems that use.soas the file name suffix.
Run the script as follows. The example here uses the Linux installation script. Make the appropriate substitution for your system.
$> mysql -u root -p < audit_log_filter_linux_install.sql
Enter password: (enter root password here)
Note
Some MySQL versions have introduced changes to the structure of the MySQL Enterprise Audit tables. To ensure that your tables are up to date for upgrades from earlier versions of MySQL 5.7, run mysql_upgrade --force (which also performs any other needed updates). If you prefer to run the update statements only for the MySQL Enterprise Audit tables, see the following discussion.
As of MySQL 5.7.23, for new MySQL installations, the
USER and HOST columns in
the audit_log_user table used by MySQL Enterprise Audit
have definitions that better correspond to the definitions of
the User and Host
columns in the mysql.user system table. For
upgrades to 5.7.23 or higher of an installation for which
MySQL Enterprise Audit is already installed, it is recommended that you
alter the table definitions as follows:
ALTER TABLE mysql.audit_log_user
DROP FOREIGN KEY audit_log_user_ibfk_1;
ALTER TABLE mysql.audit_log_filter
ENGINE=InnoDB;
ALTER TABLE mysql.audit_log_filter
CONVERT TO CHARACTER SET utf8 COLLATE utf8_bin;
ALTER TABLE mysql.audit_log_user
ENGINE=InnoDB;
ALTER TABLE mysql.audit_log_user
CONVERT TO CHARACTER SET utf8 COLLATE utf8_bin;
ALTER TABLE mysql.audit_log_user
MODIFY COLUMN USER VARCHAR(32);
ALTER TABLE mysql.audit_log_user
ADD FOREIGN KEY (FILTERNAME) REFERENCES mysql.audit_log_filter(NAME);
As of MySQL 5.7.21, for a new installation of MySQL Enterprise Audit,
InnoDB is used instead of
MyISAM for the audit log tables. For
upgrades to 5.7.21 or higher of an installation for which
MySQL Enterprise Audit is already installed, it is recommended that you
alter the audit log tables to use InnoDB:
ALTER TABLE mysql.audit_log_user ENGINE=InnoDB;
ALTER TABLE mysql.audit_log_filter ENGINE=InnoDB;
Note
To use MySQL Enterprise Audit in the context of source/replica replication,
Group Replication, or InnoDB Cluster, you must use MySQL
5.7.21 or higher, and ensure that the audit log tables use
InnoDB as just described. Then you must
prepare the replica nodes prior to running the installation
script on the source node. This is necessary because the
INSTALL PLUGIN statement in the
script is not replicated.
On each replica node, extract the
INSTALL PLUGINstatement from the installation script and execute it manually.On the source node, run the installation script as described previously.
To verify plugin installation, examine the Information Schema
PLUGINS table or use the
SHOW PLUGINS statement (see
Obtaining Server Plugin Information). For example:
mysql> SELECT PLUGIN_NAME, PLUGIN_STATUS
FROM INFORMATION_SCHEMA.PLUGINS
WHERE PLUGIN_NAME LIKE 'audit%';
+-------------+---------------+
| PLUGIN_NAME | PLUGIN_STATUS |
+-------------+---------------+
| audit_log | ACTIVE |
+-------------+---------------+If the plugin fails to initialize, check the server error log for diagnostic messages.
After MySQL Enterprise Audit is installed, you can use the
--audit-log option for subsequent
server startups to control audit_log plugin
activation. For example, to prevent the plugin from being
removed at runtime, use this option:
[mysqld]
audit-log=FORCE_PLUS_PERMANENT
If it is desired to prevent the server from running without the
audit plugin, use --audit-log
with a value of FORCE or
FORCE_PLUS_PERMANENT to force server startup
to fail if the plugin does not initialize successfully.
Important
By default, rule-based audit log filtering logs no auditable events for any users. This differs from legacy audit log behavior (prior to MySQL 5.7.13), which logs all auditable events for all users (see Section 6.5.10, “Legacy Mode Audit Log Filtering”). Should you wish to produce log-everything behavior with rule-based filtering, create a simple filter to enable logging and assign it to the default account:
SELECT audit_log_filter_set_filter('log_all', '{ "filter": { "log": true } }');
SELECT audit_log_filter_set_user('%', 'log_all');
The filter assigned to % is used for
connections from any account that has no explicitly assigned
filter (which initially is true for all accounts).
Once installed as just described, MySQL Enterprise Audit remains installed until uninstalled. To remove it, execute the following statements:
DROP TABLE IF EXISTS mysql.audit_log_user;
DROP TABLE IF EXISTS mysql.audit_log_filter;
UNINSTALL PLUGIN audit_log;
DROP FUNCTION audit_log_filter_set_filter;
DROP FUNCTION audit_log_filter_remove_filter;
DROP FUNCTION audit_log_filter_set_user;
DROP FUNCTION audit_log_filter_remove_user;
DROP FUNCTION audit_log_filter_flush;
DROP FUNCTION audit_log_encryption_password_get;
DROP FUNCTION audit_log_encryption_password_set;
DROP FUNCTION audit_log_read;
DROP FUNCTION audit_log_read_bookmark;