- 6.5.2.1 Installing MySQL Enterprise Audit
- 6.5.2.2 MySQL Enterprise Audit Security Considerations
- 6.5.2.3 Audit Log File Formats
- 6.5.2.4 Audit Log Logging Control
- 6.5.2.5 Audit Log Filtering
- 6.5.2.6 Audit Log Option and Variable Reference
- 6.5.2.7 Audit Log Options and System Variables
- 6.5.2.8 Audit Log Restrictions
MySQL Enterprise Audit is an extension included in MySQL Enterprise Edition, a commercial product. To learn more about commercial products, see https://www.mysql.com/products/.
As of MySQL 5.5.28, MySQL Enterprise Edition includes MySQL Enterprise Audit, implemented using a server plugin named audit_log. MySQL Enterprise Audit uses the open MySQL Audit API to enable standard, policy-based monitoring and logging of connection and query activity executed on specific MySQL servers. Designed to meet the Oracle audit specification, MySQL Enterprise Audit provides an out-of-the-box, easy-to-use auditing and compliance solution for applications that are governed by both internal and external regulatory guidelines.
When installed, the audit plugin enables MySQL Server to produce a log file containing an audit record of server activity. The log contents include when clients connect and disconnect, and what actions they perform while connected, such as which databases and tables they access.
After you install the plugin (see Section 6.5.2.1, “Installing MySQL Enterprise Audit”), it writes an audit log file. By default, the file is named audit.log in the server data directory. To change the name of the file, set the audit_log_file system variable at server startup.
Audit log file contents are not encrypted. See Section 6.5.2.2, “MySQL Enterprise Audit Security Considerations”.
The audit log file is written in XML, with auditable events encoded as <AUDIT_RECORD> elements. To select the file format, set the audit_log_format system variable at server startup. For details on file format and contents, see Section 6.5.2.3, “Audit Log File Formats”.
To control what information the audit log plugin writes to its log file, set the audit_log_policy system variable. By default, this variable is set to ALL (write all auditable events), but also permits values of LOGINS or QUERIES to log only login or query events, or NONE to disable logging.
For more information about controlling how logging occurs, see Section 6.5.2.4, “Audit Log Logging Control”. For descriptions of the parameters used to configure the audit log plugin, see Section 6.5.2.7, “Audit Log Options and System Variables”.
If the audit log plugin is enabled, the Performance Schema (see Chapter 22, MySQL Performance Schema) has instrumentation for it. To identify the relevant instruments, use this query:
SELECT NAME FROM performance_schema.setup_instruments
WHERE NAME LIKE '%/alog/%';
Changes from Older MySQL Enterprise Audit Versions
Several changes were made to the audit log plugin in MySQL 5.5.34 for better compatibility with Oracle Audit Vault.
MySQL 5.7 changed audit log file output to a new format. This format has been backported to MySQL 5.5 and it is possible to select either the old or new format using the audit_log_format system variable, which has permitted values of OLD and NEW (default OLD). The two formats differ as follows:
- Information within <AUDIT_RECORD> elements written in the old format using attributes is written in the new format using subelements.
- The new format includes more information in <AUDIT_RECORD> elements. Every element includes a RECORD_ID value providing a unique identifier. The TIMESTAMP value includes time zone information. Query records include HOST, IP, OS_LOGIN, and USER information, as well as COMMAND_CLASS and STATUS_CODE values.
Example of old <AUDIT_RECORD> format:
<AUDIT_RECORD
TIMESTAMP="2013-09-15T15:27:27"
NAME="Query"
CONNECTION_ID="3"
STATUS="0"
SQLTEXT="SELECT 1"
/>
Example of new <AUDIT_RECORD> format:
<AUDIT_RECORD>
<TIMESTAMP>2013-09-15T15:27:27 UTC</TIMESTAMP>
<RECORD_ID>3998_2013-09-15T15:27:27</RECORD_ID>
<NAME>Query</NAME>
<CONNECTION_ID>3</CONNECTION_ID>
<STATUS>0</STATUS>
<STATUS_CODE>0</STATUS_CODE>
<USER>root[root] @ localhost [127.0.0.1]</USER>
<OS_LOGIN></OS_LOGIN>
<HOST>localhost</HOST>
<IP>127.0.0.1</IP>
<COMMAND_CLASS>select</COMMAND_CLASS>
<SQLTEXT>SELECT 1</SQLTEXT>
</AUDIT_RECORD>
When the audit log plugin rotates the audit log file, it uses a different file name format. For a log file named audit.log, the plugin previously renamed the file to audit.log.TIMESTAMP. The plugin now renames the file to audit.log.TIMESTAMP.xml to indicate that it is an XML file.
If you change the value of audit_log_format, use this procedure to avoid writing log entries in one format to an existing log file that contains entries in a different format:
1. Stop the server.
2. Rename the current audit log file manually.
3. Restart the server with the new value of audit_log_format. The audit log plugin will create a new log file, which will contain log entries in the selected format.
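The following Python code is an added example, not part of the MySQL manual. It reads both <AUDIT_RECORD> layouts shown above into one dictionary shape and flags a file that contains both formats, which is the situation the rename procedure prevents. The <AUDIT> root wrapper in the sample and all function names are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two records shown on this page, wrapped in a root
# element (assumed here so the text parses as one XML document).
SAMPLE = """<AUDIT>
<AUDIT_RECORD
  TIMESTAMP="2013-09-15T15:27:27"
  NAME="Query"
  CONNECTION_ID="3"
  STATUS="0"
  SQLTEXT="SELECT 1"
/>
<AUDIT_RECORD>
  <TIMESTAMP>2013-09-15T15:27:27 UTC</TIMESTAMP>
  <RECORD_ID>3998_2013-09-15T15:27:27</RECORD_ID>
  <NAME>Query</NAME>
  <CONNECTION_ID>3</CONNECTION_ID>
  <STATUS>0</STATUS>
  <STATUS_CODE>0</STATUS_CODE>
  <USER>root[root] @ localhost [127.0.0.1]</USER>
  <OS_LOGIN></OS_LOGIN>
  <HOST>localhost</HOST>
  <IP>127.0.0.1</IP>
  <COMMAND_CLASS>select</COMMAND_CLASS>
  <SQLTEXT>SELECT 1</SQLTEXT>
</AUDIT_RECORD>
</AUDIT>"""

def normalize(record):
    """Return (format, fields) for one <AUDIT_RECORD> element."""
    if len(record):  # has child elements: NEW format (subelements)
        return "NEW", {child.tag: (child.text or "") for child in record}
    return "OLD", dict(record.attrib)  # attributes only: OLD format

def parse_audit_log(xml_text):
    """Parse audit log text into a list of normalized event dicts."""
    events = []
    for record in ET.fromstring(xml_text).iter("AUDIT_RECORD"):
        fmt, fields = normalize(record)
        fields["_format"] = fmt
        events.append(fields)
    return events

def mixed_formats(events):
    """True if one file holds records in both OLD and NEW formats."""
    return len({e["_format"] for e in events}) > 1
```

Fields that exist only in the new format, such as RECORD_ID and IP, are simply absent from old-format events, so downstream checks should use `dict.get` rather than indexing.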
The API for writing audit plugins has also changed. The mysql_event_general structure has new members to represent client host name and IP address, command class, and external user. For more information, see Section 24.2.4.8, “Writing Audit Plugins”.