- 220.127.116.11 Installing the Audit Log Plugin
- 18.104.22.168 Audit Log Plugin Security Considerations
- 22.214.171.124 The Audit Log File
- 126.96.36.199 Audit Log Plugin Logging Control
- 188.8.131.52 Audit Log Plugin Option and Variable Reference
- 184.108.40.206 Audit Log Plugin Options and System Variables
- 220.127.116.11 Audit Log Plugin Status Variables
- 18.104.22.168 Audit Log Plugin Restrictions
MySQL Enterprise Audit is an extension included in MySQL Enterprise Edition, a commercial product. To learn more about commercial products, see http://www.mysql.com/products/.
As of MySQL 5.6.10, MySQL Enterprise Edition includes MySQL
Enterprise Audit, implemented using a server plugin named
audit_log. MySQL Enterprise Audit uses the open
MySQL Audit API to enable standard, policy-based monitoring and
logging of connection and query activity executed on specific
MySQL servers. Designed to meet the Oracle audit specification,
MySQL Enterprise Audit provides an out of box, easy to use
auditing and compliance solution for applications that are
governed by both internal and external regulatory guidelines.
When installed, the audit plugin enables MySQL Server to produce a log file containing an audit record of server activity. The log contents include when clients connect and disconnect, and what actions they perform while connected, such as which databases and tables they access.
After you install the plugin (see
Section 22.214.171.124, “Installing the Audit Log Plugin”), it writes an
audit log file. By default, the file is named
audit.log in the server data directory. To
change the name of the file, set the
audit_log_file system variable at
Audit log file contents are not encrypted. See Section 126.96.36.199, “Audit Log Plugin Security Considerations”.
The audit log file is written in XML, with auditable events
<AUDIT_RECORD> elements. To
select the file format, set the
audit_log_format system variable
at server startup. For details on file format and contents, see
Section 188.8.131.52, “The Audit Log File”.
To control what information
audit_log writes to
its log file, set the
audit_log_policy system variable.
By default, this variable is set to
all auditable events), but also permits values of
QUERIES to log
only login or query events, or
NONE to disable
For more information about controlling how logging occurs, see Section 184.108.40.206, “Audit Log Plugin Logging Control”. For descriptions of the parameters used to configure the audit log plugin, see Section 220.127.116.11, “Audit Log Plugin Options and System Variables”.
audit_log plugin is enabled, the
Performance Schema (see Chapter 22, MySQL Performance Schema) has
instrumentation for the audit log plugin. To identify the relevant
instruments, use this query:
SELECT NAME FROM performance_schema.setup_instruments WHERE NAME LIKE '%/alog/%';
Several changes were made to the audit log plugin in MySQL 5.6.14 for better compatibility with Oracle Audit Vault.
A new audit log file format was implemented. It is possible to
select either the old or new format using the
audit_log_format system variable,
which has permitted values of
OLD). The two
formats differ as follows:
<AUDIT_RECORD>elements written in the old format using attributes is written in the new format using subelements.
The new format includes more information in
<AUDIT_RECORD>elements. Every element includes a
RECORD_IDvalue providing a unique identifier. The
TIMESTAMPvalue includes time zone information. Query records include
USERinformation, as well as
Example of old
<AUDIT_RECORD TIMESTAMP="2013-09-15T15:27:27" NAME="Query" CONNECTION_ID="3" STATUS="0" SQLTEXT="SELECT 1" />
Example of new
<AUDIT_RECORD> <TIMESTAMP>2013-09-15T15:27:27 UTC</TIMESTAMP> <RECORD_ID>3998_2013-09-15T15:27:27</RECORD_ID> <NAME>Query</NAME> <CONNECTION_ID>3</CONNECTION_ID> <STATUS>0</STATUS> <STATUS_CODE>0</STATUS_CODE> <USER>root[root] @ localhost [127.0.0.1]</USER> <OS_LOGIN></OS_LOGIN> <HOST>localhost</HOST> <IP>127.0.0.1</IP> <COMMAND_CLASS>select</COMMAND_CLASS> <SQLTEXT>SELECT 1</SQLTEXT> </AUDIT_RECORD>
When the audit log plugin rotates the audit log file, it uses a
different file name format. For a log file named
audit.log, the plugin previously renamed the
The plugin now renames the file to
to indicate that it is an XML file.
If you change the value of
audit_log_format, use this
procedure to avoid writing log entries in one format to an
existing log file that contains entries in a different format:
Stop the server.
Rename the current audit log file manually.
Restart the server with the new value of
audit_log_format. The audit log plugin creates a new log file, which will contain log entries in the selected format.
The API for writing audit plugins has also changed. The
mysql_event_general structure has new members
to represent client host name and IP address, command class, and
external user. For more information, see
Section 18.104.22.168, “Writing Audit Plugins”.