NAME

The filter name.

FILTER

The filter definition associated with the filter name. Definitions are stored as JSON values.

USER

The user name part of an account. For an account user1@localhost, the USER part is user1.

HOST

The host name part of an account. For an account user1@localhost, the HOST part is localhost.

FILTERNAME

The name of the filter assigned to the account. The filter name associates the account with a filter defined in the audit_log_filter table.

audit_log_encryption_password_get([keyring_id])

This function fetches an audit log encryption password from the MySQL keyring, which must be enabled or an error occurs. Any keyring component or plugin can be used; for instructions, see Section 8.4.5, “The MySQL Keyring”.

With no argument, the function retrieves the current encryption password as a binary string. An argument may be given to specify which audit log encryption password to retrieve. The argument must be the keyring ID of the current password or an archived password.

For additional information about audit log encryption, see Encrypting Audit Log Files.

Arguments:

keyring_id: This optional argument indicates the keyring ID of the password to retrieve. The maximum permitted length is 766 bytes. If omitted, the function retrieves the current password.

Return value:

The password string for success (up to 766 bytes), or NULL and an error for failure.

Example:

Retrieve the current password:

mysql> SELECT audit_log_encryption_password_get();
+-------------------------------------+
| audit_log_encryption_password_get() |
+-------------------------------------+
| secret                              |
+-------------------------------------+

To retrieve a password by ID, you can determine which audit log keyring IDs exist by querying the Performance Schema keyring_keys table:

mysql> SELECT KEY_ID FROM performance_schema.keyring_keys
       WHERE KEY_ID LIKE 'audit_log%'
       ORDER BY KEY_ID;
+-----------------------------+
| KEY_ID                      |
+-----------------------------+
| audit_log-20190415T152248-1 |
| audit_log-20190415T153507-1 |
| audit_log-20190416T125122-1 |
| audit_log-20190416T141608-1 |
+-----------------------------+
mysql> SELECT audit_log_encryption_password_get('audit_log-20190416T125122-1');
+------------------------------------------------------------------+
| audit_log_encryption_password_get('audit_log-20190416T125122-1') |
+------------------------------------------------------------------+
| segreto                                                          |
+------------------------------------------------------------------+

audit_log_encryption_password_set(password)

Sets the current audit log encryption password to the argument and stores the password in the MySQL keyring. The password is stored as a utf8mb4 string. Previously, the password was stored in binary form.

If encryption is enabled, this function performs a log file rotation operation that renames the current log file, and begins a new log file encrypted with the password. The keyring must be enabled or an error occurs. Any keyring component or plugin can be used; for instructions, see Section 8.4.5, “The MySQL Keyring”.

For additional information about audit log encryption, see Encrypting Audit Log Files.

Arguments:

password: The password string. The maximum permitted length is 766 bytes.

Return value:

1 for success, 0 for failure.

Example:

mysql> SELECT audit_log_encryption_password_set(password);
+---------------------------------------------+
| audit_log_encryption_password_set(password) |
+---------------------------------------------+
| 1                                           |
+---------------------------------------------+

audit_log_filter_flush()

Calling any of the other filtering functions affects operational audit log filtering immediately and updates the audit log tables. If instead you modify the contents of those tables directly using statements such as INSERT, UPDATE, and DELETE, the changes do not affect filtering immediately. To flush your changes and make them operational, call audit_log_filter_flush().

If this function fails, an error message is returned and the audit log is disabled until the next successful call to audit_log_filter_flush().

Arguments:

None.

Return value:

A string that indicates whether the operation succeeded. OK indicates success. ERROR: message indicates failure.

Example:

mysql> SELECT audit_log_filter_flush();
+--------------------------+
| audit_log_filter_flush() |
+--------------------------+
| OK                       |
+--------------------------+

audit_log_filter_remove_filter(filter_name)

Given a filter name, removes the filter from the current set of filters. It is not an error for the filter not to exist.

If a removed filter is assigned to any user accounts, those users stop being filtered (they are removed from the audit_log_user table). Termination of filtering includes any current sessions for those users: They are detached from the filter and no longer logged.

Arguments:

Return value:

A string that indicates whether the operation succeeded. OK indicates success. ERROR: message indicates failure.

Example:

mysql> SELECT audit_log_filter_remove_filter('SomeFilter');
+----------------------------------------------+
| audit_log_filter_remove_filter('SomeFilter') |
+----------------------------------------------+
| OK                                           |
+----------------------------------------------+

audit_log_filter_remove_user(user_name)

Given a user account name, cause the user to be no longer assigned to a filter. It is not an error if the user has no filter assigned. Filtering of current sessions for the user remains unaffected. New connections for the user are filtered using the default account filter if there is one, and are not logged otherwise.

If the name is %, the function removes the default account filter that is used for any user account that has no explicitly assigned filter.

Arguments:

Return value:

A string that indicates whether the operation succeeded. OK indicates success. ERROR: message indicates failure.

Example:

mysql> SELECT audit_log_filter_remove_user('user1@localhost');
+-------------------------------------------------+
| audit_log_filter_remove_user('user1@localhost') |
+-------------------------------------------------+
| OK                                              |
+-------------------------------------------------+

audit_log_filter_set_filter(filter_name, definition)

Given a filter name and definition, adds the filter to the current set of filters. If the filter already exists and is used by any current sessions, those sessions are detached from the filter and are no longer logged. This occurs because the new filter definition has a new filter ID that differs from its previous ID.

Arguments:

Return value:

A string that indicates whether the operation succeeded. OK indicates success. ERROR: message indicates failure.

Example:

mysql> SET @f = '{ "filter": { "log": false } }';
mysql> SELECT audit_log_filter_set_filter('SomeFilter', @f);
+-----------------------------------------------+
| audit_log_filter_set_filter('SomeFilter', @f) |
+-----------------------------------------------+
| OK                                            |
+-----------------------------------------------+

audit_log_filter_set_user(user_name, filter_name)

Given a user account name and a filter name, assigns the filter to the user. A user can be assigned only one filter, so if the user was already assigned a filter, the assignment is replaced. Filtering of current sessions for the user remains unaffected. New connections are filtered using the new filter.

As a special case, the name % represents the default account. The filter is used for connections from any user account that has no explicitly assigned filter.

Arguments:

Return value:

A string that indicates whether the operation succeeded. OK indicates success. ERROR: message indicates failure.

Example:

mysql> SELECT audit_log_filter_set_user('user1@localhost', 'SomeFilter');
+------------------------------------------------------------+
| audit_log_filter_set_user('user1@localhost', 'SomeFilter') |
+------------------------------------------------------------+
| OK                                                         |
+------------------------------------------------------------+

audit_log_read([arg])

Reads the audit log and returns a JSON string result. If the audit log format is not JSON, an error occurs.

With no argument or a JSON hash argument, audit_log_read() reads events from the audit log and returns a JSON string containing an array of audit events. Items in the hash argument influence how reading occurs, as described later. Each element in the returned array is an event represented as a JSON hash, with the exception that the last element may be a JSON null value to indicate no following events are available to read.

With an argument consisting of a JSON null value, audit_log_read() closes the current read sequence.

For additional details about the audit log-reading process, see Section 8.4.7.6, “Reading Audit Log Component Files”.

Arguments:

To obtain a bookmark for the most recently written event, call audit_log_read_bookmark().

arg: The argument is optional. If omitted, the function reads events from the current position. If present, the argument can be a JSON null value to close the read sequence, or a JSON hash. Within a hash argument, items are optional and control aspects of the read operation such as the position at which to begin reading or how many events to read. The following items are significant (other items are ignored):

To specify a starting position to audit_log_read(), pass a hash argument that includes either a start item or a bookmark consisting of timestamp and id items. If a hash argument includes both a start item and a bookmark, an error occurs.

If a hash argument specifies no starting position, reading continues from the current position.

If a timestamp value includes no time part, a time part of 00:00:00 is assumed.

Return value:

If the call succeeds, the return value is a JSON string containing an array of audit events, or a JSON null value if that was passed as the argument to close the read sequence. If the call fails, the return value is NULL and an error occurs.

Example:

mysql> SELECT audit_log_read(audit_log_read_bookmark());
+-----------------------------------------------------------------------+
| audit_log_read(audit_log_read_bookmark())                             |
+-----------------------------------------------------------------------+
| [ {"timestamp":"2020-05-18 22:41:24","id":0,"class":"connection", ... |
+-----------------------------------------------------------------------+
mysql> SELECT audit_log_read('null');
+------------------------+
| audit_log_read('null') |
+------------------------+
| null                   |
+------------------------+

audit_log_read_bookmark()

Returns a JSON string representing a bookmark for the most recently written audit log event. If the audit log format is not JSON, an error occurs.

The bookmark is a JSON hash with timestamp and id items that uniquely identify the position of an event within the audit log. It is suitable for passing to audit_log_read() to indicate to that function the position at which to begin reading.

For additional details about the audit log-reading process, see Section 8.4.7.6, “Reading Audit Log Component Files”.

Arguments:

None.

Return value:

A JSON string containing a bookmark for success, or NULL and an error for failure.

Example:

mysql> SELECT audit_log_read_bookmark();
+-------------------------------------------------+
| audit_log_read_bookmark()                       |
+-------------------------------------------------+
| { "timestamp": "2019-10-03 21:03:44", "id": 0 } |
+-------------------------------------------------+

audit_log_rotate()

Arguments:

None.

Return value:

The renamed file name.

Example:

mysql> SELECT audit_log_rotate();

Using audit_log_rotate() requires the AUDIT_ADMIN privilege.

--audit-log[=value]

This option controls how the server loads the audit_log component at startup. It is available only if the component has been previously registered with INSTALL COMPONENT. See Section 8.4.7.2, “Installing or Uninstalling MySQL Enterprise Audit with The Audit Log Component”.

The option value should be one of those available for component-loading options, as described in Section 7.5.1, “Installing and Uninstalling Components”. For example, --audit-log=FORCE_PLUS_PERMANENT tells the server to load the component and prevent it from being removed while the server is running.

audit_log.buffer_size

When the audit log component writes events to the log asynchronously, it uses a buffer to store event contents prior to writing them. This variable controls the size of that buffer, in bytes. The server adjusts the value to a multiple of 4096. The component uses a single buffer, which it allocates when it initializes and removes when it terminates. The component allocates this buffer only if logging is asynchronous.

audit_log.compression

The type of compression for the audit log file. Permitted values are NONE (no compression; the default) and GZIP (GNU Zip compression). For more information, see Compressing Audit Log Files.

audit_log.database

Specifies which database the audit_log component uses to find its tables. This variable is read only. For more information, see Section 8.4.7.2, “Installing or Uninstalling MySQL Enterprise Audit with The Audit Log Component”).

audit_log.disable

Permits disabling audit logging for all connecting and connected sessions. In addition to the SYSTEM_VARIABLES_ADMIN privilege, disabling audit logging requires the AUDIT_ADMIN privilege. See Section 8.4.7.9, “Disabling Audit Logging for Audit Log Component”.

audit_log.encryption

The type of encryption for the audit log file. Permitted values are NONE (no encryption; the default) and AES (AES-256-CBC cipher encryption). For more information, see Encrypting Audit Log Files.

audit_log.file

The base name and suffix of the file to which the audit log component writes events. The default value is audit.log, regardless of logging format.

If the value of audit_log.file is a relative path name, the component interprets it relative to the data directory. If the value is a full path name, the component uses the value as is. A full path name may be useful if it is desirable to locate audit files on a separate file system or directory. For security reasons, write the audit log file to a directory accessible only to the MySQL server and to users with a legitimate reason to view the log.

For details about how the audit log component interprets the audit_log.file value and the rules for file renaming that occurs at component or plugin initialization and termination, see Naming Conventions for Audit Log Files.

The audit log component uses the directory containing the audit log file (determined from the audit_log.file value) as the location to search for readable audit log files. From these log files and the current file, the component constructs a list of the ones that are subject to use with the audit log bookmarking and reading functions. See Section 8.4.7.6, “Reading Audit Log Component Files”.

audit_log.flush_interval_seconds

This system variable depends on the scheduler component, which must be installed and enabled (see Section 7.5.5, “Scheduler Component”). To check the status of the component:

SHOW VARIABLES LIKE 'component_scheduler%';
+-----------------------------+-------+
| Variable_name               | Value |
+-----------------------------+-------|
| component_scheduler.enabled | On    |
+-----------------------------+-------+

When audit_log.flush_interval_seconds has a value of zero (the default), no automatic refresh of the privileges occurs, even if the scheduler component is enabled (ON).

Values between 0 and 60 (1 to 59) are not acknowledged; instead, these values adjust to 60 automatically and the server emits a warning. Values greater than 60 define the number of seconds the scheduler component waits from startup, or from the beginning of the previous execution, until it attempts to schedule another execution.

To persist this global system variable to the mysqld-auto.cnf file without setting the global variable runtime value, precede the variable name by the PERSIST_ONLY keyword or the @@PERSIST_ONLY. qualifier.

audit_log.format_unix_timestamp

Enabling this variable causes each log file record to include a time field. The field value is an integer that represents the UNIX timestamp value indicating the date and time when the audit event was generated.

Changing the value of this variable at runtime causes log file rotation so that, for a given log file, all records in the file either do or do not include the time field.

Setting the runtime value of audit_log.format_unix_timestamp requires the AUDIT_ADMIN privilege, in addition to the SYSTEM_VARIABLES_ADMIN privilege (or the deprecated SUPER privilege) normally required to set a global system variable runtime value.

audit_log.max_size

audit_log.max_size pertains to audit log file pruning. It controls pruning based on combined log file size:

If you set audit_log.max_size to a value that is not a multiple of 4096, it is truncated to the nearest multiple. In particular, setting it to a value less than 4096 sets it to 0 and no size-based pruning occurs.

If both audit_log.max_size and audit_log.rotate_on_size are greater than 0, audit_log.max_size should be more than 7 times the value of audit_log.rotate_on_size. Otherwise, a warning is written to the server error log because in this case the “granularity” of size-based pruning may be insufficient to prevent removal of all or most rotated log files each time it occurs.

audit_log.password_history_keep_days

The audit log component implements log file encryption using encryption passwords stored in the MySQL keyring (see Encrypting Audit Log Files). The component also implements password history, which includes password archiving and expiration (removal).

When the audit log component creates a new encryption password, it archives the previous password, if one exists, for later use. The audit_log.password_history_keep_days variable controls automatic removal of expired archived passwords. Its value indicates the number of days after which archived audit log encryption passwords are removed. The default of 0 disables password expiration: the password retention period is forever.

New audit log encryption passwords are created under these circumstances:

In each case, the component stores the new password in the key ring and uses it to encrypt new log files.

Removal of expired audit log encryption passwords occurs under these circumstances:

When password removal occurs, the current value of audit_log.password_history_keep_days determines which passwords to remove:

If you normally leave password expiration disabled (that is, audit_log.password_history_keep_days has a value of 0), it is possible to perform an on-demand cleanup operation by temporarily assigning the variable a value greater than zero. For example, to expire passwords older than 365 days, do this:

SET GLOBAL audit_log_password_history_keep_days = 365;
SET GLOBAL audit_log_password_history_keep_days = 0;

Setting the runtime value of audit_log.password_history_keep_days requires the AUDIT_ADMIN privilege, in addition to the SYSTEM_VARIABLES_ADMIN privilege (or the deprecated SUPER privilege) normally required to set a global system variable runtime value.

audit_log.prune_seconds

audit_log.prune_seconds controls pruning based on log file age:

audit_log.read_buffer_size

The buffer size for reading from the audit log file, in bytes. The audit_log_read() function reads no more than this many bytes. For more information, see Section 8.4.7.6, “Reading Audit Log Component Files”.

This variable has a default of 32KB and can be set at runtime. Each client should set its session value of audit_log.read_buffer_size appropriately for its use of audit_log_read().

audit_log.rotate_on_size

If audit_log.rotate_on_size is 0, the audit log component does not perform automatic size-based log file rotation. If rotation is to occur, you must perform it manually; see Manual Audit Log File Rotation.

If audit_log.rotate_on_size is greater than 0, automatic size-based log file rotation occurs. Whenever a write to the log file causes its size to exceed the audit_log.rotate_on_size value, the audit log component renames the current log file and opens a new current log file using the original name.

If you set audit_log.rotate_on_size to a value that is not a multiple of 4096, it is truncated to the nearest multiple. In particular, setting it to a value less than 4096 sets it to 0 and no rotation occurs, except manually.

audit_log.strategy

The logging method used by the audit log component. These strategy values are permitted:

audit_log.current_size

The size of the current audit log file. The value increases when an event is written to the log and is reset to 0 when the log is rotated.

audit_log.event_max_drop_size

The size of the largest dropped event in performance logging mode. For a description of logging modes, see Section 8.4.7.5, “Configuring Audit Logging Characteristics for Audit Log Component”.

audit_log.events

The number of events handled by the audit log component, whether or not they were written to the log based on filtering policy (see Section 8.4.7.5, “Configuring Audit Logging Characteristics for Audit Log Component”).

audit_log.events_buffered

The number of buffered events the writing thread is waiting to write. This variable is only used for the ASYNCHRONOUS strategy.

audit_log.events_direct_writes

When the audit log component writes events to the audit log, it uses a buffer to store event contents prior to writing them. If the query length is greater than the size of the buffer, then the component writes the event directly to the log, bypassing the buffer. This variable shows the number of direct writes. The component determines the count based on the current write strategy in use (see audit_log.strategy).

audit_log.events_filtered

The number of events handled by the audit log component that were filtered (not written to the log) based on filtering policy (see Section 8.4.7.5, “Configuring Audit Logging Characteristics for Audit Log Component”).

audit_log.events_lost

The number of events lost in performance logging mode because an event was larger than the available audit log buffer space. This value may be useful for assessing how to set audit_log.buffer_size to size the buffer for performance mode. For a description of logging modes, see Section 8.4.7.5, “Configuring Audit Logging Characteristics for Audit Log Component”.

audit_log.events_written

The number of events written to the audit log.

audit_log.filter_id

The session value of this variable indicates the internally maintained ID of the audit filter for the current session. A value of 0 means that the session has no filter assigned.

audit_log.total_size

The total size of events written to all audit log files. Unlike audit_log.current_size, the value of audit_log.total_size increases even when the log is rotated.

audit_log.write_waits

The number of times an event had to wait for space in the audit log buffer in asynchronous logging mode. For a description of logging modes, see Section 8.4.7.5, “Configuring Audit Logging Characteristics for Audit Log Component”.