mariadb 的审计日志和mysql审计日志都是使用插件形式使用。
目前mysql企业版支持审计日志功能,percona公司的插件可替代该插件(网络了解mysql社区版可使用percona的审计插件,本人尚未实验测试。)
本次实验基于mariadb开启审计日志。
1.mariadb版本:mariadb10.1.19 在官方下载的二进制包中包含审计日志插件。
2.查看数据库是否安装插件:
SHOW VARIABLES LIKE '%plugin_dir%';
看到此数据库已安装审计插件,卸载插件重新安装。
3.卸载插件
MariaDB [(none)]> UNINSTALL PLUGIN server_audit;
ERROR 1702 (HY000): Plugin 'server_audit' is force_plus_permanent and can not be unloaded
卸载插件报错,需要修改参数。
server_audit=FORCE_PLUS_PERMANENT
参数防止删除该插件参数。实验中可重启DB,实际生产中需谨慎操作。
vi /etc/my.cnf
#+#audit
#plugin_load=server_audit
#server_audit_events=connect,query_dml,query_ddl
#server_audit=FORCE_PLUS_PERMANENT
#server_audit_file_rotate_size = 128M
#server_audit_logging = ON
#server_audit_file_path=/data01/mysql/log3306/server_audit.log
#sysdate_is_now = 1
重启mysql:
卸载成功。
MariaDB [(none)]> unINSTALL PLUGIN server_audit;
ERROR 1305 (42000): PLUGIN server_audit does not exist
MariaDB [(none)]> show variables like '%audit%';
Empty set (0.00 sec)
4.安装插件:
MariaDB [(none)]> INSTALL PLUGIN server_audit SONAME 'libaudit_plugin.so';
ERROR 1127 (HY000): Can't find symbol 'server_audit' in library
安装报错:
原因未找到,还原my.cnf的配置文件注释,并重启mysql。
plugin_load=server_audit
server_audit_events=connect,query_dml,query_ddl
server_audit=FORCE_PLUS_PERMANENT
server_audit_file_rotate_size = 128M
server_audit_logging = ON
server_audit_file_path=/data01/mysql/log3306/server_audit.log
sysdate_is_now = 1
发现再次安装:
MariaDB [(none)]> INSTALL PLUGIN server_audit SONAME 'libaudit_plugin.so';
ERROR 1968 (HY000): Plugin 'server_audit' already installed
MariaDB [(none)]> INSTALL PLUGIN server_audit SONAME 'libaudit_plugin.so';
ERROR 1968 (HY000): Plugin 'server_audit' already installed
Now,恐怖了。目前问题是,如果不注释配置文件,那么不能停止server_audit
+---------+------+----------------------------------------------------+
| Level | Code | Message |
+---------+------+----------------------------------------------------+
| Warning | 1620 | Plugin is busy and will be uninstalled on shutdown |
+---------+------+----------------------------------------------------+
注释掉安装找不到:Can't find symbol 'server_audit' in library
5.错误解决:
原因:安装的语法不正确。
注释掉审计日志的参数后,重启mysql
安装审计插件:
MariaDB [(none)]> show variables like '%audit%';
Empty set (0.00 sec)
MariaDB [(none)]> INSTALL PLUGIN server_audit SONAME 'server_audit.so';
Query OK, 0 rows affected (0.01 sec)
MariaDB [(none)]> show variables like '%audit%';
+-------------------------------+-----------------------+
| Variable_name | Value |
+-------------------------------+-----------------------+
| server_audit_events | |
| server_audit_excl_users | |
| server_audit_file_path | server_audit.log |
| server_audit_file_rotate_now | OFF |
| server_audit_file_rotate_size | 1000000 |
| server_audit_file_rotations | 9 |
| server_audit_incl_users | |
| server_audit_logging | OFF |
| server_audit_mode | 0 |
| server_audit_output_type | file |
| server_audit_query_log_limit | 1024 |
| server_audit_syslog_facility | LOG_USER |
| server_audit_syslog_ident | mysql-server_auditing |
| server_audit_syslog_info | |
| server_audit_syslog_priority | LOG_INFO |
+-------------------------------+-----------------------+
15 rows in set (0.01 sec)
此时审计日志参数均为空,可以通过设置全局动态参数生效,此处为了重启mysql后依然生效,笔者使用修改my.cnf参数进行配置审计日志参数,即取消注销参数。
plugin_load=server_audit
server_audit_events=connect,query_dml,query_ddl
server_audit=FORCE_PLUS_PERMANENT
server_audit_file_rotate_size = 128M
server_audit_logging = ON
server_audit_file_path=/data01/mysql/log3306/server_audit.log
sysdate_is_now = 1
重启mysql;安装完毕,大家千万不要像笔者这样粗心大意,文章较为混乱,望读者谨慎参考。
注:INSTALL PLUGIN audit_log SONAME 'audit_log.so'; 为mysql安装审计日志语句。