文章目錄
數據庫審計方案簡介和功能對比
通過數據庫審計的功能,用戶可以準實時的掌握當前服務器的運行狀況,包括:熱點表,熱點數據,用戶訪問情況,請求方式,數據庫響應時間,客戶端來源IP等。阿里雲在前段時間也上架了自己的SQL審計產品,供用戶選擇購買此項服務。實現數據庫審計的方式也是多種多樣,包括:MySQL普通/慢日誌,數據庫審計插件,網絡捕獲。本文將會對這些方式進行功能上的詳細對比。
1. MySQL自帶日誌功能
MySQL可以通過開啓普通日誌,或者將慢日誌開啓的方式進行審計。
1.1 普通日誌
開啓普通日誌來進行SQL審計的方式非常簡單,這是MySQL所有分支都支持的功能,如下:
set global general_log=1;
general log可以選擇保存在文件中,也可以選擇保存在表中,可以通過如下參數進行設置:
log_output = 'file' //報存在文件中
log_output = 'table' //保存到表中
在文件中的輸出格式爲
2019-06-12T14:25:54.306179+08:00 4620 Query SELECT c FROM sbtest1 WHERE id=8866695
2019-06-12T14:25:54.306223+08:00 4622 Query SELECT c FROM sbtest1 WHERE id=9972289
2019-06-12T14:25:54.306274+08:00 4667 Query DELETE FROM sbtest1 WHERE id=10090252
2019-06-12T14:25:54.304255+08:00 4644 Query SELECT c FROM sbtest1 WHERE id=9977380
2019-06-12T14:25:54.305245+08:00 4638 Query SELECT c FROM sbtest1 WHERE id=10008275
2019-06-12T14:25:54.306325+08:00 4630 Query SELECT c FROM sbtest1 WHERE id=10044671
2019-06-12T14:25:54.305315+08:00 4616 Query SELECT SUM(K) FROM sbtest1 WHERE id BETWEEN 10031041 AND 10031140
2019-06-12T14:25:54.306345+08:00 4615 Query SELECT c FROM sbtest1 WHERE id BETWEEN 14539431 AND 14539530 ORDER BY c
2019-06-12T14:25:54.306360+08:00 4614 Query SELECT c FROM sbtest1 WHERE id=9953983
2019-06-12T14:25:54.306373+08:00 4646 Query SELECT c FROM sbtest1 WHERE id=10098988
在表中的輸出格式爲
mysql> select * from general_log limit 100,10;
+----------------------------+-------------------------------------+-----------+-----------+--------------+-----------------------------------------+
| event_time | user_host | thread_id | server_id | command_type | argument |
+----------------------------+-------------------------------------+-----------+-----------+--------------+-----------------------------------------+
| 2019-05-22 11:28:23.640542 | [sysbench] @ [100.110.0.8] | 127625 | 11013308 | Connect | [email protected] on d1 using TCP/IP |
| 2019-05-22 11:28:23.640549 | [sysbench] @ [100.110.0.8] | 127623 | 11013308 | Connect | [email protected] on d1 using TCP/IP |
| 2019-05-22 11:28:23.640573 | sysbench[sysbench] @ [100.110.0.8] | 127569 | 11013308 | Query | BEGIN |
| 2019-05-22 11:28:23.640585 | sysbench[sysbench] @ [100.110.0.8] | 127571 | 11013308 | Query | BEGIN |
| 2019-05-22 11:28:23.640565 | [sysbench] @ [100.110.0.8] | 127626 | 11013308 | Connect | [email protected] on d1 using TCP/IP |
| 2019-05-22 11:28:23.640574 | [sysbench] @ [100.110.0.8] | 127627 | 11013308 | Connect | [email protected] on d1 using TCP/IP |
| 2019-05-22 11:28:23.640589 | [sysbench] @ [100.110.0.8] | 127629 | 11013308 | Connect | [email protected] on d1 using TCP/IP |
| 2019-05-22 11:28:23.640598 | [sysbench] @ [100.110.0.8] | 127628 | 11013308 | Connect | [email protected] on d1 using TCP/IP |
| 2019-05-22 11:28:23.640639 | sysbench[sysbench] @ [100.110.0.8] | 127554 | 11013308 | Query | SELECT c FROM sbtest1 WHERE id=10801288 |
| 2019-05-22 11:28:23.640639 | sysbench[sysbench] @ [100.110.0.8] | 127560 | 11013308 | Query | SELECT c FROM sbtest1 WHERE id=9712647 |
+----------------------------+-------------------------------------+-----------+-----------+--------------+-----------------------------------------+
1.2 通過慢日誌
慢日誌本身的目的是爲了記錄存在性能問題的SQL,但是通過參數設置也可以用來進行審計的功能,如下:
set global min_examined_row_limit = 0;
set global log_queries_not_using_indexes=on;
set global long_query_time=0;
set global log_slow_admin_statements = 0;
set global slow_query_log = on;
輸出日誌格式爲:
# Time: 2019-06-17T10:34:58.064103+08:00
# User@Host: root[root] @ localhost [] Id: 7
# Query_time: 0.000534 Lock_time: 0.000216 Rows_sent: 1 Rows_examined: 1
SET timestamp=1560738898;
select * from test_order_by_limit limit 1;
# Time: 2019-06-17T10:34:59.668562+08:00
# User@Host: root[root] @ localhost [] Id: 7
# Query_time: 0.000726 Lock_time: 0.000235 Rows_sent: 10 Rows_examined: 10
SET timestamp=1560738899;
select * from test_order_by_limit limit 10;
2. 數據庫插件形式
通過MySQL插件,進行用戶操作的審計,包括Oracle MySQL企業版,MariaDB/Percona分支中的審計插件。
2.1 Oracle MySQL 企業版審計插件
//安裝
install plugin audit_log soname 'audit_log.so';
提供的參數(最新版本可能添加了更多的參數)
mysql> show global variables like '%audit%';
+-----------------------------+--------------+
| Variable_name | Value |
+-----------------------------+--------------+
| audit_log_buffer_size | 1048576 |
| audit_log_connection_policy | ALL |
| audit_log_current_session | OFF |
| audit_log_exclude_accounts | |
| audit_log_file | audit.log |
| audit_log_flush | OFF |
| audit_log_format | NEW |
| audit_log_include_accounts | |
| audit_log_policy | ALL |
| audit_log_rotate_on_size | 0 |
| audit_log_statement_policy | ALL |
| audit_log_strategy | ASYNCHRONOUS |
+-----------------------------+--------------+
12 rows in set (0.00 sec)
目前下載到的版本的記錄的數據格式爲xml形式,如下:
<AUDIT_RECORD>
<TIMESTAMP>2019-06-13T01:47:55 UTC</TIMESTAMP>
<RECORD_ID>138_2019-06-13T01:23:29</RECORD_ID>
<NAME>Query</NAME>
<CONNECTION_ID>1912</CONNECTION_ID>
<STATUS>0</STATUS>
<STATUS_CODE>0</STATUS_CODE>
<USER>sysbench[sysbench] @ [100.110.0.8]</USER>
<OS_LOGIN/>
<HOST/>
<IP>100.110.0.8</IP>
<COMMAND_CLASS>select</COMMAND_CLASS>
<SQLTEXT>SELECT c FROM sbtest1 WHERE id=11469792</SQLTEXT>
</AUDIT_RECORD>
2.2 Percona插件
Percona的MySQL分支中自帶了審計插件,但是測試發現,其並不兼容Oracle MySQL,所以本文不在過多描述。
2.3 MariaDB插件
MariaDB的審計插件是完全兼容Oracle MySQL版本的。可以通過如下命令進行插件安裝:
mysql> install plugin server_audit soname 'server_audit.so';
Query OK, 0 rows affected (0.00 sec)
通過全局變量控制是否開啓審計日誌
set global server_audit_logging = ON;
日誌默認輸出到datadir下,格式爲
20190612 14:45:27,100-110-0-9,sysbench,100.110.0.8,4726,74697,QUERY,d1,'SELECT c FROM sbtest1 WHERE id BETWEEN 10094876 AND 10094975',0
20190612 14:45:27,100-110-0-9,sysbench,100.110.0.8,4751,74723,QUERY,d1,'SELECT c FROM sbtest1 WHERE id=10036027',0
20190612 14:45:27,100-110-0-9,sysbench,100.110.0.8,4768,74750,QUERY,d1,'SELECT c FROM sbtest1 WHERE id=10089548',0
20190612 14:45:27,100-110-0-9,sysbench,100.110.0.8,4718,74628,QUERY,d1,'SELECT DISTINCT c FROM sbtest1 WHERE id BETWEEN 9975155 AND 9975254 ORDER BY c',0
20190612 14:45:27,100-110-0-9,sysbench,100.110.0.8,4752,74680,QUERY,d1,'SELECT SUM(K) FROM sbtest1 WHERE id BETWEEN 10054577 AND 10054676',0
20190612 14:45:27,100-110-0-9,sysbench,100.110.0.8,4753,74728,QUERY,d1,'SELECT c FROM sbtest1 WHERE id=7355484',0
20190612 14:45:27,100-110-0-9,sysbench,100.110.0.8,4773,74755,QUERY,d1,'SELECT c FROM sbtest1 WHERE id=10081613',0
20190612 14:45:27,100-110-0-9,sysbench,100.110.0.8,4751,74757,QUERY,d1,'SELECT c FROM sbtest1 WHERE id=9982230',0
20190612 14:45:27,100-110-0-9,sysbench,100.110.0.8,4727,74734,QUERY,d1,'SELECT c FROM sbtest1 WHERE id=10077292',0
20190612 14:45:27,100-110-0-9,sysbench,100.110.0.8,4749,74691,QUERY,d1,'SELECT c FROM sbtest1 WHERE id=10059306',0
20190612 14:45:27,100-110-0-9,sysbench,100.110.0.8,4741,74711,QUERY,d1,'UPDATE sbtest1 SET k=k+1 WHERE id=10148860',0
3. 旁路機制
通過抓取網絡請求,再根據MySQL協議解析出想要的數據。
3.1 vc-mysql-sniffer
這是一家位於美國華盛頓的數據庫性能監控服務公司提供的產品,並不開源,但是二進制版本的程序可以在官網下載使用。
使用方式
./vc-mysql-sniffer -binding="[::]:13308" -show-database-changes="true" -output="/data/sniffer.log"
其功能是捕獲MySQL的網絡數據包,並解析成SQL語句,可以報存在文件中。
其輸出的日誌格式如下
# Time: 052319 10:32:53.354677
# User@Host: unknown_user[unknown_user] @ 100.110.0.8:63967 []
# Query_time: 0.000000
USE `unknown_database`
他們有配套的dashboard用來展示監控數據,但是官網沒有提供下載。
3.2 奇虎360開源產品mysql-sniffer
MySQL Sniffer 是一個基於 MySQL 協議的抓包工具,實時抓取 MySQLServer 端或 Client 端請求,並格式化輸出。輸出內容包括訪問時間、訪問用戶、來源 IP、訪問 Database、命令耗時、返回數據行數、執行語句等。有批量抓取多個端口,後臺運行,日誌分割等多種使用方式,操作便捷,輸出友好。
如下:
mysql-sniffer -i eth0 -p 3306
2017-02-23 14:47:45 testuser 10.xx.xx.xx NULL 0ms 1 select @@version_comment limit 1
2017-02-23 14:47:45 testuser 10.xx.xx.xx NULL 0ms 1 select USER()
2017-02-23 14:47:48 testuser 10.xx.xx.xx NULL 0ms 13 show databases
2017-02-23 14:47:51 testuser 10.xx.xx.xx NULL 0ms 1 SELECT DATABASE()
2017-02-23 14:47:51 testuser 10.xx.xx.xx mysql 0ms 0 use mysql
2017-02-23 14:47:53 testuser 10.xx.xx.xx mysql 0ms 29 show tables
2017-02-23 14:47:54 testuser 10.xx.xx.xx mysql 0ms 1 select 1
2017-02-23 14:48:01 testuser1 10.xx.xx.xx NULL 0ms 0 set autocommit=1
2017-02-23 14:48:01 testuser1 10.xx.xx.xx NULL 0ms 0 set autocommit=1
4. 功能對比
方式 | 數據格式 | 是否開源 | 是否記錄SQL時間消耗 | 是否記錄用戶 | 是否記錄來源IP | 是否記錄數據庫 | 是否記錄錯誤 |
---|---|---|---|---|---|---|---|
general log | 文本 | 是 | 否 | 是 | 是 | 否 | 否 |
slow log | 文本 | 是 | 是 | 是 | 是 | 否 | 否 |
Oracle企業版審計插件 | xml/json | 否 | 否 | 是 | 是 | 否 | 是 |
MariaDB審計插件 | 文本字符串 | 是 | 否 | 是 | 是 | 是 | 是 |
vc-mysql-sniffer | 文本 | 否 | 是 | 是* | 是 | 是 | 否 |
奇虎360 mysql-sniffer | 文本 | 是 | 是 | 是* | 是 | 是 | 否 |