MariaDB Auditing

Unlike MySQL, the MariaDB audit plugin does not have to be downloaded separately; it can be installed directly.

MariaDB [(none)]> INSTALL PLUGIN server_audit SONAME 'server_audit';
View the installed plugins:
MariaDB [(none)]> show plugins;
+--------------------------------+--------+--------------------+-----------------+---------+
| Name                           | Status | Type               | Library         | License |
+--------------------------------+--------+--------------------+-----------------+---------+
...
| SERVER_AUDIT                   | ACTIVE | AUDIT              | server_audit.so | GPL     |
+--------------------------------+--------+--------------------+-----------------+---------+

Variables created after a successful installation:

MariaDB [(none)]> show variables like '%audit%';
+-------------------------------+-----------------------+
| Variable_name                 | Value                 |
+-------------------------------+-----------------------+
| server_audit_events           |                       |
| server_audit_excl_users       |                       |
| server_audit_file_path        | server_audit.log      |
| server_audit_file_rotate_now  | OFF                   |
| server_audit_file_rotate_size | 1000000               |
| server_audit_file_rotations   | 9                     |
| server_audit_incl_users       |                       |
| server_audit_logging          | OFF                   |
| server_audit_mode             | 0                     |
| server_audit_output_type      | file                  |
| server_audit_query_log_limit  | 1024                  |
| server_audit_syslog_facility  | LOG_USER              |
| server_audit_syslog_ident     | mysql-server_auditing |
| server_audit_syslog_info      |                       |
| server_audit_syslog_priority  | LOG_INFO              |
+-------------------------------+-----------------------+
Status information:
MariaDB [(none)]> show status like '%audit%';
+----------------------------+-------+
| Variable_name              | Value |
+----------------------------+-------+
| server_audit_active        | OFF   |
| server_audit_current_log   |       |
| server_audit_last_error    |       |
| server_audit_writes_failed | 0     |
+----------------------------+-------+
As with MySQL, auditing is not enabled by default after installation; it has to be configured and then turned on.

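The seven statements below do the following, in order:

1. Enable auditing
2. Set the file that is written when the audit output type is file
3. Trigger log rotation
4. Do not log the zabbix_user user (connect operations are unaffected)
5. Log only operations by the root and ogg users
6. Set which operations are recorded
7. Set the log file size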

set global server_audit_logging=1;
set global server_audit_file_path='mariadb-audit.log';
set global server_audit_file_rotate_now=on;
set global server_audit_excl_users='zabbix_user';
set global server_audit_incl_users='root,ogg';
set global server_audit_events='query,table';
set global server_audit_file_rotate_size=10*1024;
Set in my.cnf (under the [mysqld] section):
server_audit_logging=1
server_audit_file_path='mariadb-audit.log'
server_audit_incl_users='root,ogg'
server_audit_events='query,table'
server_audit_file_rotate_size=1102400
Notes

1. Log format: the MySQL audit log format is JSON; MariaDB offers file and syslog output, where syslog writes the audit records to the system log file /var/log/messages.

2. To uninstall: uninstall plugin server_audit;
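
The following is an added example, not part of the original post: a small Python reviewer for the log written with server_audit_output_type=file, flagging failed statements and statements that change the audit settings themselves. It assumes the plugin's documented comma-separated record layout (timestamp, serverhost, username, host, connectionid, queryid, operation, database, object, retcode); the sample lines, host names and function names are constructed for illustration.

```python
import re

# Field order of a server_audit file-output record, as documented for the plugin
# (assumed here; the page does not show a log line).
FIELDS = ("timestamp", "serverhost", "username", "host", "connectionid",
          "queryid", "operation", "database", "object", "retcode")

# Statements that change or remove the audit configuration itself.
TAMPER = re.compile(
    r"server_audit_\w+\s*=|uninstall\s+(plugin|soname)\s+'?server_audit", re.I)

def parse_line(line):
    """Parse one record. The object field holds quoted SQL for QUERY events and
    may contain commas: take 8 fields from the left, retcode from the right."""
    head = line.rstrip("\n").split(",", 8)
    if len(head) != 9:
        return None                          # truncated or foreign line
    obj, sep, retcode = head[8].rpartition(",")
    if not sep or (retcode and not retcode.isdigit()):
        return None
    rec = dict(zip(FIELDS, head[:8] + [obj, retcode]))
    rec["retcode"] = int(retcode) if retcode else None   # empty on table events
    return rec

def review(lines):
    """Return (reason, record) pairs worth an analyst's attention."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append(("unparseable", {"raw": line}))
        elif rec["operation"] == "QUERY" and TAMPER.search(rec["object"]):
            findings.append(("audit-config-change", rec))
        elif rec["retcode"]:
            findings.append(("failed-statement", rec))
    return findings

# Constructed sample records (not real log data).
SAMPLE = [
    "20240105 10:01:02,db01,root,localhost,12,101,QUERY,shop,'select id, name from t1',0",
    "20240105 10:01:02,db01,root,localhost,12,101,READ,shop,t1,",
    "20240105 10:02:10,db01,ogg,10.0.0.8,15,140,QUERY,shop,'drop table missing_tbl',1051",
    "20240105 10:03:30,db01,root,localhost,12,150,QUERY,,'set global server_audit_query_log_limit=0',0",
    "20240105 10:04:00,db01,root",
]

if __name__ == "__main__":
    for reason, rec in review(SAMPLE):
        print(reason, rec.get("username"), rec.get("object", rec.get("raw")))
```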
