mariadb 的审计日志和mysql审计日志都是使用插件形式使用。
目前mysql企业版支持审计日志功能,percona公司的插件可替代该插件(网络了解mysql社区版可使用percona的审计插件,本人尚未实验测试。)
本次实验基于mariadb开启审计日志。
1.mariadb版本:mariadb10.1.19 在官方下载的二进制包中包含审计日志插件。
2.查看数据库是否安装插件:
SHOW VARIABLES LIKE '%plugin_dir%';
看到此数据库已安装审计插件,卸载插件重新安装。
3.卸载插件
MariaDB [(none)]> UNINSTALL PLUGIN server_audit;
ERROR 1702 (HY000): Plugin 'server_audit' is force_plus_permanent and can not be unloaded
卸载插件报错,需要修改参数。
server_audit=FORCE_PLUS_PERMANENT
参数防止删除该插件参数。实验中可重启DB,实际生产中需谨慎操作。
vi /etc/my.cnf
#+#audit #plugin_load=server_audit #server_audit_events=connect,query_dml,query_ddl #server_audit=FORCE_PLUS_PERMANENT #server_audit_file_rotate_size = 128M #server_audit_logging = ON #server_audit_file_path=/data01/mysql/log3306/server_audit.log #sysdate_is_now = 1
重启mysql: 卸载成功。 MariaDB [(none)]> unINSTALL PLUGIN server_audit; ERROR 1305 (42000): PLUGIN server_audit does not exist MariaDB [(none)]> show variables like '%audit%'; Empty set (0.00 sec)
4.安装插件:
MariaDB [(none)]> INSTALL PLUGIN server_audit SONAME 'libaudit_plugin.so'; ERROR 1127 (HY000): Can't find symbol 'server_audit' in library
安装报错: 原因未找到,还原my.cnf的配置文件注释,并重启mysql。 plugin_load=server_audit server_audit_events=connect,query_dml,query_ddl server_audit=FORCE_PLUS_PERMANENT server_audit_file_rotate_size = 128M server_audit_logging = ON server_audit_file_path=/data01/mysql/log3306/server_audit.log sysdate_is_now = 1
发现再次安装: MariaDB [(none)]> INSTALL PLUGIN server_audit SONAME 'libaudit_plugin.so'; ERROR 1968 (HY000): Plugin 'server_audit' already installed MariaDB [(none)]> INSTALL PLUGIN server_audit SONAME 'libaudit_plugin.so'; ERROR 1968 (HY000): Plugin 'server_audit' already installed
Now,恐怖了。目前问题是,如果不注释配置文件,那么不能停止server_audit +---------+------+----------------------------------------------------+ | Level | Code | Message | +---------+------+----------------------------------------------------+ | Warning | 1620 | Plugin is busy and will be uninstalled on shutdown | +---------+------+----------------------------------------------------+
注释掉安装找不到:Can't find symbol 'server_audit' in library
5.错误解决: 原因:安装的语法不正确。 注释掉审计日志的参数后,重启mysql
安装审计插件:
MariaDB [(none)]> show variables like '%audit%'; Empty set (0.00 sec)
MariaDB [(none)]> INSTALL PLUGIN server_audit SONAME 'server_audit.so'; Query OK, 0 rows affected (0.01 sec)
MariaDB [(none)]> show variables like '%audit%'; +-------------------------------+-----------------------+ | Variable_name | Value | +-------------------------------+-----------------------+ | server_audit_events | | | server_audit_excl_users | | | server_audit_file_path | server_audit.log | | server_audit_file_rotate_now | OFF | | server_audit_file_rotate_size | 1000000 | | server_audit_file_rotations | 9 | | server_audit_incl_users | | | server_audit_logging | OFF | | server_audit_mode | 0 | | server_audit_output_type | file | | server_audit_query_log_limit | 1024 | | server_audit_syslog_facility | LOG_USER | | server_audit_syslog_ident | mysql-server_auditing | | server_audit_syslog_info | | | server_audit_syslog_priority | LOG_INFO | +-------------------------------+-----------------------+ 15 rows in set (0.01 sec)
此时审计日志参数均为空,可以通过设置全局动态参数生效,此处为了重启mysql后依然生效,笔者使用修改my.cnf参数进行配置审计日志参数,即取消注销参数。
plugin_load=server_audit server_audit_events=connect,query_dml,query_ddl server_audit=FORCE_PLUS_PERMANENT server_audit_file_rotate_size = 128M server_audit_logging = ON server_audit_file_path=/data01/mysql/log3306/server_audit.log sysdate_is_now = 1
重启mysql;安装完毕,大家千万不要像笔者这样粗心大意,文章较为混乱,望读者谨慎参考。
注:INSTALL PLUGIN audit_log SONAME 'audit_log.so'; 为mysql安装审计日志语句。
