Professional Documents
Culture Documents
Introduction
MySQL is used in a broad range of environments, but if you needed to record user access to be in compliance with auditing regulations for your organization, you would previously have had to use other database solutions. To meet this need, though, the developers of Monty Program AB and SkySQL Ab have developed the MariaDB Audit Plugin. Although the MariaDB Audit Plugin has some unique features available only for MariaDB, it can be used also with MySQL.
Installation
The MariaDB Audit Plugin is provided as a dynamic library: s e r v e r _ a u d i t . s o(s e r v e r _ a u d i t . d l l for Windows). The plugin must and should be located in the plugin library. The file path of the plugin library is recorded in the p l u g i n _ d i r system variable. To see the value of this variable and determine thereby the file path of the plugin library, execute the following SQL statement:
S H O W G L O B A L V A R I A B L E S L I K E ' p l u g i n _ d i r ' + + + | V a r i a b l e _ n a m e | V a l u e | + + + | p l u g i n _ d i r | / u s r / l o c a l / m y s q l / l i b / p l u g i n / | + + +
The plugin can be loaded from the commandline as a startup parameter, or it can be set in the configuration file (i.e., m y . c n for m y . i n i ). Below is an excerpt from a configuration file, showing the relavent line to load this plugin. To use this option from the commandline at startup, just add a doubledash (e.g., p l u g i n l o a d ).
[ m y s q l d ] . . . p l u g i n l o a d = s e r v e r _ a u d i t = s e r v e r _ a u d i t . s o . . .
Another way to install this plugin is to execute the I N S T A L L P L U G I Nstatement from within MySQL. You would need to use an administrative account which has I N S E R Tprivilege for the m y s q l . p l u g i ntable. To do this, you would execute the following within the m y s q lclient or an equivalent client:
I N S T A L L P L U G I N s e r v e r _ a u d i t S O N A M E ' s e r v e r _ a u d i t . s o '
Note The variables that will be used by the plugin (see the Configuration section) will be unknown to the server until the plugin has been loaded the first time. The database server will not start successfully if these variables are set in the configuration file before the audit plugin has been loaded at least once before.
The U N I N S T A L L P L U G I Nstatement may be used to uninstall a plugin. For the auditing plugin, you might want to disable this possibility. To do this, you could add the following line to the configuration file after the plugin is loaded once:
[ m y s q l d ] . . . p l u g i n l o a d = s e r v e r _ a u d i t = s e r v e r _ a u d i t . s o s e r v e r _ a u d i t = F O R C E _ P L U S _ P E R M A N E N T . . .
Once you've added the option above to the server's configuration file and restarted the server, if someone tries then to uninstall the audit plugin, an error message will be returned. Below is an example of this with the error message:
U N I N S T A L L P L U G I N s e r v e r _ a u d i t E R R O R 1 7 0 2 ( H Y 0 0 0 ) : P l u g i n ' s e r v e r _ a u d i t ' i s f o r c e _ p l u s _ p e r m a n e n t a n d c a n n o t b e u n l o a d e d
Configuration
After the audit plugin has been installed and loaded, new global variables will be registered within MariaDB or MySQL. These can be used to configure many factors, limits, and methods related to auditing the server. You may set variables for related logs: their location, size limits, rotation parameters, and method of logging information. You may also set what information should be logged: information related to connections (i.e., connects, disconnects, failed attempts to connect), queries, as well as read and write access to tables. You may also include or exclude user activity in the logs. To see a list of related variables on your server and their values, execute the follow from a MySQL client while connected to the server:
S H O W G L O B A L V A R I A B L E S l i k e ' s e r v e r _ a u d i t % ' + + + | V a r i a b l e _ n a m e | V a l u e | + + + | s e r v e r _ a u d i t _ e v e n t s | C O N N E C T , Q U E R Y , T A B L E | | s e r v e r _ a u d i t _ e x c l _ u s e r s | | | s e r v e r _ a u d i t _ f i l e _ p a t h | / u s r / l o c a l / m y s q l / d a t a / a u d i t t e s t | | s e r v e r _ a u d i t _ f i l e _ r o t a t e _ n o w | | | s e r v e r _ a u d i t _ f i l e _ r o t a t e _ s i z e | 1 0 0 0 0 0 0 | | s e r v e r _ a u d i t _ f i l e _ r o t a t i o n s | 1 | | s e r v e r _ a u d i t _ i n c l _ u s e r s | r o o t , J o h n | | s e r v e r _ a u d i t _ l o g g i n g | O N | | s e r v e r _ a u d i t _ m o d e | 1 | | s e r v e r _ a u d i t _ o u t p u t _ t y p e | f i l e | | s e r v e r _ a u d i t _ s y s l o g _ f a c i l i t y | L O G _ U S E R | | s e r v e r _ a u d i t _ s y s l o g _ i d e n t | m y s q l s e r v e r _ a u d i t i n g | | s e r v e r _ a u d i t _ s y s l o g _ i n f o | | | s e r v e r _ a u d i t _ s y s l o g _ p r i o r i t y | L O G _ I N F O | + + +
The value of these variables can be changed by an administrator with the S U P E R privilege, using the S E T statement. Below is an example of how to switch off audit logging:
S E T G L O B A L s e r v e r _ a u d i t _ l o g g i n g = O F F
Although it is possible to change all of the variables shown above, their values may be reset when the server restarts. You should therefore set them in the configuration file (e.g., m y . c n f ) to ensure the values are the same after a restart. You would not generally set variables related to the auditing plugin using the S E Tstatement. However, you might to test settings before making them more permanent. Since one cannot always restart the server, you would use the S E T statement to change immediately the variables and then include the same settings in the configuration file so that the variables are set again when the server is restarted.
Status Monitoring
You may want to monitor routinely the status of the auditing plugin. The S H O W G L O B A L S T A T U Sstatement can assist you in this. On the server, execute the following SQL statement:
S H O W G L O B A L S T A T U S L I K E " s e r v e r _ a u d i t % " + + + | V a r i a b l e _ n a m e | V a l u e | + + + | s e r v e r _ a u d i t _ a c t i v e | O N | | s e r v e r _ a u d i t _ c u r r e n t _ l o g | / u s r / l o c a l / m y s q l / d a t a / a u d i t t e s t | | s e r v e r _ a u d i t _ l a s t _ e r r o r | | | s e r v e r _ a u d i t _ w r i t e s _ f a i l e d | 0 | + + +
The results above show that the auditing plugin is running, as indicated by the variable, s e r v e r _ a u d i t _ a c t i v e . The variable, s e r v e r _ a u d i t _ c u r r e n t _ l o gprovides the path and name of the log file on the server that is currently in use.
System Logs
For security reasons, it can be better sometimes to use the system logs instead of a local file owned by the m y s q luser. To do this, the value of the variable, s e r v e r _ a u d i t _ o u t p u t _ t y p eneeds to be set to s y s l o g . Advanced configurations such as using a remote s y s l o g dservice is part of the s y s l o g dconfiguration. The variables, s e r v e r _ a u d i t _ s y s l o g _ i d e n t and s e r v e r _ a u d i t _ s y s l o g _ i n f o can be used to identify a system log entry from the audit plugin. If a remote s y s l o g dservice is used for several MariaDB Servers, these same variables are used also to identify the MariaDB Server. Below is an example of a system log entry taken from a server which had the variable, s e r v e r _ a u d i t _ s y s l o g _ i d e n tset to the default value of m y s q l s e r v e r _ a u d i t i n g , and the variable, s e r v e r _ a u d i t _ s y s l o g _ i n f oset to < p r o d 1 > .
A u g 7 1 7 : 1 9 : 5 8 l o c a l h o s t m y s q l s e r v e r _ a u d i t i n g : < p r o d 1 > l o c a l h o s t . l o c a l d o m a i n , r o o t , l o c a l h o s t , 1 , 7 , Q U E R Y , m y s q l , ' S E L E C T * F R O M u s e r ' , 0
Although the default values for s e r v e r _ a u d i t _ s y s l o g _ f a c i l i t y and s e r v e r _ a u d i t _ s y s l o g _ p r i o r i t y should be sufficient in most cases, they can be changed based on the definition in s y s l o g . h for the functions o p e n l o g ( )and s y s l o g ( ) . See Appendix B for more information on this.
Information to Log
The events that are logged can be grouped into the different types: connect, query, and table events. These are also the values which can be set for the variable, s e r v e r _ a u d i t _ e v e n t s , in a commaseparated list.
Without this new feature, a log entry for a query shows only the view used, or the stored procedure or function which was called, not the underlying tables. Of course, you could create a custom application to parse each query executed to find the SQL statements used and the tables accessed, but that would be a drain on system resources. Table event logging is much simpler: it adds a line to the log for each table accessed, without any parsing. It includes notes as to whether it was a read or a write. MariaDB version 5.5.31 or newer is required to be able to use this feature. If you want to monitor user access to specific databases or tables (e.g., m y s q l . u s e r ), you can search the log for them. Then if you want to see a query which accessed a certain table, the audit log entry will include the query identificaiton number. You can use it to search the same log for the query entry. This can be useful when searching a log containing tens of thousands of entries. Because of the option to log table events, you may disable query logging and still know who accessed which tables. You might want to disable query event logging to prevent sensitive data from being logged, to resolve the security vulnerability with query logging mentioned earlier. Since table event logging will log who accessed which table, you can still watch for malicious activities with the log. This is often enough to fulfill auditing requirements.
Although MariaDB and MySQL consider a user as the combination of the username and hostname, the audit plugin logs only based on the username. MySQL uses both the username and hostname so as to grant privileges relevant to the location of the user (e.g., r o o t access from a remote location is inadvisable). Privileges are not relevant though for tracing the access to database objects. The host name is still recorded in the log, but logging is not determined based on that information. The following example shows how to add a new username to the s e r v e r _ a u d i t _ i n c l _ u s e r svariable without removing previous usernames:
S E T G L O B A L s e r v e r _ a u d i t _ i n c l _ u s e r s = C O N C A T ( @ @ g l o b a l . s e r v e r _ a u d i t _ i n c l _ u s e r s , ' , M a r i a ' )
Remember to add also new users to be included in the logs to the same variable in MySQL's configuration file. Otherwise, when the server restarts it will discard the setting.
If the variable, s e r v e r _ a u d i t _ o u t p u t _ t y p eis set to s y s l o g , the general format looks like this:
[ t i m e s t a m p ] [ s y s l o g _ h o s t ] [ s y s l o g _ i d e n t ] : [ s y s l o g _ i n f o ] [ s e r v e r h o s t ] , [ u s e r n a m e ] , [ h o s t ] , [ c o n n e c t i o n i d ] , [ q u e r y i d ] , [ o p e r a t i o n ] , [ d a t a b a s e ] , [ o b j e c t ] , [ r e t c o d e ]
Below is a list of these items which are logged and what information is provided for each:
timestamp syslog_host syslog_info serverhost username host Data and time in which the event occurred. If syslog is used, the format is defined by s y s l o g d . The host from which the syslog entry is received. Used to provide information for identify a system log entry. Host name on which MariaDB is running. Username of the connected user. Host from which the user has connected. The query identification numbermultiple lines will be added to the log for table events. It can be used to find the relational table events and the related queries. The type of action recorded: CONNECT, QUERY, READ, WRITE, CREATE, ALTER, RENAME, DROP. The active database (e.g., as set usually by U S Ecommand). The executed query or table name for table events. The return code of the operation logged.
syslog_ident Used to identify a system log entry, including the MariaDB server.
connectionid Connection identification number to which the operation is related. queryid operation database object retcode
Various events will result in different audit records. Some events will not return a value for some fields (e.g., when the active database is not set when connecting to the server). Connect Events Below is a generic example of the output for connect events, with placeholders representing data. These are events in which a user connected, disconnected, or tried unsuccessfully to connect to the server.
[ t i m e s t a m p ] , [ s e r v e r h o s t ] , [ u s e r n a m e ] , [ h o s t ] , [ c o n n e c t i o n i d ] , 0 , C O N N E C T , [ d a t a b a s e ] , , 0 [ t i m e s t a m p ] , [ s e r v e r h o s t ] , [ u s e r n a m e ] , [ h o s t ] , [ c o n n e c t i o n i d ] , 0 , D I S C O N N E C T , , , 0 [ t i m e s t a m p ] , [ s e r v e r h o s t ] , [ u s e r n a m e ] , [ h o s t ] , [ c o n n e c t i o n i d ] , 0 , F A I L E D _ C O N N E C T , , , [ r e t c o d e ]
Query Events
Here is the one audit record generated for each query event:
[ t i m e s t a m p ] , [ s e r v e r h o s t ] , [ u s e r n a m e ] , [ h o s t ] , [ c o n n e c t i o n i d ] , [ q u e r y i d ] , Q U E R Y , [ d a t a b a s e ] , [ o b j e c t ] , [ r e t c o d e ]
Table Events
Below are generic examples of records that are entered in the audit log for each type of table event:
[ t i m e s t a m p ] , [ s e r v e r h o s t ] , [ u s e r n a m e ] , [ h o s t ] , [ c o n n e c t i o n i d ] , [ q u e r y i d ] , C R E A T E , [ d a t a b a s e ] , [ o b j e c t ] , [ t i m e s t a m p ] , [ s e r v e r h o s t ] , [ u s e r n a m e ] , [ h o s t ] , [ c o n n e c t i o n i d ] , [ q u e r y i d ] , R E A D , [ d a t a b a s e ] , [ o b j e c t ] , [ t i m e s t a m p ] , [ s e r v e r h o s t ] , [ u s e r n a m e ] , [ h o s t ] , [ c o n n e c t i o n i d ] , [ q u e r y i d ] , W R I T E , [ d a t a b a s e ] , [ o b j e c t ] , [ t i m e s t a m p ] , [ s e r v e r h o s t ] , [ u s e r n a m e ] , [ h o s t ] , [ c o n n e c t i o n i d ] , [ q u e r y i d ] , A L T E R , [ d a t a b a s e ] , [ o b j e c t ] , [ t i m e s t a m p ] , [ s e r v e r h o s t ] , [ u s e r n a m e ] , [ h o s t ] , [ c o n n e c t i o n i d ] , [ q u e r y i d ] , R E N A M E , [ d a t a b a s e ] , [ o b j e c t _ o l d ] | [ d a t a b a s e _ n e w ] . [ o b j e c t _ n e w ] , [ t i m e s t a m p ] , [ s e r v e r h o s t ] , [ u s e r n a m e ] , [ h o s t ] , [ c o n n e c t i o n i d ] , [ q u e r y i d ] , D R O P , [ d a t a b a s e ] , [ o b j e c t ] ,
Table Events Below is an excerpt from a log file showing table events. Table events do not return any error code, as they only exist when a query could be executed successfully.
2 0 1 3 0 8 1 0 0 2 : 2 1 : 0 6 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 2 5 , C R E A T E , d b 1 , s e r v i c e s , 2 0 1 3 0 8 1 0 0 2 : 2 1 : 0 6 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 2 7 , R E A D , d b 1 , s e r v i c e s , 2 0 1 3 0 8 1 0 0 2 : 2 1 : 0 7 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 2 9 , W R I T E , d b 1 , s e r v i c e s , 2 0 1 3 0 8 1 0 0 2 : 2 1 : 2 7 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 5 , A L T E R , d b 1 , s e r v i c e s , 2 0 1 3 0 8 1 0 0 2 : 2 1 : 2 7 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 6 , R E N A M E , d b 1 , s e r v i c e s | d b 1 . s e r v i c e s _ n e w , 2 0 1 3 0 8 1 0 0 2 : 2 1 : 4 5 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 8 , D R O P , d b 1 , s e r v i c e s _ n e w ,
Query and Table Events using Views A query which accesses a view does not include information about the underlying table. Table events, though, provide the name of the underlying database and table in the log.
2 0 1 3 0 8 1 0 0 2 : 2 1 : 0 7 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 1 , R E A D , d b 1 , s e r v i c e s , 2 0 1 3 0 8 1 0 0 2 : 2 1 : 0 7 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 1 , R E A D , d b 1 , s e r v i c e s _ t y p e s , 2 0 1 3 0 8 1 0 0 2 : 2 1 : 0 7 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 1 , Q U E R Y , d b 1 , ' S E L E C T * f r o m m y v i e w ' , 0
Notice in this log excerpt that for the query identified as 31, the query event entry shows that a view was accessed (i.e., m y v i e w ), but it doesn't show the name of the underlying table. The table events which were logged, though, provide the name of the database and table (i.e., d b 1 ,s e r v i c e s , and s e r v i c e s _ t y p e s ). Query and Table Events using D R O P When a database is removed, that affects obviously the tables in the database. Table events logging will record that a database was deleted and the tables that were involved.
2 0 1 3 0 8 1 0 0 2 : 2 1 : 4 5 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 8 , R E A D , m y s q l , p r o c , 2 0 1 3 0 8 1 0 0 2 : 2 1 : 4 5 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 8 , D R O P , d b 1 , s e r v i c e s _ t y p e s , 2 0 1 3 0 8 1 0 0 2 : 2 1 : 4 5 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 8 , D R O P , d b 1 , s e r v i c e s _ n e w , 2 0 1 3 0 8 1 0 0 2 : 2 1 : 4 5 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 8 , D R O P , d b 1 , m y v i e w , 2 0 1 3 0 8 1 0 0 2 : 2 1 : 4 5 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 8 , W R I T E , m y s q l , p r o c , 2 0 1 3 0 8 1 0 0 2 : 2 1 : 4 5 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 8 , W R I T E , m y s q l , e v e n t , 2 0 1 3 0 8 1 0 0 2 : 2 1 : 4 5 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 8 , Q U E R Y , d b 1 , ' d r o p d a t a b a s e d b 1 ' , 0
The second and third line from the log excerpt above shows that two tables were deleted from the database, d b 1 . The fourth entry above shows that a view for the same database was also dropped. The last line above notes that a query was run which dropped the database. Query and Table Events calling a Stored Procedure A query which calls a stored procedure does not give the details you need for auditing. Having table events enabled in the plugin will provide the names of the tables and the operations executed.
2 0 1 3 0 8 1 0 0 3 : 0 0 : 3 6 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 5 8 , R E A D , d b 1 , s e r v i c e s , 2 0 1 3 0 8 1 0 0 3 : 0 0 : 3 6 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 5 9 , Q U E R Y , d b 1 , ' c a l l r e a d _ s e r v i c e s ( ) ' , 0
Query and Table Events Longer Excerpt Here is a longer excerpt from the same audit plugin log file as shown above in smaller excerpts. It may be useful to see all of them together like this.
2 0 1 3 0 8 1 0 0 2 : 2 1 : 0 6 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 2 5 , C R E A T E , d b 1 , s e r v i c e s , 2 0 1 3 0 8 1 0 0 2 : 2 1 : 0 6 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 2 5 , Q U E R Y , d b 1 , ' C R E A T E T A B L E s e r v i c e s ( i d i n t ( 1 0 ) p r i m a r y k e y , t y p e i d i n t ( 1 0 ) , n a m e v a r c h a r ( 5 0 ) ) ' , 0 2 0 1 3 0 8 1 0 0 2 : 2 1 : 0 6 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 2 6 , C R E A T E , d b 1 , s e r v i c e s _ t y p e s , 2 0 1 3 0 8 1 0 0 2 : 2 1 : 0 6 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 2 6 , Q U E R Y , d b 1 , ' C R E A T E T A B L E s e r v i c e s _ t y p e s ( i d i n t ( 1 0 ) p r i m a r y k e y , n a m e v a r c h a r ( 5 0 ) ) ' , 0 2 0 1 3 0 8 1 0 0 2 : 2 1 : 0 6 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 2 7 , R E A D , d b 1 , s e r v i c e s , 2 0 1 3 0 8 1 0 0 2 : 2 1 : 0 6 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 2 7 , R E A D , d b 1 , s e r v i c e s _ t y p e s , 2 0 1 3 0 8 1 0 0 2 : 2 1 : 0 6 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 2 7 , Q U E R Y , d b 1 , ' C R E A T E V I E W d b 1 . m y v i e w A S S E L E C T * F R O M s e r v i c e s W H E R E t y p e i d I N ( S E L E C T i d F R O M s e r v i c e s _ t y p e s W H E R E n a m e = " c o n s u l t i n g " ) ' , 0 2 0 1 3 0 8 1 0 0 2 : 2 1 : 0 7 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 2 8 , W R I T E , d b 1 , s e r v i c e s _ t y p e s , 2 0 1 3 0 8 1 0 0 2 : 2 1 : 0 7 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 2 8 , Q U E R Y , d b 1 , ' I N S E R T I N T O s e r v i c e s _ t y p e s V A L U E S ( 1 , " s u p p o r t " ) , ( 2 , " t r a i n i n g " ) , ( 3 , " c o n s u l t i n g " ) ' , 0 2 0 1 3 0 8 1 0 0 2 : 2 1 : 0 7 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 2 9 , W R I T E , d b 1 , s e r v i c e s , 2 0 1 3 0 8 1 0 0 2 : 2 1 : 0 7 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 2 9 , Q U E R Y , d b 1 , ' I N S E R T I N T O s e r v i c e s v a l u e s ( 1 , 1 , " R e m o t e D B A " ) , ( 2 , 3 , " H e a l t h C h e c k " ) ' , 0 2 0 1 3 0 8 1 0 0 2 : 2 1 : 0 7 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 0 , R E A D , d b 1 , s e r v i c e s , 2 0 1 3 0 8 1 0 0 2 : 2 1 : 0 7 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 0 , R E A D , d b 1 , s e r v i c e s _ t y p e s , 2 0 1 3 0 8 1 0 0 2 : 2 1 : 0 7 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 0 , Q U E R Y , d b 1 , ' S E L E C T * F R O M s e r v i c e s W H E R E t y p e i d I N ( S E L E C T i d F R O M s e r v i c e s _ t y p e s W H E R E n a m e = " c o n s u l t i n g " ) ' , 0 2 0 1 3 0 8 1 0 0 2 : 2 1 : 0 7 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 1 , R E A D , d b 1 , s e r v i c e s , 2 0 1 3 0 8 1 0 0 2 : 2 1 : 0 7 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 1 , R E A D , d b 1 , s e r v i c e s _ t y p e s , 2 0 1 3 0 8 1 0 0 2 : 2 1 : 0 7 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 1 , Q U E R Y , d b 1 , ' S E L E C T * f r o m m y v i e w ' , 0 2 0 1 3 0 8 1 0 0 2 : 2 1 : 0 7 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 2 , W R I T E , d b 1 , s e r v i c e s , 2 0 1 3 0 8 1 0 0 2 : 2 1 : 0 7 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 2 , Q U E R Y , d b 1 , ' U P D A T E s e r v i c e s S E T n a m e = " T i m e H i r e " W H E R E i d = 2 ' , 0 2 0 1 3 0 8 1 0 0 2 : 2 1 : 0 7 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 3 , W R I T E , d b 1 , s e r v i c e s , 2 0 1 3 0 8 1 0 0 2 : 2 1 : 0 7 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 3 , Q U E R Y , d b 1 , ' R E P L A C E I N T O s e r v i c e s V A L U E S ( 2 , 3 , " H e a l t h C h e c k " ) ' , 0 2 0 1 3 0 8 1 0 0 2 : 2 1 : 0 9 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 4 , W R I T E , d b 1 , s e r v i c e s , 2 0 1 3 0 8 1 0 0 2 : 2 1 : 0 9 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 4 , Q U E R Y , d b 1 , ' D E L E T E F R O M s e r v i c e s W H E R E i d = 1 ' , 0 2 0 1 3 0 8 1 0 0 2 : 2 1 : 2 7 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 5 , R E A D , d b 1 , s e r v i c e s , 2 0 1 3 0 8 1 0 0 2 : 2 1 : 2 7 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 5 , A L T E R , d b 1 , s e r v i c e s , 2 0 1 3 0 8 1 0 0 2 : 2 1 : 2 7 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 5 , Q U E R Y , d b 1 , ' A L T E R T A B L E s e r v i c e s M O D I F Y n a m e V A R C H A R ( 6 4 ) ' , 0 2 0 1 3 0 8 1 0 0 2 : 2 1 : 2 7 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 6 , R E A D , d b 1 , s e r v i c e s , 2 0 1 3 0 8 1 0 0 2 : 2 1 : 2 7 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 6 , A L T E R , d b 1 , s e r v i c e s , 2 0 1 3 0 8 1 0 0 2 : 2 1 : 2 7 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 6 , R E N A M E , d b 1 , s e r v i c e s | d b 1 . s e r v i c e s _ n e w , 2 0 1 3 0 8 1 0 0 2 : 2 1 : 2 7 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 6 , Q U E R Y , d b 1 , ' a l t e r t a b l e s e r v i c e s r e n a m e t o s e r v i c e s _ n e w ' , 0 2 0 1 3 0 8 1 0 0 2 : 2 1 : 3 7 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 7 , Q U E R Y , d b 1 , ' d r o p d b 1 ' , 1 0 6 4 2 0 1 3 0 8 1 0 0 2 : 2 1 : 4 5 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 8 , R E A D , m y s q l , p r o c , 2 0 1 3 0 8 1 0 0 2 : 2 1 : 4 5 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 8 , D R O P , d b 1 , s e r v i c e s _ t y p e s , 2 0 1 3 0 8 1 0 0 2 : 2 1 : 4 5 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 8 , D R O P , d b 1 , s e r v i c e s _ n e w , 2 0 1 3 0 8 1 0 0 2 : 2 1 : 4 5 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 8 , D R O P , d b 1 , m y v i e w , 2 0 1 3 0 8 1 0 0 2 : 2 1 : 4 5 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 8 , W R I T E , m y s q l , p r o c , 2 0 1 3 0 8 1 0 0 2 : 2 1 : 4 5 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 8 , W R I T E , m y s q l , e v e n t , 2 0 1 3 0 8 1 0 0 2 : 2 1 : 4 5 , l o c a l h o s t . l o c a l d o m a i n , J o h n , l o c a l h o s t , 3 , 3 8 , Q U E R Y , d b 1 , ' d r o p d a t a b a s e d b 1 ' , 0
Appendix B
The header file, s y s l o g . huses the values set in the variable, s e r v e r _ a u d i t _ s y s l o g _ f a c i l i t y . This in turn is used by the function, o p e n l o g ( ) . There are several possible values for the variable:
L O G _ U S E R L O G _ C R O N L O G _ M A I L L O G _ D A E M O NL O G _ A U T H L O G _ N E W S L O G _ U U C P L O G _ L O C A L 0
L O G _ S Y S L O GL O G _ L P R L O G _ L O C A L 1L O G _ L O C A L 2 L O G _ L O C A L 5L O G _ L O C A L 6
L O G _ A U T H P R I VL O G _ F T P L O G _ L O C A L 7
L O G _ L O C A L 3L O G _ L O C A L 4
The header file, s y s l o g . huses also the values set in the variable, s e r v e r _ a u d i t _ s y s l o g _ p r i o r i t y , in conjunction also with the function, s y s l o g ( ) . There are also several values possible for this variable:
L O G _ E M E R GL O G _ A L E R T L O G _ E R R L O G _ I N F O L O G _ D E B U G L O G _ C R I T
L O G _ W A R N I N GL O G _ N O T I C E
References
Below is a list of links to web sites where you may find more information on the audit plugin: SkySQL Website: http://www.skysql.com MariaDB Knowledgbase: https://kb.askmonty.org/en/server_auditplugin/ Syslog.h: http://pubs.opengroup.org/onlinepubs/7908799/xsh/syslog.h.html
MySQL is a trademark of Oracle Corporation. MariaDB is a trademark of Monty Program Ab. Copyright 2013 SkySQL Ab. All Rights Reserved.