MySQL-Audit安装配置

安装插件

下载地址: https://dl.bintray.com/mcafee/mysql-audit-plugin/
选择audit-plugin-mysql-5.6-1.0.9-541-linux-x86_64.zip(按所安装MySQL版本选择)

将audit插件解压:

#unzip audit-plugin-mysql-XXX-linux-x86_64.zip

进入解压后的文件目录中的lib目录中,拷贝libaudit_plugin.so文件到MySQL插件目录中:

1、查看mysql插件目录:

mysql> SHOW VARIABLES LIKE 'plugin_dir'\G  
*************************** 1. row ***************************
Variable_name: plugin_dir  
        Value: /usr/local/mysql/lib/plugin/

2、拷贝libaudit_plugin.so文件

#cp libaudit_plugin.so /usr/local/mysql/lib/plugin/
配置插件

方式1:官方推荐,修改my.cnf配置文件,添加:

plugin-load=AUDIT=libaudit_plugin.so  

方式2:

INSTALL PLUGIN AUDIT SONAME 'libaudit_plugin.so';  

开启audit功能:

mysql> SET GLOBAL audit_json_file=ON;  

系统变量:

mysql > show variables like '%audit%';  
设定记录审计日志条件
set global audit_record_cmds="insert,update,delete,drop,alter"  

可设置多个,使用逗号分开。 或者写入配置文件:

[mysqld]
   audit-record-cmds=insert,update,delete,drop,alter
参数说明
audit_json_log_file:json日志文件名,如果audit_json_file选项启用,将写审计跟踪到该设置的文件,可以设置为绝对路径  
audit_json_file:启用或关闭json 日志文件  
audit_json_file_sync:json文件同步周期,如果大于0,将每多少次写后同步到磁盘  
audit_json_file_flush:将刷新日志文件,关闭和重新打开文件,能手动进行轮转日志  
audit_json_socket_name:json unix socket name,如果audit_json_socket选项启用,将写审计日志到该unix套接字  
audit_json_socket:启用或关闭json unix socket  
audit_uninstall_plugin:在命令行或配置文件启用或关闭AUDIT uninstall 插件  
audit_validate_checksum:启用或关闭mysqld二进制校验和确认  
audit_checksum:在命令行或配置文件启用mysqld校验和确认,当设置audit_offsets  
audit_record_cmds:逗号分隔的标记记录哪些命令到审计日志,如insert、update、delete  
audit_record_objs:逗号分隔的哪些对象记录到审计日志,格式为database.table,支持通配符  
audit_whitelist_users:逗号分隔的白名单用户,将不记录到审计日志  
audit_header_msg:启用或关闭记录消息头,1.0.6引入  
audit_password_masking_cmds:逗号分隔的命令,将隐藏密码,如CREATE_USER,GRANT,SET_OPTION,SLAVE_START,CREATE_SERVER,ALTER_SERVER,CHANGE_MASTER,1.0.6引入  
audit_password_masking_regex:使用PCRE正则表达式屏蔽密码,仅仅audit_password_masking_cmds指定的命令,1.0.6引入  
查看日志

日志在mysql数据目录里面:

#more mysql-audit.json
日志格式
# more mysql-audit.json 
{"msg-type":"header","date":"1450148043701","audit-version":"1.0.9-541","audit-protocol-version":"1.0","hostname":"olmaster1.com","mysql-version":"5.6.27-log","mysql-program":"/usr/local/mysql/bin/mysqld","mysql-socket":"/usr/local/mysql/data/mysql.sock","mysql-port":"3306"}

{"msg-type":"activity","date":"1450148120021","thread-id":"1","query-id":"16","user":"root","priv_user":"root","host":"localhost","ip":"","cmd":"show_variables","objects":[{"db":"information_schema","name":"/tmp/#sql_4ef_0","obj_type":"VIEW"}],"query":"show variables like '%audit%'"}

{"msg-type":"activity","date":"1450148818775","thread-id":"1","query-id":"17","user":"root","priv_user":"root","host":"localhost","ip":"","cmd":"select","query":"SELECT DATABASE()"}

{"msg-type":"activity","date":"1450148818796","thread-id":"1","query-id":"18","user":"root","priv_user":"root","host":"localhost","ip":"","cmd":"InitDB","objects":[{"db":"newdb","obj_type":"DATABASE"}],"query":"Init DB"}

{"msg-type":"activity","date":"1450148818796","thread-id":"1","query-id":"19","user":"root","priv_user":"root","host":"localhost","ip":"","cmd":"show_databases","objects":[{"db":"information_schema","name":"/tmp/#sql_4ef_0","obj_type":"VIEW"}],"query":"show databases"}