MySQL Audit

*************************** 1. row *************************** PLUGIN_NAME: audit_log PLUGIN_VERSION: 0.2 PLUGIN_STATUS: ACTIVE PLUGIN_TYPE: AUDIT PLUGIN_TYPE_VERSION: 4.1 PLUGIN_LIBRARY: audit_log.soPLUGIN_LIBRARY_VERSION: 1.7 PLUGIN_AUTHOR: Percona LLC and/or its affiliates. PLUGIN_DESCRIPTION: Audit log PLUGIN_LICENSE: GPL LOAD_OPTION: ON1 row in set (0.00 sec)

SHOW variables LIKE 'audit%';

+-----------------------------+---------------+| Variable_name | Value |+-----------------------------+---------------+| audit_log_buffer_size | 1048576 || audit_log_exclude_accounts | || audit_log_exclude_commands | || audit_log_exclude_databases | || audit_log_file | audit.log || audit_log_flush | OFF || audit_log_format | OLD || audit_log_handler | FILE || audit_log_include_accounts | || audit_log_include_commands | || audit_log_include_databases | || audit_log_policy | ALL || audit_log_rotate_on_size | 0 || audit_log_rotations | 0 || audit_log_strategy | ASYNCHRONOUS || audit_log_syslog_facility | LOG_USER || audit_log_syslog_ident | percona-audit || audit_log_syslog_priority | LOG_INFO |+-----------------------------+---------------+18 rows in set (0.00 sec)

+-----------------------------------------------| Description+-----------------------------------------------|||||| OFF, ON| OLD, NEW, CSV, JSON| FILE, SYSLOG|||| ALL, LOGINS, QUERIES, NONE| Size in bytes; 0 = Don't rotate| Defines how many log files should be kept when audit_log_rotate_on_size is non-zero and handler = FILE| ASYNCHRONOUS, PERFORMANCE, SEMISYNCHRONOUS, SYNCHRONOUS|||+-----------------------------------------------

Example Usage

Filtering by accounts...

SET GLOBAL audit_log_include_accounts = 'myuser@localhost,root@localhost';

SET GLOBAL audit_log_include_accounts = NULL;

SET GLOBAL audit_log_exclude_accounts = 'myuser@localhost,root@localhost';

SELECT @@audit_log_exclude_accounts;

SELECT @@audit_log_include_accounts;

Filtering by SQL command...

SELECT name

FROM performance_schema.setup_instruments

WHERE name LIKE "statement/sql/%"

ORDER BY name;

SET GLOBAL audit_log_include_commands= 'set_option,create_db';

SET GLOBAL audit_log_include_commands = NULL;

SET GLOBAL audit_log_exclude_commands= 'set_option,create_db';

Filtering by database...

SET GLOBAL audit_log_include_databases = 'mysql,mydb';

SET GLOBAL audit_log_exclude_databases = 'mysql,mydb';

MariaDB Audit Plugin

TODO

McAfee / Trellix mysql-audit Plugin

TODO

mysql-audit (github)

Bibliography

https://serverfault.com/questions/65255/log-mysql-login-attemptshttps://www.percona.com/blog/auditing-login-attempts-in-mysql/https://dba.stackexchange.com/questions/668/audit-logins-on-mysql-databasehttps://stackoverflow.com/questions/47034690/mysql-user-last-login-access-date-time
https://github.com/trellix-enterprise/mysql-audithttps://github.com/trellix-enterprise/mysql-audit/wiki
Audit Pluginshttps://dev.mysql.com/doc/extending-mysql/5.7/en/writing-audit-plugins.html
Percona Audit Log Pluginhttps://docs.percona.com/percona-server/5.7/management/audit_log_plugin.htmlhttps://www.percona.com/blog/perconas-mysql-audit-log-plugin-an-enterprise-feature-at-a-community-price/https://www.percona.com/blog/percona-audit-log-plugin-and-the-percona-monitoring-and-management-security-threat-tool/
McAfeehttps://www.percona.com/blog/experiences-with-the-mcafee-mysql-audit-plugin/