
MySQL Audit Plugin now available in Percona Server 5.5 and 5.6

2014-07-21 15:36, 549 views
This article is reposted from: http://www.mysqlperformanceblog.com/2014/05/07/mysql-audit-plugin-now-available-in-percona-server-5-5-and-5-6/





May 7, 2014 by Alexander Rubin



The new Percona Server 5.5.37-35.0 and Percona Server 5.6.17-65.0-56, announced yesterday (May 6), both include the open source version of the MySQL Audit Plugin. The MySQL Audit Plugin is used to log all queries or connections (“audit” MySQL usage). Until yesterday’s release, the MySQL Audit Plugin was only available in MySQL Enterprise.

EDIT: Just to be clear, this implementation is an alternative to the MySQL Enterprise Audit Log Plugin. Percona re-implemented the Audit Plugin code as GPL as Oracle’s code was closed source.

EDIT 2: I should also mention: two other Open Source Audit Plugin implementations existed for a while: McAfee MySQL Audit Plugin and MariaDB Audit Plugin for MySQL. Both of these implementations use their own audit log formats, different from what Oracle’s implementation is using. Percona’s implementation is the first to be a drop-in replacement for MySQL Enterprise Audit Plugin.

Logging all MySQL usage is very important for a number of applications, for example:

Required: applications which deal with sensitive data (credit cards, medical records, etc); required for security compliance (e.g. HIPAA)
Very helpful: multi-tenant applications or MySQL as a service; MySQL administrators can audit the MySQL usage from the security and performance standpoint
Very helpful: investigating and troubleshooting; it is great to have a full log of all queries, which can help a lot for troubleshooting of MySQL and even for performance audit.

Originally, the only “easy” option was to enable the general log. (Other options included using binary logs, which do not include select queries, or enabling queries “trace” in the application or MySQL connector.) However, logging all queries using a general log may dramatically decrease performance in highly loaded MySQL applications: Aleksandr Kuzminsky published a benchmark in 2009 to show the overhead of MySQL general and slow log. The main benefit of MySQL Log Audit plugin is that it logs all queries asynchronously (can be changed in the config). I’ve decided to try the new audit plugin in Percona Server and measure the performance impact of the new plugin compared to enabling the general log for CPU-bound applications.

How to start with MySQL Audit Plugin

First, we will need to enable (or “install”) the MySQL audit plugin as described in the doc:

mysql> select version();
+-------------+
| version()   |
+-------------+
| 5.5.37-35.0 |
+-------------+
1 row in set (0.00 sec)

mysql> INSTALL PLUGIN audit_log SONAME 'audit_log.so';
Query OK, 0 rows affected (0.00 sec)

Now we can see all MySQL audit plugin options:

mysql> show global variables like '%audit%';
+--------------------------+--------------+
| Variable_name            | Value        |
+--------------------------+--------------+
| audit_log_buffer_size    | 1048576      |
| audit_log_file           | audit.log    |
| audit_log_flush          | OFF          |
| audit_log_format         | OLD          |
| audit_log_policy         | ALL          |
| audit_log_rotate_on_size | 0            |
| audit_log_rotations      | 0            |
| audit_log_strategy       | ASYNCHRONOUS |
+--------------------------+--------------+
8 rows in set (0.00 sec)

There are a bunch of options we can tweak here, the most important for MySQL performance are:

audit_log_buffer_size; this buffer is used to cache the queries (for asynchronous operation).
audit_log_strategy; all options are listed in the documentation page:

| Value | Meaning |
|---|---|
| ASYNCHRONOUS | Log asynchronously, wait for space in output buffer |
| PERFORMANCE | Log asynchronously, drop request if insufficient space in output buffer |
| SEMISYNCHRONOUS | Log synchronously, permit caching by operating system |
| SYNCHRONOUS | Log synchronously, call sync() after each request |

The most useful option in my mind is ASYNCHRONOUS, providing us with a good balance between performance and not losing transactions if the output buffer is not large enough.

audit_log_policy; we can log all queries or MySQL logins only (very useful if we only need to audit MySQL connections)

Open Source Audit Plugin in MySQL Community server

You can also use the Percona Open Source version of the Audit Plugin in MySQL community version (5.5.37 and 5.6.17). Simply download the Linux tarball of Percona Server and copy audit_log.so to your MySQL plugin dir.

Find plugin dir:

mysql> show global variables like '%plugin%';
+---------------+------------------------------+
| Variable_name | Value                        |
+---------------+------------------------------+
| plugin_dir    | /usr/local/mysql/lib/plugin/ |
+---------------+------------------------------+
1 row in set (0.00 sec)

Copy the file:

# cp audit_log.so /usr/local/mysql/lib/plugin/

Install plugin:

Server version: 5.5.37 MySQL Community Server (GPL)
mysql> INSTALL PLUGIN audit_log SONAME 'audit_log.so';
Query OK, 0 rows affected (0.00 sec)

Server version: 5.6.17 MySQL Community Server (GPL)
mysql> INSTALL PLUGIN audit_log SONAME 'audit_log.so';
Query OK, 0 rows affected (0.00 sec)

Using MySQL audit plugin

When the plugin is enabled, it will log entries in the audit.log file in XML format. Example:

<AUDIT_RECORD
"NAME"="Audit"
"RECORD"="1_2014-04-30T00:04:42"
"TIMESTAMP"="2014-04-30T00:04:42 UTC"
"MYSQL_VERSION"="5.5.37-35.0"
"STARTUP_OPTIONS"="--basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib64/mysql/plugin --user=mysql --log-error=/var/log/mysqld.log --pid-file=/var/lib/mysql/localhost.localdomain.pid --socket=/var/lib/mysql/mysql.sock"
"OS_VERSION"="x86_64-Linux",
/>
<AUDIT_RECORD
"NAME"="Query"
"RECORD"="2_2014-04-30T00:04:42"
"TIMESTAMP"="2014-04-30T00:04:42 UTC"
"COMMAND_CLASS"="install_plugin"
"CONNECTION_ID"="1"
"STATUS"="0"
"SQLTEXT"="INSTALL PLUGIN audit_log SONAME 'audit_log.so'"
"USER"="root[root] @ localhost []"
"HOST"="localhost"
"OS_USER"=""
"IP"=""
/>
<AUDIT_RECORD
"NAME"="Query"
"RECORD"="3_2014-04-30T00:04:42"
"TIMESTAMP"="2014-04-30T00:05:07 UTC"
"COMMAND_CLASS"="show_variables"
"CONNECTION_ID"="1"
"STATUS"="0"
"SQLTEXT"="show global variables like '%audit%'"
"USER"="root[root] @ localhost []"
"HOST"="localhost"
"OS_USER"=""
"IP"=""
/>

<AUDIT_RECORD
"NAME"="Query"
"RECORD"="10_2014-04-30T00:04:42"
"TIMESTAMP"="2014-04-30T12:33:20 UTC"
"COMMAND_CLASS"="grant"
"CONNECTION_ID"="2"
"STATUS"="0"
"SQLTEXT"="grant all on sbtest.* to sb@localhost identified by 'sb'"
"USER"="root[root] @ localhost []"
"HOST"="localhost"
"OS_USER"=""
"IP"=""
/>
<AUDIT_RECORD
"NAME"="Connect"
"RECORD"="11_2014-04-30T00:04:42"
"TIMESTAMP"="2014-04-30T12:34:53 UTC"
"CONNECTION_ID"="3"
"STATUS"="0"
"USER"="sb"
"PRIV_USER"="sb"
"OS_LOGIN"=""
"PROXY_USER"=""
"HOST"="localhost"
"IP"=""
"DB"="sbtest"
/>
<AUDIT_RECORD
"NAME"="Query"
"RECORD"="1292_2014-04-30T00:04:42"
"TIMESTAMP"="2014-04-30T12:45:07 UTC"
"COMMAND_CLASS"="select"
"CONNECTION_ID"="32"
"STATUS"="1146"
"SQLTEXT"="SELECT pad FROM sbtest8 WHERE id=5036031"
"USER"="sb[sb] @ localhost []"
"HOST"="localhost"
"OS_USER"=""
"IP"=""
/>

Important notes:

As all queries will be logged here, the passwords from “GRANT” will also be saved in clear text (as you can see above). It is very important to secure the file on disk.

EDIT: The clear text passwords issue only applies to the MySQL 5.5 version. As of MySQL 5.6.3, passwords in statements written to the general query log are rewritten by the server not to occur literally in plain text (quote from the documentation).

In the MySQL 5.6 version, here is what we will see:

<AUDIT_RECORD
"NAME"="Query"
"RECORD"="14_2014-05-05T21:56:20"
"TIMESTAMP"="2014-05-07T13:51:04 UTC"
"COMMAND_CLASS"="grant"
"CONNECTION_ID"="2"
"STATUS"="0"
"SQLTEXT"="GRANT ALL PRIVILEGES ON `test`.* TO 'test'@'localhost' IDENTIFIED BY PASSWORD '*1E752E353CAA631945738535152AE894E47F5A48'"
"USER"="root[root] @ localhost []"
"HOST"="localhost"
"OS_USER"=""
"IP"=""
/>

The file can grow very large on disk:

ls -lah /var/lib/mysql/audit.log
-rw-rw---- 1 mysql mysql 7.1G May 4 07:30 /var/lib/mysql/audit.log

Searching the Audit Log entries

MySQL Utilities provides a useful tool, mysqlauditgrep, to search / grep the log file. Unfortunately, I was not able to make it work (tried both v. 1.3 and v. 1.4) with the audit plugin format created by Percona Server. According to this bug, it can’t parse the “new” audit format. In my case, mysqlauditgrep returned a parsing error when I used the default format and returned no results when I set “audit_log_format=NEW”. It would be nice to use mysqlauditgrep, as it looks like a very powerful tool, but for now our searching options are limited to conventional Linux grep (which is not very easy for XML documents) or a custom application to parse/search XML.
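As an added example (not code from the original post or from Percona), the Python below is one such custom search tool for the record layout shown above, which a standard XML parser rejects because the attribute names are quoted. It also covers the earlier note on GRANT statements by flagging records that carry a literal password, and it lists failed queries; it assumes double quotes inside values are escaped by the plugin, and `SAMPLE` and all function names are constructed for illustration.

```python
import re

ATTR = re.compile(r'"([A-Z_]+)"="([^"]*)"')          # "KEY"="value" pairs
CLEAR_PW = re.compile(r"identified\s+by\s+'", re.I)  # literal, not BY PASSWORD '<hash>'

def records(lines):
    """Stream one dict per <AUDIT_RECORD ... /> element; accepts an open file."""
    buf = []
    for line in lines:
        buf.append(line)
        if line.strip() == "/>":  # element terminator sits on its own line
            yield dict(ATTR.findall("\n".join(buf)))
            buf = []

def search(lines, **want):
    """Yield records whose attributes equal every KEY=value given in want."""
    return (r for r in records(lines) if all(r.get(k) == v for k, v in want.items()))

def cleartext_grants(lines):
    """RECORD ids of statements carrying a literal password (the 5.5 case)."""
    return [r["RECORD"] for r in records(lines) if CLEAR_PW.search(r.get("SQLTEXT", ""))]

def failed_queries(lines):
    """RECORD ids of Query records whose STATUS is a non-zero error code."""
    return [r["RECORD"] for r in search(lines, NAME="Query") if r.get("STATUS") != "0"]

# Constructed sample modelled on the records above: attributes trimmed, placeholder hash.
SAMPLE = """<AUDIT_RECORD
"NAME"="Query"
"RECORD"="10_2014-04-30T00:04:42"
"COMMAND_CLASS"="grant"
"STATUS"="0"
"SQLTEXT"="grant all on sbtest.* to sb@localhost identified by 'sb'"
/>
<AUDIT_RECORD
"NAME"="Query"
"RECORD"="14_2014-05-05T21:56:20"
"COMMAND_CLASS"="grant"
"STATUS"="0"
"SQLTEXT"="GRANT ALL PRIVILEGES ON `test`.* TO 'test'@'localhost' IDENTIFIED BY PASSWORD '*PLACEHOLDER_HASH'"
/>
<AUDIT_RECORD
"NAME"="Query"
"RECORD"="1292_2014-04-30T00:04:42"
"STATUS"="1146"
"SQLTEXT"="SELECT pad FROM sbtest8 WHERE id=5036031"
/>
"""
print(cleartext_grants(SAMPLE.splitlines()), failed_queries(SAMPLE.splitlines()))
```

To scan a real log, pass an open file object instead of `SAMPLE.splitlines()`, so a multi-gigabyte audit.log is read one line at a time.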

Performance overhead of Audit Log Plugin and General Log

Finally, I wanted to measure the overhead of the Audit Log Plugin compared to General Log. I did a quick benchmark with the sysbench OLTP test (CPU-bound workload) with 4 modes:

Audit Plugin disabled (to measure baseline)
Audit Plugin enabled and logs all queries
Audit Plugin enabled and logs only logins
General Log enabled, Audit Plugin disabled

Here are the results:

| Test | Overhead |
|---|---|
| Plugin + audit_log_policy = ALL | ~15% overhead |
| Plugin + audit_log_policy = LOGINS | ~0% overhead (sysbench only connects once, so there may be bigger overhead here) |
| General_log | ~62% overhead |

As we can see here, the audit log is not free from overhead; however, it is much smaller than enabling general_log to log all and every query. Those are quick benchmark results and more tests are needed for more accurate measurements. Also, as always, your mileage can vary.

Nice to have features

What I would love to have for the audit plugin is the ability to log only some specific actions. For example, only log activity from a specific user or access to a specific table (i.e. a table with sensitive data), etc. This will give more control and less overhead (=better performance).

Conclusion

The MySQL Audit Plugin is a great feature – it is a valuable tool for MySQL security and performance audits. The performance overhead may be a concern for highly loaded systems; however, it looks reasonable and is much better than using the general log to log all queries.

If you use general log or any other audit plugins, please share your experience in the comments.

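Note: I recently took part in a MySQL operations course, and the instructor recommended this article as extended reading for study and technical improvement. I am recording it on my own blog first and will digest, study and improve on it gradually. This article relates to the topic “character sets and privilege security”.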




