Mariadb审计

与不同Mysql的是，Mariadb审计插件不用单独下载，直接安装即可。

MariaDB [(none)]> INSTALL PLUGIN server_audit SONAME 'server_audit';

查看安装的插件

MariaDB [(none)]> show plugins;
+--------------------------------+--------+--------------------+-----------------+---------+
| Name                           | Status | Type               | Library         | License |
+--------------------------------+--------+--------------------+-----------------+---------+
...
| SERVER_AUDIT                   | ACTIVE | AUDIT              | server_audit.so | GPL     |
+--------------------------------+--------+--------------------+-----------------+---------+

安装成功后生成的变量

MariaDB [(none)]> show variables like '%audit%';
+-------------------------------+-----------------------+
| Variable_name                 | Value                 |
+-------------------------------+-----------------------+
| server_audit_events           |                       |
| server_audit_excl_users       |                       |
| server_audit_file_path        | server_audit.log      |
| server_audit_file_rotate_now  | OFF                   |
| server_audit_file_rotate_size | 1000000               |
| server_audit_file_rotations   | 9                     |
| server_audit_incl_users       |                       |
| server_audit_logging          | OFF                   |
| server_audit_mode             | 0                     |
| server_audit_output_type      | file                  |
| server_audit_query_log_limit  | 1024                  |
| server_audit_syslog_facility  | LOG_USER              |
| server_audit_syslog_ident     | mysql-server_auditing |
| server_audit_syslog_info      |                       |
| server_audit_syslog_priority  | LOG_INFO              |
+-------------------------------+-----------------------+

状态信息

MariaDB [(none)]> show status like '%audit%';
+----------------------------+-------+
| Variable_name              | Value |
+----------------------------+-------+
| server_audit_active        | OFF   |
| server_audit_current_log   |       |
| server_audit_last_error    |       |
| server_audit_writes_failed | 0     |
+----------------------------+-------+

同mysql，安装完成后默认没有开启，需要进一步设置并开启。

1:开启审计2:审计为file时指定的文件3:开启日志轮换4:不记录zabbix_user用户（connect操作不受影响）5:只记录root和ogg用户操作6:记录的操作7:日志文件大小

set global server_audit_logging=1;
set global server_audit_file_path='mariadb-audit.log';
set global server_audit_file_rotate_now=on;
set global server_audit_excl_users='zabbix_user';
set global server_audit_incl_users='root,ogg';
set global server_audit_events='query,table';
set global server_audit_file_rotate_size=10*1024;

设置my.cnf

server_audit_logging=1
server_audit_file_path='mariadb-audit.log'
server_audit_incl_users='root,ogg'
server_audit_events='query,table'
server_audit_file_rotate_size=1102400

说明

1、日志格式，mysql日志格式为json；mariadb有file和syslog，syslog则是将日志记录到系统日志/var/log/messages文件

2、卸载uninstall plugin server_audit;