MARIADB Log Audit to help you find out what's going on inside a bad guy.

Part1: who did that?

As DBAs often encounter, some tables are mistakenly manipulated, truncate, deleted, and even drop. Most of the reasons for this are caused by human + permission issues. Some public accounts, such as the Ceshi account, can be operated by all people, and by mistake caused by these public accounts, you shout in the office: who deleted my watch? 80% no one will respond to you.

Audit log functionality, which is implemented primarily in the mariadb10.0/10.1 and Percona 5.6 versions. This feature is also supported in the mysql5.6/5.7 Enterprise Edition. This article mainly introduces and demonstrates how to open the audit log in MariaDB10.1, to help you find out the inside of a bad thing boy ~

Part2: Build Your Environment

In this article, we used the MARIADB version of 10.1.16, of course, with other versions of MARIADB also, how to install the MARIADB database environment This article does not repeat, if necessary can be:

http://suifu.blog.51cto.com/9167728/1830575

Here's how to install the Audit Audit plugin plugin in MariaDB10.1.16

Execute the following command in the MARIADB database:

Nstall PLUGIN server_audit SONAME ' server_audit.so ';

The exact code is as shown.

650) this.width=650; "src=" http://s2.51cto.com/wyfs02/M01/88/36/wKioL1fsYOqyR4VhAAD9zQVbwLs526.jpg "title=" 1.JPG " alt= "Wkiol1fsyoqyr4vhaad9zqvbwls526.jpg"/>

Warning: Warning

It is worth noting that the server_audit.so name is not arbitrary, because it will read the/usr/local/mariadb/lib/plugin directory of the file, if it is given as mariadb-audit.so, will throw the following error, Because the file is not in the plugin directory.

650) this.width=650; "src=" http://s4.51cto.com/wyfs02/M00/88/36/wKioL1fsYb2iSN-9AAEgvCrxd6w821.jpg "title=" 2.JPG " alt= "Wkiol1fsyb2isn-9aaegvcrxd6w821.jpg"/>

Part2: parameter Interpretation

Server_audit_events= ' Connect,query,table ' represents the DML/DDL/DCL operation of the IP, username, and table that the Whitney road links in.

Server_audit_logging=on indicates that the audit log service is turned on.

Server_audit_excl_users=helei indicates that only all operations of the Helei user are logged.

SERVER_AUDIT_FILE_ROTATE_SIZE=1G means that more than the defined 1GB, the log is automatically rotation.

Server_audit_file_path=server_audit.log represents the path of the audit log.

More relevant parameters can be viewed as shown by using show variables like ' server_audit% ';

650) this.width=650; "src=" http://s5.51cto.com/wyfs02/M00/88/36/wKioL1fsYyzyL37_AAF7wyAmOiM317.jpg "title=" 3.JPG " alt= "Wkiol1fsyyzyl37_aaf7wyamoim317.jpg"/>

Part3: turn on related parameters

Server_audit_events, server_audit_logging and other parameters are global dynamic parameters, can be changed directly in the database, the command is as follows:

Set global server_audit_events= ' connect,query,table ';

Set global server_audit_logging=on;

650) this.width=650; "src=" http://s2.51cto.com/wyfs02/M00/88/3A/wKiom1fsZH7CliSlAAHhMBHs5Ho029.jpg "title=" 5.JPG " alt= "Wkiom1fszh7clislaahhmbhs5ho029.jpg"/>

PART4: Check Effect

After opening the relevant parameters, no need to restart the database, you can directly see that the relevant operation has been recorded to Server_audit.log, as shown in.

650) this.width=650; "src=" http://s2.51cto.com/wyfs02/M02/88/36/wKioL1fsZSOgGtCZAALxEbz5bss436.jpg "title=" 6.JPG " alt= "Wkiol1fszsoggtczaalxebz5bss436.jpg"/>

-- summary --

Since the audit function, mother no longer have to worry about I can not find the "bad guy". due to the author's limited level, writing time is also very hasty, the text will inevitably appear some errors or inaccurate places, inappropriate to ask readers to criticize correct.

This article is from the "Age volt" blog, please make sure to keep this source http://suifu.blog.51cto.com/9167728/1857594

MARIADB Log Audit to help you find out what's going on inside a bad guy.