MariaDB Audit Plugin logging remotely to syslog

Storage Architecture 2013-09-27

Syslog is widely used for logging and allows distributed logging. Having MySQL/MariaDB audit data logged to a remote syslog server is a strong guarantee for the security of the audit data. PCI compliance requires separation of duties. Separating the duties of DBA profiles from those of a security officer is a way to guarantee that audit data is tamper-proof from the DBA.

Setting up the MariaDB Audit Plugin to log to a remote syslog is quite simple. First, install the MariaDB Audit Plugin: download the plugin, copy it to lib/plugin in your MySQL/MariaDB install directory, and activate it:

MariaDB [(none)]> INSTALL PLUGIN server_audit SONAME '';
MariaDB [test]> SET GLOBAL server_audit_output_type=SYSLOG;
MariaDB [test]> SET GLOBAL server_audit_events='CONNECT,QUERY';
MariaDB [test]> SET GLOBAL server_audit_logging=on;

To have the audit data sent to a remote server, first configure the remote syslog server to accept requests from the network (here on port 514) by editing /etc/rsyslog.conf:

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

Restart the syslog daemon:

service rsyslog restart

To check that the syslog server accepts data from a remote source, verify that it is listening on the configured port 514:

[root@centos2 etc]# netstat -anp|grep 514
tcp        0      0       *                   LISTEN      11467/rsyslogd      
tcp        0      0 :::514                      :::*                        LISTEN      11467/rsyslogd      
udp        0      0       *                               11467/rsyslogd      
udp        0      0 :::514                      :::*                                    11467/rsyslogd

On the source server, where your MariaDB/MySQL server produces audit entries, configure syslog to push log entries to the remote system. Edit /etc/rsyslog.conf this way:

*.info;mail.none;authpriv.none;cron.none                @

And on the target system you now get the audit records tagged with the originating system:

Sep 21 00:52:37 centos1 kernel: imklog 5.8.10, log source = /proc/kmsg started.
Sep 21 00:52:37 centos1 rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1647" x-info=""] start
Sep 21 00:52:59 centos1 mysql-server_auditing:  centos1.localdomain,root,localhost,1,19,QUERY,test,'show tables',0
Sep 21 00:53:14 centos1 mysql-server_auditing:  centos1.localdomain,root,localhost,1,20,QUERY,test,'show tables',0

So this is quite simple to set up. Of course, you can have multiple MariaDB/MySQL servers sending audit data to a single syslog server.
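
On the collecting syslog server, the records shown above can be parsed and summarised per originating system. The following is an added example, not code from the original post: the field labels, the helper names `parse_audit_line` and `failures_by_origin`, and the sample lines beyond the page's own are assumptions of this example.

```python
import re

# Syslog header as in the sample lines: "<time> <origin host> <tag>: <record>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<origin>\S+) "
    r"mysql-server_auditing:\s+(?P<record>.*)$")
# Field labels are assumptions of this example, read off the sample records.
FIELDS = ("serverhost", "user", "host", "conn_id", "query_id",
          "operation", "database")

def parse_audit_line(line):
    """Return a dict for a server_audit syslog line, or None for other lines."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    # The quoted statement may itself contain commas, so take the seven
    # leading fields from the left and the return code from the right.
    parts = m.group("record").split(",", 7)
    if len(parts) != 8 or "," not in parts[7]:
        return None
    obj, retcode = parts[7].rsplit(",", 1)
    if not retcode.strip().isdigit():
        return None
    if len(obj) >= 2 and obj[0] == "'" and obj[-1] == "'":
        obj = obj[1:-1]  # drop the quotes the plugin puts around the statement
    rec = dict(zip(FIELDS, parts[:7]))
    rec.update(ts=m.group("ts"), origin=m.group("origin"),
               object=obj, retcode=int(retcode))
    return rec

def failures_by_origin(lines):
    """Count audit records with a non-zero return code per originating host."""
    counts = {}
    for rec in filter(None, map(parse_audit_line, lines)):
        if rec["retcode"] != 0:
            counts[rec["origin"]] = counts.get(rec["origin"], 0) + 1
    return counts

# Sample input: lines 1-3 are taken from the page, lines 4-5 are constructed.
SAMPLE = [
    'Sep 21 00:52:37 centos1 kernel: imklog 5.8.10, log source = /proc/kmsg started.',
    "Sep 21 00:52:59 centos1 mysql-server_auditing:  centos1.localdomain,root,localhost,1,19,QUERY,test,'show tables',0",
    "Sep 21 00:53:14 centos1 mysql-server_auditing:  centos1.localdomain,root,localhost,1,20,QUERY,test,'show tables',0",
    "Sep 21 00:53:40 centos1 mysql-server_auditing:  centos1.localdomain,root,localhost,1,21,QUERY,test,'select a,b from t1',1146",
    "Sep 21 00:54:02 centos3 mysql-server_auditing:  centos3.localdomain,app,192.0.2.10,7,0,FAILED_CONNECT,,,1045",
]

if __name__ == "__main__":
    print(failures_by_origin(SAMPLE))
```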

Content by: Serge Frezefond's blog (source link).

