Backport of Percona Audit Plugin

Since yesterday, the new Percona Server (5.5.37-35.0) includes an audit plugin.

This is the announcement on the mysqlperformance blog.

I needed to have this feature for a customer running an older version of Percona Server (5.5.33-31.1), so I backported the plugin (revision 654), removing some extra information that is not available in previous versions of Percona Server.

The following fields of struct mysql_event_general (include/mysql/plugin_audit.h) were not yet present:


MYSQL_LEX_STRING general_host;
MYSQL_LEX_STRING general_sql_command;
MYSQL_LEX_STRING general_external_user;
MYSQL_LEX_STRING general_ip;

Additionally, as I needed to parse the audit log quickly, I added a new format (CSV) to replace both implementations of the XML output (OLD & NEW).

This is an example of the new output:

AUDIT_RECORD - Audit::35531_2014-05-07T06:15:32::2014-05-07T06:15:36 UTC::5.5.33-31.1::--basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib64/mysql/plugin --user=mysql --log-error=/var/lib/mysql/percona1.err --pid-file=/var/lib/mysql/percona1.pid::x86_64-Linux
AUDIT_RECORD - Connect,35532_2014-05-07T06:15:32,2014-05-07T06:16:04 UTC,1,0,root,root,,,localhost,
AUDIT_RECORD - Query::35533_2014-05-07T06:15:32::2014-05-07T06:16:04 UTC::1::0::select @@version_comment limit 1::root[root] @ localhost []
AUDIT_RECORD - Query::35534_2014-05-07T06:15:32::2014-05-07T06:16:20 UTC::1::0::SELECT DATABASE()::root[root] @ localhost []
AUDIT_RECORD - Init DB::35535_2014-05-07T06:15:32::2014-05-07T06:16:20 UTC::1::0::(null)::root[root] @ localhost []
AUDIT_RECORD - Query::35536_2014-05-07T06:15:32::2014-05-07T06:16:20 UTC::1::0::show databases::root[root] @ localhost []
AUDIT_RECORD - Query::35537_2014-05-07T06:15:32::2014-05-07T06:16:20 UTC::1::0::show tables::root[root] @ localhost []
AUDIT_RECORD - Field List::35538_2014-05-07T06:15:32::2014-05-07T06:16:20 UTC::1::0::::root[root] @ localhost []
AUDIT_RECORD - Field List::35539_2014-05-07T06:15:32::2014-05-07T06:16:20 UTC::1::0::::root[root] @ localhost []
AUDIT_RECORD - Query::35540_2014-05-07T06:15:32::2014-05-07T06:16:23 UTC::1::0::show databases::root[root] @ localhost []
AUDIT_RECORD - Query::35541_2014-05-07T06:15:32::2014-05-07T06:16:27 UTC::1::0::SELECT DATABASE()::root[root] @ localhost []
AUDIT_RECORD - Init DB::35542_2014-05-07T06:15:32::2014-05-07T06:16:27 UTC::1::0::(null)::root[root] @ localhost []
AUDIT_RECORD - Query::35543_2014-05-07T06:15:32::2014-05-07T06:16:29 UTC::1::0::show tables::root[root] @ localhost []
AUDIT_RECORD - Query::35544_2014-05-07T06:15:32::2014-05-07T06:16:34 UTC::1::0::select * from t::root[root] @ localhost []

The patch is available below, along with the compiled plugin for CentOS 6 x86_64 for Percona Server 5.5.33-rel31.

Update: I've now added the code to Launchpad and changed the default audit format to CSV, so the first time the plugin is loaded, CSV is used and there is no need to restart mysqld to enable CSV.
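
A parser for the record layout shown in the sample output above, added here as an example (it is not part of the backport patch or the plugin). The field names connection_id and status are assumptions read off the sample, and because the sample does not show whether the "::" delimiter is escaped inside SQL text, the parser takes the fixed fields from the left and the user string from the right.

```python
import re

# Constructed sample: three lines copied from the post's output, one constructed
# line whose SQL text contains the "::" delimiter, and one non-audit line.
SAMPLE = """\
AUDIT_RECORD - Connect,35532_2014-05-07T06:15:32,2014-05-07T06:16:04 UTC,1,0,root,root,,,localhost,
AUDIT_RECORD - Query::35544_2014-05-07T06:15:32::2014-05-07T06:16:34 UTC::1::0::select * from t::root[root] @ localhost []
AUDIT_RECORD - Init DB::35542_2014-05-07T06:15:32::2014-05-07T06:16:27 UTC::1::0::(null)::root[root] @ localhost []
AUDIT_RECORD - Query::35545_2014-05-07T06:15:32::2014-05-07T06:16:40 UTC::1::0::select 'a::b'::root[root] @ localhost []
not an audit line
"""

PREFIX = "AUDIT_RECORD - "
# Event name, followed by whichever delimiter the record uses ("::" or ",").
HEAD = re.compile(r"^(?P<name>[A-Za-z ]+)(?P<sep>::|,)")

def parse_line(line):
    """Return a dict for one audit line, or None if it is not a valid record."""
    if not line.startswith(PREFIX):
        return None
    body = line[len(PREFIX):].rstrip("\n")
    m = HEAD.match(body)
    if m is None:
        return None
    name, sep = m.group("name"), m.group("sep")
    rest = body[m.end():]
    if name == "Audit" or sep == ",":
        # Startup and Connect records carry no free-form SQL: plain split.
        return {"name": name, "fields": rest.split(sep)}
    # General records: four fixed fields, SQL text, then the user string.
    parts = rest.split(sep, 4)
    if len(parts) != 5 or sep not in parts[4]:
        return None
    sql, user = parts[4].rsplit(sep, 1)  # SQL text may itself contain "::"
    return {"name": name, "record": parts[0], "timestamp": parts[1],
            "connection_id": parts[2],  # assumed meaning of the 4th column
            "status": parts[3],         # assumed meaning of the 5th column
            "sql": None if sql == "(null)" else sql, "user": user}

def parse_log(text):
    """Parse every line; lines that do not parse are returned, not dropped."""
    records, rejected = [], []
    for line in text.splitlines():
        rec = parse_line(line)
        (records if rec else rejected).append(rec or line)
    return records, rejected
```

Keeping the rejected lines matters for an audit trail: a line that fails to parse is either truncation or unexpected content and should be reviewed rather than skipped.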


As MySQL Community Manager, I am an employee of Oracle and the views expressed on this blog are my own and do not necessarily reflect the views of Oracle.

You can find articles I wrote on Oracle’s blog.