MariaDB Audit Plugin - Location and Rotation of Logs

Logs can be written to a separate file or to the system logs. If you prefer to have the logging separated from other system information, the value of the variable, server_audit_output_type should be set to file. Incidentally, file is the only option on Windows systems.

You can force a rotation by enabling the server_audit_file_rotate_now variable like so:

SET GLOBAL server_audit_file_rotate_now = ON;

Separate log files

In addition to setting server_audit_output_type, you will have to provide the file path and name of the audit file. This is set in the variable, server_audit_file_path. You can set the file size limit of the log file with the variable, server_audit_file_rotate_size.

So, if rotation is on and the log file has reached the size limit you set, a copy is created with a consecutive number as extension, the original file will be truncated to be used for the auditing again. To limit the number of log files created, set the variable, server_audit_file_rotations. You can force log file rotation by setting the variable, server_audit_file_rotate_now to a value of ON. When the number of files permitted is reached, the oldest file will be overwritten. Below is an example of how the variables described above might be set in a server's configuration files:

[mysqld]
...
server_audit_file_rotate_now=ON 
server_audit_file_rotate_size=1000000 
server_audit_file_rotations=5
...

System logs

For security reasons, it's better sometimes to use the system logs instead of a local file owned by the mysql user. To do this, the value of server_audit_output_type needs to be set to syslog. Advanced configurations, such as using a remote syslogd service, are part of the syslogd configuration.

The variables, server_audit_syslog_ident and server_audit_syslog_info can be used to identify a system log entry made by the audit plugin. If a remote syslogd service is used for several MariaDB servers, these same variables are also used to identify the MariaDB server.

Below is an example of a system log entry taken from a server which had server_audit_syslog_ident set to the default value of mysql­-server_auditing, and server_audit_syslog_info set to <prod1>.

Aug 717:19:58localhostmysql-­server_auditing: 
<prod1> localhost.localdomain,root,localhost,1,7, 
QUERY, mysql, 'SELECT * FROM user',0

Although the default values for server_audit_syslog_facility and server_audit_syslog_priority should be sufficient in most cases, they can be changed based on the definition in syslog.h for the functions openlog() and syslog().

  •  
  • mariadb, audit, plugin, log rotation
  • 0 Users Found This Useful
Was this answer helpful?

Related Articles

 Introducing the MariaDB Audit Plugin

Auditing is an essential task for monitoring your database environment. Auditing...

 MariaDB Audit Plugin

MariaDB and MySQL are used in a broad range of environments, but if you needed to record user...

 MariaDB Audit Plugin - Configuration

After the audit plugin has been installed and loaded, there will be some new global variables...

 MariaDB Audit Plugin - Log Format

The audit plugin logs user access to MariaDB and its objects. The audit trail (i.e., audit log)...

 MariaDB Audit Plugin - Log Settings

Events that are logged by the MariaDB Audit Plugin are grouped generally into different types:...