MySQL Enterprise Audit is a commercial extension. To learn more about commercial products (MySQL Enterprise Edition), see http://www.mysql.com/products/.
In MySQL 5.7, MySQL Enterprise Edition includes MySQL Enterprise Audit, implemented using a server plugin named
audit_log. MySQL Enterprise Audit uses the open MySQL Audit API to enable standard,
policy-based monitoring and logging of connection and query activity executed on specific MySQL servers.
Designed to meet the Oracle audit specification, MySQL Enterprise Audit provides an out of box, easy to use
auditing and compliance solution for applications that are governed by both internal and external regulatory
When installed, the audit plugin enables MySQL Server to produce a log file containing an audit record of server activity. The log contents include when clients connect and disconnect, and what actions they perform while connected, such as which databases and tables they access.
After you install the plugin (see Section 220.127.116.11,
"Installing the Audit Log Plugin"), it writes an audit log file. By default, the file is named
audit.log in the server data directory. To change the name of the file, set the
system variable at server startup.
Audit log file contents are not encrypted. See Section 18.104.22.168, "Audit Log Plugin Security Considerations".
The audit log file is written in XML format, with auditable events encoded as
elements. For details on file format and contents, see Section 22.214.171.124,
"The Audit Log File".
To control what information
audit_log writes to its log file, set the
system variable. By default, this variable is set to
ALL (write all auditable
events), but also permits values of
to log only login or query events, or
NONE to disable logging.
For more information about controlling how logging occurs, see Section 126.96.36.199, "Audit Log Plugin Logging Control". For descriptions of the parameters used to configure the audit log plugin, see Section 188.8.131.52, "Audit Log Plugin Options and Variables".
The Performance Schema (see Chapter 20, MySQL Performance Schema) has instrumentation for the audit log plugin. To identify the relevant instruments, use this query:
SELECT NAME FROM performance_schema.setup_instrumentsWHERE NAME LIKE '%/alog/%';
Several changes were made to the audit log plugin in MySQL 5.7 for better compatibility with Oracle Audit Vault.
The format of the audit log file has changed:
previously written using attributes now is written using subelements.
More information is included in
elements. Every element includes a
RECORD_ID value providing a unique
TIMESTAMP value includes time zone information. Query
USER information. There are
Example of old
<AUDIT_RECORD TIMESTAMP="2013-04-15T15:27:27" NAME="Query" CONNECTION_ID="3" STATUS="0" SQLTEXT="SELECT 1"/>
Example of new format:
<AUDIT_RECORD> <TIMESTAMP>2013-04-15T15:27:27 UTC</TIMESTAMP> <RECORD_ID>3998_2013-04-15T15:27:27</RECORD_ID> <NAME>Query</NAME> <CONNECTION_ID>3</CONNECTION_ID> <STATUS>0</STATUS> <STATUS_CODE>0</STATUS_CODE> <USER>root[root] @ localhost [127.0.0.1]</USER> <OS_LOGIN></OS_LOGIN> <HOST>localhost</HOST> <IP>127.0.0.1</IP> <COMMAND_CLASS>select</COMMAND_CLASS> <SQLTEXT>SELECT 1</SQLTEXT></AUDIT_RECORD>
When the audit log plugin rotates the audit log file, it uses a different file name format. For a log file named
audit.log, the plugin previously renamed the file to
audit.log.. The plugin now renames the file to
audit.log. to indicate
that it is an XML file.
If you previously used an older version of the audit log plugin, use this procedure to avoid writing new-format log entries to an existing log file that contains old-format entries:
Stop the server.
Rename the current audit log file manually. This file will contain only old-format log entries.
Update the server and restart it. The audit log plugin will create a new log file, which will contain only new-format log entries.
The API for writing audit plugins has also changed. The
structure has new members to represent client host name and IP address, command class, and external user. For
more information, see Section 184.108.40.206, "Writing Audit Plugins".