Spec-Zone .ru
спецификации, руководства, описания, API
|
Audit log file contents are not encrypted. See Section 6.3.11.2, "Audit Log Plugin Security Considerations".
The audit log file is written as XML, using UTF-8 (up to 4 bytes per character). The root element is <AUDIT>
. The closing </AUDIT>
tag of the
root element is written when the audit log plugin terminates, so the tag is not present in the file while the
plugin is active.
The root element contains <AUDIT_RECORD>
elements, each of which contains
other elements that provide information about the audited event.
Here is a sample log file, reformatted slightly for readability:
<?xml version="1.0" encoding="UTF-8"?><AUDIT> <AUDIT_RECORD> <TIMESTAMP>2013-04-17T15:03:24 UTC</TIMESTAMP> <RECORD_ID>1_2013-04-17T15:03:24</RECORD_ID> <NAME>Audit</NAME> <SERVER_ID>1</SERVER_ID> <VERSION>1</VERSION> <STARTUP_OPTIONS>/usr/local/mysql/bin/mysqld --socket=/usr/local/mysql/mysql.sock --port=3306</STARTUP_OPTIONS> <OS_VERSION>x86_64-osx10.6</OS_VERSION> <MYSQL_VERSION>5.7.2-m12-log</MYSQL_VERSION> </AUDIT_RECORD> <AUDIT_RECORD> <TIMESTAMP>2013-04-17T15:03:40 UTC</TIMESTAMP> <RECORD_ID>2_2013-04-17T15:03:24</RECORD_ID> <NAME>Connect</NAME> <CONNECTION_ID>2</CONNECTION_ID> <STATUS>0</STATUS> <STATUS_CODE>0</STATUS_CODE> <USER>root</USER> <OS_LOGIN></OS_LOGIN> <HOST>localhost</HOST> <IP>127.0.0.1</IP> <COMMAND_CLASS>connect</COMMAND_CLASS> <PRIV_USER>root</PRIV_USER> <PROXY_USER></PROXY_USER> <DB>test</DB> </AUDIT_RECORD>... <AUDIT_RECORD> <TIMESTAMP>2013-04-17T15:03:41 UTC</TIMESTAMP> <RECORD_ID>4_2013-04-17T15:03:24</RECORD_ID> <NAME>Query</NAME> <CONNECTION_ID>2</CONNECTION_ID> <STATUS>0</STATUS> <STATUS_CODE>0</STATUS_CODE> <USER>root[root] @ localhost [127.0.0.1]</USER> <OS_LOGIN></OS_LOGIN> <HOST>localhost</HOST> <IP>127.0.0.1</IP> <COMMAND_CLASS>drop_table</COMMAND_CLASS> <SQLTEXT>DROP TABLE IF EXISTS t</SQLTEXT> </AUDIT_RECORD> <AUDIT_RECORD> <TIMESTAMP>2013-04-17T15:03:41 UTC</TIMESTAMP> <RECORD_ID>5_2013-04-17T15:03:24</RECORD_ID> <NAME>Query</NAME> <CONNECTION_ID>2</CONNECTION_ID> <STATUS>0</STATUS> <STATUS_CODE>0</STATUS_CODE> <USER>root[root] @ localhost [127.0.0.1]</USER> <OS_LOGIN></OS_LOGIN> <HOST>localhost</HOST> <IP>127.0.0.1</IP> <COMMAND_CLASS>create_table</COMMAND_CLASS> <SQLTEXT>CREATE TABLE t (i INT)</SQLTEXT> </AUDIT_RECORD>... <AUDIT_RECORD> <TIMESTAMP>2013-04-17T15:03:41 UTC</TIMESTAMP> <RECORD_ID>7_2013-04-17T15:03:24</RECORD_ID> <NAME>Quit</NAME> <CONNECTION_ID>2</CONNECTION_ID> <STATUS>0</STATUS> <STATUS_CODE>0</STATUS_CODE> <USER></USER> <OS_LOGIN></OS_LOGIN> <HOST></HOST> <IP></IP> <COMMAND_CLASS>connect</COMMAND_CLASS> </AUDIT_RECORD>... <AUDIT_RECORD> <TIMESTAMP>2013-04-17T15:03:47 UTC</TIMESTAMP> <RECORD_ID>9_2013-04-17T15:03:24</RECORD_ID> <NAME>Shutdown</NAME> <CONNECTION_ID>3</CONNECTION_ID> <STATUS>0</STATUS> <STATUS_CODE>0</STATUS_CODE> <USER>root[root] @ localhost [127.0.0.1]</USER> <OS_LOGIN></OS_LOGIN> <HOST>localhost</HOST> <IP>127.0.0.1</IP> <COMMAND_CLASS></COMMAND_CLASS> </AUDIT_RECORD> <AUDIT_RECORD> <TIMESTAMP>2013-04-17T15:03:47 UTC</TIMESTAMP> <RECORD_ID>10_2013-04-17T15:03:24</RECORD_ID> <NAME>Quit</NAME> <CONNECTION_ID>3</CONNECTION_ID> <STATUS>0</STATUS> <STATUS_CODE>0</STATUS_CODE> <USER></USER> <OS_LOGIN></OS_LOGIN> <HOST></HOST> <IP></IP> <COMMAND_CLASS>connect</COMMAND_CLASS> </AUDIT_RECORD> <AUDIT_RECORD> <TIMESTAMP>2013-04-17T15:03:49 UTC</TIMESTAMP> <RECORD_ID>11_2013-04-17T15:03:24</RECORD_ID> <NAME>NoAudit</NAME> <SERVER_ID>1</SERVER_ID> </AUDIT_RECORD></AUDIT>
Elements within <AUDIT_RECORD>
elements have these characteristics:
Some elements appear in every <AUDIT_RECORD>
element, but many are optional and do not necessarily appear in every element.
Order of elements within an <AUDIT_RECORD>
element is not guaranteed.
Element values are not fixed length. Long values may be truncated as indicated in the element descriptions given later.
The <
, >
, "
, and &
characters are encoded as <
, >
, "
,
and &
, respectively. NUL bytes (U+00) are encoded as the ?
character.
Characters not valid as XML characters are encoded using numeric character references. Valid XML characters are:
#x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
Every <AUDIT_RECORD>
element contains a set of mandatory elements. Other
optional elements may appear, depending on the audit record type.
The following elements are mandatory in every <AUDIT_RECORD>
element:
<NAME>
A string representing the type of instruction that generated the audit event, such as a command that the server received from a client.
Example:
<NAME>Query</NAME>
Some common <NAME>
values:
Audit When auditing starts, which may be server startup timeConnect When a client connects, also known as logging inQuery An SQL statement (executed directly)Prepare Preparation of an SQL statement; usually followed by ExecuteExecute Execution of an SQL statement; usually follows PrepareShutdown Server shutdownQuit When a client disconnectsNoAudit Auditing has been turned off
The possible values are Audit
, Binlog Dump
,
Change user
, Close stmt
, Connect Out
, Connect
, Create DB
, Daemon
, Debug
, Delayed insert
, Drop DB
, Execute
, Fetch
,
Field List
, Init DB
, Kill
, Long Data
, NoAudit
,
Ping
, Prepare
, Processlist
,
Query
, Quit
, Refresh
, Register Slave
, Reset stmt
, Set option
, Shutdown
, Sleep
, Statistics
,
Table Dump
, Time
.
With the exception of Audit
and NoAudit
,
these values correspond to the COM_
command values listed in the xxx
mysql_com.h
header file. For example, Create
DB
and Shutdown
correspond to COM_CREATE_DB
and COM_SHUTDOWN
, respectively.
<RECORD_ID>
A unique identifier for the audit record. The value is composed from a sequence number and
timestamp, in the format
. The sequence number is
initialized to the size of the audit log file at the time the audit log plugin opens it and
increments by 1 for each record logged. The timestamp is a UTC value in SEQ_TIMESTAMP
format indicating the time when the
audit log plugin opened the file. yyyy-mm-dd
Thh:mm:ss
Example:
<RECORD_ID>28743_2013-04-18T21:03:24</RECORD_ID>
<TIMESTAMP>
The date and time that the audit event was generated. For example, the event corresponding to
execution of an SQL statement received from a client has a
<TIMESTAMP>
value occurring after the statement finishes, not when it is received.
The value has the format
(with yyyy-mm-dd
Thh:mm:ss
UTCT
, no decimals). The format includes a time zone specifier at the
end. Currently, the time zone is always UTC.
Example:
<TIMESTAMP>2013-04-17T15:03:49 UTC</TIMESTAMP>
The following elements are optional in <AUDIT_RECORD>
elements. Many of them
occur only with specific <NAME>
values.
<COMMAND_CLASS>
A string that indicates the type of action performed.
Example:
<COMMAND_CLASS>drop_table</COMMAND_CLASS>
The values come from the com_status_vars
array in the sql/mysqld.cc
file in a MySQL source distribution. They correspond to
the status variables displayed by this statment:
SHOW STATUS LIKE 'Com%';
<CONNECTION_ID>
An unsigned integer representing the client connection identifier. This is the same as the CONNECTION_ID()
function value within the session.
Example:
<CONNECTION_ID>127</CONNECTION_ID>
<DB>
A string representing the default database name. This element appears only if the <NAME>
value is Connect
or Change user
.
<HOST>
A string representing the client host name. This element appears only if the
<NAME>
value is Connect
, Change
user
, or Query
.
Example:
<HOST>localhost</HOST>
<IP>
A string representing the client IP address. This element appears only if the
<NAME>
value is Connect
, Change
user
, or Query
.
Example:
<IP>127.0.0.1</IP>
<MYSQL_VERSION>
A string representing the MySQL server version. This is the same as the value of the VERSION()
function or version
system variable. This element appears only if the <NAME>
value is Audit
.
Example:
<MYSQL_VERSION>5.7.1-m11-log</MYSQL_VERSION>
<OS_LOGIN>
A string representing the external user (empty if none). The value may differ from the <USER>
value, for example, if the server authenticates the client
using an external authentication method. This element appears only if the <NAME>
value is Connect
, Change user
, or Query
.
<OS_VERSION>
A string representing the operating system on which the server was built or is running. This element
appears only if the <NAME>
value is Audit
.
Example:
<OS_VERSION>x86_64-Linux</OS_VERSION>
<PRIV_USER>
A string representing the user that the server authenticated the client as. This is the user name
that the server uses for privilege checking, and may differ from the <USER>
value. This element appears only if the <NAME>
value is Connect
or Change user
.
<PROXY_USER>
A string representing the proxy user. The value is empty if user proxying is not in effect. This
element appears only if the <NAME>
value is Connect
or Change user
.
<SERVER_ID>
An unsigned integer representing the server ID. This is the same as the value of the server_id
system variable. This element appears only if the <NAME>
value is Audit
or NoAudit
.
Example:
<SERVER_ID>1</SERVER_ID>
<SQLTEXT>
A string representing the text of an SQL statement. The value can be empty. Long values may be
truncated. This element appears only if the <NAME>
value is Query
or Execute
.
The string, like the audit log file itself, is written using UTF-8 (up to 4 bytes per character), so the value may be the result of conversion. For example, the original statement might have been received from the client as an SJIS string.
Example:
<SQLTEXT>DELETE FROM t1</SQLTEXT>
<STARTUP_OPTIONS>
A string representing the options that were given on the command line or in option files when the
MySQL server was started. This element appears only if the <NAME>
value is Audit
.
Example:
<STARTUP_OPTIONS>/usr/local/mysql/bin/mysqld --port=3306 --log-output=FILE</STARTUP_OPTIONS>
<STATUS>
An unsigned integer representing the command status: 0 for success, nonzero if an error occurred.
This is the same as the value of the mysql_errno()
C API function.
The audit log does not contain the SQLSTATE value or error message. To see the associations between error codes, SQLSTATE values, and messages, see Section C.3, "Server Error Codes and Messages".
Warnings are not logged.
Example:
<STATUS>1051</STATUS>
<STATUS_CODE>
An unsigned integer representing the command status: 0 for success, 1 if an error occurred.
Example:
<STATUS_CODE>0</STATUS_CODE>
<USER>
A string representing the user name sent by the client. This may differ from the <PRIV_USER>
value. This element appears only if the <NAME>
value is Connect
, Change user
, or Query
.
Example:
<USER>root[root] @ localhost [127.0.0.1]</USER>
<VERSION>
An unsigned integer representing the version of the audit log file format. This element appears only
if the <NAME>
value is Audit
.
Example:
<VERSION>1</VERSION>