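As a DBA, you will sometimes find that a database, a table, or a column is in an abnormal state, or that data has been deleted for no apparent reason. Everyone then starts guessing: is it a bug? Have we been hacked? This is when an audit feature proves its worth.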

MariaDB has good support for the audit plugin (server_audit.so). Today we will do a simple installation and test.

Installation is simple: INSTALL SONAME "server_audit.so";

 

That completes the installation. We can now look at the corresponding system variables.


All of these parameters and variables can be set dynamically. For a description of each one, see the official documentation: https://mariadb.com/kb/en/mariadb/server_audit-system-variables/

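Usually it is enough to set the following parameters:

set global server_audit_events = QUERY;  /* this parameter has three values: connect, table, query */

set global server_audit_file_rotate_size = 524288000;  /* size of each log file */

set global server_audit_file_rotations = 200;  /* number of rotated log files to keep */

set global server_audit_file_path = "/data/mysql/auditlog/server_audit.log";  /* log file path. The directory /data/mysql/auditlog/ must exist and be owned by mysql (chown mysql.mysql); otherwise, once auditing is enabled, MySQL will report errors and the service may even go down! */

set global server_audit_logging = 1;  /* enable auditing. Strongly recommended: enable it only after the other parameters have been set */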

Once they are set, add the same parameters to the configuration file:


server_audit_logging = 1

server_audit_events = QUERY

server_audit_file_rotate_size = 524288000

server_audit_file_rotations = 200

server_audit_file_path = /data/mysql/auditlog/server_audit.log

Now let's look at the actual results and compare the logs produced by the three values of server_audit_events: connect, table, and query.

1. With server_audit_events = query


Log contents:
20161229 11:35:39,localhost.localdomain,root,localhost,42,745,QUERY,mysql,'show databases',0
20161229 11:35:55,localhost.localdomain,root,localhost,42,746,QUERY,mysql,'create database yhtest',0
20161229 11:36:03,localhost.localdomain,root,localhost,42,747,QUERY,mysql,'SELECT DATABASE()',0
20161229 11:36:03,localhost.localdomain,root,localhost,42,749,QUERY,yhtest,'show databases',0
20161229 11:36:03,localhost.localdomain,root,localhost,42,750,QUERY,yhtest,'show tables',0
20161229 11:36:42,localhost.localdomain,root,localhost,42,751,QUERY,yhtest,'create table yhtest(a int primary ,b int)',1064
20161229 11:36:56,localhost.localdomain,root,localhost,42,752,QUERY,yhtest,'create table yhtest(a int primary key ,b int)',0
20161229 11:37:35,localhost.localdomain,root,localhost,42,753,QUERY,yhtest,'insert into yhtest value(1,1),(2,2),(3,3)',0
20161229 11:37:46,localhost.localdomain,root,localhost,42,754,QUERY,yhtest,'select * from yhtest',0
20161229 11:38:07,localhost.localdomain,root,localhost,42,755,QUERY,yhtest,'delete from yhtest where a=1',0
20161229 11:38:15,localhost.localdomain,root,localhost,42,756,QUERY,yhtest,'drop table yhtest',0
20161229 15:45:07,localhost.localdomain,root,localhost,42,757,QUERY,yhtest,'show variables like \'server%\'',0


2. With server_audit_events = connect

20161229 16:09:50,localhost.localdomain,root,localhost,42,0,DISCONNECT,yhtest,,0
20161229 16:09:54,localhost.localdomain,root,localhost,43,0,CONNECT,,,0
20161229 16:11:37,localhost.localdomain,root,localhost,43,0,DISCONNECT,yhtest2,,0
20161229 16:11:39,localhost.localdomain,root,localhost,44,0,CONNECT,,,0
20161229 16:12:06,localhost.localdomain,root,localhost,44,0,DISCONNECT,mysql,,0

3. With server_audit_events = table

20161229 16:17:52,localhost.localdomain,root,localhost,47,857,CREATE,yhtest,t2,
20161229 16:17:59,localhost.localdomain,root,localhost,47,858,WRITE,mysql,table_stats,
20161229 16:17:59,localhost.localdomain,root,localhost,47,858,WRITE,mysql,column_stats,
20161229 16:17:59,localhost.localdomain,root,localhost,47,858,WRITE,mysql,index_stats,
20161229 16:17:59,localhost.localdomain,root,localhost,47,858,DROP,yhtest,t2,
20161229 16:18:04,localhost.localdomain,root,localhost,47,859,CREATE,yhtest,t3,
20161229 16:18:27,localhost.localdomain,root,localhost,47,860,WRITE,yhtest,t3,
20161229 16:19:04,localhost.localdomain,root,localhost,47,861,WRITE,yhtest,t3,
20161229 16:19:18,localhost.localdomain,root,localhost,47,862,WRITE,mysql,table_stats,
20161229 16:19:18,localhost.localdomain,root,localhost,47,862,WRITE,mysql,column_stats,
20161229 16:19:18,localhost.localdomain,root,localhost,47,862,WRITE,mysql,index_stats,
20161229 16:19:18,localhost.localdomain,root,localhost,47,862,DROP,yhtest,t3,

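As the logs above show, query is generally sufficient. One thing to watch when using this plugin is disk space: if the database is busy, it can generate a large volume of logs!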
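
An added example, not part of the original post: a small Python parser for the log format shown above that lists the events which removed data. The function names and the choice of DELETE/DROP/TRUNCATE as "destructive" are assumptions of this example; the sample lines are taken from the excerpts on this page.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample: lines taken from the log excerpts on this page.
SAMPLE_LOG = r"""20161229 11:37:35,localhost.localdomain,root,localhost,42,753,QUERY,yhtest,'insert into yhtest value(1,1),(2,2),(3,3)',0
20161229 11:38:07,localhost.localdomain,root,localhost,42,755,QUERY,yhtest,'delete from yhtest where a=1',0
20161229 11:38:15,localhost.localdomain,root,localhost,42,756,QUERY,yhtest,'drop table yhtest',0
20161229 15:45:07,localhost.localdomain,root,localhost,42,757,QUERY,yhtest,'show variables like \'server%\'',0
20161229 16:09:54,localhost.localdomain,root,localhost,43,0,CONNECT,,,0
20161229 16:17:59,localhost.localdomain,root,localhost,47,858,DROP,yhtest,t2,
"""

class AuditRecord(NamedTuple):
    timestamp: str
    serverhost: str
    user: str
    host: str
    connection_id: int
    query_id: int
    operation: str
    database: str
    obj: str                 # SQL text (QUERY) or table name (TABLE events)
    retcode: Optional[int]   # None when the field is empty (TABLE events)

def parse_line(line: str) -> AuditRecord:
    # Only the object field (the SQL text) may contain commas, so take eight
    # fields from the left and the return code from the right.
    *head, tail = line.rstrip("\n").split(",", 8)
    obj, _, code = tail.rpartition(",")
    if len(obj) >= 2 and obj[0] == obj[-1] == "'":
        obj = obj[1:-1].replace("\\'", "'")   # unquote and undo \' escaping
    ts, srv, user, host, conn, qid, op, db = head
    return AuditRecord(ts, srv, user, host, int(conn), int(qid), op, db, obj,
                       int(code) if code else None)

def parse_log(text: str) -> List[AuditRecord]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]

# Assumption: "destructive" here means DELETE / DROP / TRUNCATE statements.
DESTRUCTIVE = re.compile(r"^\s*(delete|drop|truncate)\b", re.IGNORECASE)

def destructive_events(records: List[AuditRecord]) -> List[AuditRecord]:
    return [r for r in records
            if (r.operation == "QUERY" and DESTRUCTIVE.match(r.obj))
            or r.operation == "DROP"]

if __name__ == "__main__":
    for r in destructive_events(parse_log(SAMPLE_LOG)):
        print(r.timestamp, r.user, r.host, r.database, r.obj)
```

Splitting each line naively on every comma would break the insert statement above into several fields, which is why the parser splits from both ends.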