Rechercher dans le manuel MySQL

6.4.5.6 Reading Audit Log Files

Contents

The audit log plugin supports user-defined functions that provide an SQL interface for reading JSON-format audit log files. (This capability does not apply to log files written in other formats.)

When the audit log plugin initializes and is configured for JSON logging, it uses the directory containing the current audit log file as the location to search for readable audit log files. The plugin determines the file location, base name, and suffix from the value of the audit_log_file system variable, then looks for files with names that match the following pattern, where [...] indicates optional file name parts: 

basename[.timestamp].suffix[.gz][[.pwd_id].enc]

If a file name ends with .enc, the file is encrypted and reading its unencrypted contents requires a decryption password obtained from the keyring. The audit log plugin determines the keyring ID of the decryption password as follows:

  • If .enc is preceded by pwd_id, the keyring ID is audit_log-pwd_id.

  • If .enc is not preceded by pwd_id, the file has an old name from before audit log encryption password history was implemented. The keyring ID is audit_log.

For more information about encrypted audit log files, see Encrypting Audit Log Files.

The plugin ignores files that have been renamed manually and do not match the pattern, and files that were encrypted with a password no longer available in the keyring. The plugin opens each remaining candidate file, verifies that the file actually contains JSON audit events, and sorts the files using the timestamps from the first event of each file. The result is a sequence of files that are subject to access using the log-reading user-defined functions (UDFs):

audit_log_read() takes an optional JSON string argument, and the result returned from a successful call to either function is a JSON string.

To use the functions to read the audit log, follow these principles:

  • Call audit_log_read() to read events beginning from a given position or the current position, or to close reading:

    • To initialize an audit log read sequence, pass an argument that indicates the position at which to begin. One way to do so is to pass the bookmark returned by audit_log_read_bookmark(): 

      1. SELECT audit_log_read(audit_log_read_bookmark());

    • To continue reading from the current position in the sequence, call audit_log_read() with no position specified: 

      1. SELECT audit_log_read();

    • To explicitly close the read sequence, pass a JSON null argument: 

      1. SELECT audit_log_read('null');

      It is unnecessary to close reading explicitly. Reading is closed implicitly when the session ends or a new read sequence is initialized by calling audit_log_read() with an argument that indicates the position at which to begin.

  • A successful call to audit_log_read() to read events returns a JSON string containing an array of audit events:

    • If the final value of the returned array is not a JSON null value, there are more events following those just read and audit_log_read() can be called again to read more of them.

    • If the final value of the returned array is a JSON null value, there are no more events left to be read in the current read sequence.

    Each non-null array element is an event represented as a JSON hash. For example: 

    [
  {
    "timestamp": "2020-05-18 13:39:33", "id": 0,
    "class": "connection", "event": "connect",
    ...
  },
  {
    "timestamp": "2020-05-18 13:39:33", "id": 1,
    "class": "general", "event": "status",
    ...
  },
  {
    "timestamp": "2020-05-18 13:39:33", "id": 2,
    "class": "connection", "event": "disconnect",
    ...
  },
  null
]

    For more information about JSON-format audit events, see JSON Audit Log File Format.

  • An audit_log_read() call to read events that does not specify a position produces an error under any of these conditions:

    • A read sequence has not yet been initialized by passing a position to audit_log_read().

    • There are no more events left to be read in the current read sequence; that is, audit_log_read() previously returned an array ending with a JSON null value.

    • The most recent read sequence has been closed by passing a JSON null value to audit_log_read().

    To continue reading events in these cases, it is necessary to initialize a new read sequence by calling audit_log_read() with an argument that specifies a position.

To specify a position to audit_log_read(), pass a bookmark, which is a JSON hash containing timestamp and id elements that uniquely identify a particular event. Here is an example bookmark, obtained by calling the audit_log_read_bookmark() function: 

  1. mysql> SELECT audit_log_read_bookmark();
  2. +-------------------------------------------------+
  3. | audit_log_read_bookmark()                       |
  4. +-------------------------------------------------+
  5. | { "timestamp": "2020-05-18 21:03:44", "id": 0 } |
  6. +-------------------------------------------------+

Passing the current bookmark to audit_log_read() initializes event reading beginning at the bookmark position: 

  1. mysql> SELECT audit_log_read(audit_log_read_bookmark());
  2. +-----------------------------------------------------------------------+
  3. | audit_log_read(audit_log_read_bookmark())                             |
  4. +-----------------------------------------------------------------------+
  5. | [ {"timestamp":"2020-05-18 22:41:24","id":0,"class":"connection", ... |
  6. +-----------------------------------------------------------------------+

The argument to audit_log_read() is optional. If present, it can be a JSON null value to close the read sequence, or a JSON hash containing optional items that indicate a read position and how much to read. The following items are significant (other items are ignored):

  • timestamp, id: The position within the audit log of the first event to read. If the position is omitted from the argument, reading continues from the current position. The timestamp and id items together comprise a bookmark that uniquely identify a particular event. If an audit_log_read() argument includes either item, it must include both to completely specify a position or an error occurs.

  • max_array_length: The maximum number of events to read from the log. If this item is omitted, the default is to read to the end of the log or until the read buffer is full, whichever comes first.

A JSON string returned from either log-reading function can be manipulated as necessary. Suppose that a call to obtain a bookmark produces this value: 

  1. mysql> SET @mark := audit_log_read_bookmark();
  2. mysql> SELECT @mark;
  3. +-------------------------------------------------+
  4. | @mark                                           |
  5. +-------------------------------------------------+
  6. | { "timestamp": "2020-05-18 16:10:28", "id": 2 } |
  7. +-------------------------------------------------+

Calling audit_log_read() with that argument can return multiple events. To limit audit_log_read() to reading at most N events, add to the string a max_array_length item with that value. For example, to read a single event, modify the string as follows: 

  1. mysql> SET @mark := JSON_SET(@mark, '$.max_array_length', 1);
  2. mysql> SELECT @mark;
  3. +----------------------------------------------------------------------+
  4. | @mark                                                                |
  5. +----------------------------------------------------------------------+
  6. | {"id": 2, "timestamp": "2020-05-18 16:10:28", "max_array_length": 1} |
  7. +----------------------------------------------------------------------+

The modified string, when passed to audit_log_read(), produces a result containing at most one event, no matter how many are available.

To read a specific number of events beginning at the current position, pass a JSON hash that includes a max_array_length value but no position. This statement invoked repeatedly returns five events each time until no more events are available: 

  1. SELECT audit_log_read('{"max_array_length": 5}');

Prior to MySQL 8.0.19, string return values from audit log UDFs are binary strings. To use a binary string with functions that require a nonbinary string (such as functions that manipulate JSON values), convert it to a nonbinary string. For example, before passing a bookmark to JSON_SET(), convert it to utf8mb4 as follows: 

  1. SET @mark = CONVERT(@mark USING utf8mb4);

That statement can be used even for MySQL 8.0.19 and higher; for those versions, it is essentially a no-op and is harmless.

To set a limit on the number of bytes that audit_log_read() reads, set the audit_log_read_buffer_size system variable. As of MySQL 8.0.12, this variable has a default of 32KB and can be set at runtime. Each client should set its session value of audit_log_read_buffer_size appropriately for its use of audit_log_read().

Each call to audit_log_read() returns as many available events as fit within the buffer size. Events that do not fit within the buffer size are skipped and generate warnings. Given this behavior, consider these factors when assessing the proper buffer size for an application:

  • There is a tradeoff between number of calls to audit_log_read() and events returned per call:

    • With a smaller buffer size, calls return fewer events, so more calls are needed.

    • With a larger buffer size, calls return more events, so fewer calls are needed.

  • With a smaller buffer size, such as the default size of 32KB, there is a greater chance that events will exceed the buffer size and be skipped.

Prior to MySQL 8.0.12, audit_log_read_buffer_size has a default of 1MB, affects all clients, and can be changed only at server startup.

For additional information about audit log-reading functions, see Audit Log Functions.


Find a PHP function

Document created the 26/06/2006, last modified the 26/10/2018
Source of the printed document:https://www.gaudry.be/en/mysql-rf-audit-log-file-reading.html

The infobrol is a personal site whose content is my sole responsibility. The text is available under CreativeCommons license (BY-NC-SA). More info on the terms of use and the author.

References

  1. View the html document Language of the document:en Manuel MySQL : https://dev.mysql.com/

These references and links indicate documents consulted during the writing of this page, or which may provide additional information, but the authors of these sources can not be held responsible for the content of this page.
The author This site is solely responsible for the way in which the various concepts, and the freedoms that are taken with the reference works, are presented here. Remember that you must cross multiple source information to reduce the risk of errors.

Contents Haut