-
2021-02-02 15:03:14
1、mysql配置文件
$ cat mysql.cfg
[3306]
ip=xxx.xxx.xxxx.xxx
user=root
pass=xxxxx
port=3306
auditlog=/home/mysql/data/mysql-audit.json
socket=/tmp/mysql.sock
2、函数文件,主要是日志函数
[mysql@trs bin]$ cat common.sh
#!/bin/sh
logger(){
local info="$*"
echo "[`date +'%Y/%m/%d %H:%M:%S'`] $info"
}
logger
3、获取my.cnf中的配置
#!/bin/sh
. /etc/profile
. ~/.bash_profile
#根据配置文件、section、item,得到item对应的value
#其中$1 为section,$2为item,$3为配置文件
getvalue()
{
awk -F '=' '/\['$1'\]/{a=1}a==1&&$1~/'$2'/{print $2;exit}' $3 |sed 's/ *$//g'|sed 's/^ *//g'
}
getconfig()
{
SECTION=$1
CONFILE=$2
#一个段中的名值对,必须实现把所有的都列出来
ENDPRINT="user pass port auditlog ip socket"
dd=`date +'%Y%m%d'`
for loop in $ENDPRINT
do
case $loop in
"user")
#user=`awk -F '=' '/\['$SECTION'\]/{a=1}a==1&&$1~/'$loop'/{print $2;exit}' $CONFILE |sed 's/ *$//g'|sed 's/^ *//g'`
user=`getvalue $SECTION $loop $CONFILE`
;;
"pass")
pass=`getvalue $SECTION $loop $CONFILE`
;;
"port")
port=`getvalue $SECTION $loop $CONFILE`
;;
"auditlog")
auditlog=`getvalue $SECTION $loop $CONFILE`
;;
"ip")
host=`getvalue $SECTION $loop $CONFILE`
;;
"socket")
socket=`getvalue $SECTION $loop $CONFILE`
;;
esac
#auditlog=`grep $auditlog config.ini |awk -F '=' '{print $2}'|sed 's/ *$//g'|sed 's/^ *//g'`
done
logdir=$AUD_HOME/logs/$host:$port
[ ! -d $logdir ] && mkdir -p $logdir
( $AUD_HOME/bin/audit_logrotate.sh $user $pass $auditlog $host $port $socket >>$logdir/${host}:${port}_$dd 2>&1 )
}
bdir=`dirname $0`
cd $bdir >/dev/null
AUD_HOME=`dirname $PWD`
cd - >/dev/null
PATH=$AUD_HOME/bin:$PATH
export PATH AUD_HOME
config=$AUD_HOME/config/mysql.cfg
dd=`date +'%Y%m%d'`
#获取配置文件中的段名称,如存在[3306]、[3307],会得到3306和3307
section=`grep "^\[.*\]$" $config|grep -o "[[:digit:]]\{4,\}" | xargs`
for OneCom in $section
do
getconfig $OneCom $config
done
#删除过期的日志
find $AUD_HOME/mysql_audit/* -ctime +10 |xargs rm -rf;
find $AUD_HOME/logs -ctime +10 -exec rm {} \;
4、根据my.cnf的值生成审计日志
$ cat audit_logrotate.sh
#!/bin/bash
AUD_HOME=${AUD_HOME:-/home/mysql/audit_archive}
. $AUD_HOME/bin/common.sh
tt=`date +%Y%m%d%H%M%S`
user=$1
pass=$2
auditlog=$3
host=$4
port=$5
socket=$6
dd=`date +'%Y%m%d'`
root=mysql_audit
logserver=172.30.4.104
logrotate(){
if [ -s $3 ]; then
mv $3 $4
chmod o+r $4
echo "set global audit_json_file_flush=ON;" | mysql -u$1 -p$2 -S $5
else
logger $3 is empty, not need rotate!
exit
fi
}
logger $host $port
dir=$AUD_HOME/$root/${host}:${port}/$dd
[ ! -d $dir ] && mkdir -p $dir
file=mysql-audit.json$tt
out=$dir/$file
logrotate $user $pass $auditlog $out $socket
logger rotate mysql audit to file $out
( $AUD_HOME/bin/rsynclog.sh $AUD_HOME/$root/${host}:${port} $logserver $root)
更多相关内容 -
Mysql审计日志
2021-10-13 16:57:56Mysql审计日志 1、下载mariadb-5.5.56-linux-x86_64.tar.gz解压获取server_audit.so插件 下载链接:https://downloads.mariadb.org/mariadb-galera/5.5.56/#file_type=source 2、登录MySQL,执行命令获取MySQL的...展开全文Mysql审计日志
1、下载mariadb-5.5.56-linux-x86_64.tar.gz解压获取server_audit.so插件
下载链接:https://downloads.mariadb.org/mariadb-galera/5.5.56/#file_type=source
2、登录MySQL,执行命令获取MySQL的plugin目录
mysql> SHOW GLOBAL VARIABLES LIKE 'plugin_dir'; +---------------+--------------------------+ | Variable_name | Value | +---------------+--------------------------+ | plugin_dir | /usr/lib64/mysql/plugin/ | +---------------+--------------------------+ 1 row in set (0.02 sec)3、将server_audit.so上传到 /usr/lib64/mysql/plugin/下
4、在命令下安装server_audit.so
mysql> INSTALL PLUGIN server_audit SONAME 'server_audit.so';5、查看变量开启设置情况,默认貌似都是关闭的
mysql> show variables like '%audit%';6、编辑my.cnf,添加配置
/etc/my.cnf
server_audit_events='CONNECT,QUERY,TABLE,QUERY_DDL,QUERY_DML,QUERY_DCL' 备注:指定哪些操作被记录到日志文件中 server_audit_logging=on server_audit_file_path =/data/mysql/auditlogs/ 备注:审计日志存放路径,该路径下会生成一个server_audit.log文件,就会记录相关操作记录了 server_audit_file_rotate_size=200000000 server_audit_file_rotations=200 server_audit_file_rotate_now=ON注意:server_audit_file_path =/data/mysql/auditlogs/的目录需要开启权限 chmod 777 /data/mysql/auditlogs/ ,并且要关闭SElinux,否则无法生成日志。
7、重启服务,service mysqld restart
登录MySQL后发现,在MySQL环境下执行的任何命令都被记录到/data/mysql/auditlogs/server_audit.log,如果日志文件达到指定的大小,会自动切割
mysql> show variables like '%audit%';日志为:
20170516 23:21:23,salt-master,audit_log_user,localhost,4,19,QUERY,‘show variables like ‘%audit%’’,08、参数说明:
详细请参考:https://mariadb.com/kb/en/mariadb/server_audit-system-variables/
server_audit_output_type:指定日志输出类型,可为SYSLOG或FILE server_audit_logging:启动或关闭审计 server_audit_events:指定记录事件的类型,可以用逗号分隔的多个值(connect,query,table),如果开启了查询缓存(query cache),查询直接从查询缓存返回数据,将没有table记录 server_audit_file_path:如server_audit_output_type为FILE,使用该变量设置存储日志的文件,可以指定目录,默认存放在数据目录的server_audit.log文件中 server_audit_file_rotate_size:限制日志文件的大小 server_audit_file_rotations:指定日志文件的数量,如果为0日志将从不轮转 server_audit_file_rotate_now:强制日志文件轮转 server_audit_incl_users:指定哪些用户的活动将记录,connect将不受此变量影响,该变量比server_audit_excl_users优先级高 server_audit_syslog_facility:默认为LOG_USER,指定facility server_audit_syslog_ident:设置ident,作为每个syslog记录的一部分 server_audit_syslog_info:指定的info字符串将添加到syslog记录 server_audit_syslog_priority:定义记录日志的syslogd priority server_audit_excl_users:该列表的用户行为将不记录,connect将不受该设置影响 server_audit_mode:标识版本,用于开发测试9、卸载server_audit
mysql> UNINSTALL PLUGIN server_audit; mysql> show variables like '%audit%'; Empty set (0.00 sec)防止server_audit 插件被卸载,需要在配置文件中添加:
[mysqld] server_audit=FORCE_PLUS_PERMANENT重启MySQL生效
值得注意的是,应该在server_audit插件被安装好,并且已经运行之后添加这些配置,否则过早在配置文件添加这个选项,会导致MySQL发生启动错误!
mysql> UNINSTALL PLUGIN server_audit; ERROR 1702 (HY000): Plugin 'server_audit' is force_plus_permanent and can not be unloaded
-
MySQL审计日志
2018-09-19 18:27:35数据库审计能够实时记录网络上的数据库活动,对数据库操作进行细粒度审计的合规性管理,对数据库遭受到的...MySQL官网的收费组件需要购买企业版才可以使用审计功能。下面利用第三方开源审计插件 libaudit_plugin....展开全文数据库审计能够实时记录网络上的数据库活动,对数据库操作进行细粒度审计的合规性管理,对数据库遭受到的风险行为进行警告,对攻击行为进行阻断。它通过对用户访问数据库行为的记录、分析和汇报,用来帮助用户时候生成合规报告、事故追根溯源,同时加强内外部数据库网络行为记录,提高数据资产安全。
MySQL官网的收费组件需要购买企业版才可以使用审计功能。下面利用第三方开源审计插件 libaudit_plugin.so 在 MySQL 5.7 上完成审计工作。
下载地址 https://bintray.com/mcafee/mysql-audit-plugin/release/1.1.4-725#files
解压插件包
# unzip audit-plugin-mysql-5.7-1.1.4-725.zip
将解压好的插件复制到 MySQL 的插件目录下
# cd audit-plugin-mysql-5.7-1.1.4-725/lib/
# cp libaudit_plugin.so /usr/local/mysql/lib/plugin/
安装插件
root@localhost 18:18: [(none)]> install plugin audit soname 'libaudit_plugin.so';
查看插件功能是否开启
root@localhost 18:19: [(none)]> show variables like '%audit_json_file%';
+-------------------------+-------+
| Variable_name | Value |
+-------------------------+-------+
| audit_json_file | OFF |
| audit_json_file_bufsize | 1 |
| audit_json_file_flush | OFF |
| audit_json_file_retry | 60 |
| audit_json_file_sync | 0 |
+-------------------------+-------+
5 rows in set (0.00 sec)开启插件功能
root@localhost 18:20: [(none)]> set global audit_json_file = 1;
Query OK, 0 rows affected (0.00 sec)root@localhost 18:20: [(none)]> show variables like '%audit_json_file%';
+-------------------------+-------+
| Variable_name | Value |
+-------------------------+-------+
| audit_json_file | ON |
| audit_json_file_bufsize | 1 |
| audit_json_file_flush | OFF |
| audit_json_file_retry | 60 |
| audit_json_file_sync | 0 |
+-------------------------+-------+
5 rows in set (0.00 sec)OK,现在在 MySQL 目录下会多出一个审计日志
# ls /usr/local/mysql/data/mysql-audit.json
查看 mysql-audit.json 文件,可以找到操作SQL语句的用户名、主机地址。这可以让在数据库上做了坏事又不认账的人无法赖账,起到了对操作数据库很好的监控效果。
比如现在有一个家伙,对 scott 库下的 emp 表,做了 select * from emp; 的操作,现在来看下审计日志中的记录。
# cat /usr/local/mysql/data/mysql-audit.json
{"msg-type":"activity","date":"1537352639624","thread-id":"3","query-id":"20","user":"root","priv_user":"root","ip":"","host":"localhost","connect_attrs":{"_os":"Linux","_client_name":"libmysql","_pid":"2201","_client_version":"5.7.18","_platform":"x86_64","program_name":"mysql"},"pid":"2201","os_user":"root","appname":"mysql","rows":"1","cmd":"select","query":"SELECT DATABASE()"}
{"msg-type":"activity","date":"1537352639624","thread-id":"3","query-id":"21","user":"root","priv_user":"root","ip":"","host":"localhost","connect_attrs":{"_os":"Linux","_client_name":"libmysql","_pid":"2201","_client_version":"5.7.18","_platform":"x86_64","program_name":"mysql"},"pid":"2201","os_user":"root","appname":"mysql","rows":"1","cmd":"Init DB","objects":[{"db":"scott","obj_type":"DATABASE"}],"query":"Init DB"}
{"msg-type":"activity","date":"1537352640539","thread-id":"3","query-id":"22","user":"root","priv_user":"root","ip":"","host":"localhost","connect_attrs":{"_os":"Linux","_client_name":"libmysql","_pid":"2201","_client_version":"5.7.18","_platform":"x86_64","program_name":"mysql"},"pid":"2201","os_user":"root","appname":"mysql","rows":"14","cmd":"select","objects":[{"db":"scott","name":"emp","obj_type":"TABLE"}],"query":"select * from emp"}
-
mysql 审计日志表备份及清理
2020-09-11 23:21:16################################################# cat >>/home/backup_audit_log.sh<<EOF #!bin/bash #author conan #read -p "Please input remote ...read -sp "Please input mysql user’s passwor展开全文#################################################
cat >>/home/backup_audit_log.sh<<EOF
#!bin/bash
#author conan
#read -p "Please input remote server: " server
read -p "Please input mysql user: " user
read -sp "Please input mysql user’s password: " password
read -p "Please input mysql databasename: " dbname
read -p "Please input mysql old_tablename will be delete: " old_table
read -p "Please input mysql new_tablename will be create: " new_table
############# get current time
current=date "+%Y-%m-%d %H:%M:%S"
timeStamp=date -d "$current" +%s
currentTimeStamp=$((timeStamp*1000+date "+%N"/1000000))
#echo $currentTimeStamp
############# get 180day before
backtime=expr $currentTimeStamp - 15465600000
#echo $backtime
##############
#mysql -h s e r v e r − u server -u server−uuser -p p a s s w o r d − e " ; " m y s q l − u password -e ";" mysql -u password−e";"mysql−uuser -p$password -e “use $dbname;
create table if not exists $new_table like old_table;
insert into n e w t a b l e s e l e c t ∗ f r o m o l d t a b l e w h e r e l o g T i m e < new_table select * from old_table where logTime< newtableselect∗fromoldtablewherelogTime<backtime;
delete from old_table where logTime<$backtime;”
EOF
sudo chmod 777 /home/backup_audit_log.sh
#################################
sudo echo “0 0 * * * sh /home/backup_audit_log.sh” >> /etc/crontab
############ redhat/centos 7
sudo systemctl restart crond.service &> /dev/null
############ redhat/centos 6
sudo service crond restart &> /dev/null
-
Ubuntu下rsyslog集中收集mysql审计日志
2021-01-19 08:48:32get install software-properties-common python-software-propertiessudo add-apt-repository ppa:adiscon/v8-stablesudo apt-get updatesudo apt-get install rsyslog2、配置目录存储mysql审计日... -
mysql审计日志开启
2019-05-09 15:05:01个人选择了MariaDB Audit Plugin安装到我的MySQL_5.7.18上,以下为具体部署操作:1、下载mariadb-5.5.56-linux-x86_64.tar.gz解压获取server_audit.so插件 2、登录MySQL,执行命令获取MySQL的plugin目录 mysql> ... -
MYSQL_审计日志查看
2021-01-18 18:54:04安装插件# unzipaudit-plugin-percona-5.7-1.1.7-805-linux-x86_64.zip# cd /u01/soft/audit-plugin-percona-5.7-1.1.7-805/lib# cp libaudit_plugin.so /usr/local/mysql/lib/plugin/# cd/... -
mysql清除审计日志
2022-02-23 17:49:38查看审计日志存放的位置 mysql>show variables like ‘general_log’; – 查看日志是否开启 mysql>show variables like ‘general_log_file’; – 看看日志文件保存位置 mysql>show variables like ‘log_... -
MySQL Audit日志审计
2021-01-18 18:54:03一、简介数据库审计能够实时记录网络上的数据库活动,对数据库操作进行细粒度审计的合规性管理,对数据库受到的风险行为进行告警,对攻击行为进行阻断,它通过对用户访问数据库行为的记录、分析和汇报,用来帮助用户... -
mysql的开启审计日志功能
2021-07-14 21:37:011、需要下载审计插件audit-plugin-mysql-5.7-1.1.7-921-linux-x86_64.zip,大量的时间花费到找这个资源了,我上传到博客里,后面的人直接拿走不谢。 2、开始做了 (1)先把整个压缩包上传到linux服务器/opt,然后... -
配置Mysql审计
2021-01-30 21:11:04mysql-audit.json:Mysql审计日志插件下载地址:https://bintray.com/mcafee/mysql-audit-plugin/release/1.1.4-725#files首先查看mysql的插件保存目录:mysql> show global variables like 'plugin_dir';+------... -
MySql开启日志审计功能三种方法——筑梦之路
2021-10-21 17:27:25mysql 日志审计功能有三种方式 1.开启general_log 2.BinLog+Init_connect 3.审计插件 开启general_log set global general_log=on #检查验证 show variables like '%general_log%'; 弊端:只要用户执行了操作... -
Mysql5.7 数据库日志审计功能-附件资源
2021-03-02 15:07:59Mysql5.7 数据库日志审计功能-附件资源 -
Mysql开启审计日志、忽略大小写配置
2021-12-13 20:53:59开启审计日志 1、查看mysql的general_log文件位置及名称; show variables like '%general_log%'; show variables like '%general_log_file%'; 在Mysql命令行执行: SET GLOBAL general_log = 'ON'; -- SET ... -
三级等保 MySQL8.0.24审计日志功能开启
2022-01-21 09:08:55三级等保mysql8.0.24审计日志开启 -
Mysql日志审计工具
2019-06-27 10:00:07Mysql日志审计工具 参考网址:http://www.omgdba.com/mysql-audit-plugin-now-available-in-percona-server-5-5-and-5-6.html 个人感觉审计没啥用处,偶然间看到这个功能总结了解下。 ... -
MySQL之添加日志审计功能
2020-04-14 11:11:29数据库审计主要用于监视并记录对数据库服务器的各类操作行为,并记入审计日志或数据库中以便日后进行跟踪、查询、分析,以实现对用户操作的监控和审计。审计是一项非常重要的工作,也是企业数据安全体系的重要组成... -
MySQL审计audit
2021-01-19 06:42:54导读: MySQL社区版是不带审计功能的,如果要使用MySQL审计,可以考虑使用中间件(例如proxysql)或者是MariaDB的审计插件。这里以MariaDB的审计插件为例,实现MySQL 5.7的审计功能。版本信息 操作系统版本 :CentOS ... -
mysql如何开启审计
2021-01-18 22:16:201.获取到安全审计插件可以下载mariadb后,解压找到server_audit.so我这里下载的mariadb版本是10.42.将server_audit.so 拷贝到mysql插件的路径下[root@localhost plugin]#cp /soft/server_audit.so /opt/mysql57/lib/...
mysql
订阅