MariaDB Audit Plugin - Location and Rotation of Logs
Contents
Logs can be written to a separate file or to the system logs. If you prefer to have the logging separated from other system information, the value of the variable, server_audit_output_type should be set to file. Incidentally, file is the only option on Windows systems.
You can force a rotation by enabling the server_audit_file_rotate_now variable like so:
SET GLOBAL server_audit_file_rotate_now = ON;
Separate log files
In addition to setting server_audit_output_type, you will have to provide the file path and name of the audit file. This is set in the variable, server_audit_file_path. You can set the file size limit of the log file with the variable, server_audit_file_rotate_size.
So, if rotation is on and the log file has reached the size limit you set, a copy is created with a consecutive number as extension, the original file will be truncated to be used for the auditing again. To limit the number of log files created, set the variable, server_audit_file_rotations. You can force log file rotation by setting the variable, server_audit_file_rotate_now to a value of ON. When the number of files permitted is reached, the oldest file will be overwritten. Below is an example of how the variables described above might be set in a server's configuration files:
[mysqld] ... server_audit_file_rotate_now=ON server_audit_file_rotate_size=1000000 server_audit_file_rotations=5 ...
System logs
For security reasons, it's better sometimes to use the system logs instead of a local file owned by the mysql user. To do this, the value of server_audit_output_type needs to be set to syslog. Advanced configurations, such as using a remote syslogd service, are part of the syslogd configuration.
The variables, server_audit_syslog_ident and server_audit_syslog_info can be used to identify a system log entry made by the audit plugin. If a remote syslogd service is used for several MariaDB servers, these same variables are also used to identify the MariaDB server.
Below is an example of a system log entry taken from a server which had server_audit_syslog_ident set to the default value of mysql-server_auditing, and server_audit_syslog_info set to <prod1>.
Aug 717:19:58localhostmysql-server_auditing: <prod1> localhost.localdomain,root,localhost,1,7, QUERY, mysql, 'SELECT * FROM user',0
Although the default values for server_audit_syslog_facility and server_audit_syslog_priority should be sufficient in most cases, they can be changed based on the definition in syslog.h for the functions openlog() and syslog().
