8.0.37 - Percona Audit Log Variables Not Being Adhered to

Good Day,

I have the audit log implementation in my non-prod environments with the hope of implementing into prod as follows:

mysql> show variables like 'aud%';
+-----------------------------+-----------------------------------------------------------------------------------------------------+
| Variable_name               | Value                                                                                               |
+-----------------------------+-----------------------------------------------------------------------------------------------------+
| audit_log_buffer_size       | 5242880                                                                                             |
| audit_log_exclude_accounts  |                                                                                                     |
| audit_log_exclude_commands  |                                                                                                     |
| audit_log_exclude_databases |                                                                                                     |
| audit_log_file              | audit.log                                                                                           |
| audit_log_flush             | OFF                                                                                                 |
| audit_log_format            | NEW                                                                                                 |
| audit_log_handler           | FILE                                                                                                |
| audit_log_include_accounts  | DB_Admin@localhost,DB_Admin@127.0.0.1,root@localhost,root@127.0.0.1,admin@localhost,admin@127.0.0.1 |
| audit_log_include_commands  |                                                                                                     |
| audit_log_include_databases |                                                                                                     |
| audit_log_policy            | ALL                                                                                                 |
| audit_log_rotate_on_size    | 536870912                                                                                           |
| audit_log_rotations         | 1                                                                                                   |
| audit_log_strategy          | SEMISYNCHRONOUS                                                                                     |
| audit_log_syslog_facility   | LOG_USER                                                                                            |
| audit_log_syslog_ident      | percona-audit                                                                                       |
| audit_log_syslog_priority   | LOG_INFO                                                                                            |
+-----------------------------+-----------------------------------------------------------------------------------------------------+

The issue is twofold, with the following parameters not being adhered to:

  1. audit_log_rotate_on_size - which, based on this variable, is meant to rotate at 500MB, only rotated when I restarted the instance, at a size of 4.6GB (another of my non-prod hosts with the same implementation saw the file grow to 40GB or so, to be rescued by a restart as well before rolling over).
  2. audit_log_include_accounts - according to the documentation: “This variable is used to specify the list of users for which Filtering by user is applied”. My assumption is that by setting this value, only audit events from the accounts listed in it would be logged. If my understanding is incorrect on this, please feel free to correct me.

Below Details of Audit log file in default location (datadir):
mysql> \! ls -alh audi*
-rw-r----- 1 mysql mysql 182K Feb 5 09:41 audit.log
-rw-r----- 1 mysql mysql 4.6G Feb 4 15:58 audit.log.1

Please assist with any clarity if my implementation is missing some or other key implementation consideration to get my desired state i.e. rotate log files at 500MB and filter & log only the user accounts listed in the config.

More specifics on the OS host as well as daemon versions:

mysql> \! mysqld --version
/usr/sbin/mysqld Ver 8.0.37-29 for Linux on x86_64 (Percona Server (GPL), Release 29, Revision 30dc4e71)
mysql> \! cat /etc/os-release
NAME="Rocky Linux"
VERSION="8.10 (Green Obsidian)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="8.10"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Rocky Linux 8.10 (Green Obsidian)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:8:GA"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
SUPPORT_END="2029-05-31"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-8"
ROCKY_SUPPORT_PRODUCT_VERSION="8.10"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.10"

Thank you in advance.
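An added example (not part of the original post and not Percona's code): a read-only check that could be run against the audit files to confirm both symptoms, using the values from the SHOW VARIABLES output above. The record layout (USER, HOST and IP attributes), the exact user@host string comparison, and the sample records are assumptions constructed for illustration.

```python
import os
import re
from collections import Counter

# Values copied from the SHOW VARIABLES output in the post.
ROTATE_ON_SIZE = 536870912
INCLUDE_ACCOUNTS = ("DB_Admin@localhost,DB_Admin@127.0.0.1,root@localhost,"
                    "root@127.0.0.1,admin@localhost,admin@127.0.0.1")

RECORD_RE = re.compile(r"<AUDIT_RECORD\b(.*?)/>", re.S)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

def record_account(attrs):
    """Build user@host from one record (assumed attribute layout)."""
    # Query records are assumed to carry USER as "name[priv] @ host [ip]".
    user = attrs.get("USER", "").split("[", 1)[0].strip()
    host = attrs.get("HOST") or attrs.get("IP") or ""
    return f"{user}@{host}"

def unexpected_accounts(log_text, include_accounts=INCLUDE_ACCOUNTS):
    """Count records whose account is not on the include list."""
    allowed = {a.strip() for a in include_accounts.split(",") if a.strip()}
    seen = Counter()
    for body in RECORD_RE.findall(log_text):
        account = record_account(dict(ATTR_RE.findall(body)))
        if account not in allowed:
            seen[account] += 1
    return dict(seen)

def oversized_logs(paths, limit=ROTATE_ON_SIZE):
    """Return {path: size} for files larger than the rotation limit."""
    sizes = {p: os.path.getsize(p) for p in paths}
    return {p: s for p, s in sizes.items() if s > limit}

# Constructed sample records, not taken from the poster's audit.log.
SAMPLE = '''
<AUDIT_RECORD NAME="Query" COMMAND_CLASS="select" STATUS="0"
  SQLTEXT="SELECT 1" USER="root[root] @ localhost []" HOST="localhost" IP="" DB="" />
<AUDIT_RECORD NAME="Query" COMMAND_CLASS="insert" STATUS="0"
  SQLTEXT="INSERT INTO t VALUES (1)" USER="app[app] @ [10.0.0.5]" HOST="" IP="10.0.0.5" DB="shop" />
<AUDIT_RECORD NAME="Connect" STATUS="0" USER="app" PRIV_USER="app"
  HOST="" IP="10.0.0.5" DB="shop" />
'''

if __name__ == "__main__":
    print(unexpected_accounts(SAMPLE))
```

Any account reported by `unexpected_accounts` means the include filter is not limiting what is written, and any path returned by `oversized_logs` (for example audit.log and audit.log.1 in the datadir) has grown past the configured rotation size.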

Hello,
Any information in mysql’s error log, or the system log? Do you have SELinux enabled?

Hi @matthewb ,

SELinux enabled - Nope:
mysql> \! sestatus
SELinux status: disabled

Any Information in the error logs (in particular for Audit) - Nope.

Good Day,

Any implementation suggestions you have for this?