Hi all,
I’m having issues making the audit log plugin behave correctly; notably, it is ignoring audit_log_syslog_facility, audit_log_syslog_ident and audit_log_include_accounts.
First of all, here’s my config:
mysql> show variables like 'audit%';
+-----------------------------+--------------+
| Variable_name               | Value        |
+-----------------------------+--------------+
| audit_log_buffer_size       | 1048576      |
| audit_log_exclude_accounts  |              |
| audit_log_exclude_commands  |              |
| audit_log_exclude_databases |              |
| audit_log_file              | audit.log    |
| audit_log_flush             | OFF          |
| audit_log_format            | JSON         |
| audit_log_handler           | SYSLOG       |
| audit_log_include_accounts  |              |
| audit_log_include_commands  |              |
| audit_log_include_databases |              |
| audit_log_policy            | ALL          |
| audit_log_rotate_on_size    | 0            |
| audit_log_rotations         | 0            |
| audit_log_strategy          | ASYNCHRONOUS |
| audit_log_syslog_facility   | LOG_LOCAL1   |
| audit_log_syslog_ident      | myaudit      |
| audit_log_syslog_priority   | LOG_INFO     |
+-----------------------------+--------------+
18 rows in set (0.00 sec)
Using this config, I’m seeing audit_record messages being logged using the ‘mysqld’ ident instead of the ‘myaudit’ ident.
The audit_record messages are also being logged using the ‘LOG_AUTH’ facility instead of ‘LOG_LOCAL1’.
The strange thing is that neither ‘mysqld’ nor ‘LOG_AUTH’ is the default value for ident and facility, respectively.
MySQL starts with this config file:
[mysqld]
plugin-load="audit_log=audit_log.so"
audit_log_format = JSON
audit_log_handler = SYSLOG
audit_log_syslog_ident='myaudit'
audit_log_syslog_facility = LOG_LOCAL1
audit_log_syslog_priority = LOG_INFO
audit_log_policy = ALL
The first log entry upon starting is:
Mar 6 11:40:49 mydb myaudit: {"audit_record":{"name":"Audit","record":"1_1970-01-01T00:00:00","timestamp":"2024-03-06T10:40:49 UTC","mysql_version":"5.7.44-48-log","startup_optionsi":"--daemonize --pid-file=/var/run/mysqld/mysqld.pid","os_version":"x86_64-debian-linux-gnu"}}
This message uses the correct ident and is using the correct facility as well.
All subsequent audit log entries are using LOG_AUTH and mysqld:
Mar 6 11:40:50 mydb mysqld[2614148]: {"audit_record":{"name":"Connect","record":"2_1970-01-01T00:00:00","timestamp":"2024-03-06T10:40:49 UTC","connection_id":"2","status":0,"user":"pt_heartbeat","priv_user":"pt_heartbeat","os_login":"","proxy_user":"","host":"localhost","ip":"","db":"pt_heartbeat"}}
up until the last log entry:
Mar 6 11:41:34 mydb mysqld[2614148]: {"audit_record":{"name":"NoAudit","record":"389_1970-01-01T00:00:00","timestamp":"2024-03-06T10:41:34 UTC","mysql_version":"5.7.44-48-log","startup_optionsi":"--daemonize --pid-file=/var/run/mysqld/mysqld.pid","os_version":"x86_64-debian-linux-gnu"}}
Furthermore, as soon as I start using audit_log_include_accounts, no logging is produced.
I’ve been trying to get the audit log to behave for the last few days, using strace, tcpdump, etc. All to no avail.
What am I doing wrong or am I using a buggy version?
Thanks,
Pieter.
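A small checker for the symptom described in the post, added here as an example and not part of the original post or of the Percona plugin: it parses syslog lines that carry an audit_record JSON object, counts them per syslog ident, lists every event that did not arrive under the configured audit_log_syslog_ident, and collects user@host from Connect records (assumed to be the account form audit_log_include_accounts expects). The sample lines are constructed from the three entries quoted above plus one unrelated syslog line.

```python
import json
import re
from collections import Counter

# Traditional syslog layout as quoted in the post:
# "<Mon> <d> <HH:MM:SS> <host> <ident>[<pid>]: <message>" ("[pid]" is optional).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<ident>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Constructed sample input: the lines quoted in the post (trimmed) and one
# unrelated cron line that the parser must skip.
SAMPLE_LINES = [
    'Mar 6 11:40:49 mydb myaudit: {"audit_record":{"name":"Audit","record":"1_1970-01-01T00:00:00","timestamp":"2024-03-06T10:40:49 UTC","mysql_version":"5.7.44-48-log"}}',
    'Mar 6 11:40:50 mydb mysqld[2614148]: {"audit_record":{"name":"Connect","record":"2_1970-01-01T00:00:00","timestamp":"2024-03-06T10:40:49 UTC","connection_id":"2","status":0,"user":"pt_heartbeat","priv_user":"pt_heartbeat","os_login":"","proxy_user":"","host":"localhost","ip":"","db":"pt_heartbeat"}}',
    'Mar 6 11:41:34 mydb mysqld[2614148]: {"audit_record":{"name":"NoAudit","record":"389_1970-01-01T00:00:00","timestamp":"2024-03-06T10:41:34 UTC","mysql_version":"5.7.44-48-log"}}',
    "Mar 6 11:41:35 mydb cron[12]: (root) CMD (run-parts /etc/cron.hourly)",
]

def parse_audit_line(line):
    """Return {"ident", "pid", "record"} for a syslog line whose message is an
    audit_record JSON object; None for any other line or undecodable message."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    try:
        payload = json.loads(m.group("msg"))
    except ValueError:
        return None
    if not isinstance(payload, dict) or "audit_record" not in payload:
        return None
    return {"ident": m.group("ident"), "pid": m.group("pid"), "record": payload["audit_record"]}

def audit_ident_report(lines, expected_ident):
    """Return (events per ident, [(event name, ident)] for events that did not use
    expected_ident, set of user@host accounts seen in Connect records)."""
    per_ident, wrong, accounts = Counter(), [], set()
    for line in lines:
        parsed = parse_audit_line(line)
        if parsed is None:
            continue
        rec = parsed["record"]
        per_ident[parsed["ident"]] += 1
        if parsed["ident"] != expected_ident:
            wrong.append((rec.get("name"), parsed["ident"]))
        if rec.get("name") == "Connect":  # assumption: user@host is the include_accounts form
            accounts.add(f'{rec.get("user")}@{rec.get("host")}')
    return per_ident, wrong, accounts

if __name__ == "__main__":
    per_ident, wrong, accounts = audit_ident_report(SAMPLE_LINES, "myaudit")
    print(dict(per_ident), wrong, sorted(accounts))
```

Run it against the real syslog file (for example the output of `grep audit_record /var/log/syslog`) to get a per-ident count, which also makes it easy to confirm whether only the startup record honours the configured ident.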