Percona audit log filter not working

Percona for mysql 8.4
Ubuntu 24.04

I configured the server to use audit log component.

  1. I created the filter below to log connections and admin commands, and assigned it to ‘%’. It captured only connections but not the admin commands issued. The same issue occurred when I assigned the filter to a specific account like root@localhost.

SELECT audit_log_filter_set_filter(
  'log_connections_and_admin_commands',
  '{
  "filter": {
    "class": [
      {
        "name": "connection",
        "event": [
          { "name": "connect" },
          { "name": "disconnect" }
        ]
      },
      {
        "name": "general",
        "event": [
          {
            "name": "query",
            "log": {
              "or": [
                { "field": { "name": "general_sql_command.str", "value": "create_db" } },
                { "field": { "name": "general_sql_command.str", "value": "drop_db" } },
                { "field": { "name": "general_sql_command.str", "value": "alter_db" } },
                { "field": { "name": "general_sql_command.str", "value": "create_user" } },
                { "field": { "name": "general_sql_command.str", "value": "alter_user" } },
                { "field": { "name": "general_sql_command.str", "value": "drop_user" } }
              ]
            }
          }
        ]
      }
    ]
  }
}'
);

SELECT audit_log_filter_set_user('%', 'log_connections_and_admin_commands');

  2. I then tried a filter that monitors connections and queries without the ‘log’ (see below) and assigned it first to ‘%’ then to a specific account. Same issue: connections were logged but not admin commands.

SELECT audit_log_filter_set_filter(
  'log_connections_and_query',
  '{
  "filter": {
    "class": [
      {
        "name": "connection",
        "event": [
          { "name": "connect" },
          { "name": "disconnect" }
        ]
      },
      {
        "name": "general",
        "event": [
          {
            "name": "query"
          }
        ]
      }
    ]
  }
}'
);

  3. I then tried a new filter that captures queries only (no connections). Again, it still does not capture my admin commands.

SELECT audit_log_filter_set_filter(
  'log_query',
  '{
  "filter": {
    "class": [
      {
        "name": "general",
        "event": [
          {
            "name": "query"
          }
        ]
      }
    ]
  }
}'
);

Question: What could be the issue? Are my filters not defined correctly?

Thanks.

Hi @lxnguyen

Try this audit filter rule. It should meet your requirements:

SELECT audit_log_filter_set_filter(
  'admin_operations_audit',
  '{
  "filter": {
    "class": [
      {
        "name": "query",
        "event": {
          "name": ["start","status_end"],
          "log": {
            "or": [
              {"field":{"name":"sql_command_id","value":"alter_user"}},
              {"field":{"name":"sql_command_id","value":"create_user"}},
              {"field":{"name":"sql_command_id","value":"drop_user"}},
              {"field":{"name":"sql_command_id","value":"grant"}},
              {"field":{"name":"sql_command_id","value":"revoke"}},
              {"field":{"name":"sql_command_id","value":"revoke_all"}},
              {"field":{"name":"sql_command_id","value":"set_password"}},
              {"field":{"name":"sql_command_id","value":"create_db"}},
              {"field":{"name":"sql_command_id","value":"drop_db"}}
            ]
          }
        }
      },
      {
        "name": "connection"
      }
    ]
  }
}'
);
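
To confirm that a stored filter such as the one above is assigned and producing events, the steps below can be run on Percona Server for MySQL 8.4. This is an added example, not part of the original posts; it assumes the component's `mysql.audit_log_filter` and `mysql.audit_log_user` tables with `name` and `filter` columns, a session holding `AUDIT_ADMIN`, and a hypothetical throwaway account named `audit_probe`.

```sql
-- Added example (not from the thread). Table and column names are
-- assumptions about the audit log filter component's schema.

-- 1. Confirm the filter was stored and see which event classes it covers.
--    For the filter above this should list "query" and "connection".
SELECT name,
       JSON_EXTRACT(filter, '$.filter.class[*].name') AS classes
FROM mysql.audit_log_filter
WHERE name = 'admin_operations_audit';

-- 2. Assign the filter. '%' is the default entry, used for accounts
--    that have no assignment of their own.
SELECT audit_log_filter_set_user('%', 'admin_operations_audit');

-- 3. List every assignment. A leftover per-account entry from earlier
--    experiments (for example root@localhost pointing at an older
--    filter) takes precedence over '%' for that account.
SELECT * FROM mysql.audit_log_user;

-- 4. Find where the log is written and in which format.
--    The pattern matches the component's variables whatever their prefix.
SHOW GLOBAL VARIABLES LIKE 'audit_log_filter%';

-- 5. From a fresh connection, generate one event of each kind the
--    filter selects. 'audit_probe' is a hypothetical account that is
--    created locked with a server-generated password, then removed.
CREATE USER 'audit_probe'@'localhost'
  IDENTIFIED BY RANDOM PASSWORD ACCOUNT LOCK;
DROP USER 'audit_probe'@'localhost';

-- 6. Inspect the tail of the audit log file reported in step 4 and
--    check that both statements appear with their command names
--    (create_user, drop_user) alongside the connection events.
```

If step 1 returns no row, the `audit_log_filter_set_filter` call did not store the definition, and its return value should be checked before looking at assignments.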

Hi. Yes, I tried the user_operations_audit filter. It captures the events but also causes a server crash.

Is it crashing on Percona Server for MySQL 8.4 or MySQL Community 8.4?

I have tested this on Percona Server for MySQL 8.4. If you’re using MySQL Community instead, then compatibility issues are expected because the audit log filter component is not developed/tested with MySQL Community.

Yes, it crashed on mysql 8.4 CE and worked on Percona for MySQL 8.4. Ta.