Add mysql server host name in audit_log details when writing to syslog
Description
Activity
Oleksandr Kachan August 8, 2023 at 5:58 AM
Improved for the new audit_log_filter plugin - replaced audit_log_filter_syslog_ident sysvar with audit_log_filter_syslog_tag. This tag will be added as a prefix to actual syslog message. Server's syslog ident will be used for messages written by the plugin.
Oleksandr Kachan June 27, 2023 at 8:18 AM Edited
As I can see, the main issue here is the conflicting audit_log_syslog_ident and syslog_ident for the server itself. This is going to be solved for the new audit plugin. There will be no way to set a separate syslog ident for the plugin; it will use the server's ident while writing to syslog. Instead there will be an audit_log_syslog_tag set for the plugin. This tag will be prepended to the actual message. Using this tag it will be possible to distinguish messages from different server instances.
Oleksandr Kachan June 13, 2023 at 1:18 PM
Thanks @Lalit Choudhary,
> audit_log_syslog_ident DOES NOT work on 5.7+ if you don't enable log-syslog
Here log-syslog is probably a server system variable. There is one for MySQL 5.7; it was removed in 8.0.
Jeffrey Clark June 23, 2021 at 2:31 AM
Plugin seems to ignore audit_log_syslog_facility also if log-syslog is not enabled.
Jeffrey Clark June 23, 2021 at 2:29 AM
After a bit more research, this is indeed a bug - but only in 5.7+
audit_log_syslog_ident DOES NOT work on 5.7+ if you don't enable log-syslog. It still sends to syslog, but the ident is always mysqld

When running multiple Percona Server instances on a single machine and writing audit_log to SYSLOG (audit_log_handler = SYSLOG), there is no way to identify/differentiate audit log entries for a particular instance.
Example:
Running 2 Percona Server instances on the machine with the Percona audit log plugin and the following settings.
Instance1: 192.168.0.128:5721
[mysqld]
audit_log_handler = SYSLOG
Instance2: 192.168.0.128:8015
[mysqld]
audit_log_handler = SYSLOG
Connecting from remote host: 192.168.0.185
mysql -h 192.168.0.128 -u msandbox -p -P 5721
mysql> create database remote_host
mysql -h 192.168.0.128 -u msandbox -p -P 8017
mysql> create database remote_node
Percona server Host: 192.168.0.128
/var/log/syslog:
------ PS instance1 audit log entry in syslog---
Sep 6 18:15:32 lalit-ThinkPad-T480 percona-audit: <AUDIT_RECORD>#012 <NAME>Query</NAME>#012 <RECORD>13_1970-01-01T00:00:00</RECORD>#012 <TIMESTAMP>2019-09-06T12:45:32 UTC</TIMESTAMP>#012 <COMMAND_CLASS>create_db</COMMAND_CLASS>#012 <CONNECTION_ID>5</CONNECTION_ID>#012 <STATUS>0</STATUS>#012 <SQLTEXT>create database remote_host</SQLTEXT>#012 <USER>msandbox[msandbox] @ [192.168.0.185]</USER>#012 <HOST></HOST>#012 <OS_USER></OS_USER>#012 <IP>192.168.0.185</IP>#012 <DB></DB>#012</AUDIT_RECORD>
----PS instance2 audit log entry in syslog------
Sep 6 18:48:23 lalit-ThinkPad-T480 percona-audit: <AUDIT_RECORD>#012 <NAME>Query</NAME>#012 <RECORD>8_1970-01-01T00:00:00</RECORD>#012 <TIMESTAMP>2019-09-06T13:18:23Z</TIMESTAMP>#012 <COMMAND_CLASS>create_db</COMMAND_CLASS>#012 <CONNECTION_ID>9</CONNECTION_ID>#012 <STATUS>0</STATUS>#012 <SQLTEXT>create database remote_node</SQLTEXT>#012 <USER>msandbox[msandbox] @ [192.168.0.185]</USER>#012 <HOST></HOST>#012 <OS_USER></OS_USER>#012 <IP>192.168.0.185</IP>#012 <DB></DB>#012</AUDIT_RECORD>
Looking at the audit_log entries in syslog, we can't differentiate which audit log entry belongs to which Percona Server instance.
It would be good to have Percona Server host information while writing audit log details in SYSLOG.
Similar settings/options are available in the MariaDB audit plugin.
syslog_host: Host from which the syslog entry was received.
syslog_ident: For identifying a system log entry, including the MariaDB server.
syslog_info: For providing information for identifying a system log entry.
serverhost: The MariaDB server host name.
https://mariadb.com/kb/en/library/mariadb-audit-plugin-log-format/
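For anyone consuming these entries in a log pipeline, the following added example (not Percona's code and not part of the original ticket) parses the syslog lines shown in the description and groups statements by the only identifiers syslog exposes. It assumes the tag discussed in the comments appears as plain text directly before `<AUDIT_RECORD>`; the host name `dbhost`, the tag values `ps-5721` and `ps-8015`, and the trimmed sample records are constructed.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# "<timestamp> <host> <ident>[pid]: <message>" as written to /var/log/syslog
SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\s(?P<ident>[^:\[\s]+)(?:\[\d+\])?:\s(?P<msg>.*)$")

def sample(ident, prefix, conn_id, sql):
    """Build a constructed syslog line shaped like the entries in the report."""
    return (f"Sep  6 18:15:32 dbhost {ident}: {prefix}<AUDIT_RECORD>#012 "
            f"<NAME>Query</NAME>#012 <CONNECTION_ID>{conn_id}</CONNECTION_ID>#012 "
            f"<SQLTEXT>{sql}</SQLTEXT>#012 <HOST></HOST>#012 "
            f"<IP>192.168.0.185</IP>#012</AUDIT_RECORD>")

# Constructed input: two instances, same ident, no tag (the situation reported).
UNTAGGED = [sample("percona-audit", "", 5, "create database remote_host"),
            sample("percona-audit", "", 9, "create database remote_node")]
# Constructed input: assumed per-instance tag prefix; tag values are hypothetical.
TAGGED = [sample("mysqld", "ps-5721 ", 5, "create database remote_host"),
          sample("mysqld", "ps-8015 ", 9, "create database remote_node")]

def parse_line(line):
    """Return host, ident, tag and audit fields, or None if the line is unusable."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = m["msg"].replace("#012", "\n")  # syslog daemon escaped LF as #012
    start = msg.find("<AUDIT_RECORD>")
    if start < 0 or "<!DOCTYPE" in msg:   # not an audit record, or unexpected DTD
        return None
    try:
        record = ET.fromstring(msg[start:])
    except ET.ParseError:                 # e.g. record truncated by syslog size limit
        return None
    return {"host": m["host"], "ident": m["ident"],
            "tag": msg[:start].strip() or None,
            "fields": {child.tag: child.text or "" for child in record}}

def group_by_instance(lines):
    """Group SQLTEXT by the only instance identifiers syslog gives us."""
    groups = defaultdict(list)
    for entry in filter(None, map(parse_line, lines)):
        key = (entry["host"], entry["ident"], entry["tag"])
        groups[key].append(entry["fields"].get("SQLTEXT", ""))
    return dict(groups)

if __name__ == "__main__":
    print(group_by_instance(UNTAGGED))  # one key: instances are indistinguishable
    print(group_by_instance(TAGGED))    # two keys: one per tag
```
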