{"id":4705,"date":"2021-12-09T17:32:27","date_gmt":"2021-12-09T09:32:27","guid":{"rendered":"https:\/\/cybersecthreat.com\/?p=4705"},"modified":"2024-04-01T13:47:00","modified_gmt":"2024-04-01T05:47:00","slug":"mysql-community-edition-audit-logging","status":"publish","type":"post","link":"https:\/\/cybersecthreat.com\/zh\/2021\/12\/09\/mysql-community-edition-audit-logging\/","title":{"rendered":"MySQL community audit logging"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"1-introduction\">Introduction<\/h2>\n\n\n\n<p>This time, we are going to discuss various options for MySQL community edition authentication audit logging.<\/p>\n\n\n\n<p>Authentication audit is certainly an important part of continuous monitoring. If a hacker can get the credentials of the database from elsewhere (e.g. compromise of another machine), then the adversary may also be able to directly access the database. Therefore, we may catch attackers earlier using these kinds of IoC.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"2-testing-environments\">Testing Environments:<\/h3>\n\n\n\n<p>During our research work, we have selected the 
following 3 environments:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>A. Red Hat Enterprise Linux (RHEL) 7.2 &amp; MySQL community server 5.7.19<\/code><\/li>\n\n\n\n<li><code>B. Red Hat 7.4 &amp; MySQL community server 5.7.29<\/code><\/li>\n\n\n\n<li><code>C. Red Hat 8.0 &amp; MySQL community server 8.0.16<\/code><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"3--available-solutions-for-mysql-community-audit-logging-\"><strong>Available solutions for MySQL community audit logging:<\/strong><\/h2>\n\n\n\n<p>Before we go into the technical details, we will first list the available solutions. However, we will not discuss the MySQL Enterprise audit logging plugin because it only supports MySQL&nbsp;Enterprise.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>Native MySQL general_log configuration<\/code><\/li>\n\n\n\n<li><code>MySQL Enterprise audit logging plugin (audit_log.so)<\/code><\/li>\n\n\n\n<li><code>MariaDB audit logging plugin (server_audit.so)<\/code><\/li>\n\n\n\n<li><code>Mcafee audit logging plugin (libaudit_plugin.so)<\/code><\/li>\n\n\n\n<li><code>Percona audit logging plugin (audit_log.so)<\/code><\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<h2 class=\"wp-block-heading\" id=\"4-support-matrix--for-mysql-community-audit-logging--\">Support Matrix <strong>for MySQL community audit logging<\/strong>:<\/h2>\n\n\n\n<p>Check out the following compatibility matrix so that you can select the solutions suitable for your environment:<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<figure class=\"wp-block-table alignleft 
is-style-stripes\"><table><tbody><tr><td><\/td><td class=\"has-text-align-center\" data-align=\"center\"><strong><code>RHEL 7.2 &amp; MySQL community server 5.7.19<\/code><\/strong><\/td><td class=\"has-text-align-center\" data-align=\"center\"><strong><code>RHEL 7.4 &amp; MySQL community server 5.7.29<\/code><\/strong><\/td><td class=\"has-text-align-center\" data-align=\"center\"><strong><code>Red Hat 8.0 &amp; MySQL community server 8.0.16<\/code><\/strong><\/td><\/tr><tr><td><strong><code>Native MySQL general_log configuration<\/code><\/strong><\/td><td class=\"has-text-align-center\" data-align=\"center\"> <code>\u2714\ufe0f<\/code><\/td><td class=\"has-text-align-center\" data-align=\"center\"><code>\u2714\ufe0f<\/code><\/td><td class=\"has-text-align-center\" data-align=\"center\"><code>\u2714\ufe0f<\/code><\/td><\/tr><tr><td><strong><code>MySQL Enterprise audit logging plugin (audit_log.so)<\/code><\/strong><\/td><td class=\"has-text-align-center\" data-align=\"center\"><code>\u274c<\/code><\/td><td class=\"has-text-align-center\" data-align=\"center\"><code>\u274c<\/code><\/td><td class=\"has-text-align-center\" data-align=\"center\"><code>\u274c<\/code><\/td><\/tr><tr><td><strong><code>MariaDB audit logging plugin (server_audit.so)<\/code><\/strong><\/td><td class=\"has-text-align-center\" data-align=\"center\"><code>\u2714\ufe0f<\/code><\/td><td class=\"has-text-align-center\" data-align=\"center\"><code>\u2714\ufe0f<\/code><\/td><td class=\"has-text-align-center\" data-align=\"center\"><code>\u274c<\/code><\/td><\/tr><tr><td><strong><code>Mcafee audit logging plugin (libaudit_plugin.so)<\/code><\/strong><\/td><td class=\"has-text-align-center\" data-align=\"center\"><code>\u2714\ufe0f<\/code><\/td><td class=\"has-text-align-center\" data-align=\"center\"><code>\u2714\ufe0f<\/code><\/td><td class=\"has-text-align-center\" data-align=\"center\"><code>\u2714\ufe0f<\/code><\/td><\/tr><tr><td><strong><code>Percona audit logging plugin 
(audit_log.so)<\/code><\/strong><\/td><td class=\"has-text-align-center\" data-align=\"center\"><code>\u274c<\/code><\/td><td class=\"has-text-align-center\" data-align=\"center\"><code>\u274c<\/code><\/td><td class=\"has-text-align-center\" data-align=\"center\"><code>\u2714\ufe0f<\/code><\/td><\/tr><\/tbody><\/table><figcaption class=\"wp-element-caption\">Support Matrix for MySQL community authentication logging<\/figcaption><\/figure>\n\n\n\n<p><\/p>\n<\/div>\n<\/div>\n<\/div><\/div>\n<\/div><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"5--description-pros-and-cons-\">Description, Pros, and Cons of the different MySQL community audit logging options:<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"6-1-native-logging-using-general_log-settings\">1. Native MySQL <code>general_log<\/code> configuration<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Description\n<ul class=\"wp-block-list\">\n<li>Natively supported by the MySQL community and enterprise versions and by MariaDB<\/li>\n\n\n\n<li>Logs both authentication events and queries, with no option to filter<\/li>\n\n\n\n<li>Splunk provides a native app, but the parsing needs to be fine-tuned.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Pros\n<ul class=\"wp-block-list\">\n<li>Supports both MySQL community server 5.7.X and 8.X<\/li>\n\n\n\n<li>No third-party plugin is needed, so there are no compatibility concerns<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Cons\n<ul class=\"wp-block-list\">\n<li>May impact MySQL performance because it logs ALL queries<\/li>\n\n\n\n<li>May raise privacy concerns because logged SQL statements may contain unencrypted sensitive information<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"7--2-mysql-enterprise-audit-logging-plugin-audit_logso-\">2. 
MySQL Enterprise audit logging plugin (<code>audit_log.so<\/code>)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Description\n<ul class=\"wp-block-list\">\n<li>Introduced in MySQL Enterprise version&nbsp;<a href=\"https:\/\/dev.mysql.com\/doc\/mysql-security-excerpt\/5.7\/en\/audit-log-reference.html\">5.7.9<\/a><\/li>\n\n\n\n<li>Supports full auditing, or logging only authentication-related events with the <code>--audit-log-policy=LOGINS<\/code> option.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Pros\n<ul class=\"wp-block-list\">\n<li>Ships natively with MySQL Enterprise edition, so there are no compatibility concerns<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Cons\n<ul class=\"wp-block-list\">\n<li>Only supports the MySQL Enterprise version<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"8-3-mariadb-audit-logging-plugin-server_auditso\">3. MariaDB audit logging plugin (<code>server_audit.so<\/code>)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Description\n<ul class=\"wp-block-list\">\n<li>Audit logging plugin developed by MariaDB, another company founded by the original founder of MySQL.<\/li>\n\n\n\n<li>Supports full auditing, or logging only authentication-related events with the <code>server_audit_events='CONNECT'<\/code> option<\/li>\n\n\n\n<li>Only supports MySQL community server 5.7.X, and it no longer works as of MySQL community v5.7.30<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Pros\n<ul class=\"wp-block-list\">\n<li>Fewer compatibility concerns because MariaDB 5.5 is completely based on MySQL 5.x<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Cons\n<ul class=\"wp-block-list\">\n<li>Additional third-party plugin installation is needed<\/li>\n\n\n\n<li>MySQL community server 8.x is not supported.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"9--4-percona-audit-logging-plugin-audit_logso-\">4. 
Percona audit logging plugin (<code>audit_log.so<\/code>)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Description\n<ul class=\"wp-block-list\">\n<li>Audit logging plugin developed by Percona, whose server is another drop-in replacement for MySQL server.<\/li>\n\n\n\n<li>Supports full auditing in different formats (e.g. OLD XML, NEW, JSON, and CSV), or logging only authentication-related events with the <code>audit_log_policy = LOGINS<\/code> option<\/li>\n\n\n\n<li>Only supports MySQL community server 8.x<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Pros\n<ul class=\"wp-block-list\">\n<li>Fewer compatibility concerns because Percona 8.0 is based on MySQL 8.0<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Cons\n<ul class=\"wp-block-list\">\n<li>Additional third-party plugin installation is required<\/li>\n\n\n\n<li>MySQL community server 5.7 is not supported.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"10--5-mcafee-audit-logging-plugin-libaudit_pluginso-\">5. Mcafee audit logging plugin (<code>libaudit_plugin.so<\/code>)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Description\n<ul class=\"wp-block-list\">\n<li>Audit logging plugin developed by Mcafee, a long-established cybersecurity company.<\/li>\n\n\n\n<li>Supports full auditing in JSON format, or logging only authentication-related events with the <code>audit_record_cmds='connect,Failed Login,Quit'<\/code> option<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Pros\n<ul class=\"wp-block-list\">\n<li>Supports both MySQL community server 5.7.X and 8.X<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Cons\n<ul class=\"wp-block-list\">\n<li>A third-party plugin is needed<\/li>\n\n\n\n<li>May introduce a performance impact because this plugin uses a non-standard API<\/li>\n\n\n\n<li>Some additional packages (<code>gdb<\/code>, <code>policycoreutils-devel<\/code>) need to be installed<\/li>\n\n\n\n<li>Additional effort to deal with <code>SELINUX<\/code> settings<\/li>\n\n\n\n<li>Additional effort to deal with process offset using 
<code>GDB<\/code><\/li>\n\n\n\n<li>Introduces additional complexity during MySQL upgrades, as process offsets may change after each MySQL upgrade<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-conclusion-and-recommendation\">Conclusion and Recommendation:<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In general, we recommend using the MariaDB audit logging plugin for MySQL community 5.7.x and the Percona audit logging plugin for MySQL community 8.x.<\/li>\n\n\n\n<li>If you have MySQL community version &gt; 5.7.30, then you can consider either the native MySQL general_log configuration or the Mcafee audit logging plugin.<\/li>\n\n\n\n<li>If you choose the native MySQL general_log configuration, then you should consider encrypting the partition\/mount point where the logs reside. In addition, check out <a href=\"#native-mysql-general-log-filtering-using-splunk\">our solution<\/a>, which sends only authentication logs to Splunk.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading has-cyan-bluish-gray-background-color has-background\" id=\"h-installation-instruction-for-mysql-community-audit-logging\">Installation instructions for MySQL community audit logging:<\/h2>\n\n\n\n<p>Although some audit logging plugins support various formats, the configuration format used in this article is aligned with our Splunk Apps.<\/p>\n\n\n\n<h3 class=\"wp-block-heading has-text-align-left\" id=\"h-redhat-7-4-amp-mysql-community-server-5-7-29\"><strong>Redhat 7.4 &amp; MySQL community server 5.7.29<\/strong><\/h3>\n\n\n\n<p>Since there is no difference between the configuration of <strong>Redhat 7.2 &amp; MySQL community server 5.7.19<\/strong> and <strong>Redhat 7.4 &amp; MySQL community server 5.7.29<\/strong>, we will list only one here.<\/p>\n\n\n\n<h4 class=\"wp-block-heading has-text-align-left\" id=\"h-native-logging-using-general-log-settings\"><strong>Native logging using general_log 
settings<\/strong><\/h4>\n\n\n\n<p id=\"h-enter-mysql-console-1\">Enter MySQL console and show current log settings:<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>&#91;root@myredhat74 ~]# mysql -uroot -p -hlocalhost\nEnter password:\nWelcome to the MySQL monitor.  Commands end with ; or \\g.\nYour MySQL connection id is 2\nServer version: 5.7.29 MySQL Community Server (GPL)\n\nCopyright (c) 2000, 2020, Oracle and\/or its affiliates. All rights reserved.\n\nOracle is a registered trademark of Oracle Corporation and\/or its\naffiliates. Other names may be trademarks of their respective\nowners.\n\nType 'help;' or '\\h' for help. Type '\\c' to clear the current input statement.\n\nmysql&gt; SHOW VARIABLES LIKE \"general_log%\";\n+------------------+-------------------------------+\n| Variable_name    | Value                         |\n+------------------+-------------------------------+\n| general_log      | OFF                           |\n| general_log_file | \/var\/lib\/mysql\/myredhat74.log |\n+------------------+-------------------------------+\n2 rows in set (0.00 sec)\n\nmysql&gt; SHOW VARIABLES LIKE \"log_output\";\n+---------------+-------+\n| Variable_name | Value |\n+---------------+-------+\n| log_output    | FILE  |\n+---------------+-------+\n1 row in set (0.00 sec)\n\nmysql&gt; SHOW VARIABLES LIKE \"log_warnings\";\n+---------------+-------+\n| Variable_name | Value |\n+---------------+-------+\n| log_warnings  | 2     |\n+---------------+-------+\n1 row in set (0.00 sec)\n\nmysql&gt;\n<\/code><\/pre>\n<\/div><\/div>\n\n\n\n<p id=\"h-enable-setting-at-runtime-1\">While still in MySQL console, we can enable log settings at runtime.<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>mysql&gt; SET global 
general_log_file='\/var\/log\/mysql\/mysql_general.log';\nQuery OK, 0 rows affected (0.00 sec)\n\nmysql&gt; SET global general_log = on;\nQuery OK, 0 rows affected (0.01 sec)\n\nmysql&gt; SET global log_output = 'file';\nQuery OK, 0 rows affected (0.00 sec)\n\nmysql&gt;\n<\/code><\/pre>\n<\/div><\/div>\n\n\n\n<p id=\"h-edit-etc-my-cnf-to-enable-persistent-log-settings-1\">We will need to edit \/etc\/my.cnf to enable persistent log settings. The general_log settings will log all successful and failed attempts as well as queries.<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>&#91;mysqld]\ngeneral_log = on\ngeneral_log_file=\/var\/log\/mysql\/mysql_general.log<\/code><\/pre>\n<\/div><\/div>\n\n\n\n<p id=\"h-side-impact-disable-dns-lookups-to-log-ip-address-but-need-to-set-permissions-using-ip-addresses-rather-than-host-names-1\">It is possible to disable DNS lookups so that MySQL will log source IP addresses instead of hostname. 
However, you will need to grant permissions using IP addresses rather than hostnames.<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>skip-name-resolve<\/code><\/pre>\n<\/div><\/div>\n\n\n\n<p>Finally, we will need to create a log directory and restart the MySQL daemon.<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>&#91;root@myredhat74 ~]# mkdir -p \/var\/log\/mysql\/\n&#91;root@myredhat74 ~]# chown -R mysql:mysql \/var\/log\/mysql\n&#91;root@myredhat74 ~]# systemctl restart mysqld<\/code><\/pre>\n<\/div><\/div>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading has-text-align-left\" id=\"h-mariadb-audit-logging-plugin-server-audit-so-settings\">MariaDB audit logging plugin (<code>server_audit.so<\/code>) settings<\/h4>\n\n\n\n<p>For the MariaDB audit logging plugin, we will need to download the MariaDB binary archive and then extract it.<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>&#91;root@myredhat74 ~]# wget https:\/\/downloads.mariadb.org\/f\/mariadb-5.5.68\/bintar-linux-x86_64\/mariadb-5.5.68-linux-x86_64.tar.gz\/from\/http%3A\/\/mirror.mephi.ru\/mariadb\/?serve -O mariadb-5.5.68-linux-x86_64.tar.gz\n&#91;root@myredhat74 ~]# tar -zvxf mariadb-5.5.68-linux-x86_64.tar.gz<\/code><\/pre>\n<\/div><\/div>\n\n\n\n<p id=\"h-check-plugin-dir-default-usr-lib64-mysql-plugin-for-rpm-installation-2\">Enter the MySQL console and check the plugin directory; it defaults to \/usr\/lib64\/mysql\/plugin\/ for an rpm installation.<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre 
class=\"wp-block-code\"><code>&#91;root@myredhat74 ~]# mysql -uroot -p -hlocalhost\nEnter password:\nWelcome to the MySQL monitor.  Commands end with ; or \\g.\nYour MySQL connection id is 6\nServer version: 5.7.29 MySQL Community Server (GPL)\n\nCopyright (c) 2000, 2020, Oracle and\/or its affiliates. All rights reserved.\n\nOracle is a registered trademark of Oracle Corporation and\/or its\naffiliates. Other names may be trademarks of their respective\nowners.\n\nType 'help;' or '\\h' for help. Type '\\c' to clear the current input statement.\n\nmysql&gt; SHOW GLOBAL VARIABLES LIKE 'plugin_dir';\n+---------------+--------------------------+\n| Variable_name | Value                    |\n+---------------+--------------------------+\n| plugin_dir    | \/usr\/lib64\/mysql\/plugin\/ |\n+---------------+--------------------------+\n1 row in set (0.00 sec)\n\nmysql&gt;\n<\/code><\/pre>\n\n\n\n<p>After confirming the correct plugin directory, we will need to copy the plugin library to MySQL plugin directory.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;root@myredhat74 ~]# cp .\/mariadb-5.5.68-linux-x86_64\/lib\/plugin\/server_audit.so \/usr\/lib64\/mysql\/plugin\/<\/code><\/pre>\n<\/div><\/div>\n\n\n\n<p> Enter MySQL console again, and install the plugin.<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>&#91;root@myredhat74 ~]# mysql -uroot -p -hlocalhost\nEnter password:\nWelcome to the MySQL monitor.  Commands end with ; or \\g.\nYour MySQL connection id is 5\nServer version: 5.7.29 MySQL Community Server (GPL)\n\nCopyright (c) 2000, 2020, Oracle and\/or its affiliates. All rights reserved.\n\nOracle is a registered trademark of Oracle Corporation and\/or its\naffiliates. Other names may be trademarks of their respective\nowners.\n\nType 'help;' or '\\h' for help. 
Type '\\c' to clear the current input statement.\n\nmysql&gt; INSTALL PLUGIN server_audit SONAME 'server_audit.so';\nQuery OK, 0 rows affected (0.02 sec)\n\n\nmysql&gt; show variables like '%audit%';\n+-------------------------------+-----------------------+\n| Variable_name                 | Value                 |\n+-------------------------------+-----------------------+\n| server_audit_events           |                       |\n| server_audit_excl_users       |                       |\n| server_audit_file_path        | server_audit.log      |\n| server_audit_file_rotate_now  | OFF                   |\n| server_audit_file_rotate_size | 1000000               |\n| server_audit_file_rotations   | 9                     |\n| server_audit_incl_users       |                       |\n| server_audit_loc_info         |                       |\n| server_audit_logging          | OFF                   |\n| server_audit_mode             | 1                     |\n| server_audit_output_type      | file                  |\n| server_audit_query_log_limit  | 1024                  |\n| server_audit_syslog_facility  | LOG_USER              |\n| server_audit_syslog_ident     | mysql-server_auditing |\n| server_audit_syslog_info      |                       |\n| server_audit_syslog_priority  | LOG_INFO              |\n+-------------------------------+-----------------------+\n\n16 rows in set (0.00 sec)\n\nmysql&gt;<\/code><\/pre>\n<\/div><\/div>\n\n\n\n<p id=\"41-add-to-mysqld-section-in-mycnf-or-configuration-file-used-by-mysqld\">Now, we can add log settings to [mysqld] section in my.cnf (or configuration file used by MySQL)<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>server_audit_events='CONNECT'\nserver_audit_logging=on\nserver_audit_file_path = 
\/var\/log\/mysql\/mysql_mariadb_audit.log\nserver_audit_file_rotate_size=200000000\nserver_audit_file_rotations=200\nserver_audit_file_rotate_now=ON<\/code><\/pre>\n<\/div><\/div>\n\n\n\n<p> Finally, we will need to create a log directory and restart MySQL daemon. <\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>&#91;root@myredhat74 ~]# mkdir -p \/var\/log\/mysql\/\n&#91;root@myredhat74 ~]# chown -R mysql:mysql \/var\/log\/mysql\n&#91;root@myredhat74 ~]# systemctl restart mysqld<\/code><\/pre>\n<\/div><\/div>\n\n\n\n<p>Let&#8217;s check the final result using Splunk.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_mariadb_splunk_view.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"195\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_mariadb_splunk_view-1024x195.png\" alt=\"MySQL community audit logging for MariaDB using Splunk view\" class=\"wp-image-5011\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_mariadb_splunk_view-1024x195.png 1024w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_mariadb_splunk_view-300x57.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_mariadb_splunk_view-768x146.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_mariadb_splunk_view-1536x293.png 1536w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_mariadb_splunk_view-18x3.png 18w, 
https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_mariadb_splunk_view-600x114.png 600w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_mariadb_splunk_view.png 1884w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">MySQL community audit logging for MariaDB using Splunk view<\/figcaption><\/figure>\n\n\n\n<h4 class=\"wp-block-heading has-text-align-left\" id=\"h-mcafee-audit-logging-plugin-libaudit-plugin-so-settings\"><strong>Mcafee audit logging plugin (<code>libaudit_plugin.so<\/code>) settings<\/strong><\/h4>\n\n\n\n<p>For the Mcafee audit logging plugin, we will need to download the Mcafee binary archive and then extract it. Find the correct version for your server here: <a href=\"https:\/\/github.com\/mcafee\/mysql-audit\/releases\">https:\/\/github.com\/mcafee\/mysql-audit\/releases<\/a>.<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>&#91;root@myredhat74 ~]# wget https:\/\/bintray.com\/mcafee\/mysql-audit-plugin\/download_file?file_path=audit-plugin-mysql-5.7-1.1.7-913-linux-x86_64.zip -O audit-plugin-mysql-5.7-1.1.7-913-linux-x86_64.zip\n&#91;root@myredhat74 ~]# unzip audit-plugin-mysql-5.7-1.1.7-913-linux-x86_64.zip\n&#91;root@myredhat74 ~]# cp audit-plugin-mysql-5.7-1.1.7-913\/lib\/libaudit_plugin.so \/usr\/lib64\/mysql\/plugin\/<\/code><\/pre>\n<\/div><\/div>\n\n\n\n<p id=\"43-check-plugin-dir-default-usrlib64mysqlplugin-for-rpm-installation\">Enter the MySQL console and check the plugin directory; it defaults to \/usr\/lib64\/mysql\/plugin\/ for an rpm installation. 
<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>&#91;root@myredhat74 ~]# mysql -uroot -p -hlocalhost\nEnter password:\nWelcome to the MySQL monitor.  Commands end with ; or \\g.\nYour MySQL connection id is 6\nServer version: 5.7.29 MySQL Community Server (GPL)\n\nCopyright (c) 2000, 2020, Oracle and\/or its affiliates. All rights reserved.\n\nOracle is a registered trademark of Oracle Corporation and\/or its\naffiliates. Other names may be trademarks of their respective\nowners.\n\nType 'help;' or '\\h' for help. Type '\\c' to clear the current input statement.\n\nmysql&gt; SHOW GLOBAL VARIABLES LIKE 'plugin_dir';\n+---------------+--------------------------+\n| Variable_name | Value                    |\n+---------------+--------------------------+\n| plugin_dir    | \/usr\/lib64\/mysql\/plugin\/ |\n+---------------+--------------------------+\n1 row in set (0.00 sec)\n\nmysql&gt;<\/code><\/pre>\n\n\n\n<p> After confirming the correct plugin directory, we will need to copy the plugin library to MySQL plugin directory. 
<\/p>\n<\/div><\/div>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>&#91;root@myredhat74 ~]# cp audit-plugin-mysql-5.7-1.1.7-913\/lib\/libaudit_plugin.so \/usr\/lib64\/mysql\/plugin\/<\/code><\/pre>\n\n\n\n<p>We also need an extra shell script to get the offsets of the MySQL binary file.<\/p>\n<\/div><\/div>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>&#91;root@myredhat74 ~]# wget https:\/\/raw.github.com\/mcafee\/mysql-audit\/master\/offset-extract\/offset-extract.sh\n&#91;root@myredhat74 ~]# chmod +x offset-extract.sh<\/code><\/pre>\n\n\n\n<p>Then, we can install gdb and run offset-extract.sh to retrieve the offsets.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;root@myredhat74 ~]# yum -y install gdb\n&#91;root@myredhat74 ~]# .\/offset-extract.sh \/usr\/sbin\/mysqld\n\/\/offsets for: \/usr\/sbin\/mysqld (5.7.29)\n{\"5.7.29\",\"00b4b7c8931e964887789044c56346fa\", 7824, 7872, 3632, 4792, 456, 360, 0, 32, 64, 160, 536, 7988, 4360, 3648, 3656, 3660, 6072, 2072, 8, 7056, 7096, 7080, 13472, 148, 672, 0},\n<\/code><\/pre>\n\n\n\n<p>The offsets printed by offset-extract.sh go into the <code>audit_offsets<\/code> setting under the <code>[mysqld]<\/code> section of <code>my.cnf<\/code>.<\/p>\n<\/div><\/div>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>plugin-load=AUDIT=libaudit_plugin.so\naudit_offsets = 7824, 7872, 3632, 4792, 456, 360, 0, 32, 64, 160, 536, 7988, 4360, 3648, 3656, 3660, 6072, 2072, 8, 7056, 7096, 7080, 13472, 148, 672, 0\naudit_json_file=1\naudit_json_log_file=\/var\/log\/mysql\/mysql-audit.json\naudit_record_cmds='connect,Failed Login,Quit'<\/code><\/pre>\n\n\n\n<p>If SELINUX is enabled, then you will need to configure the SELINUX policy as 
well.<\/p>\n<\/div><\/div>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>&#91;root@myredhat74 ~]# yum -y install policycoreutils-devel\n&#91;root@myredhat74 ~]# semanage fcontext -a -t textrel_shlib_t \/usr\/lib64\/mysql\/plugin\/libaudit_plugin.so\n&#91;root@myredhat74 ~]# restorecon -v \/usr\/lib64\/mysql\/plugin\/libaudit_plugin.so\n&#91;root@myredhat74 ~]# mkdir \/root\/mcafee-selinux-module\n&#91;root@myredhat74 ~]# cd \/root\/mcafee-selinux-module\n&#91;root@myredhat74 ~]# cat &lt;&lt;EOT &gt;&gt; mysql_libaudit.te\n\nmodule mysql_libaudit 1.0;\n\nrequire {\ntype mysqld_exec_t;\ntype mysqld_t;\nclass process execmem;\nclass file execmod;\n}\n#============= mysqld_t ==============\nallow mysqld_t mysqld_exec_t:file execmod;\nallow mysqld_t self:process execmem;\nEOT\n&#91;root@myredhat74 ~]# make -f \/usr\/share\/selinux\/devel\/Makefile\n&#91;root@myredhat74 ~]# semodule -i mysql_libaudit.pp\n&#91;root@myredhat74 ~]# cd \/root\/mcafee-selinux-module\n&#91;root@myredhat74 ~]# grep mysqld \/var\/log\/audit\/audit.log | grep -v lib_t | audit2allow -M mysql_libaudit\n&#91;root@myredhat74 ~]# semodule -i mysql_libaudit.pp\n&#91;root@myredhat74 ~]# cd \/root\n&#91;root@myredhat74 ~]# rm -rf \/root\/mcafee-selinux-module<\/code><\/pre>\n<\/div><\/div>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<p>Next, we will need to create a log directory and restart MySQL daemon.<\/p>\n<\/div><\/div>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>&#91;root@myredhat74 ~]# mkdir -p \/var\/log\/mysql\/\n&#91;root@myredhat74 ~]# chown -R mysql:mysql \/var\/log\/mysql\n&#91;root@myredhat74 ~]# systemctl restart mysqld<\/code><\/pre>\n\n\n\n<p>Finally, we can check 
whether the Mcafee Audit library is auto-loaded.<\/p>\n<\/div><\/div>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>&#91;root@myredhat74 ~]# mysql -uroot -p -hlocalhost\nEnter password:\nWelcome to the MySQL monitor.  Commands end with ; or \\g.\nYour MySQL connection id is 2\nServer version: 5.7.29 MySQL Community Server (GPL)\n\nCopyright (c) 2000, 2020, Oracle and\/or its affiliates. All rights reserved.\n\nOracle is a registered trademark of Oracle Corporation and\/or its\naffiliates. Other names may be trademarks of their respective\nowners.\n\nType 'help;' or '\\h' for help. Type '\\c' to clear the current input statement.\n\nmysql&gt; show plugins;\n+----------------------------+----------+--------------------+----------------------+---------+\n| Name                       | Status   | Type               | Library              | License |\n+----------------------------+----------+--------------------+----------------------+---------+\n| binlog                     | ACTIVE   | STORAGE ENGINE     | NULL                 | GPL     |\n| mysql_native_password      | ACTIVE   | AUTHENTICATION     | NULL                 | GPL     |\n| sha256_password            | ACTIVE   | AUTHENTICATION     | NULL                 | GPL     |\n| CSV                        | ACTIVE   | STORAGE ENGINE     | NULL                 | GPL     |\n| MEMORY                     | ACTIVE   | STORAGE ENGINE     | NULL                 | GPL     |\n| InnoDB                     | ACTIVE   | STORAGE ENGINE     | NULL                 | GPL     |\n| INNODB_TRX                 | ACTIVE   | INFORMATION SCHEMA | NULL                 | GPL     |\n| INNODB_LOCKS               | ACTIVE   | INFORMATION SCHEMA | NULL                 | GPL     |\n| INNODB_LOCK_WAITS          | ACTIVE   | INFORMATION SCHEMA | NULL                 | GPL     |\n| INNODB_CMP                 | ACTIVE   | 
INFORMATION SCHEMA | NULL                 | GPL     |\n| INNODB_CMP_RESET           | ACTIVE   | INFORMATION SCHEMA | NULL                 | GPL     |\n| INNODB_CMPMEM              | ACTIVE   | INFORMATION SCHEMA | NULL                 | GPL     |\n| INNODB_CMPMEM_RESET        | ACTIVE   | INFORMATION SCHEMA | NULL                 | GPL     |\n| INNODB_CMP_PER_INDEX       | ACTIVE   | INFORMATION SCHEMA | NULL                 | GPL     |\n| INNODB_CMP_PER_INDEX_RESET | ACTIVE   | INFORMATION SCHEMA | NULL                 | GPL     |\n| INNODB_BUFFER_PAGE         | ACTIVE   | INFORMATION SCHEMA | NULL                 | GPL     |\n| INNODB_BUFFER_PAGE_LRU     | ACTIVE   | INFORMATION SCHEMA | NULL                 | GPL     |\n| INNODB_BUFFER_POOL_STATS   | ACTIVE   | INFORMATION SCHEMA | NULL                 | GPL     |\n| INNODB_TEMP_TABLE_INFO     | ACTIVE   | INFORMATION SCHEMA | NULL                 | GPL     |\n| INNODB_METRICS             | ACTIVE   | INFORMATION SCHEMA | NULL                 | GPL     |\n| INNODB_FT_DEFAULT_STOPWORD | ACTIVE   | INFORMATION SCHEMA | NULL                 | GPL     |\n| INNODB_FT_DELETED          | ACTIVE   | INFORMATION SCHEMA | NULL                 | GPL     |\n| INNODB_FT_BEING_DELETED    | ACTIVE   | INFORMATION SCHEMA | NULL                 | GPL     |\n| INNODB_FT_CONFIG           | ACTIVE   | INFORMATION SCHEMA | NULL                 | GPL     |\n| INNODB_FT_INDEX_CACHE      | ACTIVE   | INFORMATION SCHEMA | NULL                 | GPL     |\n| INNODB_FT_INDEX_TABLE      | ACTIVE   | INFORMATION SCHEMA | NULL                 | GPL     |\n| INNODB_SYS_TABLES          | ACTIVE   | INFORMATION SCHEMA | NULL                 | GPL     |\n| INNODB_SYS_TABLESTATS      | ACTIVE   | INFORMATION SCHEMA | NULL                 | GPL     |\n| INNODB_SYS_INDEXES         | ACTIVE   | INFORMATION SCHEMA | NULL                 | GPL     |\n| INNODB_SYS_COLUMNS         | ACTIVE   | INFORMATION SCHEMA | NULL                 | GPL     |\n| 
INNODB_SYS_FIELDS          | ACTIVE   | INFORMATION SCHEMA | NULL                 | GPL     |\n| INNODB_SYS_FOREIGN         | ACTIVE   | INFORMATION SCHEMA | NULL                 | GPL     |\n| INNODB_SYS_FOREIGN_COLS    | ACTIVE   | INFORMATION SCHEMA | NULL                 | GPL     |\n| INNODB_SYS_TABLESPACES     | ACTIVE   | INFORMATION SCHEMA | NULL                 | GPL     |\n| INNODB_SYS_DATAFILES       | ACTIVE   | INFORMATION SCHEMA | NULL                 | GPL     |\n| INNODB_SYS_VIRTUAL         | ACTIVE   | INFORMATION SCHEMA | NULL                 | GPL     |\n| MyISAM                     | ACTIVE   | STORAGE ENGINE     | NULL                 | GPL     |\n| MRG_MYISAM                 | ACTIVE   | STORAGE ENGINE     | NULL                 | GPL     |\n| PERFORMANCE_SCHEMA         | ACTIVE   | STORAGE ENGINE     | NULL                 | GPL     |\n| ARCHIVE                    | ACTIVE   | STORAGE ENGINE     | NULL                 | GPL     |\n| BLACKHOLE                  | ACTIVE   | STORAGE ENGINE     | NULL                 | GPL     |\n| FEDERATED                  | DISABLED | STORAGE ENGINE     | NULL                 | GPL     |\n| partition                  | ACTIVE   | STORAGE ENGINE     | NULL                 | GPL     |\n| ngram                      | ACTIVE   | FTPARSER           | NULL                 | GPL     |\n| AUDIT                      | ACTIVE   | AUDIT              | libaudit_plugin.so   | GPL     |\n| SERVER_AUDIT               | ACTIVE   | AUDIT              | server_audit.so      | GPL     |\n| validate_password          | ACTIVE   | VALIDATE PASSWORD  | validate_password.so | GPL     |\n+----------------------------+----------+--------------------+----------------------+---------+\nmysql&gt; show global status like 'AUDIT_version';\n+---------------+-----------+\n| Variable_name | Value     |\n+---------------+-----------+\n| Audit_version | 1.1.7-913 |\n+---------------+-----------+\n1 row in set (0.00 
sec)\n\n<\/code><\/pre>\n\n\n\n<p>If the library is not auto-loaded, we can enter MySQL console and install the plugin.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mysql&gt; INSTALL PLUGIN AUDIT SONAME 'libaudit_plugin.so';\n<\/code><\/pre>\n<\/div><\/div>\n\n\n\n<p> Let&#8217;s check the final result using Splunk. <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_mcafee_splunk_view.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"358\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_mcafee_splunk_view-1024x358.png\" alt=\"MySQL community audit logging for Mcafee using Splunk view\" class=\"wp-image-5012\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_mcafee_splunk_view-1024x358.png 1024w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_mcafee_splunk_view-300x105.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_mcafee_splunk_view-768x269.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_mcafee_splunk_view-1536x537.png 1536w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_mcafee_splunk_view-18x6.png 18w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_mcafee_splunk_view-600x210.png 600w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_mcafee_splunk_view.png 1872w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">MySQL community audit logging for Mcafee using Splunk view<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading has-text-align-left\" 
id=\"h-c-redhat-8-0-mysql-community-server-8-0-16-2\">C. <strong>Redhat 8.0 + MySQL community server 8.0.16-2<\/strong><\/h3>\n\n\n\n<h4 class=\"wp-block-heading has-text-align-left\" id=\"48--native-logging-using-general_log-settings-\"><strong>Native logging using <code>general_log<\/code> settings<\/strong><\/h4>\n\n\n\n<p id=\"h-enter-mysql-console-2\">Enter MySQL console and show current log settings:<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>&#91;root@myredhat8 ~]# mysql -u root -p -h localhost\nEnter password:\nWelcome to the MySQL monitor.  Commands end with ; or \\g.\nYour MySQL connection id is 8\nServer version: 8.0.16 MySQL Community Server - GPL\n\nCopyright (c) 2000, 2019, Oracle and\/or its affiliates. All rights reserved.\n\nOracle is a registered trademark of Oracle Corporation and\/or its\naffiliates. Other names may be trademarks of their respective\nowners.\n\nType 'help;' or '\\h' for help. 
Type '\\c' to clear the current input statement.\n\nmysql&gt; SHOW VARIABLES LIKE \"general_log%\";\n+------------------+------------------------------+\n| Variable_name    | Value                        |\n+------------------+------------------------------+\n| general_log      | OFF                          |\n| general_log_file | \/var\/lib\/mysql\/myredhat8.log |\n+------------------+------------------------------+\n2 rows in set (0.01 sec)\n\nmysql&gt; SHOW VARIABLES LIKE \"log_output\";\n+---------------+-------+\n| Variable_name | Value |\n+---------------+-------+\n| log_output    | FILE  |\n+---------------+-------+\n1 row in set (0.00 sec)\n\nmysql&gt; SHOW VARIABLES LIKE \"log_warnings\";\nEmpty set (0.00 sec)\n\nmysql&gt;\n<\/code><\/pre>\n\n\n\n<p>While still in MySQL console, we can enable log settings at runtime.<\/p>\n<\/div><\/div>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>mysql&gt; SET global general_log_file='\/var\/log\/mysql\/mysql_general.log';\nQuery OK, 0 rows affected (0.00 sec)\n\nmysql&gt; SET global general_log = on;\nQuery OK, 0 rows affected (0.01 sec)\n\nmysql&gt; SET global log_output = 'file';\nQuery OK, 0 rows affected (0.00 sec)\n<\/code><\/pre>\n\n\n\n<p>We will need to edit \/etc\/my.cnf to enable persistent log settings. 
The general_log settings will log all successful and failed attempts as well as queries.<\/p>\n<\/div><\/div>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>&#91;mysqld]\ngeneral_log = on\ngeneral_log_file=\/var\/log\/mysql\/mysql_general.log<\/code><\/pre>\n<\/div><\/div>\n\n\n\n<p id=\"h-side-impact-disable-dns-lookups-to-log-ip-address-but-need-to-set-permissions-using-ip-addresses-rather-than-host-names-2\">It is possible to disable DNS lookups so that MySQL will log source IP addresses instead of hostname. However, you will need to grant permissions using IP addresses rather than a hostname.<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>skip-name-resolve<\/code><\/pre>\n<\/div><\/div>\n\n\n\n<p>Finally, we will need to create a log directory and restart MySQL daemon.<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>mkdir -p \/var\/log\/mysql\/\nchown -R mysql:mysql \/var\/log\/mysql\nsystemctl restart mysqld<\/code><\/pre>\n<\/div><\/div>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading has-text-align-left\" id=\"55-percona-audit-logging-plugin-audit_logso-settings\">Percona audit logging plugin (<code>audit_log.so<\/code>) settings<\/h4>\n\n\n\n<p>For Percona audit logging plugin, we will need to download the Percona binary file and then extract it.<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>&#91;root@myredhat8 ~]# wget 
https:\/\/downloads.percona.com\/downloads\/Percona-Server-LATEST\/Percona-Server-8.0.16-7\/binary\/redhat\/7\/x86_64\/percona-server-server-8.0.16-7.1.el7.x86_64.rpm\n&#91;root@myredhat8 ~]# mkdir Percona-Server\n&#91;root@myredhat8 ~]# mv percona-server-server-8.0.16-7.1.el7.x86_64.rpm Percona-Server\/\n&#91;root@myredhat8 ~]# cd Percona-Server\/\n&#91;root@myredhat8 ~]# rpm2cpio percona-server-server-8.0.16-7.1.el7.x86_64.rpm | cpio -idmv<\/code><\/pre>\n\n\n\n<p>Enter the MySQL console and check the plugin directory, which defaults to \/usr\/lib64\/mysql\/plugin\/ for rpm installations.<\/p>\n<\/div><\/div>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>&#91;root@myredhat8 ~]# mysql -u root -p -h localhost\nEnter password:\nWelcome to the MySQL monitor.  Commands end with ; or \\g.\nYour MySQL connection id is 10\nServer version: 8.0.16 MySQL Community Server - GPL\n\nCopyright (c) 2000, 2019, Oracle and\/or its affiliates. All rights reserved.\n\nOracle is a registered trademark of Oracle Corporation and\/or its\naffiliates. Other names may be trademarks of their respective\nowners.\n\nType 'help;' or '\\h' for help. 
Type '\\c' to clear the current input statement.\n\nmysql&gt; SHOW GLOBAL VARIABLES LIKE 'plugin_dir';\n+---------------+--------------------------+\n| Variable_name | Value                    |\n+---------------+--------------------------+\n| plugin_dir    | \/usr\/lib64\/mysql\/plugin\/ |\n+---------------+--------------------------+\n1 row in set (0.00 sec)\n\nmysql&gt; <\/code><\/pre>\n\n\n\n<p>After confirming the correct plugin directory, we will need to copy the plugin library to MySQL plugin directory.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;root@myredhat8 ~]# cp .\/usr\/lib64\/mysql\/plugin\/audit_log.so \/usr\/lib64\/mysql\/plugin\/<\/code><\/pre>\n\n\n\n<p>Enter MySQL console again, and install the plugin.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;root@myredhat8 ~]# mysql -u root -p -h localhost\nEnter password:\nWelcome to the MySQL monitor.  Commands end with ; or \\g.\nYour MySQL connection id is 9\nServer version: 8.0.16 MySQL Community Server - GPL\n\nCopyright (c) 2000, 2019, Oracle and\/or its affiliates. All rights reserved.\n\nOracle is a registered trademark of Oracle Corporation and\/or its\naffiliates. Other names may be trademarks of their respective\nowners.\n\nType 'help;' or '\\h' for help. 
Type '\\c' to clear the current input statement.\n\n\nmysql&gt; INSTALL PLUGIN audit_log SONAME 'audit_log.so';\nQuery OK, 0 rows affected (0.02 sec)<\/code><\/pre>\n\n\n\n<p>Now, we can add the log settings to the <code>[mysqld]<\/code> section of <code>my.cnf<\/code> (or whichever configuration file MySQL uses).<\/p>\n<\/div><\/div>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>plugin-load = audit_log.so\naudit_log_file = \/var\/log\/mysql\/audit.log\naudit_log_format = CSV\naudit_log_policy = LOGINS\naudit_log_handler = FILE<\/code><\/pre>\n\n\n\n<p>Finally, we will need to create a log directory and restart the MySQL daemon.<\/p>\n<\/div><\/div>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>&#91;root@myredhat8 ~]# mkdir -p \/var\/log\/mysql\/\n&#91;root@myredhat8 ~]# chown -R mysql:mysql \/var\/log\/mysql\n&#91;root@myredhat8 ~]# systemctl restart mysqld<\/code><\/pre>\n<\/div><\/div>\n\n\n\n<p> Let&#8217;s check the final result using Splunk. 
<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_percona_splunk_view.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"192\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_percona_splunk_view-1024x192.png\" alt=\"MySQL community audit logging for Percona using Splunk view\" class=\"wp-image-5013\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_percona_splunk_view-1024x192.png 1024w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_percona_splunk_view-300x56.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_percona_splunk_view-768x144.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_percona_splunk_view-1536x289.png 1536w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_percona_splunk_view-18x3.png 18w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_percona_splunk_view-600x113.png 600w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_percona_splunk_view.png 1878w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">MySQL community audit logging for Percona using Splunk view<\/figcaption><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading has-text-align-left\" id=\"56--mcafee-audit-logging-plugin-libaudit_pluginso-\"><strong>Mcafee audit logging plugin (<code>libaudit_plugin.so<\/code>)<\/strong><\/h4>\n\n\n\n<p>For Mcafee audit logging plugin, we will need to download the Mcafee binary file and then extract it.  
Check out the correct version you need here: <a href=\"https:\/\/github.com\/mcafee\/mysql-audit\/releases\">https:\/\/github.com\/mcafee\/mysql-audit\/releases<\/a>. <\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>&#91;root@myredhat8 ~]# wget https:\/\/bintray.com\/mcafee\/mysql-audit-plugin\/download_file?file_path=audit-plugin-mysql-8.0-1.1.7-913-linux-x86_64.zip -O audit-plugin-mysql-8.0-1.1.7-913-linux-x86_64.zip\n&#91;root@myredhat8 ~]# unzip audit-plugin-mysql-8.0-1.1.7-913-linux-x86_64.zip<\/code><\/pre>\n<\/div><\/div>\n\n\n\n<p>Enter the MySQL console and check the plugin directory, which defaults to \/usr\/lib64\/mysql\/plugin\/ for rpm installations.<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>&#91;root@myredhat8 ~]# mysql -u root -p -h localhost\nEnter password:\nWelcome to the MySQL monitor.  Commands end with ; or \\g.\nYour MySQL connection id is 10\nServer version: 8.0.16 MySQL Community Server - GPL\n\nCopyright (c) 2000, 2019, Oracle and\/or its affiliates. All rights reserved.\n\nOracle is a registered trademark of Oracle Corporation and\/or its\naffiliates. Other names may be trademarks of their respective\nowners.\n\nType 'help;' or '\\h' for help. 
Type '\\c' to clear the current input statement.\n\nmysql&gt; SHOW GLOBAL VARIABLES LIKE 'plugin_dir';\n+---------------+--------------------------+\n| Variable_name | Value                    |\n+---------------+--------------------------+\n| plugin_dir    | \/usr\/lib64\/mysql\/plugin\/ |\n+---------------+--------------------------+\n1 row in set (0.00 sec)\n\nmysql&gt; <\/code><\/pre>\n\n\n\n<p>After confirming the correct plugin directory, we will need to copy the plugin library to MySQL plugin directory.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;root@myredhat8 ~]# cp audit-plugin-mysql-8.0-1.1.7-913\/lib\/libaudit_plugin.so \/usr\/lib64\/mysql\/plugin\/\n<\/code><\/pre>\n\n\n\n<p>We also need an extra shell script to get the offset of MySQL binary file.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;root@myredhat8 ~]# wget https:\/\/raw.github.com\/mcafee\/mysql-audit\/master\/offset-extract\/offset-extract.sh\nchmod +x offset-extract.sh<\/code><\/pre>\n\n\n\n<p>Then, we can install gdb and run offset-extract.sh to retrieve the offset.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;root@myredhat8 ~]# yum -y install gdb\n&#91;root@myredhat8 ~]# .\/offset-extract.sh \/usr\/sbin\/mysqld\n\/\/offsets for: \/usr\/sbin\/mysqld (8.0.16)\n{\"8.0.16\",\"9d238d46151cd5f41fef859c5026f7a0\", 8360, 8408, 3912, 5352, 520, 0, 0, 32, 64, 160, 600, 8524, 4984, 4000, 4008, 4012, 6656, 1456, 40, 7616, 7656, 7640, 11416, 140, 664, 328},<\/code><\/pre>\n<\/div><\/div>\n\n\n\n<p> The output from offset-extract.sh is needed under <code>[mysqld]<\/code> section of <code>my.cnf<\/code>. 
<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>plugin-load=AUDIT=libaudit_plugin.so\naudit_offsets = 8360, 8408, 3912, 5352, 520, 0, 0, 32, 64, 160, 600, 8524, 4984, 4000, 4008, 4012, 6656, 1456, 40, 7616, 7656, 7640, 11416, 140, 664, 328\naudit_json_file=1\naudit_json_log_file=\/var\/log\/mysql\/mysql-audit.json\naudit_record_cmds='connect,Failed Login,Quit'<\/code><\/pre>\n<\/div><\/div>\n\n\n\n<p id=\"h-the-following-is-needed-if-selinux-is-enabled-2\">If SELinux is enabled, then you will need to configure the SELinux policy as well.<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>&#91;root@myredhat8 ~]# yum -y install policycoreutils-devel\n&#91;root@myredhat8 ~]# semanage fcontext -a -t textrel_shlib_t \/usr\/lib64\/mysql\/plugin\/libaudit_plugin.so\n&#91;root@myredhat8 ~]# restorecon -v \/usr\/lib64\/mysql\/plugin\/libaudit_plugin.so\n&#91;root@myredhat8 ~]# mkdir \/root\/mcafee-selinux-module\n&#91;root@myredhat8 ~]# cd \/root\/mcafee-selinux-module\n&#91;root@myredhat8 ~]# cat &lt;&lt;EOT &gt;&gt; mysql_libaudit.te\nmodule mysql_libaudit 1.0;\nrequire {\ntype mysqld_t;\nclass process execmem;\n}\n\n#============= mysqld_t ==============\nallow mysqld_t self:process execmem;\nEOT\n&#91;root@myredhat8 ~]# make -f \/usr\/share\/selinux\/devel\/Makefile\n&#91;root@myredhat8 ~]# semodule -i mysql_libaudit.pp\n&#91;root@myredhat8 ~]# cd \/root\/mcafee-selinux-module\n&#91;root@myredhat8 ~]# grep mysqld \/var\/log\/audit\/audit.log | grep -v lib_t | audit2allow -M mysql_libaudit\n&#91;root@myredhat8 ~]# semodule -i mysql_libaudit.pp\n&#91;root@myredhat8 ~]# cd \/root\n&#91;root@myredhat8 ~]# rm -rf \/root\/mcafee-selinux-module<\/code><\/pre>\n\n\n\n<p>Next, we will need to create a log directory and restart MySQL 
daemon.<\/p>\n<\/div><\/div>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>&#91;root@myredhat8 ~]# mkdir -p \/var\/log\/mysql\/\n&#91;root@myredhat8 ~]# chown -R mysql:mysql \/var\/log\/mysql\n&#91;root@myredhat8 ~]# systemctl restart mysqld<\/code><\/pre>\n<\/div><\/div>\n\n\n\n<p>Finally, we can check whether the Mcafee Audit library is auto-loaded.<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>&#91;root@myredhat8 ~]# mysql -u root -p -h localhost\nEnter password:\nWelcome to the MySQL monitor.  Commands end with ; or \\g.\nYour MySQL connection id is 11\nServer version: 8.0.16 MySQL Community Server - GPL\n\nCopyright (c) 2000, 2019, Oracle and\/or its affiliates. All rights reserved.\n\nOracle is a registered trademark of Oracle Corporation and\/or its\naffiliates. Other names may be trademarks of their respective\nowners.\n\nType 'help;' or '\\h' for help. 
Type '\\c' to clear the current input statement.\n\nmysql&gt; show plugins;\n+---------------------------------+----------+--------------------+--------------+---------+\n| Name                            | Status   | Type               | Library      | License |\n+---------------------------------+----------+--------------------+--------------+---------+\n| binlog                          | ACTIVE   | STORAGE ENGINE     | NULL         | GPL     |\n| mysql_native_password           | ACTIVE   | AUTHENTICATION     | NULL         | GPL     |\n| sha256_password                 | ACTIVE   | AUTHENTICATION     | NULL         | GPL     |\n| caching_sha2_password           | ACTIVE   | AUTHENTICATION     | NULL         | GPL     |\n| sha2_cache_cleaner              | ACTIVE   | AUDIT              | NULL         | GPL     |\n| CSV                             | ACTIVE   | STORAGE ENGINE     | NULL         | GPL     |\n| MEMORY                          | ACTIVE   | STORAGE ENGINE     | NULL         | GPL     |\n| InnoDB                          | ACTIVE   | STORAGE ENGINE     | NULL         | GPL     |\n| INNODB_TRX                      | ACTIVE   | INFORMATION SCHEMA | NULL         | GPL     |\n| INNODB_CMP                      | ACTIVE   | INFORMATION SCHEMA | NULL         | GPL     |\n| INNODB_CMP_RESET                | ACTIVE   | INFORMATION SCHEMA | NULL         | GPL     |\n| INNODB_CMPMEM                   | ACTIVE   | INFORMATION SCHEMA | NULL         | GPL     |\n| INNODB_CMPMEM_RESET             | ACTIVE   | INFORMATION SCHEMA | NULL         | GPL     |\n| INNODB_CMP_PER_INDEX            | ACTIVE   | INFORMATION SCHEMA | NULL         | GPL     |\n| INNODB_CMP_PER_INDEX_RESET      | ACTIVE   | INFORMATION SCHEMA | NULL         | GPL     |\n| INNODB_BUFFER_PAGE              | ACTIVE   | INFORMATION SCHEMA | NULL         | GPL     |\n| INNODB_BUFFER_PAGE_LRU          | ACTIVE   | INFORMATION SCHEMA | NULL         | GPL     |\n| INNODB_BUFFER_POOL_STATS        | ACTIVE 
  | INFORMATION SCHEMA | NULL         | GPL     |\n| INNODB_TEMP_TABLE_INFO          | ACTIVE   | INFORMATION SCHEMA | NULL         | GPL     |\n| INNODB_METRICS                  | ACTIVE   | INFORMATION SCHEMA | NULL         | GPL     |\n| INNODB_FT_DEFAULT_STOPWORD      | ACTIVE   | INFORMATION SCHEMA | NULL         | GPL     |\n| INNODB_FT_DELETED               | ACTIVE   | INFORMATION SCHEMA | NULL         | GPL     |\n| INNODB_FT_BEING_DELETED         | ACTIVE   | INFORMATION SCHEMA | NULL         | GPL     |\n| INNODB_FT_CONFIG                | ACTIVE   | INFORMATION SCHEMA | NULL         | GPL     |\n| INNODB_FT_INDEX_CACHE           | ACTIVE   | INFORMATION SCHEMA | NULL         | GPL     |\n| INNODB_FT_INDEX_TABLE           | ACTIVE   | INFORMATION SCHEMA | NULL         | GPL     |\n| INNODB_TABLES                   | ACTIVE   | INFORMATION SCHEMA | NULL         | GPL     |\n| INNODB_TABLESTATS               | ACTIVE   | INFORMATION SCHEMA | NULL         | GPL     |\n| INNODB_INDEXES                  | ACTIVE   | INFORMATION SCHEMA | NULL         | GPL     |\n| INNODB_TABLESPACES              | ACTIVE   | INFORMATION SCHEMA | NULL         | GPL     |\n| INNODB_COLUMNS                  | ACTIVE   | INFORMATION SCHEMA | NULL         | GPL     |\n| INNODB_VIRTUAL                  | ACTIVE   | INFORMATION SCHEMA | NULL         | GPL     |\n| INNODB_CACHED_INDEXES           | ACTIVE   | INFORMATION SCHEMA | NULL         | GPL     |\n| INNODB_SESSION_TEMP_TABLESPACES | ACTIVE   | INFORMATION SCHEMA | NULL         | GPL     |\n| MyISAM                          | ACTIVE   | STORAGE ENGINE     | NULL         | GPL     |\n| MRG_MYISAM                      | ACTIVE   | STORAGE ENGINE     | NULL         | GPL     |\n| PERFORMANCE_SCHEMA              | ACTIVE   | STORAGE ENGINE     | NULL         | GPL     |\n| TempTable                       | ACTIVE   | STORAGE ENGINE     | NULL         | GPL     |\n| ARCHIVE                         | ACTIVE   | STORAGE ENGINE     | 
NULL         | GPL     |\n| BLACKHOLE                       | ACTIVE   | STORAGE ENGINE     | NULL         | GPL     |\n| FEDERATED                       | DISABLED | STORAGE ENGINE     | NULL         | GPL     |\n| ngram                           | ACTIVE   | FTPARSER           | NULL         | GPL     |\n| mysqlx                          | ACTIVE   | DAEMON             | NULL         | GPL     |\n| mysqlx_cache_cleaner            | ACTIVE   | AUDIT              | NULL         | GPL     |\n+---------------------------------+----------+--------------------+--------------+---------+\n44 rows in set (0.01 sec)\n\n<\/code><\/pre>\n\n\n\n<p>If the library is not auto-loaded, we can enter MySQL console and install the plugin.<\/p>\n<\/div><\/div>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>mysql&gt; INSTALL PLUGIN AUDIT SONAME 'libaudit_plugin.so';\nQuery OK, 0 rows affected (1.25 sec)\n\nmysql&gt; show global status like 'AUDIT_version';\n+---------------+-----------+\n| Variable_name | Value     |\n+---------------+-----------+\n| Audit_version | 1.1.7-913 |\n+---------------+-----------+\n1 row in set (0.01 sec)\n\nmysql&gt;\n<\/code><\/pre>\n\n\n\n<p> Let&#8217;s check the final result using Splunk. 
<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><a href=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_mcafee_splunk_view.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"358\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_mcafee_splunk_view-1024x358.png\" alt=\"MySQL community audit logging for Mcafee using Splunk view\" class=\"wp-image-5012\" style=\"width:840px;height:293px\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_mcafee_splunk_view-1024x358.png 1024w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_mcafee_splunk_view-300x105.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_mcafee_splunk_view-768x269.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_mcafee_splunk_view-1536x537.png 1536w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_mcafee_splunk_view-18x6.png 18w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_mcafee_splunk_view-600x210.png 600w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_mcafee_splunk_view.png 1872w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">MySQL community audit logging for Mcafee using Splunk view<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"native-mysql-general-log-filtering-using-splunk\">Native MySQL general_log filtering using Splunk<\/h2>\n\n\n\n<p>Lastly, we will introduce our solution to filter and only send authentication-related logs to Splunk. 
To keep things simple, you can deploy the configuration below on the Splunk Universal Forwarder, the Splunk Heavy Forwarder\/Indexer, and the Search Head. You will also need the <a href=\"https:\/\/splunkbase.splunk.com\/app\/2848\/\">MySQL Splunk app<\/a>, and you must ingest the MySQL general log with the sourcetype <code>mysql:generallog:all<\/code>.<\/p>\n\n\n\n<p>Basically, the configuration first changes the sourcetype of authentication logs to <code>mysql:generalQueryLog<\/code> and then drops all other logs.<\/p>\n\n\n\n<p><code>props.conf<\/code><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;mysql:generallog:all]\n# Splunk magic 8 props\nSHOULD_LINEMERGE = false\nLINE_BREAKER = (&#91;\\r\\n]+)\nTIME_PREFIX = ^\nMAX_TIMESTAMP_LOOKAHEAD = 27\nTIME_FORMAT=%Y-%m-%dT%H:%M:%S.%6QZ\n# 700 is enough for authentication log\n# TRUNCATE = 700\n# For_Load_Balancing_On_UF\nEVENT_BREAKER_ENABLE = true\nEVENT_BREAKER = (&#91;\\r\\n]+)\n\n# Transforms run in the listed order: re-tag authentication events first, then drop the rest\nTRANSFORMS-mysql_generallog = set_mysql_generallog_auth_sourcetype,set_mysql_generallog_nonauth_null\n\n&#91;mysql:generalQueryLog]\n# action: Connect events reporting Access denied are failures; the @@version_comment query is treated as a successful login\nEVAL-action = case((Command=\"Connect\" AND like(Argument,\"%Access denied for user%\")), \"failure\", (Command=\"Query\" AND Argument==\"select @@version_comment limit 1\"), \"success\", true(), null())\nEVAL-src = client_host\n# src_ip is only set when client_host is an IPv4 address\nEVAL-src_ip = if(cidrmatch(\"0.0.0.0\/0\",client_host), client_host, null())\n<\/code><\/pre>\n\n\n\n<p><code>transforms.conf<\/code><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;set_mysql_generallog_auth_sourcetype]\n# Re-tag authentication-related events (Connect lines and the @@version_comment query)\nREGEX = (?:^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{6}Z\\s+\\d+\\s+(?:Query\\s+select @@version_comment\\s+limit\\s+1|Connect\\s+.*?@.*))$\nDEST_KEY = MetaData:Sourcetype\nFORMAT = sourcetype::mysql:generalQueryLog\n\n&#91;set_mysql_generallog_nonauth_null]\n# Events still carrying the original sourcetype are sent to nullQueue (dropped)\nSOURCE_KEY = MetaData:Sourcetype\nREGEX = mysql:generallog:all\nDEST_KEY = queue\nFORMAT = nullQueue\n<\/code><\/pre>\n\n\n\n<p>Let&#8217;s check the final result:<\/p>\n\n\n\n<figure class=\"wp-block-image
size-large\"><a href=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_generallog_splunk_view.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"406\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_generallog_splunk_view-1024x406.png\" alt=\"MySQL community audit logging for generallog using Splunk view\" class=\"wp-image-5025\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_generallog_splunk_view-1024x406.png 1024w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_generallog_splunk_view-300x119.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_generallog_splunk_view-768x305.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_generallog_splunk_view-1536x609.png 1536w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_generallog_splunk_view-18x7.png 18w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_generallog_splunk_view-600x238.png 600w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2021\/12\/MySQL_community_audit_logging_for_generallog_splunk_view.png 1876w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">MySQL community audit logging for generallog using Splunk view<\/figcaption><\/figure>\n\n\n\n<p>We also have a post about MSSQL monitoring; feel free to read it <a href=\"https:\/\/cybersecthreat.com\/2020\/07\/08\/enable-mssql-authentication-log-to-eventlog\/\">here<\/a>.<\/p>\n\n\n\n<p>References:<\/p>\n\n\n\n<p><a href=\"https:\/\/mariadb.com\/kb\/en\/mariadb-audit-plugin-log-format\/\">https:\/\/mariadb.com\/kb\/en\/mariadb-audit-plugin-log-format\/<\/a><\/p>\n\n\n\n<p><a
href=\"https:\/\/www.percona.com\/blog\/2020\/07\/22\/percona-audit-log-plugin-and-the-percona-monitoring-and-management-security-threat-tool\/\">https:\/\/www.percona.com\/blog\/2020\/07\/22\/percona-audit-log-plugin-and-the-percona-monitoring-and-management-security-threat-tool\/<\/a><\/p>\n<\/div><\/div>\n","protected":false},"excerpt":{"rendered":"<p>MySQL community edition authentication audit logging. Authentication audit is certainly an important part of continuous monitoring.<\/p>","protected":false},"author":2,"featured_media":5025,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[42,37,71,23],"tags":[],"class_list":["post-4705","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blue-team","category-privileged-account-monitoring","category-soc","category-splunk"],"taxonomy_info":{"category":[{"value":42,"label":"Blue Team"},{"value":37,"label":"Privileged Account Monitoring"},{"value":71,"label":"SOC"},{"value":23,"label":"Splunk"}]},"author_info":{"display_name":"Kelvin Yip","author_link":"https:\/\/cybersecthreat.com\/zh\/author\/kelvinyip-m\/"}}