MySQL Audit Log Rotation
I checked whether audit logs collected by MySQL Enterprise Audit can be
rotated periodically using MySQL Utilities.

Result of rotating the log
[Image: audit]

There are the following two patterns for rotating the audit log.

1) Automatic rotation by log size
sysvar_audit_log_rotate_on_size

If the audit_log_rotate_on_size value is greater than 0,
the audit log plugin closes and reopens its log file
if a write to the file causes its size to exceed this value.

2) Rotation using mysqlutilities
Rotation using MySQL Utility

mysqluc> help utilities
Utility           Description
----------------  ---------------------------------------------------------
mysqlauditadmin   audit log maintenance utility
mysqlauditgrep    audit log search utility
mysqldbcompare    compare databases for consistency
mysqldbcopy       copy databases from one server to another
mysqldbexport     export metadata and data from databases
mysqldbimport     import metadata and data from files
mysqldiff         compare object definitions among objects where the
                  difference is how db1.obj1 differs from db2.obj2
mysqldiskusage    show disk usage for databases
mysqlfailover     automatic replication health monitoring and failover
mysqlfrm          show CREATE TABLE from .frm files
mysqlindexcheck   check for duplicate or redundant indexes
mysqlmetagrep     search metadata
mysqlprocgrep     search process information
mysqlreplicate    establish replication with a master
mysqlrpladmin     administration utility for MySQL replication
mysqlrplcheck     check replication
mysqlrplms        establish multi-source replication
mysqlrplshow      show slaves attached to a master
mysqlrplsync      replication synchronization checker utility
mysqlserverclone  start another instance of a running server
mysqlserverinfo   show server information
mysqluserclone    clone a MySQL user account to one or more new users

mysqluc>
mysqluc> help mysqlauditadmin
Usage: mysqlauditadmin.exe --server=user:pass@host:port --show-options

mysqlauditadmin - audit log maintenance utility

Options:
Option                     Description
-------------------------  ------------------------------------------------
--version                  show program's version number and exit
--help                     display this help message and exit
--license                  display program's license and exit
--server=SERVER            connection information for the server in the
                           form:
                           <user>[:<password>]@<host>[:<port>][:<socket>]
                           or <login-path>[:<port>][:<socket>] or <config-
                           path>[<[group]>].
--audit-log-name=LOG_NAME  full path and file name for the audit log file.
                           Used for stats and copy options.
--show-options             display the audit log system variables.
--remote-login=RLOGIN      user name and host to be used for remote login
                           for copying log files. Format:
                           <user>:<host_or_ip> Password will be prompted.
--file-stats               display the audit log file statistics.
--copy-to=COPY_LOCATION    the location to copy the audit log file
                           specified. The path must be locally accessible
                           for the current user.
--value=VALUE              value used to set variables based on the command
                           specified. See --help for list per command.
--ssl-ca=SSL_CA            The path to a file that contains a list of
                           trusted SSL CAs.
--ssl-cert=SSL_CERT        The name of the SSL certificate file to use for
                           establishing a secure connection.
--ssl-key=SSL_KEY          The name of the SSL key file to use for
                           establishing a secure connection.
-v, --verbose              control how much information is displayed. e.g.,
                           -v = verbose, -vv = more verbose, -vvv = debug
                           Available Commands: copy - copy the audit log to
                           a locally accessible path policy - set the audit
                           log policy Values = ALL, NONE, LOGINS, QUERIES,
                           DEFAULT rotate - perform audit log rotation
                           rotate_on_size - set the rotate log size limit
                           for auto rotation Values = 0, 4294967295

mysqluc> mysqlauditadmin --show-options --server=admin:password@192.168.56.113
WARNING: Using a password on the command line interface can be insecure.
#
# Audit Log Variables and Options
#
+------------------------------+---------------+
| Variable_name                | Value         |
+------------------------------+---------------+
| audit_log_buffer_size        | 1048576       |
| audit_log_connection_policy  | ALL           |
| audit_log_current_session    | ON            |
| audit_log_exclude_accounts   |               |
| audit_log_file               | audit.log     |
| audit_log_flush              | OFF           |
| audit_log_format             | OLD           |
| audit_log_include_accounts   |               |
| audit_log_policy             | ALL           |
| audit_log_rotate_on_size     | 0             |
| audit_log_statement_policy   | ALL           |
| audit_log_strategy           | ASYNCHRONOUS  |
+------------------------------+---------------+


mysqluc> mysqlauditadmin --show-options --server=admin:password@192.168.56.113 rotate
WARNING: Using a password on the command line interface can be insecure.
#
# Showing options before command.
#
# Audit Log Variables and Options
#
+------------------------------+---------------+
| Variable_name                | Value         |
+------------------------------+---------------+
| audit_log_buffer_size        | 1048576       |
| audit_log_connection_policy  | ALL           |
| audit_log_current_session    | ON            |
| audit_log_exclude_accounts   |               |
| audit_log_file               | audit.log     |
| audit_log_flush              | OFF           |
| audit_log_format             | OLD           |
| audit_log_include_accounts   |               |
| audit_log_policy             | ALL           |
| audit_log_rotate_on_size     | 0             |
| audit_log_statement_policy   | ALL           |
| audit_log_strategy           | ASYNCHRONOUS  |
+------------------------------+---------------+

#
# Executing ROTATE command.
#

#
# Showing options after command.
#
# Audit Log Variables and Options
#
+------------------------------+---------------+
| Variable_name                | Value         |
+------------------------------+---------------+
| audit_log_buffer_size        | 1048576       |
| audit_log_connection_policy  | ALL           |
| audit_log_current_session    | ON            |
| audit_log_exclude_accounts   |               |
| audit_log_file               | audit.log     |
| audit_log_flush              | OFF           |
| audit_log_format             | OLD           |
| audit_log_include_accounts   |               |
| audit_log_policy             | ALL           |
| audit_log_rotate_on_size     | 0             |
| audit_log_statement_policy   | ALL           |
| audit_log_strategy           | ASYNCHRONOUS  |
+------------------------------+---------------+


mysqluc>

The log was rotated as shown below, and
the old file now has a file name of the form audit.log.xxxxx.xml.


[root@misc data]# ls -l audit.*
-rw-rw----. 1 mysql mysql  4600  3月 13 22:13 audit.log
-rw-rw----. 1 mysql mysql 23048  3月 13 22:13 audit.log.14262524122629864.xml
[root@misc data]#
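
A sketch of running this rotation on a schedule, added here as an example (it is not from the original post or from MySQL Utilities): it calls the rotate command with the login-path form of --server instead of a password on the command line, then moves rotated audit.log.<digits>.xml files into an archive directory with a SHA-256 manifest. The login-path name auditadmin, the directory paths, the cron entry and the function names are assumptions.

```sh
#!/bin/sh
# Added example: scheduled audit log rotation and archiving of rotated files.
# Assumed, not from the post: login-path "auditadmin", DATADIR, ARCHIVE, and
# all function names. Create the login-path once with mysql_config_editor.
set -u
LOGIN_PATH="${LOGIN_PATH:-auditadmin}"
DATADIR="${DATADIR:-/var/lib/mysql}"
ARCHIVE="${ARCHIVE:-/var/log/mysql-audit}"

# Rotate via the login-path form of --server, so no password is placed on
# the command line (the cause of the WARNING in the session above).
rotate_audit_log() {
    mysqlauditadmin --server="$LOGIN_PATH" rotate
}

# True only for rotated files named like the one in the listing above:
# audit.log.<digits>.xml. The live audit.log never matches.
is_rotated_name() {
    case "$1" in
        audit.log..xml|audit.log.*[!0-9]*.xml) return 1 ;;
        audit.log.*.xml) return 0 ;;
        *) return 1 ;;
    esac
}

# Move rotated files to the archive, make them read-only, and append their
# SHA-256 to a manifest so later modification is detectable. Prints the count.
archive_rotated() {
    src="$1"; dst="$2"; moved=0
    mkdir -p "$dst" && chmod 700 "$dst" || return 1
    for f in "$src"/audit.log.*.xml; do
        name=$(basename "$f")
        [ -f "$f" ] && is_rotated_name "$name" || continue
        mv "$f" "$dst/$name" || return 1
        chmod 400 "$dst/$name"
        ( cd "$dst" && sha256sum "$name" >> SHA256SUMS ) || return 1
        moved=$((moved + 1))
    done
    echo "$moved"
}

# Cron entry (assumed path and schedule):
#   0 0 * * * /usr/local/sbin/rotate_audit.sh run
if [ "${1:-}" = "run" ]; then
    rotate_audit_log && archive_rotated "$DATADIR" "$ARCHIVE"
fi
```

Archived files can be re-verified at any time by running sha256sum -c SHA256SUMS inside the archive directory.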

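Additionally, I tried rotating while the server was under load. This is the log as checked in Workbench.
[Image: workbench]

I also checked the log in Workbench. You can confirm that there is access from mysqlslap.
[Image: log]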

For details on mysqlauditadmin, see here:
http://dev.mysql.com/doc/mysql-utilities/1.3/en/mysqlauditadmin.html

https://docs.oracle.com/cd/E17952_01/mysql-utilities-1.3-en/mysqlauditadmin.html

Note: this one is a utility for filtering the contents of the log from the command line.
http://dev.mysql.com/doc/mysql-utilities/1.3/en/mysqlauditgrep.html

A 30-day trial of Enterprise Audit can be downloaded from here.
https://edelivery.oracle.com/

MySQL Utilities
http://thinkit.co.jp/story/2014/02/10/4814

SYSLOG: This function is also nice to have. (Percona)
http://www.percona.com/doc/percona-server/5.6/management/audit_log_plugin.html
