MYSQLAUDITADMIN MySQL Utilities MYSQLAUDITADMIN

mysqlauditadmin - Maintain the audit log

mysqlauditadmin [OPTIONS]...
mysqlauditadmin [OPTIONS]... [COMMAND]
mysqlauditadmin l=user:pass@host:port [OPTIONS]... [COMMAND[--value=VALUE]]
mysqlauditadmin --file-stats --audit-log-name=FULL_PATH
mysqlauditadmin copy --audit-log-name=FULL_PATH --copy-to=DESTINATION [--remote-login=user:host]

This utility allows you to maintain the audit log[1], allowing you to
monitor the audit log file growth and control its rotation. Rotation
refers to the action of replacing the current audit log file with a new
one for continuous use, renaming (with a timestamp extension) and
copying the previously used audit log file to a defined location.

This utility allows you to view and modify a subset of audit log
control variables, display the audit log file status, perform on-demand
rotation of the log file, and copy files to other locations. These
features enable you to easily monitor the audit log file growth and
control its rotation (automatically based on the defined file size
threshold, or manually by an on-demand command).

The available actions include the following:

· copy

  This command copies the audit log specified by --audit-log-name to
  the destination path specified by --copy-to. The --remote-login
  option can be used to copy log files from a remote location. Note:
  the destination path must be locally accessible by the current
  user.

· policy

  The policy command is used to change the audit logging policy. The
  accepted values are the following, which are set using the --value
  option.

  Note
  The --server option is also required to execute this command.

  Starting from MySQL server 5.6.20 and 5.7.5, the audit_log_policy
  variable is read-only. The policy now results from the combination
  of two new variables: audit_log_connection_policy and
  audit_log_statement_policy. This change is supported starting from
  MySQL Utilities 1.5.2.

  · ALL: log all events

  · NONE: log nothing

  · LOGINS: only log login events

  · QUERIES: only log query events

  · DEFAULT: sets the default log policy

· rotate_on_size

  This command sets the file size threshold for automatic rotation of
  the audit log (the audit_log_rotate_on_size variable). The value is
  set using the --value option, and must be in the range (0,
  4294967295). This command also requires the --server option to be
  specified. Note: if the variable is set with a value that is not a
  multiple of 4096, then it is truncated to the nearest multiple.

· rotate

  This command is used to perform an on-demand audit log rotation,
  and only requires the --server option to be passed. Note: this
  command has no effect if the audit log file size is smaller than
  4096 (which is the minimum value allowed that is greater than 0 for
  the audit_log_rotate_on_size variable).

OPTIONS

mysqlauditadmin accepts the following command-line options:

· --audit-log-name=<AUDIT_LOG_FILE>

  Full path and file name for the audit log file. Used by the
  --file-stats option, and the copy command.

· --copy-to=<COPY_DESTINATION>

  The location to copy the specified audit log file. The path must be
  locally accessible for the current user.

· --file-stats

  Display the audit log file statistics.

· --help

  Display a help message and exit.

· --license

  Display license information and exit.

· --remote-login=<REMOTE_LOGIN>

  User name and host to be used for the remote login, for copying log
  files. It is defined using the following format: <user>:<host or
  IP>. Usage will prompt for the password.

· --server=<SERVER>

  Connection information for the server.

  To connect to a server, it is necessary to specify connection
  parameters such as user name, host name, password, and either a
  port or socket. MySQL Utilities provides a number of ways to
  provide this information. All of the methods require specifying
  your choice via a command-line option such as --server, --master,
  --slave, etc. The methods include the following in order of most
  secure to least secure.

  · Use login-paths from your .mylogin.cnf file (encrypted, not
    visible). Example: <login-path>[:<port>][:<socket>]

  · Use a configuration file (unencrypted, not visible). Note:
    available in release-1.5.0. Example:
    <configuration-file-path>[:<section>]

  · Specify the data on the command-line (unencrypted, visible).
    Example: <user>[:<passwd>]@<host>[:<port>][:<socket>]

· --show-options

  Display the audit log system variables.

· --ssl-ca

  The path to a file that contains a list of trusted SSL CAs.

· --ssl-cert

  The name of the SSL certificate file to use for establishing a
  secure connection.

· --ssl-key

  The name of the SSL key file to use for establishing a secure
  connection.

· --ssl

  Specifies if the server connection requires use of SSL. If an
  encrypted connection cannot be established, the connection attempt
  fails. Default setting is 0 (SSL not required).

· --value=<VALUE>

  Value used to set variables based on the specified commands, such
  as policy and rotate_on_size.

· --verbose, -v

  Specify how much information to display. Use this option multiple
  times to increase the amount of information. For example, -v =
  verbose, -vv = more verbose, -vvv = debug.

· --version

  Display version information and exit.

NOTES

This utility can only be applied to servers with the audit log
plugin enabled[2]. The audit log plugin is available as of MySQL
Server versions 5.5.28 and 5.6.10.

This utility requires Python version 2.6 or higher, but does not
support Python 3.

The path to the MySQL client tools should be included in the PATH
environment variable in order to use the authentication mechanism with
login-paths. This will allow the utility to use the my_print_defaults
tool, which is required to read the login-path values from the login
configuration file (.mylogin.cnf). This feature exists as of MySQL
Server 5.6.6, see mysql_config_editor — MySQL Configuration Utility[3].
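
The three connection methods listed for --server can be checked for in maintenance scripts before they are deployed. The following is an added example, not part of MySQL Utilities: it classifies each connection value by method and reports the lines that expose a password on the command line. The sample script, account names, password and file paths are constructed, and the login-path versus configuration-file distinction is a heuristic.

```python
import shlex

# Options this page names as carrying connection information.
CONN_OPTS = ("--server", "--master", "--slave")

def classify_connection(value):
    """Map a connection value onto the three methods listed for --server.
    Heuristic: login-path and config-file values can look alike."""
    if "@" in value:
        # <user>[:<passwd>]@<host>...; split on the last '@' so a password
        # containing '@' stays on the credential side.
        creds = value.rsplit("@", 1)[0]
        return "inline-password" if ":" in creds else "inline-user-only"
    first = value.split(":", 1)[0]
    if "/" in first or first.endswith(".cnf"):
        return "config-file"      # unencrypted, not visible
    return "login-path"           # encrypted, not visible

def lint_line(line):
    """Return [(option, method)] for one command line; never echoes secrets."""
    tokens = shlex.split(line, comments=True)
    found = []
    for i, tok in enumerate(tokens):
        opt, sep, value = tok.partition("=")
        if opt not in CONN_OPTS:
            continue
        if not sep:               # "--server VALUE" form
            if i + 1 >= len(tokens):
                continue
            value = tokens[i + 1]
        found.append((opt, classify_connection(value)))
    return found

def inline_password_lines(text):
    """1-based numbers of lines that put a password on the command line."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if any(m == "inline-password" for _, m in lint_line(line))]

# Constructed sample script; account names, password and paths are made up.
SAMPLE_SCRIPT = """\
mysqlauditadmin --server=root:s3cret@localhost:3310 rotate
mysqlauditadmin --server=audit_admin:3310 --show-options
mysqlauditadmin --server=/etc/mysql/audit.cnf:auditadmin policy --value=ALL
mysqlauditadmin --server root@localhost:3310 rotate
"""

if __name__ == "__main__":
    for n in inline_password_lines(SAMPLE_SCRIPT):
        print(f"line {n}: password visible on the command line")
```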

Changes to MySQL Enterprise Audit Log Plugin are not documented in this
documentation, so your output might be different than the examples
here. For example, a new (or removed) MySQL Enterprise Audit Log Plugin
option might affect the output.

LIMITATIONS

The --remote-login option is not supported on Microsoft Windows
platforms. For Microsoft Windows, use UNC paths and perform a local
copy operation, omitting the --remote-login option.

EXAMPLES

To display the audit log system variables, run the following command:

    shell> mysqlauditadmin --show-options --server=root@localhost:3310
    #
    # Showing options after command.
    #
    # Audit Log Variables and Options
    #
    +------------------------------+---------------+
    | Variable_name                | Value         |
    +------------------------------+---------------+
    | audit_log_buffer_size        | 1048576       |
    | audit_log_connection_policy  | NONE          |
    | audit_log_current_session    | ON            |
    | audit_log_exclude_accounts   |               |
    | audit_log_file               | audit.log     |
    | audit_log_flush              | OFF           |
    | audit_log_format             | OLD           |
    | audit_log_include_accounts   |               |
    | audit_log_policy             | ALL           |
    | audit_log_rotate_on_size     | 0             |
    | audit_log_statement_policy   | ALL           |
    | audit_log_strategy           | ASYNCHRONOUS  |
    +------------------------------+---------------+

To perform a (manual) rotation of the audit log file, use the following
command:

    shell> mysqlauditadmin --server=root@localhost:3310 rotate
    #
    # Executing ROTATE command.
    #

To display the audit log file statistics, run the following command:

    shell> mysqlauditadmin --file-stats --audit-log-name=../SERVER/data/audit.log
    +------------------------------+--------+---------------------------+---------------------------+
    | File                         | Size   | Created                   | Last Modified             |
    +------------------------------+--------+---------------------------+---------------------------+
    | audit.log                    | 3258   | Wed Sep 26 11:07:43 2012  | Wed Sep 26 11:07:43 2012  |
    | audit.log.13486539046497235  | 47317  | Wed Sep 26 11:05:04 2012  | Wed Sep 26 11:05:04 2012  |
    +------------------------------+--------+---------------------------+---------------------------+

To change the audit log policy to log only query events, and show the
system variables before and after the execution of the policy command,
use the following command:

    shell> mysqlauditadmin --show-options --server=root@localhost:3310 policy \
              --value=QUERIES
    #
    # Showing options before command.
    #
    # Audit Log Variables and Options
    #
    +------------------------------+---------------+
    | Variable_name                | Value         |
    +------------------------------+---------------+
    | audit_log_buffer_size        | 1048576       |
    | audit_log_connection_policy  | ALL           |
    | audit_log_current_session    | ON            |
    | audit_log_exclude_accounts   |               |
    | audit_log_file               | audit.log     |
    | audit_log_flush              | OFF           |
    | audit_log_format             | OLD           |
    | audit_log_include_accounts   |               |
    | audit_log_policy             | ALL           |
    | audit_log_rotate_on_size     | 0             |
    | audit_log_statement_policy   | ALL           |
    | audit_log_strategy           | ASYNCHRONOUS  |
    +------------------------------+---------------+
    #
    # Executing POLICY command.
    #
    #
    # Showing options after command.
    #
    # Audit Log Variables and Options
    #
    +------------------------------+---------------+
    | Variable_name                | Value         |
    +------------------------------+---------------+
    | audit_log_buffer_size        | 1048576       |
    | audit_log_connection_policy  | NONE          |
    | audit_log_current_session    | ON            |
    | audit_log_exclude_accounts   |               |
    | audit_log_file               | audit.log     |
    | audit_log_flush              | OFF           |
    | audit_log_format             | OLD           |
    | audit_log_include_accounts   |               |
    | audit_log_policy             | ALL           |
    | audit_log_rotate_on_size     | 0             |
    | audit_log_statement_policy   | ALL           |
    | audit_log_strategy           | ASYNCHRONOUS  |
    +------------------------------+---------------+

To change the audit log automatic file rotation size
(audit_log_rotate_on_size) to 32535, and show the system variables
before and after the execution of the rotate_on_size command, use the
following command. (Notice that the value set is actually 28672 because
the specified rotate_on_size value is truncated to a multiple of 4096):

    shell> mysqlauditadmin --show-options --server=root@localhost:3310 rotate_on_size \
              --value=32535
    #
    # Showing options before command.
    #
    # Audit Log Variables and Options
    #
    +------------------------------+---------------+
    | Variable_name                | Value         |
    +------------------------------+---------------+
    | audit_log_buffer_size        | 1048576       |
    | audit_log_connection_policy  | ALL           |
    | audit_log_current_session    | ON            |
    | audit_log_exclude_accounts   |               |
    | audit_log_file               | audit.log     |
    | audit_log_flush              | OFF           |
    | audit_log_format             | OLD           |
    | audit_log_include_accounts   |               |
    | audit_log_policy             | ALL           |
    | audit_log_rotate_on_size     | 0             |
    | audit_log_statement_policy   | ALL           |
    | audit_log_strategy           | ASYNCHRONOUS  |
    +------------------------------+---------------+
    #
    # Executing POLICY command.
    #
    #
    # Showing options after command.
    #
    # Audit Log Variables and Options
    #
    +------------------------------+---------------+
    | Variable_name                | Value         |
    +------------------------------+---------------+
    | audit_log_buffer_size        | 1048576       |
    | audit_log_connection_policy  | NONE          |
    | audit_log_current_session    | ON            |
    | audit_log_exclude_accounts   |               |
    | audit_log_file               | audit.log     |
    | audit_log_flush              | OFF           |
    | audit_log_format             | OLD           |
    | audit_log_include_accounts   |               |
    | audit_log_policy             | ALL           |
    | audit_log_rotate_on_size     | 28672         |
    | audit_log_statement_policy   | ALL           |
    | audit_log_strategy           | ASYNCHRONOUS  |
    +------------------------------+---------------+
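
The --show-options tables above can be checked automatically. The following is an added example, not part of MySQL Utilities: it parses such a table, reproduces the 4096 truncation of rotate_on_size, and compares the two variables that determine the policy (audit_log_connection_policy and audit_log_statement_policy) against a baseline, since audit_log_policy alone can read ALL while connection events are not logged. The baseline is hypothetical and the sample table is constructed from rows shown on this page.

```python
import re

# Constructed input: rows taken from the "after" table of the policy example.
SAMPLE = """\
+------------------------------+---------------+
| Variable_name                | Value         |
+------------------------------+---------------+
| audit_log_connection_policy  | NONE          |
| audit_log_exclude_accounts   |               |
| audit_log_policy             | ALL           |
| audit_log_rotate_on_size     | 0             |
| audit_log_statement_policy   | ALL           |
+------------------------------+---------------+
"""

ROW = re.compile(r"^\|\s*(\S+)\s*\|\s*(.*?)\s*\|\s*$")

def parse_show_options(text):
    """Return {variable: value} from a --show-options table."""
    rows = (ROW.match(line.strip()) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in rows
            if m and m.group(1) != "Variable_name"}

def effective_rotate_size(requested):
    """Value the server keeps: truncated down to a multiple of 4096."""
    if not 0 <= requested <= 4294967295:
        raise ValueError("rotate_on_size must be within 0..4294967295")
    return requested - requested % 4096

# Hypothetical baseline: log every connection and statement event.
BASELINE = {"audit_log_connection_policy": "ALL",
            "audit_log_statement_policy": "ALL"}

def audit_findings(variables, baseline=BASELINE):
    """List deviations from the baseline plus disabled size-based rotation."""
    findings = [f"{name} is {variables.get(name)!r}, baseline is {want!r}"
                for name, want in baseline.items()
                if variables.get(name) != want]
    size = int(variables.get("audit_log_rotate_on_size", 0))
    if effective_rotate_size(size) == 0:
        findings.append("size-based rotation is off (audit_log_rotate_on_size=0)")
    return findings

if __name__ == "__main__":
    for finding in audit_findings(parse_show_options(SAMPLE)):
        print("FINDING:", finding)
```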

To copy an audit log file to another location, use the following
command:

    shell> mysqlauditadmin --audit-log-name=../SERVER/data/audit.log.13486539046497235 \
              copy --copy-to=/BACKUP/Audit_Logs

To copy an audit log file from a remote server/location to the current
location (user password will be prompted), use the following command:

    shell> mysqlauditadmin --audit-log-name=audit.log.13486539046497235 \
              copy --remote-login=user:host --copy-to=.

PERMISSIONS REQUIRED

The user must have permissions to read the audit log on disk and write
the file to the remote location.

Copyright © 2006, 2015, Oracle and/or its affiliates. All rights
reserved.

This documentation is free software; you can redistribute it and/or
modify it only under the terms of the GNU General Public License as
published by the Free Software Foundation; version 2 of the License.

This documentation is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.

You should have received a copy of the GNU General Public License along
with the program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA or see
http://www.gnu.org/licenses/.

1. audit log
   http://dev.mysql.com/doc/refman/5.6/en/audit-log-plugin.html

2. audit log plugin enabled
   http://dev.mysql.com/doc/refman/5.6/en/audit-log-plugin-installation.html

3. mysql_config_editor — MySQL Configuration Utility
   http://dev.mysql.com/doc/refman/5.6/en/mysql-config-editor.html

For more information, please refer to the MySQL Utilities and Fabric
documentation, which is available online at
http://dev.mysql.com/doc/index-utils-fabric.html

Oracle Corporation (http://dev.mysql.com/).

MySQL 1.5.6 09/15/2015 MYSQLAUDITADMIN