Add mysql server host name in audit_log details when writing to syslog

General

Escalation

General

Escalation

Description

When running multiple percona server instances on a single machine and writing audit_log to SYSLOG (audit_log_handler =SYSLOG) there is no way to identify/differentiate audit log entries for a particular instance.

Example:
Running 2 percona server instance on the machine with the percona audit log plugin and the following setting.

Instance1: 192.168.0.128:5721

[mysqld]
audit_log_handler =SYSLOG

Instance2: 192.168.0.128:8015

[mysqld]
audit_log_handler =SYSLOG

Connecting form remote host: 192.168.0.185

mysql -h 192.168.0.128 -u msandbox -p -P 5721
mysql> create database remote_host

mysql -h 192.168.0.128 -u msandbox -p -P 8017
mysql> create database remote_node

Percona server Host: 192.168.0.128
/var/log/syslog:

------ PS instance1  audit log entry in syslog---
Sep 6 18:15:32 lalit-ThinkPad-T480 percona-audit: <AUDIT_RECORD>#012 <NAME>Query</NAME>#012 <RECORD>13_1970-01-01T00:00:00</RECORD>#012 <TIMESTAMP>2019-09-06T12:45:32 UTC</TIMESTAMP>#012 <COMMAND_CLASS>create_db</COMMAND_CLASS>#012 <CONNECTION_ID>5</CONNECTION_ID>#012 <STATUS>0</STATUS>#012 <SQLTEXT>create database remote_host</SQLTEXT>#012 <USER>msandbox[msandbox] @ [192.168.0.185]</USER>#012 <HOST></HOST>#012 <OS_USER></OS_USER>#012 <IP>192.168.0.185</IP>#012 <DB></DB>#012</AUDIT_RECORD>

----PS instance2 audit log entry in syslog------
Sep 6 18:48:23 lalit-ThinkPad-T480 percona-audit: <AUDIT_RECORD>#012 <NAME>Query</NAME>#012 <RECORD>8_1970-01-01T00:00:00</RECORD>#012 <TIMESTAMP>2019-09-06T13:18:23Z</TIMESTAMP>#012 <COMMAND_CLASS>create_db</COMMAND_CLASS>#012 <CONNECTION_ID>9</CONNECTION_ID>#012 <STATUS>0</STATUS>#012 <SQLTEXT>create database remote_node</SQLTEXT>#012 <USER>msandbox[msandbox] @ [192.168.0.185]</USER>#012 <HOST></HOST>#012 <OS_USER></OS_USER>#012 <IP>192.168.0.185</IP>#012 <DB></DB>#012</AUDIT_RECORD>

looking at the audit_log entries in Syslog, we can't differentiate which audit log entry belongs to which percona server instance.

It would good to have percona server host information while writing audit log details in SYSLOG.

Similar settings/options are available in mariaDB audit plugin.

syslog_host	Host from which the syslog entry was received.
syslog_ident	For identifying a system log entry, including the MariaDB server.
syslog_info	For providing information for identifying a system log entry.
serverhost	The MariaDB server host name.

https://mariadb.com/kb/en/library/mariadb-audit-plugin-log-format/

Environment

None

AFFECTED CS IDs

265132

Smart Checklist

Activity

Show:

Oleksandr Kachan August 8, 2023 at 5:58 AM

Improved for the new audit_log_filter plugin - replaced audit_log_filter_syslog_ident sysvar with audit_log_filter_syslog_tag. This tag will be added as a prefix to actual syslog message. Server's syslog ident will be used for messages written by the plugin.

Oleksandr Kachan June 27, 2023 at 8:18 AM
Edited

As I can see the main issue here is conflicting audit_log_syslog_ident and syslog_ident for the server itself. This is going to be solved for the new audit plugin. There will be no way to set separate syslog ident for the plugin, it will use server's ident while writing to syslog. Instead there will be a audit_log_syslog{}_tag set for the plugin. This tag will be prepended to the actual message. Using this tag it will be possible to distinguish messages from different server instances.

Oleksandr Kachan June 13, 2023 at 1:18 PM

Thanks @Lalit Choudhary,

> audit_log_syslog_ident DOES NOT work on 5.7+ if you don't enable log-syslog

Here log-syslog is probably server system variable. There is one for MySQL 5.7, it was removed in 8.0.

Jeffrey Clark June 23, 2021 at 2:31 AM

plugin seems to ignore audit_log_syslog_facility also if log-syslog is not enabled.

Jeffrey Clark June 23, 2021 at 2:29 AM

After a bit more research, this is indeed a bug - but only in 5.7+

audit_log_syslog_ident DOES NOT work on 5.7+ if you don't enable log-syslog. It still sends to syslog, but the ident is always mysqld

Done

Details
Assignee
Oleksandr Kachan
Reporter
Lalit Choudhary
Labels
audit-log-pluginaudit-log-plugin-v2
Fix versions
8.0.34-26 (Q3 2023)
8.1.0-1 (Q3 2023)
Affects versions
5.6.x
5.7.x
8.0.x
Priority
Medium

Smart Checklist

Created September 6, 2019 at 1:32 PM

Updated March 6, 2024 at 11:51 AM

Resolved August 8, 2023 at 5:58 AM

Configure

Add mysql server host name in audit_log details when writing to syslog

Description

Environment

AFFECTED CS IDs

Smart Checklist

Activity

Oleksandr Kachan August 8, 2023 at 5:58 AM

Oleksandr Kachan June 27, 2023 at 8:18 AMEdited

Oleksandr Kachan June 13, 2023 at 1:18 PM

Jeffrey Clark June 23, 2021 at 2:31 AM

Jeffrey Clark June 23, 2021 at 2:29 AM

DetailsAssigneeOleksandr KachanOleksandr KachanReporterLalit ChoudharyLalit ChoudharyLabelsaudit-log-pluginaudit-log-plugin-v2Fix versions8.0.34-26 (Q3 2023)8.1.0-1 (Q3 2023)Affects versions5.6.x5.7.x8.0.xPriorityMedium

Details

Assignee

Reporter

Labels

Fix versions

Affects versions

Priority

Smart ChecklistOpen Smart Checklist

Smart Checklist

Oleksandr Kachan June 27, 2023 at 8:18 AM
Edited

Details
Assignee
Oleksandr Kachan
Reporter
Lalit Choudhary
Labels
audit-log-pluginaudit-log-plugin-v2
Fix versions
8.0.34-26 (Q3 2023)
8.1.0-1 (Q3 2023)
Affects versions
5.6.x
5.7.x
8.0.x
Priority
Medium

Smart Checklist