Skip to content

PS-10191 [DOCS] - Update Audit Log Filter installation instructions f… #573

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: 8.0
Choose a base branch
from
Open

PS-10191 [DOCS] - Update Audit Log Filter installation instructions f… #573

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
192 changes: 89 additions & 103 deletions docs/audit-log-filter-overview.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,13 +1,53 @@
# Audit Log Filter overview

The Audit Log Filter plugin allows you to monitor, log, and block a connection or query actively executed on the selected server.
The Audit Log Filter plugin provides comprehensive database auditing capabilities for Percona Server. The plugin allows you to monitor, log, and block connections or queries actively executed on the selected server.

## What is audit log filter?

The Audit Log Filter plugin enables you to:

| Issue | Description |
|:----------------------|:----------------------------------------------------------------------------------------------|
| Monitor database activity | Track all database connections, queries, and administrative actions |
| Comply with regulations | Meet compliance requirements for database auditing |
| Enhance security | Detect suspicious activities and unauthorized access attempts |
| Control access | Block specific queries or connections based on configurable rules |
| Generate reports | Create detailed audit trails for security analysis |

Enabling the plugin produces a log file that contains a record of server activity. The log file has information on connections and databases accessed by that connection.

The plugin uses the `mysql` system database to store filter and user account data. Set the [`audit_log_filter_database`](audit-log-filter-variables.md#audit_log_filter_database) variable at server startup to select a different database.
The plugin uses the `mysql` system database to store filter and user account data. Set the [`audit_log_filter_database`](audit-log-filter-variables.md#audit_log_filter_database) variable at server startup to select a different database. When you change the database, you must create the required tables in the new database and migrate any existing filter data.

The `AUDIT_ADMIN` privilege is required to enable users to manage the Audit Log Filter plugin.

## System requirements

* Percona Server version: 8.0.34-26 or later

* Storage engine: InnoDB (for audit tables)

* Privileges: SYSTEM_VARIABLES_ADMIN to configure the plugin

* Disk space: Sufficient space for audit log files

* Memory: Additional memory overhead for audit processing

## Basic configuration

The Audit Log Filter plugin uses several key configuration variables:

* Dynamic variables: Can be changed at runtime using `SET GLOBAL` without restarting the server

* Read-only variables: Can only be changed at server startup in the configuration file

* [`audit_log_filter_enable`](audit-log-filter-variables.md#audit_log_filter_enable): Enable or disable the audit filter engine (dynamic)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚫 [linkspector] reported by reviewdog 🐶
Cannot reach audit-log-filter-variables.md#audit_log_filter_enable. Status: 404 Cannot find section: #audit_log_filter_enable in file: /home/runner/work/psmysql-docs/psmysql-docs/docs/audit-log-filter-variables.md.


* [`audit_log_filter_database`](audit-log-filter-variables.md#audit_log_filter_database): Database for storing filter definitions (read-only)

* [`audit_log_filter_mode`](audit-log-filter-variables.md#audit_log_filter_mode): Set to ALLOW (whitelist) or DENY (blacklist) (dynamic)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚫 [linkspector] reported by reviewdog 🐶
Cannot reach audit-log-filter-variables.md#audit_log_filter_mode. Status: 404 Cannot find section: #audit_log_filter_mode in file: /home/runner/work/psmysql-docs/psmysql-docs/docs/audit-log-filter-variables.md.


* [`audit_log_filter_rotate_on_size`](audit-log-filter-variables.md#audit_log_filter_rotate_on_size): Log file rotation size limit (dynamic)

## Privileges

Define the privilege at runtime at the startup of the server. The associated Audit Log Filter privilege can be unavailable if the plugin is not enabled.
Expand All @@ -22,110 +62,56 @@ This privilege allows queries from a user account to always be executed. An `abo

## Audit Log Filter tables

The Audit Log Filter plugin uses `mysql` system database tables in the `InnoDB` storage engine. These tables store user account data and filter data. When you start the server, change the plugin's database with the `audit_log_filter_database` variable.
The Audit Log Filter plugin uses `mysql` system database tables in the `InnoDB` storage engine. These tables store user account data and filter data.

The `audit_log_filter` table stores the definitions of the filters and has the following column definitions:

<!DOCTYPE html>
<html>
<head>
<title>HTML Table Generator</title>
<style>
#demTable {
width:100%;
height:100%;
border:1px solid #b3adad;
border-collapse:collapse;
padding:5px;
}
#demTable th {
border:1px solid #b3adad;
padding:5px;
background: #f0f0f0;
color: #313030;
}
#demTable td {
border:1px solid #b3adad;
text-align:left;
padding:5px;
background: #ffffff;
color: #313030;
}
</style>
</head>
<body>
<table id="demTable">
<thead>
<tr>
<th><div style="color: #333333;background-color: #f5f5f5;font-family: Menlo, Monaco, 'Courier New', monospace;font-weight: normal;font-size: 14px;line-height: 21px;white-space: pre;">Column name</div></th>
<th><div style="color: #333333;background-color: #f5f5f5;font-family: Menlo, Monaco, 'Courier New', monospace;font-weight: normal;font-size: 14px;line-height: 21px;white-space: pre;">Description</div></th>
</tr>
</thead>
<tbody>
<tr>
<td>&nbsp;NAME</td>
<td>&nbsp;Name of the filter</td>
</tr>
<tr>
<td>&nbsp;FILTER</td>
<td>&nbsp;Definition of the filter linked to the name as a JSON value</td>
</tr>
</tbody>
</table>
</body>
</html>
| Column name | Description |
|:-----------:|:-----------:|
| NAME | Name of the filter |
| FILTER | Definition of the filter linked to the name as a JSON value |

The `audit_log_user` table stores account data and has the following column definitions:

<!DOCTYPE html>
<html>
<head>
<title>HTML Table Generator</title>
<style>
#demTable {
width:100%;
height:100%;
border:1px solid #b3adad;
border-collapse:collapse;
padding:5px;
}
#demTable th {
border:1px solid #b3adad;
padding:5px;
background: #f0f0f0;
color: #313030;
}
#demTable td {
border:1px solid #b3adad;
text-align:left;
padding:5px;
background: #ffffff;
color: #313030;
}
</style>
</head>
<body>
<table id="demTable">
<thead>
<tr>
<th><div style="color: #333333;background-color: #f5f5f5;font-family: Menlo, Monaco, 'Courier New', monospace;font-weight: normal;font-size: 14px;line-height: 21px;white-space: pre;">Column name</div></th>
<th><div style="color: #333333;background-color: #f5f5f5;font-family: Menlo, Monaco, 'Courier New', monospace;font-weight: normal;font-size: 14px;line-height: 21px;white-space: pre;">Description</div></th>
</tr>
</thead>
<tbody>
<tr>
<td>&nbsp;USER</td>
<td>&nbsp;The account name of the user</td>
</tr>
<tr>
<td>&nbsp;HOST</td>
<td>&nbsp;The account name of the host</td>
</tr>
<tr>
<td>&nbsp;FILTERNAME</td>
<td>&nbsp;The account filter name</td>
</tr>
</tbody>
</table>
</body>
</html>
| Column name | Description |
|:-----------:|:-----------:|
| USER | The account name of the user |
| HOST | The account name of the host |
| FILTERNAME | The account filter name |

## Log formats and output

The Audit Log Filter plugin supports multiple log formats:

* JSON format: Machine-readable format for automated processing

* XML (new): Human-readable format with structured data

* XML (old): Legacy XML format for backward compatibility

The plugin logs various types of events:

* Connection events: User logins, logouts, and connection failures

* Query events: SQL statements executed by users

* Administrative events: Server configuration changes

* Error events: Failed operations and security violations

## Security considerations

When implementing the Audit Log Filter plugin, consider these security aspects:

| Issue | Description |
|:--------------------|:----------------------------------------------------------------------------------------------|
| Performance impact | Audit logging adds overhead to database operations |
| Storage requirements | Audit logs can grow large; plan for log rotation and archival |
| Sensitive data | Configure filters to avoid logging sensitive information |
| Access control | Restrict access to audit log files and configuration |
| Backup strategy | Include audit logs in your backup and recovery procedures |
## References

[Install the Audit Log Filter](install-audit-log-filter.md)

[Audit Log Filter Variables & Functions](audit-log-filter-variables.md)
137 changes: 114 additions & 23 deletions docs/install-audit-log-filter.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,40 +1,131 @@
# Install the Audit Log Filter

The `plugin_dir` system variable defines the plugin library location. If needed, at server startup, set the `plugin_dir` variable.
## Installation script

When upgrading a MySQL installation, plugins are not automatically upgraded. You may need to manually load the plugin after the MySQL upgrade.
The recommended way to install the plugin is to use the `audit_log_filter_linux_install.sql` script, located in the share directory, which creates the required tables before installing the plugin.

In the `share` directory, locate the `audit_log_filter_linux_install.sql `script.
### Prerequisites

Implemented in 8.0.34, at the time you run the script, you can select the database used to store the JSON filter tables.
The `plugin_dir` system variable defines the plugin library location. When you need a custom location, set the `plugin_dir` variable at server startup.

* If the plugin is loaded, the installation script takes the database name from the `audit_log_filter_database` variable
* If the plugin is not loaded, but passes the `-D db_name` to the mysql client when the installation script runs, uses the `db_name`.
* If the plugin is not loaded and the `-D` option is not provided, the installation script creates the required tables in the default database name `mysql`.
### Database selection

You can also designate a different database with the `audit_log_filter_database` system variable. The database name cannot be NULL or exceed 64 characters. If the database name is invalid, the audit log filter tables are not found.
The script determines the target database using the following priority:

With 8.0.34 and higher, use this command:
1. When the plugin is already loaded, the script uses the database name from the `audit_log_filter_database` variable
2. When the plugin is not loaded, but you pass the `-D db_name` option to the mysql client when running the script, the script uses the specified `db_name`
3. When the plugin is not loaded and no `-D` option is provided, you must specify the `mysql` database when running the script

You can also designate a different database with the `audit_log_filter_database` system variable. The database name cannot be NULL or exceed 64 characters. When the database name is invalid, the audit log filter tables are not found.

```{.bash data-prompt="$"}
$ mysql -u -D database -p < audit_log_filter_linux_install.sql
### Install the component

To install the plugin using the script, you must specify the `mysql` database. You can do this in two ways:

Option 1: Run the script from the command line with the `-D mysql` option:

```bash
mysql -u root -p -D mysql < /path/to/mysql/share/audit_log_filter_linux_install.sql
```

Option 2: Connect to `mysql` database and run the script interactively:

```sql
mysql> use mysql;
mysql> source /path/to/mysql/share/audit_log_filter_linux_install.sql;
```

Replace `/path/to/mysql/share/` with the actual path to your MySQL installation's share directory.

### Verify installation

After you run the script, verify that the required tables are created:

```sql
mysql> show tables in mysql like 'aud%';
```

Expected output:

```
+------------------------+
| Tables_in_mysql (aud%) |
+------------------------+
| audit_log_filter |
| audit_log_user |
+------------------------+
2 rows in set (0.00 sec)
```

## Alternative: INSTALL PLUGIN method

You can also install the plugin using the `INSTALL PLUGIN` command, but this method does not create the required tables and will cause filter operations to fail.

### Verify plugin installation

Check that the plugin is properly installed:

```sql
mysql> SHOW PLUGINS LIKE 'audit_log_filter';
```

To verify the plugin installation, run the following command:
Expected output:

```{.bash data-prompt="mysql>"}
mysql> SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'audit%';
```
+-------------------+----------+--------------------+
| Name | Status | Type |
+-------------------+----------+--------------------+
| audit_log_filter | ACTIVE | AUDIT |
+-------------------+----------+--------------------+
1 row in set (0.00 sec)
```

### Test filter functionality

Test that the audit log filter is working correctly:

```sql
mysql> SELECT audit_log_filter_set_filter('log_all', '{"filter": {"log": true}}');
```

Expected output:

```
+---------------------------------------------------------------------+
| audit_log_filter_set_filter('log_all', '{"filter": {"log": true}}') |
+---------------------------------------------------------------------+
| ERROR: Failed to check filtering rule name existence |
+---------------------------------------------------------------------+
1 row in set (0.00 sec)
```

!!! note

This error occurs when the plugin is installed without the required tables. Using the SQL script prevents this issue.

### Fix missing tables

When you have already installed the audit log plugin but are missing the required tables, you can run the `audit_log_filter_linux_install.sql` script to create the audit tables in the `mysql` database:

```bash
mysql -u root -p -D mysql < /path/to/mysql/share/audit_log_filter_linux_install.sql
```

Or interactively:

```sql
mysql> use mysql;
mysql> source /path/to/mysql/share/audit_log_filter_linux_install.sql;
```

This operation creates the missing tables without reinstalling the plugin.

## Additional information

For information about upgrading the audit log filter plugin, see the upgrade documentation.

??? example "Expected output"
## References

```text
+--------------------+---------------+
| PLUGIN_NAME | PLUGIN_STATUS |
+--------------------+---------------+
| audit_log_filter | ACTIVE |
+--------------------+---------------+
```
[Audit Log Filter Overview](audit-log-filter-overview.md)

After the installation, you can use the `--audit_log_filter` option when restarting the server. To prevent the server from not running the plugin use `--audit_log_filter` with either the `FORCE` or the `FORCE_PLUS_PERMANENT` values.
[Audit Log Filter Variables & Functions](audit-log-filter-variables.md)
Loading