Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Distribution: Red Hat Enterprise Linux, Fedora, CentOS
Posts: 134
Rep:
Logging all mysql command line operations
I am a SysAdmin for an online banking system that runs on Red Hat Enterprise Linux with a mysql backend. For audit purposes, we need to be able to log all operations (select, input, update, delete, etc.) that are performed in the mysql command line tool on a per user basis.
We want an audit trail for everything that happens in the database, so that when something goes wrong, we can easily tell who did it and what they did.
It needs to be logged in a way that is readable to non-technical internal management and external federal auditors.
I've looked around on the web, and I've not yet come across any plugin modules or native logging utilities for mysql to do this.
I'm hoping to get some responses here that might at least point me in the right direction.
See the ~/.mysql_history for each user. Most standard mysql client installs create this...
Then maybe manage these at each login time, driven by a custom root-level process that saves the file to a log or repository location, creating a blank one at each new login time.
You might also exploit the --debug option to the mysql client startup to have it write log files somewhere that you can process later..
To organize the data and make it readable by non-tech people you'll have to process the data.
Or simply turn on bin logging for MySQL. If you have a lot of queries and transactions going, these can grow rather fast but should pretty much a identical record of what was done on the database, data included. These logs are typically used for recovery as well.
Unfortunately neither bin logs or query logs report command by command what user did what action, as the OP is requesting. If several users have mysql client sessions, all their queries will appear together in binlogs or querylogs -- and you wouldn't be able to tell who executed which query.
Since ~/.mysql_history operates on a per-user basis.
Distribution: Red Hat Enterprise Linux, Fedora, CentOS
Posts: 134
Original Poster
Rep:
I don't want to use bin logging. For the amount of activity that our database sees, those logs would be too large to be useful for our internal auditors and management.
I'll have to see if our install is using mysql_history.
Distribution: Red Hat Enterprise Linux, Fedora, CentOS
Posts: 134
Original Poster
Rep:
Well, looks like ours is using the mysql_history, but as with a normal shell history, it does not include any time and date stamping. The date would be easy enough if we setup a logrotate job to archive the log daily, but the time that the command was done is still important to what we want to use it for.
but as with a normal shell history, it does not include any time and date stamping.
Soz for OT, but for shell logging you got three options: Bash shell logging patch (Bashv2, see honeynet), export HISTTIMEFORMAT (Bashv3 only) or using a shell wrapper like "Rootsh" (compatible, output to file or syslog). IIGC MySQL Forge shows there's an intention to do an audit plugin but apparently nobody picked it up (unassigned).
Unfortunately neither bin logs or query logs report command by command what user did what action, as the OP is requesting. If several users have mysql client sessions, all their queries will appear together in binlogs or querylogs -- and you wouldn't be able to tell who executed which query.
Since ~/.mysql_history operates on a per-user basis.
True but any user can simply just go and delete such file as well when they're done. Also like the OP mentioned, it provides no time stamp associated with each command/query.
Also, this would be hard to manage if the users have access to connect to the database remotely. At least with bin logging, you get the time stamps and you can at least narrow down who was logged in at any given time.
But I'd say, take the rootsh or bash shell logging approach like unspawn suggested. It still doesn't help when the users have access to delete such mysql_history in their home directories and or if they're given remote access which complicates getting such info from.
The general query log is a general record of what mysqld is doing. The server writes information to this log when clients connect or disconnect, and it logs each SQL statement received from clients. The general query log can be very useful when you suspect an error in a client and want to know exactly what the client sent to mysqld.
Edit: The General Query Log is also in older versions as well.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.