To agree with berndbausch.
Don't think it is the correct or maybe the easy way.
From this. "The auditd subsystem is an access monitoring and accounting for Linux developed and maintained by RedHat. It was designed to integrate pretty tightly with the kernel and watch for interesting system calls."
https://security.blogoverflow.com/20...ion-to-auditd/
Since you are asking about users issuing commands to mysql then I'd look at mysql audit methods.
It's always difficult to guess the correct answer.
Please consider that answers are sometimes wrong but they are offered for free and with good intent usually.