Skip to content

MariaDB Audit Plugin logging remotely to syslog

Syslog is widely used for logging. It allows distributed logging. Having MySQL/MariaDB audit data logged to a remote Syslog server is a strong guaranty regarding security of the audit data. PCI compliance requires separation of duties. The separation of duties between DBA profiles and a security officer is a way to guaranty that Audit data is tamper-proof from the DBA.

To set up the MariaDB Audit Plugin to log to remotely syslog is quite simple. First you install the MariaDB Audit Pluggin : You download the MariaDB audit plugin, you copy it to lib/plugin in your MySQL/MariaDB install directory and you activate it :

MariaDB [(none)]> INSTALL PLUGIN server_audit SONAME '';
MariaDB [test]> SET GLOBAL server_audit_output_type=SYSLOG;
MariaDB [test]> SET GLOBAL server_audit_events='CONNECT,QUERY ';
MariaDB [test]> SET GLOBAL server_audit_logging=on;

To have the audit logging data sent to a remote server you first need to configure the remote syslog server to accept request from the network(here on port 514) by editing /etc/rsyslog.conf

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

Restart the syslog daemon :

service syslog restart

To check that your syslog system accept data from a remote source we verify that it is listening on the configured 514 port :

[root@centos2 etc]# netstat -anp|grep 514
tcp        0      0       *                   LISTEN      11467/rsyslogd      
tcp        0      0 :::514                      :::*                        LISTEN      11467/rsyslogd      
udp        0      0       *                               11467/rsyslogd      
udp        0      0 :::514                      :::*                                    11467/rsyslogd

On the source server where your MariaDB / MySQL server produce audit entries you should configure syslog to push log entries to the remote system here You edit /etc/rsyslog.conf that way:

*.info;mail.none;authpriv.none;cron.none                @

And on the target system you now get the audit records tagged withe the originating system:

Sep 21 00:52:37 centos1 kernel: imklog 5.8.10, log source = /proc/kmsg started.
Sep 21 00:52:37 centos1 rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1647" x-info=""] start
Sep 21 00:52:59 centos1 mysql-server_auditing:  centos1.localdomain,root,localhost,1,19,QUERY,test,'show tables',0
Sep 21 00:53:14 centos1 mysql-server_auditing:  centos1.localdomain,root,localhost,1,20,QUERY,test,'show tables',0

So this is quite simple to setup. Of course you can have multiple MariaDB/MySQL servers sending audit data to a single syslog server.

Leave a Reply

Your email address will not be published. Required fields are marked *