Syslog is widely used for logging and supports distributed logging. Having MySQL/MariaDB audit data logged to a remote syslog server is a strong guarantee for the security of the audit data. PCI compliance requires separation of duties, and separating the DBA role from the security officer role is a way to guarantee that the audit data is tamper-proof from the DBA's side.
Setting up the MariaDB Audit Plugin to log to a remote syslog server is quite simple. First install the MariaDB Audit Plugin: download it, copy it to lib/plugin in your MySQL/MariaDB install directory, and activate it:
MariaDB [(none)]> INSTALL PLUGIN server_audit SONAME 'server_audit.so';
MariaDB [test]> SET GLOBAL server_audit_output_type=SYSLOG;
MariaDB [test]> SET GLOBAL server_audit_events='CONNECT,QUERY';
MariaDB [test]> SET GLOBAL server_audit_logging=on;
To have the audit data sent to a remote server, you first need to configure the remote syslog server to accept requests from the network (here on port 514) by editing /etc/rsyslog.conf:
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
Restart the syslog daemon:
service syslog restart
To check that your syslog system accepts data from a remote source, verify that it is listening on the configured port 514:
[root@centos2 etc]# netstat -anp|grep 514
tcp    0   0 0.0.0.0:514    0.0.0.0:*    LISTEN   11467/rsyslogd
tcp    0   0 :::514         :::*         LISTEN   11467/rsyslogd
udp    0   0 0.0.0.0:514    0.0.0.0:*             11467/rsyslogd
udp    0   0 :::514         :::*                  11467/rsyslogd
On the source server, where your MariaDB/MySQL server produces the audit entries, configure syslog to push log entries to the remote system (here 192.168.56.11). Edit /etc/rsyslog.conf this way:
*.info;mail.none;authpriv.none;cron.none @192.168.56.11
On the target system you now get the audit records tagged with the originating system:
Sep 21 00:52:37 centos1 kernel: imklog 5.8.10, log source = /proc/kmsg started.
Sep 21 00:52:37 centos1 rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1647" x-info="http://www.rsyslog.com"] start
Sep 21 00:52:59 centos1 mysql-server_auditing: centos1.localdomain,root,localhost,1,19,QUERY,test,'show tables',0
Sep 21 00:53:14 centos1 mysql-server_auditing: centos1.localdomain,root,localhost,1,20,QUERY,test,'show tables',0
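As an added example (not code from the original post, MariaDB or rsyslog), here is a small Python parser for the server_audit records as they arrive on the central rsyslog server, with the checks a security officer would typically run over them first: statements that failed, connections from non-local clients, and statement counts per user. It assumes the default server_audit record layout visible above (server host, user, client host, connection id, query id, operation, database, object, return code) and that the plugin escapes a single quote inside the query as a backslash-quote; the extra sample lines beyond the two from the post are constructed for the example.

```python
"""Parse MariaDB server_audit records received over syslog and summarise them.

Added example, not code from the original post or from MariaDB. Assumes the
default server_audit record layout:
    server_host,user,client_host,connection_id,query_id,operation,database,object,retcode
and that the plugin escapes a single quote inside the object field as \\'.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two audit lines from the post plus extra lines made
# up for this example (a CONNECT from a remote client, a query containing
# commas and an escaped quote, and a statement that failed with a non-zero
# return code).
SAMPLE_SYSLOG = r"""Sep 21 00:52:37 centos1 rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1647" x-info="http://www.rsyslog.com"] start
Sep 21 00:52:59 centos1 mysql-server_auditing: centos1.localdomain,root,localhost,1,19,QUERY,test,'show tables',0
Sep 21 00:53:14 centos1 mysql-server_auditing: centos1.localdomain,root,localhost,1,20,QUERY,test,'show tables',0
Sep 21 00:54:02 centos1 mysql-server_auditing: centos1.localdomain,app,192.168.56.20,7,0,CONNECT,app_db,,0
Sep 21 00:54:05 centos1 mysql-server_auditing: centos1.localdomain,app,192.168.56.20,7,21,QUERY,app_db,'SELECT id, name FROM users WHERE name = \'o\'',0
Sep 21 00:54:09 centos1 mysql-server_auditing: centos1.localdomain,app,192.168.56.20,7,22,QUERY,app_db,'SELECT * FROM mysql.user',1142
"""

# Syslog prefix (timestamp, relaying host, tag) followed by the comma-separated
# audit record. The object field is either empty or single-quoted; inside the
# quotes a backslash escapes the next character, so commas and quotes in a
# query do not break the field boundaries.
AUDIT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<relay>\S+) "
    r"mysql-server_auditing: "
    r"(?P<server>[^,]*),(?P<user>[^,]*),(?P<client>[^,]*),"
    r"(?P<conn>\d+),(?P<qid>\d+),(?P<op>[A-Z_]+),(?P<db>[^,]*),"
    r"(?P<obj>'(?:[^'\\]|\\.)*'|[^,]*),(?P<rc>-?\d+)$"
)

LOCAL_CLIENTS = {"localhost", "127.0.0.1", "::1"}


@dataclass
class AuditRecord:
    timestamp: str
    relay_host: str        # hostname rsyslog tagged the line with
    server_host: str
    user: str
    client_host: str
    connection_id: int
    query_id: int
    operation: str
    database: str
    query: Optional[str]   # None when the record carries no object (e.g. CONNECT)
    retcode: int


def _unquote(obj: str) -> Optional[str]:
    """Strip the surrounding quotes and undo backslash escaping (assumed format)."""
    if obj == "":
        return None
    if len(obj) >= 2 and obj[0] == obj[-1] == "'":
        return re.sub(r"\\(.)", r"\1", obj[1:-1])
    return obj


def parse_line(line: str) -> Optional[AuditRecord]:
    """Return an AuditRecord for a server_audit syslog line, or None for other lines."""
    m = AUDIT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return AuditRecord(
        timestamp=m["ts"], relay_host=m["relay"], server_host=m["server"],
        user=m["user"], client_host=m["client"], connection_id=int(m["conn"]),
        query_id=int(m["qid"]), operation=m["op"], database=m["db"],
        query=_unquote(m["obj"]), retcode=int(m["rc"]),
    )


def parse_syslog(text: str) -> List[AuditRecord]:
    """Parse a chunk of syslog text, silently skipping non-audit lines."""
    records = [parse_line(line) for line in text.splitlines()]
    return [r for r in records if r is not None]


def failed_statements(records: List[AuditRecord]) -> List[AuditRecord]:
    """Records whose statement returned a non-zero (error) code."""
    return [r for r in records if r.retcode != 0]


def remote_connections(records: List[AuditRecord]) -> List[Tuple[str, str]]:
    """Distinct (user, client host) pairs that did not come from the local host."""
    return sorted({(r.user, r.client_host) for r in records if r.client_host not in LOCAL_CLIENTS})


def statements_by_user(records: List[AuditRecord]) -> Dict[str, int]:
    """Number of QUERY records per user (connection events are not counted)."""
    return dict(Counter(r.user for r in records if r.operation == "QUERY"))


if __name__ == "__main__":
    recs = parse_syslog(SAMPLE_SYSLOG)
    print(f"{len(recs)} audit records")
    print("statements per user:", statements_by_user(recs))
    print("remote (user, client):", remote_connections(recs))
    for r in failed_statements(recs):
        print(f"FAILED rc={r.retcode} user={r.user} client={r.client_host} query={r.query!r}")
```

On the collecting host you would feed the rsyslog file (or a tail of it) to parse_syslog instead of the constructed sample. Note that the forwarding rule in this post uses a single @, which in rsyslog means UDP: records can be dropped in transit without any trace, so for audit data that has to be complete the @@ form (TCP) is the better choice; the parser does not care which transport was used.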
So this is quite simple to set up. Of course you can have multiple MariaDB/MySQL servers sending audit data to a single syslog server.