Kaspersky Next XDR Expert

Configuring receipt of events using the MariaDB Audit Plugin

KUMA allows auditing events using the MariaDB Audit Plugin. The plugin supports MySQL 5.7 and MariaDB. The audit plugin does not support MySQL 8. Detailed information about the plugin is available on the official MariaDB website.

We recommend using MariaDB Audit Plugin version 1.2 or later.

Configuring event receiving consists of the following steps:

  1. Configuring the MariaDB Audit Plugin to send MySQL events and configuring the Syslog server to send events.
  2. Configuring the MariaDB Audit Plugin to send MariaDB events and configuring the Syslog server to send events.
  3. Creating a KUMA Collector for MySQL 5.7 and MariaDB Events.

    To receive MySQL 5.7 and MariaDB events using the MariaDB Audit Plugin, in the KUMA Collector Installation Wizard, at the Event parsing step, in the Normalizer field, select [OOTB] MariaDB Audit Plugin syslog.

  4. Installing a collector in the KUMA network infrastructure.
  5. Verifying receipt of MySQL and MariaDB events by the KUMA collector.

    To verify that the MySQL and MariaDB event source server is configured correctly, you can search for related events.

In this section

Configuring the MariaDB Audit Plugin to send MySQL events

Configuring the MariaDB Audit Plugin to send MariaDB Events

Configuring a Syslog server to send events


Configuring the MariaDB Audit Plugin to send MySQL events

The MariaDB Audit Plugin is supported for MySQL 5.7 versions up to 5.7.30 and is bundled with MariaDB.

To configure MySQL 5.7 event reporting using the MariaDB Audit Plugin:

  1. Download the MariaDB distribution kit and extract it.

    You can download the MariaDB distribution kit from the official MariaDB website. The MariaDB distribution kit must be built for the same operating system as the one on which MySQL 5.7 is running.

  2. Connect to MySQL 5.7 using an account with administrator rights by running the following command:

    mysql -u <username> -p

  3. To get the directory where the MySQL 5.7 plugins are located, on the MySQL 5.7 command line, run the following command:

    SHOW GLOBAL VARIABLES LIKE 'plugin_dir';

  4. Copy the MariaDB Audit Plugin from <directory to which the distribution kit was extracted>/mariadb-server-<version>/lib/plugins/server_audit.so to the directory obtained at step 3.
  5. On the operating system command line, run the following command:

    chmod 755 <directory obtained at step 3>/server_audit.so

    For example:

    chmod 755 /usr/lib64/mysql/plugin/server_audit.so

  6. On the MySQL 5.7 command line, run the following command:

    install plugin server_audit soname 'server_audit.so';

  7. Create a backup copy of the /etc/mysql/mysql.conf.d/mysqld.cnf configuration file.
  8. In the configuration file /etc/mysql/mysql.conf.d/mysqld.cnf, in the [mysqld] section, add the following lines:

    server_audit_logging=1
    server_audit_events=connect,table,query_ddl,query_dml,query_dcl
    server_audit_output_type=SYSLOG
    server_audit_syslog_facility=LOG_SYSLOG

    If you want to disable event export for certain audit event groups, remove some of the values from the server_audit_events setting. Descriptions of settings are available on the MariaDB Audit Plugin vendor's website.

  9. Save changes to the configuration file.
  10. Restart the MySQL service by running one of the following commands:
    • systemctl restart mysqld for a system with systemd initialization.
    • service mysqld restart for a system with init initialization.

MariaDB Audit Plugin for MySQL 5.7 is configured. If necessary, you can run the following commands on the MySQL 5.7 command line:

  • show plugins to check the list of current plugins.
  • SHOW GLOBAL VARIABLES LIKE 'server_audit%' to check the current audit settings.

Configuring the MariaDB Audit Plugin to send MariaDB Events

The MariaDB Audit Plugin is included in the MariaDB distribution kit starting with versions 5.5.37 and 10.0.10.

To configure MariaDB event export using the MariaDB Audit Plugin:

  1. Connect to MariaDB using an account with administrator rights by running the following command:

    mysql -u <username> -p

  2. To get the directory where the MariaDB plugins are located, so that you can check whether the audit plugin is present in it, run the following command on the MariaDB command line:

    SHOW GLOBAL VARIABLES LIKE 'plugin_dir';

  3. On the operating system command line, run the following command:

    ls -l <directory obtained by the previous command> | grep server_audit.so

    If the command output is empty and the plugin is not present in the directory, you can either copy the MariaDB Audit Plugin to that directory or use a newer version of MariaDB.

  4. On the MariaDB command line, run the following command:

    install plugin server_audit soname 'server_audit.so';

  5. Create a backup copy of the /etc/mysql/my.cnf configuration file.
  6. In the /etc/mysql/my.cnf configuration file, in the [mysqld] section, add the following lines:

    server_audit_logging=1
    server_audit_events=connect,table,query_ddl,query_dml,query_dcl
    server_audit_output_type=SYSLOG
    server_audit_syslog_facility=LOG_SYSLOG

    If you want to disable event export for certain audit event groups, remove some of the values from the server_audit_events setting. Descriptions of settings are available on the MariaDB Audit Plugin vendor's website.

  7. Save changes to the configuration file.
  8. Restart the MariaDB service by running one of the following commands:
    • systemctl restart mariadb for a system with systemd initialization.
    • service mariadb restart for a system with init initialization.

MariaDB Audit Plugin for MariaDB is configured. If necessary, you can run the following commands on the MariaDB command line:

  • show plugins to check the list of current plugins.
  • SHOW GLOBAL VARIABLES LIKE 'server_audit%' to check the current audit settings.
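
The configuration-file step in both procedures (MySQL 5.7 and MariaDB) can be checked before the service is restarted. The following is an added example, not part of the vendor documentation: check_audit_cnf is a hypothetical helper name, and the script assumes a plain option file without !include directives.

```shell
# check_audit_cnf FILE   (hypothetical helper, added example)
# Returns 0 if the [mysqld] section of FILE carries the four audit settings
# from this page; otherwise prints one line per problem and returns 1.
check_audit_cnf() {
    awk '
    BEGIN {
        want["server_audit_logging"] = "1"
        want["server_audit_output_type"] = "SYSLOG"
        want["server_audit_syslog_facility"] = "LOG_SYSLOG"
        want["server_audit_events"] = ""      # any non-empty list is accepted
    }
    /^[ \t]*[#;]/ { next }                    # comment lines
    /^[ \t]*\[/ {                             # section header such as [mysqld]
        sec = $0
        sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        next
    }
    sec == "mysqld" && index($0, "=") {       # settings elsewhere are ignored
        key = substr($0, 1, index($0, "=") - 1)
        val = substr($0, index($0, "=") + 1)
        gsub(/[ \t]/, "", key); gsub(/-/, "_", key)   # option files accept - or _
        gsub(/^[ \t]+|[ \t\r]+$/, "", val)
        if (key == "server_audit_logging" && toupper(val) == "ON") val = "1"
        if (key in want) seen[key] = val      # last occurrence wins
    }
    END {
        bad = 0
        for (k in want) {
            if (!(k in seen)) { print "missing: " k; bad = 1 }
            else if (seen[k] == "") { print "empty: " k; bad = 1 }
            else if (want[k] != "" && toupper(seen[k]) != want[k]) {
                print "unexpected: " k "=" seen[k]; bad = 1
            }
        }
        exit bad
    }' "$1"
}
```

Run it against /etc/mysql/mysql.conf.d/mysqld.cnf (MySQL 5.7) or /etc/mysql/my.cnf (MariaDB). A setting placed under a section other than [mysqld] is reported as missing.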

Configuring a Syslog server to send events

The rsyslog service is used to transmit events from the server to the collector.

To configure the sending of events from the server where MySQL or MariaDB is installed to the collector:

  1. Before making any changes, create a backup copy of the /etc/rsyslog.conf configuration file.
  2. To send events via UDP, add the following line to the /etc/rsyslog.conf configuration file:

    *.* @<IP address of the KUMA collector>:<port of the KUMA collector>

    For example:

    *.* @192.168.1.5:1514

    If you want to send events over TCP, the line should be as follows:

    *.* @@192.168.1.5:2514

    Save changes to the /etc/rsyslog.conf configuration file.

  3. Restart the rsyslog service by executing the following command:

    sudo systemctl restart rsyslog.service
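
To confirm which transport the forwarding rule actually uses, the rule can be read back from the configuration file: a single @ means UDP and @@ means TCP. The following is an added example, not part of the vendor documentation: forwarding_proto is a hypothetical helper name, and it only understands the selector-plus-@host:port syntax shown on this page, with IPv4 addresses or host names.

```shell
# forwarding_proto FILE HOST PORT   (hypothetical helper, added example)
# Prints "udp" or "tcp" for the first active rule that forwards to HOST:PORT
# and returns 0; prints nothing and returns 1 if no rule targets the collector.
forwarding_proto() {
    awk -v host="$2" -v port="$3" '
    /^[ \t]*#/ || NF < 2 { next }          # comments, blank lines, bare directives
    $2 ~ /^@@?[^@]/ {                      # action field: @host (UDP) or @@host (TCP)
        proto = ($2 ~ /^@@/) ? "tcp" : "udp"
        target = $2
        sub(/^@+/, "", target)
        p = 514                            # syslog default port when none is given
        if (match(target, /:[0-9]+$/)) {
            p = substr(target, RSTART + 1)
            target = substr(target, 1, RSTART - 1)
        }
        if (target == host && p == port) { print proto; found = 1; exit }
    }
    END { exit !found }' "$1"
}

# Example call with the values used on this page:
#   forwarding_proto /etc/rsyslog.conf 192.168.1.5 1514
```

A commented-out rule is not counted, so a return code of 1 after editing the file usually means the line is still prefixed with # or points at a different address or port.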
