Link to the MariaDB audit plugin format:
https://mariadb.com/kb/en/mariadb/about-the-mariadb-audit-plugin/#audit-log-format
syslog format:
[timestamp][syslog_host][syslog_ident]:[syslog_info][serverhost],[username],[host],[connectionid],[queryid],[operation],[database],[object],[retcode]
We're using syslog, since it allows us to easily forward the logs to our
central logging server for archiving.
And here's a small sample of log files:
May 23 14:40:00 mysql09a mysql-server_auditing: mysql09a.local,root,MYSQLADM.local,725989,179577437,QUERY,,'DROP DATABASE `ese_adherence_s`',0
May 24 10:22:21 mysql09a mysql-server_auditing: mysql09a.local,ahc_shwb01_t,10.15.190.182,840046,210662172,QUERY,`ahc_shwb01_t`,'CREATE TABLE `zipcodes` ( `zip` varchar(16) NOT NULL DEFAULT \'0\' COMMENT \'Postal / ZIP code.\', `city` varchar(30) NOT NULL DEFAULT \'\' COMMENT \'City.\', `state` varchar(30) NOT NULL DEFAULT \'\' COMMENT \'Province / State.\', `latitude`',0
May 24 10:22:21 mysql09a mysql-server_auditing: mysql09a.local,ahc_shwb01_t,10.15.190.182,840046,210662174,QUERY,`ahc_shwb01_t`,'/*!40000 ALTER TABLE `zipcodes` DISABLE KEYS */',0
May 24 11:51:30 mysql09a mysql-server_auditing: mysql09a.local,ahc_shwb01_t,ahc-web29d.local,849705,0,CONNECT,ahc_shwb01_t,,0
May 24 11:51:30 mysql09a mysql-server_auditing: mysql09a.local,ahc_shwb01_t,ahc-web29d.local,849705,0,DISCONNECT,ahc_shwb01_t,,0
May 24 12:01:12 mysql09a mysql-server_auditing: mysql09a.local,,AHC-GSMPX11.local,850526,0,FAILED_CONNECT,,,1158
The 'mysql-server_auditing' is a user-configurable option (I took the
default).
I can provide a larger sample of logs if anyone wants.
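
A parser for the syslog-format audit records shown in the message, added here as an example; it is not part of the original post and is not OSSEC or MariaDB code. It assumes [syslog_info] is empty, as in every sample line, and the names parse_audit_line and triage (with its labels) are hypothetical.

```python
import re
from collections import namedtuple

# Field names follow the syslog format line quoted in the message.
AuditEvent = namedtuple("AuditEvent", "timestamp syslog_host syslog_ident serverhost "
                        "username host connectionid queryid operation database object retcode")

# Syslog prefix; assumes [syslog_info] is empty, as in every sample line of the message.
HEADER = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\s([^:\s]+):\s*(.*)$")

def parse_audit_line(line):
    """Return an AuditEvent, or None if the line does not fit the format."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    ts, shost, ident, payload = m.groups()
    # The object field carries SQL text that may itself contain commas, so take
    # the seven leading fields from the left and the retcode from the right.
    head = payload.split(",", 7)
    obj, sep, retcode = head[-1].rpartition(",")
    if len(head) != 8 or not sep or not all(f.isdigit() for f in (head[3], head[4], retcode)):
        return None
    if len(obj) >= 2 and obj[0] == obj[-1] == "'":
        obj = obj[1:-1].replace("\\'", "'")  # drop the quoting, undo \' escapes
    return AuditEvent(ts, shost, ident, head[0], head[1], head[2], int(head[3]),
                      int(head[4]), head[5], head[6].strip("`"), obj, int(retcode))

def triage(ev):
    """Hypothetical triage labels for illustration; not an OSSEC rule set."""
    if ev.operation == "FAILED_CONNECT":
        return "failed-connect"
    if ev.operation == "QUERY" and ev.object.upper().startswith("DROP "):
        return "destructive-ddl"
    return None

# Records copied from the message, unwrapped to one record per string.
SAMPLES = [
    r"May 23 14:40:00 mysql09a mysql-server_auditing: mysql09a.local,root,MYSQLADM.local,"
    r"725989,179577437,QUERY,,'DROP DATABASE `ese_adherence_s`',0",
    r"May 24 10:22:21 mysql09a mysql-server_auditing: mysql09a.local,ahc_shwb01_t,10.15.190.182,"
    r"840046,210662172,QUERY,`ahc_shwb01_t`,'CREATE TABLE `zipcodes` ( `zip` varchar(16) NOT NULL "
    r"DEFAULT \'0\' COMMENT \'Postal / ZIP code.\', `city` varchar(30) NOT NULL DEFAULT \'\' COMMENT "
    r"\'City.\', `state` varchar(30) NOT NULL DEFAULT \'\' COMMENT \'Province / State.\', `latitude`',0",
    r"May 24 12:01:12 mysql09a mysql-server_auditing: mysql09a.local,,AHC-GSMPX11.local,850526,0,FAILED_CONNECT,,,1158",
]

if __name__ == "__main__":
    for ev in map(parse_audit_line, SAMPLES):
        print(ev.operation, ev.username or "-", ev.retcode, triage(ev), ev.object[:40])
```

Splitting the payload on every comma would break on the CREATE TABLE record, whose SQL text contains commas and escaped quotes; anchoring the split from both ends avoids that.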