Audit log issues when audit_log_handler=SYSLOG on Ubuntu
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Percona Server moved to https://jira.percona.com/projects/PS | Status tracked in 5.7 | | |
5.5 | New | Undecided | Unassigned |
5.6 | New | Undecided | Unassigned |
5.7 | Triaged | High | Unassigned |
Bug Description
When audit log is set to log to syslog, by default, for some reason it starts to log user actions to /var/log/auth.log instead of /var/log/syslog. Only the initial startup entry ends up in /var/log/syslog. Moreover, audit_log_
Tested on Ubuntu 14.04 and 16.04, with Percona Server 5.7.18 installed from Apt repo.
Examples:
mysql> show variables like '%audit%';
+------
| Variable_name | Value |
+------
| audit_log_
| audit_log_
| audit_log_
| audit_log_
| audit_log_file | audit.log |
| audit_log_flush | OFF |
| audit_log_format | OLD |
| audit_log_handler | SYSLOG |
| audit_log_
| audit_log_
| audit_log_
| audit_log_policy | ALL |
| audit_log_
| audit_log_rotations | 0 |
| audit_log_strategy | ASYNCHRONOUS |
| audit_log_
| audit_log_
| audit_log_
+------
18 rows in set (0.00 sec)
root@vagrant:~# tail /var/log/syslog
Aug 4 10:31:30 vagrant systemd[1]: Starting Percona Server...
Aug 4 10:31:30 vagrant percona-audit: {"audit_
root@vagrant:~# tail -1 /var/log/auth.log
Aug 4 10:41:18 vagrant mysqld[16176]: {"audit_
mysql> set global log_syslog=1;
Query OK, 0 rows affected (0.00 sec)
root@vagrant:~# tail -1 /var/log/syslog
Aug 4 11:43:18 vagrant mysqld[16931]: <AUDIT_RECORD#012 NAME="Query"#012 RECORD=
In the same configuration, logging works as expected on CentOS:
mysql> show variables like '%syslog%';
+------
| Variable_name | Value |
+------
| audit_log_
| audit_log_
| audit_log_
| log_syslog | OFF |
| log_syslog_facility | daemon |
| log_syslog_
| log_syslog_tag | |
+------
7 rows in set (0.01 sec)
mysql> \! tail -2 /var/log/messages
Aug 4 11:23:06 vagrant-centos65 percona-audit: <AUDIT_RECORD#012 NAME="Query"#012 RECORD=
Aug 4 11:23:06 vagrant-centos65 percona-audit: <AUDIT_RECORD#012 NAME="Quit"#012 RECORD=
mysql> \! cat /etc/issue
CentOS release 6.5 (Final)
Kernel \r on an \m
tags: | added: audit |
The bug is not repeatable with the tar.gz package and with a self-compiled Percona Server, started with the help of MTR:
./mtr --start --mysqld=--plugin-load=audit_log.so --mysqld=--audit_log_handler=SYSLOG --mysqld=--audit_log_syslog_ident=mysql-audit --mysqld=--audit_log_format=JSON innodb &
Only the packaged version is affected.
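
A check for the symptom reported above, as an added example that is not part of the bug report or of Percona's code: it scans syslog-style lines for audit payloads (the `{"audit_` and `<AUDIT_RECORD` prefixes quoted in the report) and counts the records that landed under a file or program tag other than the expected one. The function names, the expected file and tag constants, and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Shape of the lines quoted in the report: "Aug 4 10:41:18 host tag[pid]: payload"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s(?P<msg>.*)$"
)
# Payload prefixes visible in the report (JSON and XML-style audit records).
AUDIT_PREFIXES = ('{"audit_', "<AUDIT_RECORD")

# Assumptions for this example: where the reporter expected the records,
# and the tag seen on the one entry that was routed correctly.
EXPECTED_FILE = "/var/log/syslog"
EXPECTED_TAG = "percona-audit"

# Constructed sample input modelled on the report (payloads are made up).
SAMPLE = {
    "/var/log/syslog": [
        "Aug  4 10:31:30 vagrant systemd[1]: Starting Percona Server...",
        'Aug  4 10:31:30 vagrant percona-audit: {"audit_record":{"name":"Audit"}}',
    ],
    "/var/log/auth.log": [
        'Aug  4 10:41:18 vagrant mysqld[16176]: {"audit_record":{"name":"Query"}}',
        "Aug  4 10:41:20 vagrant sshd[900]: Accepted publickey for vagrant",
    ],
}


def audit_records(path, lines):
    """Yield (path, tag, timestamp) for every audit record found in lines."""
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if m and m["msg"].startswith(AUDIT_PREFIXES):
            yield path, m["tag"], m["ts"]


def misrouted(files):
    """files maps a log path to its lines. Returns a count per (path, tag)
    of audit records that are not under the expected file and tag."""
    counts = Counter()
    for path, lines in files.items():
        for p, tag, _ in audit_records(path, lines):
            if (p, tag) != (EXPECTED_FILE, EXPECTED_TAG):
                counts[(p, tag)] += 1
    return dict(counts)


if __name__ == "__main__":
    for (path, tag), n in misrouted(SAMPLE).items():
        print(f"{n} audit record(s) in {path} under tag {tag!r}")
```

To run it against a live host, pass `{path: open(path)}` for each log file instead of `SAMPLE`.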