audit_record_cmds vs audit_record_objs

[srinathman]

when setting audit_record_cmds and audit_record_objs the commands no associated with specific objects (set_option,grant,drop ...) are also not logged.

Suggestion: audit_record_objs should only by applied only when there is/are object(s) associated.

[glicht]

Looks like the thing to do is to add support for empty set of objects as a special entry. For example we can have '{}' refer to the empty set.

[glicht]

I"ve done a commit to resolve this. It is now possible to specifyy '{}' as part of audit_record_objs. If '{}' is specified then also commands with an empty object set will be logged. This will be officially included in the 1.0.3 binary release.

[JackyShu]

Hi,
I'm trying to log both all DDL and DML on some tables (say tables with configuration data), but couldn't get audit_record_objs and audit_record_cmds work together (DML logged on tables that I didn't want). Do you have a sample available?

Just to illustrate, say I want to audit DROP table and UPDATE on test.abc table, if I set
set global audit_record_cmds='update,drop';
set global audit_record_objs='test.abc';

It won't log DROP table. Any ideas?

Thanks.

[glicht]

Please provide more details. Simple test would be to set both with values
such as:

set global audit_record_cmds="insert,update";
set global audit_record_objs="test.*";

Then do some inserts/updates on tables both in test.* and other dbs. You
should see only inserts/updates on tables from test.*.

On Wed, Jun 12, 2013 at 4:47 PM, JackyShu [email protected] wrote:

Hi,
I'm trying to log both all DDL and DML on some tables (say tables with
configuration data), but couldn't get audit_record_objs and
audit_record_cmds work together (DML logged on tables that I didn't want).
Do you have a sample available?

Thanks.

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/12#issuecomment-19326337
.

[JackyShu]

Hi Guy,

It works fine if there is only DML in audit_record_cmds. But Got problem when it has DDL as well.
Here is what I need: I want to audit DROP any table and UPDATE on test.abc table, so I set
set global audit_record_cmds='update,drop';
set global audit_record_objs='test.abc';

Looks drop only log when dropping test.abc. Is there a way to log to dropping any tables but also with update on test.abc enabled?

Thanks.

[glicht]

This is not supported. The way it works currently the logic is the same for
all cmds. Your best option is to probably log all "update,drop" and send
the audit log to a unix domain socket. Then process it with an external
process such as syslog-ng to filter out only what you want based upon some
regex matching.

On Wed, Jun 12, 2013 at 10:21 PM, JackyShu [email protected] wrote:

Hi Guy,

It works fine if there is only DML in audit_record_cmds. But Got problem
when it has DDL as well.
Here is what I need: I want to audit DROP any table and UPDATE on
test.abc table, so I set
set global audit_record_cmds='update,drop';
set global audit_record_objs='test.abc';

Looks drop only log when dropping test.abc. Is there a way to log to
dropping any tables but also with update on test.abc enabled?

Thanks.

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/12#issuecomment-19349034
.

[JackyShu]

Hi Guy,

Can I make a feature request on how to audit different commands on different objects? My understanding is that will be more like what people do on auditing.

Thanks.

[glicht]

A feature request is welcome. Not sure though, if it will be implemented
soon. It depends if more requests come in or if someone would want to
contribute some code on the subject.

On Fri, Jun 14, 2013 at 4:27 PM, JackyShu [email protected] wrote:

Hi Guy,

Can I make a feature request on how to audit different commands on
different objects? My understanding is that will be more like what people
do on auditing.

Thanks.

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/12#issuecomment-19456837
.