Option to log directly to a syslog server. #14
You can achieve this by using syslog-ng and reading incoming log messages from a socket with the no-parse option. For example: Configure syslog-ng to listen on a Unix socket and send the incoming messages to a log file:
Then configure the audit plugin to log to a Unix socket by setting:
Messages will go through syslog-ng and arrive at the file /var/log/mysql-audit. In the same way you can change syslog-ng to send the messages to an external syslog daemon over the network. For example:
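The syslog-ng configuration that the reply above refers to did not survive on this page. The following is an added example, not the commenter's text and not the plugin's documentation, of a syslog-ng configuration that does what the reply describes: a stream Unix socket read with the no-parse flag and written unchanged to /var/log/mysql-audit, plus an optional network relay. Assumptions: the socket path /tmp/audit.sock is taken from a later comment in this thread; the collector hostname and port are placeholders; the plugin-side options `audit_json_socket` and `audit_json_socket_name` are the McAfee plugin's own option names as known from its documentation, not quoted from this page.

```conf
# --- syslog-ng side (e.g. /etc/syslog-ng/conf.d/mysql-audit.conf) ---
# Added example, not from the page. The plugin writes one JSON document per
# line; flags(no-parse) stores each line verbatim in ${MESSAGE} instead of
# trying to interpret it as a syslog header.
source s_mysql_audit {
    unix-stream("/tmp/audit.sock" flags(no-parse));
};

# Write the raw JSON line, without syslog-ng's default date/host prefix.
destination d_mysql_audit_file {
    file("/var/log/mysql-audit" template("${MESSAGE}\n"));
};

# Optional: relay the same lines to a remote syslog daemon over TCP.
# Hostname and port are placeholders.
destination d_mysql_audit_remote {
    network("syslog-collector.example.internal" transport("tcp") port(514));
};

log {
    source(s_mysql_audit);
    destination(d_mysql_audit_file);
    destination(d_mysql_audit_remote);
};

# --- plugin side (my.cnf, [mysqld] section) ---
# Point the audit plugin at the socket syslog-ng creates above.
# audit_json_socket = ON
# audit_json_socket_name = /tmp/audit.sock
```

Two checks worth doing after a restart: `ss -xl` (or `netstat -xl`) should list /tmp/audit.sock as a stream socket owned by syslog-ng, and the socket file must be writable by the user mysqld runs as, otherwise the plugin reports a connect failure and disables its socket handler just as described later in this thread.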
Thanks, do you know if it's possible to do the same using rsyslog?
Not too familiar with rsyslog so can't say if it is possible or not. I would Guy
I just spent three hours upgrading syslog on a system to rsyslog, tweaking the config, creating a socket and pointing the audit-plugin to it. The plugin fails with the following message: "Audit Plugin: unable to connect to socket: /tmp/audit.sock. err: Protocol wrong type for socket. audit socket handler disabled!!" This is because rsyslog uses a datagram-based socket file while (I assume) the audit plugin is expecting a stream-based socket. By default syslog-ng uses stream-based sockets (this is configurable). Unfortunately it appears that rsyslog does not have the ability to change from datagram to stream-based. http://lists.adiscon.net/pipermail/rsyslog/2011-February/027988.html So it appears that you have to use syslog-ng to use the audit plugin with sockets. Hope that helps someone.
You are correct. The AUDIT plugin is stream-based. I guess this is a point for improvement, to also support other syslog daemons by using datagram-based sockets. Thanks for the update.
Finally I migrated to syslog-ng.
Wondering if there is any work done on the datagram sockets? I've been taking a look at the audit codebase - as I am quite unfamiliar with C++ I'd be happier with a few more comments in the source code :-) I'm willing to work on adding the DGRAM sockets, but I'd like a bit of mentoring here... Anyone on IRC@freenode willing to give me a few pointers?
Hi, No work has been done yet on this issue. I can help you out. I am not on IRC but you can post questions freely on this thread. In general the change isn't big. You need to change Audit_socket_handler to also support DGRAM sockets. I would go with adding support for DGRAM by checking if the socket name starts with the prefix: "dgram:". For example:
You will get this value from setting the option
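Two things in this thread are worth seeing in running code: the "Protocol wrong type for socket" failure reported above when a stream client meets rsyslog's datagram socket, and the "dgram:" prefix approach the maintainer proposes for Audit_socket_handler. The program below is an added example, not the audit plugin's own code: `parse_socket_name`, `open_audit_socket` and `bind_server_socket` are hypothetical names, the server sockets it binds are stand-ins for the syslog daemon, and the temp path under /tmp is constructed for the demonstration. It targets Linux, where connecting to a Unix socket of the wrong type fails with EPROTOTYPE.

```cpp
// Added example (not the audit plugin's code): select stream vs. datagram
// Unix sockets from a "dgram:" prefix on the configured socket name, and
// show why a stream client fails against a datagram server with EPROTOTYPE
// ("Protocol wrong type for socket"), the error quoted in this thread.
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <string>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

struct SocketSpec {
    int type;          // SOCK_STREAM or SOCK_DGRAM
    std::string path;  // filesystem path of the Unix socket
};

// "dgram:/tmp/audit.sock" selects SOCK_DGRAM (what rsyslog creates); any
// other name keeps SOCK_STREAM (syslog-ng's unix-stream() default).
SocketSpec parse_socket_name(const std::string& name) {
    static const std::string prefix = "dgram:";
    if (name.compare(0, prefix.size(), prefix) == 0)
        return SocketSpec{SOCK_DGRAM, name.substr(prefix.size())};
    return SocketSpec{SOCK_STREAM, name};
}

static bool fill_sockaddr(const std::string& path, sockaddr_un& addr) {
    if (path.size() >= sizeof(addr.sun_path)) return false;  // sun_path is 108 bytes
    std::memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    std::memcpy(addr.sun_path, path.c_str(), path.size());
    return true;
}

// Client side: connect to the configured socket. Returns the fd, or -errno.
// connect() is used for datagram sockets too: it pins the peer so later
// write() calls need no address, and it surfaces a type mismatch immediately.
int open_audit_socket(const std::string& name) {
    SocketSpec spec = parse_socket_name(name);
    sockaddr_un addr;
    if (!fill_sockaddr(spec.path, addr)) return -ENAMETOOLONG;
    int fd = socket(AF_UNIX, spec.type, 0);
    if (fd < 0) return -errno;
    if (connect(fd, reinterpret_cast<sockaddr*>(&addr), sizeof(addr)) < 0) {
        int err = errno;
        close(fd);
        return -err;
    }
    return fd;
}

// Server-side stand-in for the syslog daemon: bind a socket of `type` at `path`.
int bind_server_socket(const std::string& path, int type) {
    sockaddr_un addr;
    if (!fill_sockaddr(path, addr)) return -ENAMETOOLONG;
    unlink(path.c_str());
    int fd = socket(AF_UNIX, type, 0);
    if (fd < 0) return -errno;
    if (bind(fd, reinterpret_cast<sockaddr*>(&addr), sizeof(addr)) < 0 ||
        (type == SOCK_STREAM && listen(fd, 1) < 0)) {
        int err = errno;
        close(fd);
        return -err;
    }
    return fd;
}

// Run one client/server pairing in a fresh temp directory (constructed for the
// demo) and return the errno the client saw, 0 on success.
int connect_error(int server_type, bool use_dgram_prefix) {
    char dir[] = "/tmp/audit-sock-XXXXXX";
    if (!mkdtemp(dir)) return errno;
    std::string path = std::string(dir) + "/audit.sock";
    int result = 0;
    int srv = bind_server_socket(path, server_type);
    if (srv < 0) {
        result = -srv;
    } else {
        int cli = open_audit_socket(use_dgram_prefix ? "dgram:" + path : path);
        if (cli < 0) result = -cli; else close(cli);
        close(srv);
    }
    unlink(path.c_str());
    rmdir(dir);
    return result;
}

static const char* describe(int err) { return err ? std::strerror(err) : "connected"; }

int main() {
    // The failure from the thread: rsyslog-style datagram socket, stream client.
    std::printf("stream client -> dgram server : %s\n", describe(connect_error(SOCK_DGRAM, false)));
    // The proposed fix: a "dgram:" prefix makes the plugin open a datagram socket.
    std::printf("dgram: client -> dgram server : %s\n", describe(connect_error(SOCK_DGRAM, true)));
    // The syslog-ng default: stream socket on both sides.
    std::printf("stream client -> stream server: %s\n", describe(connect_error(SOCK_STREAM, false)));
    return 0;
}
```

The design point for the plugin is that the socket type has to be chosen before `socket()` is called, so it must come from configuration; a prefix on the existing socket-name option, as suggested above, avoids adding a second option. Calling `connect()` on the datagram socket as well means a mismatched or missing daemon is reported once at startup rather than as a write error on every audit record.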
Thanks, I've been digging around Audit_socket_handler quite a lot already; off for today - I'll get back to you tomorrow!
Sheesh! That was a long "tomorrow", eh? My Xubuntu updated MySQL to 5.5.29, took a while until I figured out how to extract the offsets (couldn't do that against the Ubuntu-packaged binary) and the correct place to put them (32 vs. 64, heh). I now can even uninstall the plugin, this crashes the mysqld binary though! I'm doing the uninstall rather crudely (a quick hack) in the code though, might be my changes in there... Anyhow, wanted to let you know I'm still on the case! .p EDIT: I took a closer look at the segfault problem. What I did was simply comment out the if (!uninstall_plugin_enable) block on line 917-922 so every call to uninstall it should succeed. This however segfaults the server. From what I read and understand, commenting said block out should not cause such behavior. Any thoughts?
Hi Halides, I suggest opening a new issue for the crash as it is not related to syslog. In the new issue please post the output seen in the mysql error log after the crash (hopefully it should contain a stack trace).
Hi, just an update, created a socket handler for datagram also, quite straightforward. Writer has to wait until next week, though!
Thanks for the update.
Communicating with rsyslogd through a datagram socket is working, in the end it was really simple to get it going. I just tried a bit of this and that and by some wonder it started working without me really deeply knowing what's going on :-) Some criticism: the codebase is messy and uncommented - thus hard to read and understand. Adding to that my complete inexperience with the MySQL plugin system it took a lot longer time than it should to get the hang of things and I'm still quite baffled on how the system does what it does. I'll dive in deeper in the coming days, though.
Thanks for the update. When ready feel free to post a pull request with your changes. Regarding the code base, I agree it needs some cleanup and better documentation. Not sure if there will be any changes soon, so just feel free to post any questions you have here.
Hi, sorry for the sluggish updates, been quite ill for a long time. I fetched the current version and decided to start from the beginning and merge changes by hand - I did some refactoring of the codebase to make more sense of it for me and merging now would be a big mess. Are you open to receiving a refactored and re-styled codebase or would you rather I give you just the patch and you can see when you have time to clean it up yourself? Quick stuff I could clean up which I ran into: a bunch of unused and/or redundant variables hanging around we could get rid of - the code is at times indented badly - bracing and commenting waste space which makes the codebase hard to read. What do you think?
Hi, Hope you are feeling well. I think it is best to limit the refactoring and re-styling changes as it makes it hard to merge the changes. You can submit the patch as a pull request and then we can start reviewing it and see how complicated it is to get it in as part of the code base.
+1, I'm generating 100 MB of audit to a file per minute... and configuring rsyslogd to read AND configuring logrotate to rotate the logs fast enough is fairly challenging.
Hi,
Logstash -> Elasticsearch -> Kibana
Thanks @ruck. I found this https://github.com/danmandle/JSON2CSV but it does not work http://www.wesdeviers.net/the-mcafee-mysql-auditing-plugin
You want Logstash...
For everyone still arriving at this issue looking for a syslog solution, I am aware of the limitations when trying to relay via rsyslog. I plan to review this in the next few weeks and see how the plugin can be improved to work with rsyslog too. For now my recommendation is to use syslog-ng. To help with setup, I've put together a blog post about configuring the plugin to work with syslog-ng: http://lichtman.io/mcafee-mysql-audit-plugin-logging-to-syslog-ng/
Any progress on this issue? :)
No news yet. But I can say that this is on the todo list... Currently the way to go is to use syslog-ng as specified above.
It would be nice to be able to send logs directly to a syslog server.