#############################################################################
# Copyright (c) 2022 CC-IN2P3
# Copyright (c) 2022 Fabien Wernli
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 as published
# by the Free Software Foundation, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# As an additional exemption you are allowed to compile & link against the
# OpenSSL libraries as published by the OpenSSL project. See the file
# COPYING for details.
#
#############################################################################
# Parse mysql/mariadb audit log
#
# See https://mariadb.com/kb/en/mariadb-audit-plugin/
# To enable MariaDB/MySQL audit logging, follow the instructions on that page.
# Make sure server_audit_output_type is set to 'syslog'.
#
# Format is [timestamp][syslog_host][syslog_ident]:[syslog_info][serverhost],[username],[host],[connectionid],[queryid],[operation],[database],[object],[retcode]
# See https://mariadb.com/kb/en/mariadb-audit-plugin-log-format/
#
# Example logs:
# <190>Apr 13 14:43:13 mysql-server_auditing: columnstore-1 eff8a68bcd7f,user1,172.18.0.1,32,394,QUERY,syslog_ng,'SELECT * FROM test WHERE 0=1',1146
# <190>Sep 14 17:46:51 centos mysql-server_auditing: columnstore-1 centos,root,localhost,11,117,QUERY,loans,'SELECT grade, AVG(loan_amnt) avg,FROM loanstats GROUP BY grade ORDER BY grade',0
# <190>Apr 29 13:56:36 mysql-server_auditing: docker eff8a68bcd7f,root,172.18.0.3,13,0,CONNECT,,,0
# <190>Apr 29 13:56:32 mysql-server_auditing: docker eff8a68bcd7f,root,172.18.0.3,12,0,FAILED_CONNECT,,,1045
# <190>Apr 29 13:56:16 mysql-server_auditing: docker eff8a68bcd7f,user1,172.18.0.3,11,58,QUERY,syslog_ng,'insert into test (date, host, program, message) VALUES(\'Apr 29 15:55:24\', \'locohost\', \'test-program\', \'foo fighters bar baz\')',0
#
# mariadb-audit-parser
#
# Splits the comma-separated part of a MariaDB/MySQL audit record into
# name-value pairs.
#   prefix    string put in front of every field name, default .mariadb.
#   template  text handed to the CSV stage, default $MESSAGE
#
# Stage 1 cuts the record into nine columns. Stage 2 re-reads the first
# column, which carries the syslog_info and serverhost values separated by a
# space (for example: columnstore-1 eff8a68bcd7f), and stores the two parts
# under their own names.
#
# Notes for audit pipelines:
#  - drop-invalid makes the CSV stage reject records whose column count does
#    not fit, and stage 2 fails when its pattern does not match. A record
#    that fails a parser leaves the log path using it, so keep a fallback
#    path for unparsed records instead of losing audit events silently.
#  - username, host, database and object originate from the connecting
#    client or from the SQL text. Treat the extracted values as untrusted
#    data in downstream templates, queries and alerts.
block parser mariadb-audit-parser(prefix('.mariadb.') template("$MESSAGE")) {
    channel {
        # Stage 1: one column per field, in the order the plugin writes them
        parser {
            csv-parser(
                template(`template`),
                columns(
                    '`prefix`serverhost',
                    '`prefix`username',
                    '`prefix`host',
                    '`prefix`connectionid',
                    '`prefix`queryid',
                    '`prefix`operation',
                    '`prefix`database',
                    '`prefix`object',
                    '`prefix`retcode'
                ),
                delimiters(','),
                # the object column is wrapped in single quotes, which keeps
                # commas inside the SQL text from splitting the column
                quote-pairs("''"),
                flags(
                    # quotes inside the SQL text arrive backslash-escaped
                    escape-backslash,
                    # the last column keeps whatever remains of the record
                    greedy,
                    # reject records that do not fit the column list
                    drop-invalid
                )
            );
        };
        # Stage 2: split the first column into syslog_info and serverhost
        parser {
            regexp-parser(
                prefix(`prefix`)
                template('${`prefix`serverhost}')
                patterns('^\s*(?<syslog_info>\S*?)(?: )?(?<serverhost>\S+)$')
            );
        };
    };
};