Audit Plugin option settings Adding the MariaDB Audit Plugin Audit log format Viewing and downloading the MariaDB Audit Plugin log Modifying MariaDB Audit Plugin settings Removing the MariaDB Audit Plugin

MariaDB Audit Plugin support for MySQL

Amazon RDS offers an audit plugin for MySQL database instances based on the open source MariaDB Audit Plugin. For more information, see the Audit Plugin for MySQL Server GitHub repository.

Note

The audit plugin for MySQL is based on the MariaDB Audit Plugin. Throughout this article, we refer to it as MariaDB Audit Plugin.

The MariaDB Audit Plugin records database activity, including users logging on to the database and queries run against the database. The record of database activity is stored in a log file.

Note

Currently, the MariaDB Audit Plugin is only supported for the following RDS for MySQL versions:

MySQL 8.0.28 and higher 8.0 versions
All MySQL 5.7 versions

Audit Plugin option settings

Amazon RDS supports the following settings for the MariaDB Audit Plugin option.

Option setting	Valid values	Default value	Description
`SERVER_AUDIT_FILE_PATH`	`/rdsdbdata/log/audit/`	`/rdsdbdata/log/audit/`	The location of the log file. The log file contains the record of the activity specified in `SERVER_AUDIT_EVENTS`. For more information, see Viewing and listing database log files and MySQL database log files.
`SERVER_AUDIT_FILE_ROTATE_SIZE`	1–1000000000	1000000	The size in bytes that when reached, causes the file to rotate. For more information, see Overview of RDS for MySQL database logs.
`SERVER_AUDIT_FILE_ROTATIONS`	0–100	9	The number of log rotations to save when `server_audit_output_type=file`. If set to 0, then the log file never rotates. For more information, see Overview of RDS for MySQL database logs and Downloading a database log file.
`SERVER_AUDIT_EVENTS`	`CONNECT`, `QUERY`, `QUERY_DDL`, `QUERY_DML`, `QUERY_DML_NO_SELECT`, `QUERY_DCL`	`CONNECT`, `QUERY`	The types of activity to record in the log. Installing the MariaDB Audit Plugin is itself logged. `CONNECT`: Log successful and unsuccessful connections to the database, and disconnections from the database. `QUERY`: Log the text of all queries run against the database. `QUERY_DDL`: Similar to the `QUERY` event, but returns only data definition language (DDL) queries (`CREATE`, `ALTER`, and so on). `QUERY_DML`: Similar to the `QUERY` event, but returns only data manipulation language (DML) queries (`INSERT`, `UPDATE`, and so on, and also `SELECT`). `QUERY_DML_NO_SELECT`: Similar to the `QUERY_DML` event, but doesn't log `SELECT` queries. The `QUERY_DML_NO_SELECT` setting is supported only for RDS for MySQL 5.7.34 and higher 5.7 versions, and 8.0.25 and higher 8.0 versions. `QUERY_DCL`: Similar to the `QUERY` event, but returns only data control language (DCL) queries (`GRANT`, `REVOKE`, and so on). For MySQL, `TABLE` is not supported.
`SERVER_AUDIT_INCL_USERS`	Multiple comma-separated values	None	Include only activity from the specified users. By default, activity is recorded for all users. `SERVER_AUDIT_INCL_USERS` and `SERVER_AUDIT_EXCL_USERS` are mutually exclusive. If you add values to `SERVER_AUDIT_INCL_USERS`, make sure no values are added to `SERVER_AUDIT_EXCL_USERS`.
`SERVER_AUDIT_EXCL_USERS`	Multiple comma-separated values	None	Exclude activity from the specified users. By default, activity is recorded for all users. `SERVER_AUDIT_INCL_USERS` and `SERVER_AUDIT_EXCL_USERS` are mutually exclusive. If you add values to `SERVER_AUDIT_EXCL_USERS`, make sure no values are added to `SERVER_AUDIT_INCL_USERS`. The `rdsadmin` user queries the database every second to check the health of the database. Depending on your other settings, this activity can possibly cause the size of your log file to grow very large, very quickly. If you don't need to record this activity, add the `rdsadmin` user to the `SERVER_AUDIT_EXCL_USERS` list. Note `CONNECT` activity is always recorded for all users, even if the user is specified for this option setting.
`SERVER_AUDIT_LOGGING`	`ON`	`ON`	Logging is active. The only valid value is `ON`. Amazon RDS does not support deactivating logging. If you want to deactivate logging, remove the MariaDB Audit Plugin. For more information, see Removing the MariaDB Audit Plugin.
`SERVER_AUDIT_QUERY_LOG_LIMIT`	0–2147483647	1024	The limit on the length of the query string in a record.

Adding the MariaDB Audit Plugin

The general process for adding the MariaDB Audit Plugin to a DB instance is the following:

Create a new option group, or copy or modify an existing option group
Add the option to the option group
Associate the option group with the DB instance

After you add the MariaDB Audit Plugin, you don't need to restart your DB instance. As soon as the option group is active, auditing begins immediately.

Important

Adding the MariaDB Audit Plugin to a DB instance might cause an outage. We recommend adding the MariaDB Audit Plugin during a maintenance window or during a time of low database workload.

To add the MariaDB Audit Plugin

Determine the option group you want to use. You can create a new option group or use an existing option group. If you want to use an existing option group, skip to the next step. Otherwise, create a custom DB option group. Choose mysql for Engine, and choose 5.7 or 8.0 for Major engine version. For more information, see Creating an option group.
Add the MARIADB_AUDIT_PLUGIN option to the option group, and configure the option settings. For more information about adding options, see Adding an option to an option group. For more information about each setting, see Audit Plugin option settings.
Apply the option group to a new or existing DB instance.
- For a new DB instance, you apply the option group when you launch the instance. For more information, see Creating an Amazon RDS DB instance.
- For an existing DB instance, you apply the option group by modifying the instance and attaching the new option group. For more information, see Modifying an Amazon RDS DB instance.

Audit log format

Log files are represented as comma-separated variable (CSV) files in UTF-8 format.

Tip

Log file entries are not in sequential order. To order the entries, use the timestamp value. To see the latest events, you might have to review all log files. For more flexibility in sorting and searching the log data, turn on the setting to upload the audit logs to CloudWatch and view them using the CloudWatch interface.

To view audit data with more types of fields and with output in JSON format, you can also use the Database Activity Streams feature. For more information, see Monitoring Amazon RDS with Database Activity Streams.

The audit log files include the following comma-delimited information in rows, in the specified order:

Field	Description
timestamp	The `YYYYMMDD` followed by the `HH:MI:SS` (24-hour clock) for the logged event.
serverhost	The name of the instance that the event is logged for.
username	The connected user name of the user.
host	The host that the user connected from.
connectionid	The connection ID number for the logged operation.
queryid	The query ID number, which can be used for finding the relational table events and related queries. For `TABLE` events, multiple lines are added.
operation	The recorded action type. Possible values are: `CONNECT`, `QUERY`, `READ`, `WRITE`, `CREATE`, `ALTER`, `RENAME`, and `DROP`.
database	The active database, as set by the `USE` command.
object	For `QUERY` events, this value indicates the query that the database performed. For `TABLE` events, it indicates the table name.
retcode	The return code of the logged operation.
connection_type	The security state of the connection to the server. Possible values are: `0` – Undefined `1` – TCP/IP `2` – Socket `3` – Named pipe `4` – SSL/TLS `5` – Shared memory This field is included only for RDS for MySQL version 5.7.34 and higher 5.7 versions, and all 8.0 versions.

Viewing and downloading the MariaDB Audit Plugin log

After you enable the MariaDB Audit Plugin, you access the results in the log files the same way you access any other text-based log files. The audit log files are located at /rdsdbdata/log/audit/. For information about viewing the log file in the console, see Viewing and listing database log files. For information about downloading the log file, see Downloading a database log file.

Modifying MariaDB Audit Plugin settings

After you enable the MariaDB Audit Plugin, you can modify the settings. For more information about how to modify option settings, see Modifying an option setting. For more information about each setting, see Audit Plugin option settings.

Removing the MariaDB Audit Plugin

Amazon RDS doesn't support turning off logging in the MariaDB Audit Plugin. However, you can remove the plugin from a DB instance. When you remove the MariaDB Audit Plugin, the DB instance is restarted automatically to stop auditing.

To remove the MariaDB Audit Plugin from a DB instance, do one of the following:

Remove the MariaDB Audit Plugin option from the option group it belongs to. This change affects all DB instances that use the option group. For more information, see Removing an option from an option group
Modify the DB instance and specify a different option group that doesn't include the plugin. This change affects a single DB instance. You can specify the default (empty) option group, or a different custom option group. For more information, see Modifying an Amazon RDS DB instance.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Options for MySQL

memcached