Movatterモバイル変換

• NAME

  The filter name.

• FILTER

  The filter definition associated with the filter name. Definitions are stored asJSON values.

• USER

  The user name part of an account. For an accountuser1@localhost, theUSER part isuser1.

• HOST

  The host name part of an account. For an accountuser1@localhost, theHOST part islocalhost.

• FILTERNAME

  The name of the filter assigned to the account. The filter name associates the account with a filter defined in theaudit_log_filter table.

• audit_log_encryption_password_get([keyring_id])

  This function fetches an audit log encryption password from the MySQL keyring, which must be enabled or an error occurs. Any keyring component or plugin can be used; for instructions, seeSection 8.4.5, “The MySQL Keyring”.

  With no argument, the function retrieves the current encryption password as a binary string. An argument may be given to specify which audit log encryption password to retrieve. The argument must be the keyring ID of the current password or an archived password.

  For additional information about audit log encryption, seeEncrypting Audit Log Files.

  Arguments:

  keyring_id: This optional argument indicates the keyring ID of the password to retrieve. The maximum permitted length is 766 bytes. If omitted, the function retrieves the current password.

  Return value:

  The password string for success (up to 766 bytes), orNULL and an error for failure.

  Example:

  Retrieve the current password:

  mysql> SELECT audit_log_encryption_password_get();+-------------------------------------+| audit_log_encryption_password_get() |+-------------------------------------+| secret                              |+-------------------------------------+

  To retrieve a password by ID, you can determine which audit log keyring IDs exist by querying the Performance Schemakeyring_keys table:

  mysql> SELECT KEY_ID FROM performance_schema.keyring_keys       WHERE KEY_ID LIKE 'audit_log%'       ORDER BY KEY_ID;+-----------------------------+| KEY_ID                      |+-----------------------------+| audit_log-20190415T152248-1 || audit_log-20190415T153507-1 || audit_log-20190416T125122-1 || audit_log-20190416T141608-1 |+-----------------------------+mysql> SELECT audit_log_encryption_password_get('audit_log-20190416T125122-1');+------------------------------------------------------------------+| audit_log_encryption_password_get('audit_log-20190416T125122-1') |+------------------------------------------------------------------+| segreto                                                          |+------------------------------------------------------------------+

• audit_log_encryption_password_set(password)

  Sets the current audit log encryption password to the argument and stores the password in the MySQL keyring. The password is stored as autf8mb4 string. Previously, the password was stored in binary form.

  If encryption is enabled, this function performs a log file rotation operation that renames the current log file, and begins a new log file encrypted with the password. The keyring must be enabled or an error occurs. Any keyring component or plugin can be used; for instructions, seeSection 8.4.5, “The MySQL Keyring”.

  For additional information about audit log encryption, seeEncrypting Audit Log Files.

  Arguments:

  password: The password string. The maximum permitted length is 766 bytes.

  Return value:

  1 for success, 0 for failure.

  Example:

  mysql> SELECT audit_log_encryption_password_set(password);+---------------------------------------------+| audit_log_encryption_password_set(password) |+---------------------------------------------+| 1                                           |+---------------------------------------------+

• audit_log_filter_flush()

  Calling any of the other filtering functions affects operational audit log filtering immediately and updates the audit log tables. If instead you modify the contents of those tables directly using statements such asINSERT,UPDATE, andDELETE, the changes do not affect filtering immediately. To flush your changes and make them operational, callaudit_log_filter_flush().

  Warning

  audit_log_filter_flush() should be used only after modifying the audit tables directly, to force reloading all filters. Otherwise, this function should be avoided. It is, in effect, a simplified version of unloading and reloading theaudit_log plugin withUNINSTALL PLUGIN plusINSTALL PLUGIN.

  audit_log_filter_flush() affects all current sessions and detaches them from their previous filters. Current sessions are no longer logged unless they disconnect and reconnect, or execute a change-user operation.

  If this function fails, an error message is returned and the audit log is disabled until the next successful call toaudit_log_filter_flush().

  Arguments:

  None.

  Return value:

  A string that indicates whether the operation succeeded.OK indicates success.ERROR:message indicates failure.

  Example:

  mysql> SELECT audit_log_filter_flush();+--------------------------+| audit_log_filter_flush() |+--------------------------+| OK                       |+--------------------------+

• audit_log_filter_remove_filter(filter_name)

  Given a filter name, removes the filter from the current set of filters. It is not an error for the filter not to exist.

  If a removed filter is assigned to any user accounts, those users stop being filtered (they are removed from theaudit_log_user table). Termination of filtering includes any current sessions for those users: They are detached from the filter and no longer logged.

  Arguments:

  • filter_name: A string that specifies the filter name.

  Return value:

  A string that indicates whether the operation succeeded.OK indicates success.ERROR:message indicates failure.

  Example:

  mysql> SELECT audit_log_filter_remove_filter('SomeFilter');+----------------------------------------------+| audit_log_filter_remove_filter('SomeFilter') |+----------------------------------------------+| OK                                           |+----------------------------------------------+

• audit_log_filter_remove_user(user_name)

  Given a user account name, cause the user to be no longer assigned to a filter. It is not an error if the user has no filter assigned. Filtering of current sessions for the user remains unaffected. New connections for the user are filtered using the default account filter if there is one, and are not logged otherwise.

  If the name is%, the function removes the default account filter that is used for any user account that has no explicitly assigned filter.

  Arguments:

  • user_name: The user account name as a string inuser_name@host_name format, or% to represent the default account.

  Return value:

  A string that indicates whether the operation succeeded.OK indicates success.ERROR:message indicates failure.

  Example:

  mysql> SELECT audit_log_filter_remove_user('user1@localhost');+-------------------------------------------------+| audit_log_filter_remove_user('user1@localhost') |+-------------------------------------------------+| OK                                              |+-------------------------------------------------+

• audit_log_filter_set_filter(filter_name,definition)

  Given a filter name and definition, adds the filter to the current set of filters. If the filter already exists and is used by any current sessions, those sessions are detached from the filter and are no longer logged. This occurs because the new filter definition has a new filter ID that differs from its previous ID.

  Arguments:

  • filter_name: A string that specifies the filter name.

  • definition: AJSON value that specifies the filter definition.

  Return value:

  A string that indicates whether the operation succeeded.OK indicates success.ERROR:message indicates failure.

  Example:

  mysql> SET @f = '{ "filter": { "log": false } }';mysql> SELECT audit_log_filter_set_filter('SomeFilter', @f);+-----------------------------------------------+| audit_log_filter_set_filter('SomeFilter', @f) |+-----------------------------------------------+| OK                                            |+-----------------------------------------------+

• audit_log_filter_set_user(user_name,filter_name)

  Given a user account name and a filter name, assigns the filter to the user. A user can be assigned only one filter, so if the user was already assigned a filter, the assignment is replaced. Filtering of current sessions for the user remains unaffected. New connections are filtered using the new filter.

  As a special case, the name% represents the default account. The filter is used for connections from any user account that has no explicitly assigned filter.

  Arguments:

  • user_name: The user account name as a string inuser_name@host_name format, or% to represent the default account.

  • filter_name: A string that specifies the filter name.

  Return value:

  A string that indicates whether the operation succeeded.OK indicates success.ERROR:message indicates failure.

  Example:

  mysql> SELECT audit_log_filter_set_user('user1@localhost', 'SomeFilter');+------------------------------------------------------------+| audit_log_filter_set_user('user1@localhost', 'SomeFilter') |+------------------------------------------------------------+| OK                                                         |+------------------------------------------------------------+

• audit_log_read([arg])

  Reads the audit log and returns aJSON string result. If the audit log format is notJSON, an error occurs.

  With no argument or aJSON hash argument,audit_log_read() reads events from the audit log and returns aJSON string containing an array of audit events. Items in the hash argument influence how reading occurs, as described later. Each element in the returned array is an event represented as aJSON hash, with the exception that the last element may be aJSONnull value to indicate no following events are available to read.

  With an argument consisting of aJSONnull value,audit_log_read() closes the current read sequence.

  For additional details about the audit log-reading process, seeSection 8.4.6.6, “Reading Audit Log Files”.

  Arguments:

  To obtain a bookmark for the most recently written event, callaudit_log_read_bookmark().

  arg: The argument is optional. If omitted, the function reads events from the current position. If present, the argument can be aJSONnull value to close the read sequence, or aJSON hash. Within a hash argument, items are optional and control aspects of the read operation such as the position at which to begin reading or how many events to read. The following items are significant (other items are ignored):

  • start: The position within the audit log of the first event to read. The position is given as a timestamp and the read starts from the first event that occurs on or after the timestamp value. Thestart item has this format, wherevalue is a literal timestamp value:

    "start": { "timestamp": "value" }

  • timestamp,id: The position within the audit log of the first event to read. Thetimestamp andid items together comprise a bookmark that uniquely identify a particular event. If anaudit_log_read() argument includes either item, it must include both to completely specify a position or an error occurs.

  • max_array_length: The maximum number of events to read from the log. If this item is omitted, the default is to read to the end of the log or until the read buffer is full, whichever comes first.

  To specify a starting position toaudit_log_read(), pass a hash argument that includes either astart item or a bookmark consisting oftimestamp andid items. If a hash argument includes both astart item and a bookmark, an error occurs.

  If a hash argument specifies no starting position, reading continues from the current position.

  If a timestamp value includes no time part, a time part of00:00:00 is assumed.

  Return value:

  If the call succeeds, the return value is aJSON string containing an array of audit events, or aJSONnull value if that was passed as the argument to close the read sequence. If the call fails, the return value isNULL and an error occurs.

  Example:

  mysql> SELECT audit_log_read(audit_log_read_bookmark());+-----------------------------------------------------------------------+| audit_log_read(audit_log_read_bookmark())                             |+-----------------------------------------------------------------------+| [ {"timestamp":"2020-05-18 22:41:24","id":0,"class":"connection", ... |+-----------------------------------------------------------------------+mysql> SELECT audit_log_read('null');+------------------------+| audit_log_read('null') |+------------------------+| null                   |+------------------------+

  Notes:

  Prior to MySQL 9.4, string return values could be binaryJSON strings. For information about converting such values to nonbinary strings, seeSection 8.4.6.6, “Reading Audit Log Files”.

• audit_log_read_bookmark()

  Returns aJSON string representing a bookmark for the most recently written audit log event. If the audit log format is notJSON, an error occurs.

  The bookmark is aJSON hash withtimestamp andid items that uniquely identify the position of an event within the audit log. It is suitable for passing toaudit_log_read() to indicate to that function the position at which to begin reading.

  For additional details about the audit log-reading process, seeSection 8.4.6.6, “Reading Audit Log Files”.

  Arguments:

  None.

  Return value:

  AJSON string containing a bookmark for success, orNULL and an error for failure.

  Example:

  mysql> SELECT audit_log_read_bookmark();+-------------------------------------------------+| audit_log_read_bookmark()                       |+-------------------------------------------------+| { "timestamp": "2019-10-03 21:03:44", "id": 0 } |+-------------------------------------------------+

  Notes:

  Prior to MySQL 9.4, string return values could be binaryJSON strings. For information about converting such values to nonbinary strings, seeSection 8.4.6.6, “Reading Audit Log Files”.

• audit_log_rotate()

  Arguments:

  None.

  Return value:

  The renamed file name.

  Example:

  mysql> SELECT audit_log_rotate();

  Usingaudit_log_rotate() requires theAUDIT_ADMIN privilege.

Table 8.44 Audit Log Option and Variable Reference

• --audit-log[=value]

  Command-Line Format	--audit-log[=value]
  Type	Enumeration
  Default Value	ON
  Valid Values	ON OFF FORCE FORCE_PLUS_PERMANENT

  This option controls how the server loads theaudit_log plugin at startup. It is available only if the plugin has been previously registered withINSTALL PLUGIN or is loaded with--plugin-load or--plugin-load-add. SeeSection 8.4.6.2, “Installing or Uninstalling MySQL Enterprise Audit”.

  The option value should be one of those available for plugin-loading options, as described inSection 7.6.1, “Installing and Uninstalling Plugins”. For example,--audit-log=FORCE_PLUS_PERMANENT tells the server to load the plugin and prevent it from being removed while the server is running.

• audit_log_buffer_size

  Command-Line Format	--audit-log-buffer-size=#
  System Variable	audit_log_buffer_size
  Scope	Global
  Dynamic	No
  SET_VAR Hint Applies	No
  Type	Integer
  Default Value	1048576
  Minimum Value	4096
  Maximum Value (64-bit platforms)	18446744073709547520
  Maximum Value (32-bit platforms)	4294967295
  Unit	bytes
  Block Size	4096

  When the audit log plugin writes events to the log asynchronously, it uses a buffer to store event contents prior to writing them. This variable controls the size of that buffer, in bytes. The server adjusts the value to a multiple of 4096. The plugin uses a single buffer, which it allocates when it initializes and removes when it terminates. The plugin allocates this buffer only if logging is asynchronous.

• audit_log_compression

  Command-Line Format	--audit-log-compression=value
  System Variable	audit_log_compression
  Scope	Global
  Dynamic	No
  SET_VAR Hint Applies	No
  Type	Enumeration
  Default Value	NONE
  Valid Values	NONE GZIP

  The type of compression for the audit log file. Permitted values areNONE (no compression; the default) andGZIP (GNU Zip compression). For more information, seeCompressing Audit Log Files.

• audit_log_connection_policy

  Command-Line Format	--audit-log-connection-policy=value
  Deprecated	Yes
  System Variable	audit_log_connection_policy
  Scope	Global
  Dynamic	Yes
  SET_VAR Hint Applies	No
  Type	Enumeration
  Default Value	ALL
  Valid Values	ALL ERRORS NONE

  Note

  This deprecated variable applies only to legacy mode audit log filtering (seeSection 8.4.6.10, “Legacy Mode Audit Log Filtering”).

  The policy controlling how the audit log plugin writes connection events to its log file. The following table shows the permitted values.

  Value	Description
  ALL	Log all connection events
  ERRORS	Log only failed connection events
  NONE	Do not log connection events

  Note

  At server startup, any explicit value given foraudit_log_connection_policy may be overridden ifaudit_log_policy is also specified, as described inSection 8.4.6.5, “Configuring Audit Logging Characteristics”.

• audit_log_current_session

  System Variable	audit_log_current_session
  Scope	Global, Session
  Dynamic	No
  SET_VAR Hint Applies	No
  Type	Boolean
  Default Value	depends on filtering policy

  Whether audit logging is enabled for the current session. The session value of this variable is read only. It is set when the session begins based on the values of theaudit_log_include_accounts andaudit_log_exclude_accounts system variables. The audit log plugin uses the session value to determine whether to audit events for the session. (There is a global value, but the plugin does not use it.)

• audit_log_database

  Command-Line Format	--audit-log-database=value
  System Variable	audit_log_database
  Scope	Global
  Dynamic	No
  SET_VAR Hint Applies	No
  Type	String
  Default Value	mysql

  Specifies which database theaudit_log plugin uses to find its tables. This variable is read only. For more information, seeSection 8.4.6.2, “Installing or Uninstalling MySQL Enterprise Audit”).

• audit_log_disable

  Command-Line Format	--audit-log-disable[={OFF|ON}]
  System Variable	audit_log_disable
  Scope	Global
  Dynamic	Yes
  SET_VAR Hint Applies	No
  Type	Boolean
  Default Value	OFF

  Permits disabling audit logging for all connecting and connected sessions. In addition to theSYSTEM_VARIABLES_ADMIN privilege, disabling audit logging requires theAUDIT_ADMIN privilege. SeeSection 8.4.6.9, “Disabling Audit Logging”.

• audit_log_encryption

  Command-Line Format	--audit-log-encryption=value
  System Variable	audit_log_encryption
  Scope	Global
  Dynamic	No
  SET_VAR Hint Applies	No
  Type	Enumeration
  Default Value	NONE
  Valid Values	NONE AES

  The type of encryption for the audit log file. Permitted values areNONE (no encryption; the default) andAES (AES-256-CBC cipher encryption). For more information, seeEncrypting Audit Log Files.

• audit_log_exclude_accounts

  Command-Line Format	--audit-log-exclude-accounts=value
  Deprecated	Yes
  System Variable	audit_log_exclude_accounts
  Scope	Global
  Dynamic	Yes
  SET_VAR Hint Applies	No
  Type	String
  Default Value	NULL

  Note

  This deprecated variable applies only to legacy mode audit log filtering (seeSection 8.4.6.10, “Legacy Mode Audit Log Filtering”).

  The accounts for which events should not be logged. The value should beNULL or a string containing a list of one or more comma-separated account names. For more information, seeSection 8.4.6.7, “Audit Log Filtering”.

  Modifications toaudit_log_exclude_accounts affect only connections created subsequent to the modification, not existing connections.

• audit_log_file

  Command-Line Format	--audit-log-file=file_name
  System Variable	audit_log_file
  Scope	Global
  Dynamic	No
  SET_VAR Hint Applies	No
  Type	File name
  Default Value	audit.log

  The base name and suffix of the file to which the audit log plugin writes events. The default value isaudit.log, regardless of logging format. To have the name suffix correspond to the format, set the name explicitly, choosing a different suffix (for example,audit.xml for XML format,audit.json for JSON format).

  If the value ofaudit_log_file is a relative path name, the plugin interprets it relative to the data directory. If the value is a full path name, the plugin uses the value as is. A full path name may be useful if it is desirable to locate audit files on a separate file system or directory. For security reasons, write the audit log file to a directory accessible only to the MySQL server and to users with a legitimate reason to view the log.

  For details about how the audit log plugin interprets theaudit_log_file value and the rules for file renaming that occurs at plugin initialization and termination, seeNaming Conventions for Audit Log Files.

  The audit log plugin uses the directory containing the audit log file (determined from theaudit_log_file value) as the location to search for readable audit log files. From these log files and the current file, the plugin constructs a list of the ones that are subject to use with the audit log bookmarking and reading functions. SeeSection 8.4.6.6, “Reading Audit Log Files”.

• audit_log_filter_id

  System Variable	audit_log_filter_id
  Scope	Global, Session
  Dynamic	No
  SET_VAR Hint Applies	No
  Type	Integer
  Default Value	1
  Minimum Value	0
  Maximum Value	4294967295

  The session value of this variable indicates the internally maintained ID of the audit filter for the current session. A value of 0 means that the session has no filter assigned.

• audit_log_flush

  System Variable	audit_log_flush
  Scope	Global
  Dynamic	Yes
  SET_VAR Hint Applies	No
  Type	Boolean
  Default Value	OFF

  Note

  Theaudit_log_flush variable is deprecated; expect support for it to be removed in a future version of MySQL. It is superseded by theaudit_log_rotate() function.

  Ifaudit_log_rotate_on_size is 0, automatic audit log file rotation is disabled and rotation occurs only when performed manually. In that case, enablingaudit_log_flush by setting it to 1 orON causes the audit log plugin to close and reopen its log file to flush it. (The variable value remainsOFF so that you need not disable it explicitly before enabling it again to perform another flush.) For more information, seeSection 8.4.6.5, “Configuring Audit Logging Characteristics”.

• audit_log_flush_interval_seconds

  Command-Line Format	--audit-log-flush-interval-seconds[=value]
  System Variable	audit_log_flush_interval_seconds
  Scope	Global
  Dynamic	No
  SET_VAR Hint Applies	No
  Type	Unsigned Long
  Default Value	0
  Maximum Value (Windows)	4294967295
  Maximum Value (Other)	18446744073709551615
  Unit	seconds

  This system variable depends on thescheduler component, which must be installed and enabled (seeSection 7.5.5, “Scheduler Component”). To check the status of the component:

  SHOW VARIABLES LIKE 'component_scheduler%';+-----------------------------+-------+| Variable_name               | Value |+-----------------------------+-------|| component_scheduler.enabled | On    |+-----------------------------+-------+

  Whenaudit_log_flush_interval_seconds has a value of zero (the default), no automatic refresh of the privileges occurs, even if thescheduler component is enabled (ON).

  Values between0 and60 (1 to 59) are not acknowledged; instead, these values adjust to60 automatically and the server emits a warning. Values greater than60 define the number of seconds thescheduler component waits from startup, or from the beginning of the previous execution, until it attempts to schedule another execution.

  To persist this global system variable to themysqld-auto.cnf file without setting the global variable runtime value, precede the variable name by thePERSIST_ONLY keyword or the@@PERSIST_ONLY. qualifier.

• audit_log_format

  Command-Line Format	--audit-log-format=value
  System Variable	audit_log_format
  Scope	Global
  Dynamic	No
  SET_VAR Hint Applies	No
  Type	Enumeration
  Default Value	NEW
  Valid Values	OLD NEW JSON

  The audit log file format. Permitted values areOLD (old-style XML),NEW (new-style XML; the default), andJSON. For details about each format, seeSection 8.4.6.4, “Audit Log File Formats”.

• audit_log_format_unix_timestamp

  Command-Line Format	--audit-log-format-unix-timestamp[={OFF|ON}]
  System Variable	audit_log_format_unix_timestamp
  Scope	Global
  Dynamic	Yes
  SET_VAR Hint Applies	No
  Type	Boolean
  Default Value	OFF

  This variable applies only for JSON-format audit log output. When that is true, enabling this variable causes each log file record to include atime field. The field value is an integer that represents the UNIX timestamp value indicating the date and time when the audit event was generated.

  Changing the value of this variable at runtime causes log file rotation so that, for a given JSON-format log file, all records in the file either do or do not include thetime field.

  Setting the runtime value ofaudit_log_format_unix_timestamp requires theAUDIT_ADMIN privilege, in addition to theSYSTEM_VARIABLES_ADMIN privilege (or the deprecatedSUPER privilege) normally required to set a global system variable runtime value.

• audit_log_include_accounts

  Command-Line Format	--audit-log-include-accounts=value
  Deprecated	Yes
  System Variable	audit_log_include_accounts
  Scope	Global
  Dynamic	Yes
  SET_VAR Hint Applies	No
  Type	String
  Default Value	NULL

  Note

  This deprecated variable applies only to legacy mode audit log filtering (seeSection 8.4.6.10, “Legacy Mode Audit Log Filtering”).

  The accounts for which events should be logged. The value should beNULL or a string containing a list of one or more comma-separated account names. For more information, seeSection 8.4.6.7, “Audit Log Filtering”.

  Modifications toaudit_log_include_accounts affect only connections created subsequent to the modification, not existing connections.

• audit_log_max_size

  Command-Line Format	--audit-log-max-size=#
  System Variable	audit_log_max_size
  Scope	Global
  Dynamic	Yes
  SET_VAR Hint Applies	No
  Type	Integer
  Default Value	0
  Minimum Value	0
  Maximum Value (Windows)	4294967295
  Maximum Value (Other)	18446744073709551615
  Unit	bytes
  Block Size	4096

  audit_log_max_size pertains to audit log file pruning, which is supported for JSON-format log files only. It controls pruning based on combined log file size:

  • A value of 0 (the default) disables size-based pruning. No size limit is enforced.

  • A value greater than 0 enables size-based pruning. The value is the combined size above which audit log files become subject to pruning.

  If you setaudit_log_max_size to a value that is not a multiple of 4096, it is truncated to the nearest multiple. In particular, setting it to a value less than 4096 sets it to 0 and no size-based pruning occurs.

  If bothaudit_log_max_size andaudit_log_rotate_on_size are greater than 0,audit_log_max_size should be more than 7 times the value ofaudit_log_rotate_on_size. Otherwise, a warning is written to the server error log because in this case the“granularity” of size-based pruning may be insufficient to prevent removal of all or most rotated log files each time it occurs.

  Note

  Settingaudit_log_max_size by itself is not sufficient to cause log file pruning to occur because the pruning algorithm usesaudit_log_rotate_on_size,audit_log_max_size, andaudit_log_prune_seconds in conjunction. For details, seeSpace Management of Audit Log Files.

• audit_log_password_history_keep_days

  Command-Line Format	--audit-log-password-history-keep-days=#
  System Variable	audit_log_password_history_keep_days
  Scope	Global
  Dynamic	Yes
  SET_VAR Hint Applies	No
  Type	Integer
  Default Value	0
  Minimum Value	0
  Maximum Value	4294967295
  Unit	days

  The audit log plugin implements log file encryption using encryption passwords stored in the MySQL keyring (seeEncrypting Audit Log Files). The plugin also implements password history, which includes password archiving and expiration (removal).

  When the audit log plugin creates a new encryption password, it archives the previous password, if one exists, for later use. Theaudit_log_password_history_keep_days variable controls automatic removal of expired archived passwords. Its value indicates the number of days after which archived audit log encryption passwords are removed. The default of 0 disables password expiration: the password retention period is forever.

  New audit log encryption passwords are created under these circumstances:

  • During plugin initialization, if the plugin finds that log file encryption is enabled, it checks whether the keyring contains an audit log encryption password. If not, the plugin automatically generates a random initial encryption password.

  • When theaudit_log_encryption_password_set() function is called to set a specific password.

  In each case, the plugin stores the new password in the key ring and uses it to encrypt new log files.

  Removal of expired audit log encryption passwords occurs under these circumstances:

  • During plugin initialization.

  • When theaudit_log_encryption_password_set() function is called.

  • When the runtime value ofaudit_log_password_history_keep_days is changed from its current value to a value greater than 0. Runtime value changes occur forSET statements that use theGLOBAL orPERSIST keyword, but not thePERSIST_ONLY keyword.PERSIST_ONLY writes the variable setting tomysqld-auto.cnf, but has no effect on the runtime value.

  When password removal occurs, the current value ofaudit_log_password_history_keep_days determines which passwords to remove:

  • If the value is 0, the plugin removes no passwords.

  • If the value isN > 0, the plugin removes passwords more thanN days old.

  Note

  Take care not to expire old passwords that are still needed to read archived encrypted log files.

  If you normally leave password expiration disabled (that is,audit_log_password_history_keep_days has a value of 0), it is possible to perform an on-demand cleanup operation by temporarily assigning the variable a value greater than zero. For example, to expire passwords older than 365 days, do this:

  SET GLOBAL audit_log_password_history_keep_days = 365;SET GLOBAL audit_log_password_history_keep_days = 0;

  Setting the runtime value ofaudit_log_password_history_keep_days requires theAUDIT_ADMIN privilege, in addition to theSYSTEM_VARIABLES_ADMIN privilege (or the deprecatedSUPER privilege) normally required to set a global system variable runtime value.

• audit_log_policy

  Command-Line Format	--audit-log-policy=value
  Deprecated	Yes
  System Variable	audit_log_policy
  Scope	Global
  Dynamic	No
  SET_VAR Hint Applies	No
  Type	Enumeration
  Default Value	ALL
  Valid Values	ALL LOGINS QUERIES NONE

  Note

  This deprecated variable applies only to legacy mode audit log filtering (seeSection 8.4.6.10, “Legacy Mode Audit Log Filtering”).

  The policy controlling how the audit log plugin writes events to its log file. The following table shows the permitted values.

  Value	Description
  ALL	Log all events
  LOGINS	Log only login events
  QUERIES	Log only query events
  NONE	Log nothing (disable the audit stream)

  audit_log_policy can be set only at server startup. At runtime, it is a read-only variable. Two other system variables,audit_log_connection_policy andaudit_log_statement_policy, provide finer control over logging policy and can be set either at startup or at runtime. If you useaudit_log_policy at startup instead of the other two variables, the server uses its value to set those variables. For more information about the policy variables and their interaction, seeSection 8.4.6.5, “Configuring Audit Logging Characteristics”.

• audit_log_prune_seconds

  Command-Line Format	--audit-log-prune-seconds=#
  System Variable	audit_log_prune_seconds
  Scope	Global
  Dynamic	Yes
  SET_VAR Hint Applies	No
  Type	Integer
  Default Value	0
  Minimum Value	0
  Maximum Value (Windows)	4294967295
  Maximum Value (Other)	18446744073709551615
  Unit	bytes

  audit_log_prune_seconds pertains to audit log file pruning, which is supported for JSON-format log files only. It controls pruning based on log file age:

  • A value of 0 (the default) disables age-based pruning. No age limit is enforced.

  • A value greater than 0 enables age-based pruning. The value is the number of seconds after which audit log files become subject to pruning.

  Note

  Settingaudit_log_prune_seconds by itself is not sufficient to cause log file pruning to occur because the pruning algorithm usesaudit_log_rotate_on_size,audit_log_max_size, andaudit_log_prune_seconds in conjunction. For details, seeSpace Management of Audit Log Files.

• audit_log_read_buffer_size

  Command-Line Format	--audit-log-read-buffer-size=#
  System Variable	audit_log_read_buffer_size
  Scope	Global, Session
  Dynamic	Yes
  SET_VAR Hint Applies	No
  Type	Integer
  Default Value	32768
  Minimum Value	32768
  Maximum Value	4194304
  Unit	bytes

  The buffer size for reading from the audit log file, in bytes. Theaudit_log_read() function reads no more than this many bytes. Log file reading is supported only for JSON log format. For more information, seeSection 8.4.6.6, “Reading Audit Log Files”.

  This variable has a default of 32KB and can be set at runtime. Each client should set its session value ofaudit_log_read_buffer_size appropriately for its use ofaudit_log_read().

• audit_log_rotate_on_size

  Command-Line Format	--audit-log-rotate-on-size=#
  System Variable	audit_log_rotate_on_size
  Scope	Global
  Dynamic	Yes
  SET_VAR Hint Applies	No
  Type	Integer
  Default Value	0
  Minimum Value	0
  Maximum Value	18446744073709551615
  Unit	bytes
  Block Size	4096

  Ifaudit_log_rotate_on_size is 0, the audit log plugin does not perform automatic size-based log file rotation. If rotation is to occur, you must perform it manually; seeManual Audit Log File Rotation.

  Ifaudit_log_rotate_on_size is greater than 0, automatic size-based log file rotation occurs. Whenever a write to the log file causes its size to exceed theaudit_log_rotate_on_size value, the audit log plugin renames the current log file and opens a new current log file using the original name.

  If you setaudit_log_rotate_on_size to a value that is not a multiple of 4096, it is truncated to the nearest multiple. In particular, setting it to a value less than 4096 sets it to 0 and no rotation occurs, except manually.

  Note

  audit_log_rotate_on_size controls whether audit log file rotation occurs. It can also be used in conjunction withaudit_log_max_size andaudit_log_prune_seconds to configure pruning of rotated JSON-format log files. For details, seeSpace Management of Audit Log Files.

• audit_log_statement_policy

  Command-Line Format	--audit-log-statement-policy=value
  Deprecated	Yes
  System Variable	audit_log_statement_policy
  Scope	Global
  Dynamic	Yes
  SET_VAR Hint Applies	No
  Type	Enumeration
  Default Value	ALL
  Valid Values	ALL ERRORS NONE

  Note

  This deprecated variable applies only to legacy mode audit log filtering (seeSection 8.4.6.10, “Legacy Mode Audit Log Filtering”).

  The policy controlling how the audit log plugin writes statement events to its log file. The following table shows the permitted values.

  Value	Description
  ALL	Log all statement events
  ERRORS	Log only failed statement events
  NONE	Do not log statement events

  Note

  At server startup, any explicit value given foraudit_log_statement_policy may be overridden ifaudit_log_policy is also specified, as described inSection 8.4.6.5, “Configuring Audit Logging Characteristics”.

• audit_log_strategy

  Command-Line Format	--audit-log-strategy=value
  System Variable	audit_log_strategy
  Scope	Global
  Dynamic	No
  SET_VAR Hint Applies	No
  Type	Enumeration
  Default Value	ASYNCHRONOUS
  Valid Values	ASYNCHRONOUS PERFORMANCE SEMISYNCHRONOUS SYNCHRONOUS

  The logging method used by the audit log plugin. These strategy values are permitted:

  • ASYNCHRONOUS: Log asynchronously. Wait for space in the output buffer.

  • PERFORMANCE: Log asynchronously. Drop requests for which there is insufficient space in the output buffer.

  • SEMISYNCHRONOUS: Log synchronously. Permit caching by the operating system.

  • SYNCHRONOUS: Log synchronously. Callsync() after each request.

• Audit_log_current_size

  The size of the current audit log file. The value increases when an event is written to the log and is reset to 0 when the log is rotated.

• Audit_log_direct_writes

  When the audit log plugin writes events to the JSON-format audit log, it uses a buffer to store event contents prior to writing them. If the query length is greater than the size of the buffer, then the plugin writes the event directly to the log, bypassing the buffer. This variable shows the number of direct writes. The plugin determines the count based on the current write strategy in use (seeaudit_log_strategy).

  Table 8.45 Write-Strategy Effect on the Direct Write Count

  Write Strategy	Description
  ASYNCHRONOUS	Incremented if the event size does not fit into the internal buffer (audit_log_buffer_size server system variable).
  PERFORMANCE	Not incremented. The plugin discards events larger than internal buffer.
  SEMISYNCHRONOUS	Always incremented.
  SYNCHRONOUS	Always incremented.

  
  

• Audit_log_event_max_drop_size

  The size of the largest dropped event in performance logging mode. For a description of logging modes, seeSection 8.4.6.5, “Configuring Audit Logging Characteristics”.

• Audit_log_events

  The number of events handled by the audit log plugin, whether or not they were written to the log based on filtering policy (seeSection 8.4.6.5, “Configuring Audit Logging Characteristics”).

• Audit_log_events_filtered

  The number of events handled by the audit log plugin that were filtered (not written to the log) based on filtering policy (seeSection 8.4.6.5, “Configuring Audit Logging Characteristics”).

• Audit_log_events_lost

  The number of events lost in performance logging mode because an event was larger than the available audit log buffer space. This value may be useful for assessing how to setaudit_log_buffer_size to size the buffer for performance mode. For a description of logging modes, seeSection 8.4.6.5, “Configuring Audit Logging Characteristics”.

• Audit_log_events_written

  The number of events written to the audit log.

• Audit_log_total_size

  The total size of events written to all audit log files. UnlikeAudit_log_current_size, the value ofAudit_log_total_size increases even when the log is rotated.

• Audit_log_write_waits

  The number of times an event had to wait for space in the audit log buffer in asynchronous logging mode. For a description of logging modes, seeSection 8.4.6.5, “Configuring Audit Logging Characteristics”.