Bug #71838 mysqlauditgrep does not support new audit log format
Submitted: 26 Feb 2014 9:22 Modified: 21 May 2014 3:26
Reporter: Daniël van Eeden (OCA) Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Utilities Severity:S2 (Serious)
Version:1.3.6 OS:Any
Assigned to:
Tags: auditlog

[26 Feb 2014 9:22] Daniël van Eeden
Description:
mysqlauditgrep

$ mysqlauditgrep --users=root audit.log
ERROR: Malformed XML - Cannot parse log file: 'audit.log'
Invalid XML element: ' <AUDIT_RECORD>   <TIMESTAMP>2014-02-26T09:07:16 UTC</TIMESTAMP>  <RECORD_ID>1_2014-02-26T09:07:15</RECORD_ID>  <NAME>Connect</NAME>  <CONNECTION_ID>4</CONNECTION_ID>  <STATUS>0</STATUS>  <STATUS_CODE>0</STATUS_CODE>  <USER>root</USER>  <OS_LOGIN/>\n'

$ mysqlauditgrep --event-type=Connect audit.log
ERROR: Malformed XML - Cannot parse log file: 'audit.log'
Invalid XML element: ' <AUDIT_RECORD>   <TIMESTAMP>2014-02-26T09:07:16 UTC</TIMESTAMP>  <RECORD_ID>1_2014-02-26T09:07:15</RECORD_ID>  <NAME>Connect</NAME>  <CONNECTION_ID>4</CONNECTION_ID>  <STATUS>0</STATUS>  <STATUS_CODE>0</STATUS_CODE>  <USER>root</USER>  <OS_LOGIN/>\n'

How to repeat:
Add to mysqld section of my.cnf:
plugin-load=audit_log.so
audit_log_format=NEW

MySQL version: 5.6.16-enterprise-commercial-advanced-log

Suggested fix:
Support the new audit log format 

or 

- clearly document that this is not supported
- give a clear error that this format is not supported.
[26 Feb 2014 10:40] Daniël van Eeden
Test log file:
==================================
<?xml version="1.0" encoding="UTF-8"?>
<AUDIT>
<AUDIT_RECORD>
  <TIMESTAMP>2014-02-26T09:27:28 UTC</TIMESTAMP>
  <RECORD_ID>1_2014-02-26T09:27:27</RECORD_ID>
  <NAME>Connect</NAME>
  <CONNECTION_ID>4</CONNECTION_ID>
  <STATUS>0</STATUS>
  <STATUS_CODE>0</STATUS_CODE>
  <USER>root</USER>
  <OS_LOGIN/>
  <HOST>localhost</HOST>
  <IP/>
  <COMMAND_CLASS>connect</COMMAND_CLASS>
  <PRIV_USER>root</PRIV_USER>
  <PROXY_USER/>
  <DB>mysql</DB>
</AUDIT_RECORD>
</AUDIT>
==================================
[26 Feb 2014 17:57] Umesh Shastry
Hello Daniel,

Thank you for the bug report.
Verified as described.

Thanks,
Umesh
[26 Feb 2014 20:08] Daniël van Eeden
The unit tests only seem to run against test data in the old format:
./mysql-test/std_data/audit.log.13488316109086370
./mysql-test/std_data/audit.log.invalid
[27 Feb 2014 6:56] Daniël van Eeden
Add auditlog tag
[12 May 2014 14:42] Chuck Bell
Fixed in release-1.4.3
[21 May 2014 3:26] Philip Olson
Fixed as of the upcoming MySQL Utilities 1.4.3 release, and here's the changelog entry:

The "mysqlauditgrep" utility did not support changes made to the audit log
format in the "NEW" format. Both "NEW" and "OLD" formats are now
supported. 

The "audit_log_format" option defaults to "OLD" in MySQL server 5.6, 
and "NEW" in MySQL server 5.7.

Thank you for the bug report.