Description:
Hello,
I would like to integrate the MySQL Enterprise Audit plugin with the McAfee Enterprise Security Manager platform.
There is a McAfee audit plugin dedicated to MySQL - https://github.com/mcafee/mysql-audit, but I would like to replace it with the native MySQL audit plugin. All is fine, except one thing: the line separator.
In MySQL, in the JSON format, there is a comma (,) at the end of every line, and I would like to eliminate this comma.
(I know about the standard RFC 8259 - https://tools.ietf.org/html/rfc8259#section-2)
Here is a fragment of the McAfee plugin audit log:
{"msg-type":"header","date":"1516106085665","audit-version":"1.1.4-725","audit-protocol-version":"1.0","hostname":"xxxxxxxx","mysql-version":"5.7.16-enterprise-commercial-advanced-log","mysql-program":"/xxx/mysqld","mysql-socket":"/xxx/mysql.sock","mysql-port":"xxxx","server_pid":"xxxx"}
{"msg-type":"activity","date":"1520155073894","thread-id":"211922","query-id":"7420675","user":"xxxxxxxxxx","priv_user":"xxxxxxxxxx","ip":"xx.xx.xx.xx","host":"xx.xx.xx.xx","client_port":"","rows":"5","cmd":"select","objects":[{"db":"xxxxxx","name":"xxxxxxxx","obj_type":"TABLE"}],"query":"SELECT xxxx FROM xxxxxxxx WHERE xxx"}
{"msg-type":"activity","date":"1520155073895","thread-id":"211922","query-id":"7420676","user":"xxxxxxxxxx","priv_user":"xxxxxxxxxx","ip":"xx.xx.xx.xx","host":"xx.xx.xx.xx","client_port":"xxxxx","rows":"18","cmd":"select","objects":[{"db":"xxxxxx","name":"xxxxxxxxxxx","obj_type":"TABLE"}],"query":"SELECT xxxxxx FROM xxxxxxxxxxx WHERE xxxxxxx"}
{"msg-type":"activity","date":"1520155073905","thread-id":"211922","query-id":"7420677","user":"xxxxxxxxxx","priv_user":"xxxxxxxxxx","ip":"xx.xx.xx.xx","host":"xx.xx.xx.xx","client_port":"xxxxx","rows":"1","cmd":"select","objects":[{"db":"xxxxxxxxx","name":"xxxxxxxxxxxxx","obj_type":"TABLE"}],"query":"SELECT * FROM xxxxxx"}
{"msg-type":"activity","date":"1520155073908","thread-id":"211922","query-id":"7420678","user":"xxxxxxxxxx","priv_user":"xxxxxxxxxx","ip":"xx.xx.xx.xx","host":"xx.xx.xx.xx","client_port":"xxxxx","rows":"1","cmd":"Quit","query":"Quit"}
{"msg-type":"activity","date":"1520155176950","thread-id":"211923","query-id":"7420684","user":"event_scheduler","priv_user":"","ip":"","host":"","rows":"1","cmd":"select","query":"SELECT xxxxxxxxxx FROM xxxxxxx"}
{"msg-type":"activity","date":"1520155176950","thread-id":"211923","query-id":"7420685","user":"event_scheduler","priv_user":"","ip":"","host":"","rows":"1","cmd":"select","query":"SELECT xxxxxxxxxx FROM xxxxxxx WHERE xxxxxxxx"}
{"msg-type":"activity","date":"1520155176953","thread-id":"211923","query-id":"7420687","user":"event_scheduler","priv_user":"","ip":"","host":"","rows":"1","cmd":"update","query":"UPDATE xxxxxxxxxx SET xxxxxx"}
{"msg-type":"activity","date":"1520155176953","thread-id":"211923","query-id":"7420679","user":"event_scheduler","priv_user":"","ip":"","host":"","cmd":"call_procedure","query":"CALL xxxxxxxx"}
Using an additional tool like a parser, or removing characters, makes no sense, as it would be more complicated than using the McAfee plugin.
I don't know the McAfee solution very well, but it seems there is a difference in how the log is saved. In the McAfee audit plugin, every line is a different object, and I don't see a [ character, which means it's not a table.
Regards
Christopher.
How to repeat:
It's just a simple installation of the audit plugin and setting the format to JSON.
Suggested fix:
It could be an additional variable 'JSON array log' = TRUE/FALSE (TRUE by default)
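
Added example, not part of the original report and not MySQL or McAfee code: a converter from the array layout described above (leading "[", one object per line, a comma after each) to one object per line, as in the McAfee fragment. The sample records and their field names are constructed, and the function names are hypothetical; the converter also copes with a log that is still being written (no closing "]", last record cut short).

```python
import json

# Constructed sample in the array layout the report describes.
SAMPLE = '''[
{ "timestamp": "2018-03-04 09:17:53", "id": 0, "class": "connection", "event": "connect", "account": { "user": "app", "host": "db1" } },
{ "timestamp": "2018-03-04 09:17:53", "id": 1, "class": "general", "event": "status", "general_data": { "command": "Query", "query": "SELECT 1 /* }, */" } },
{ "timestamp": "2018-03-04 09:17:54", "id": 0, "class": "connection", "event": "disconnect" }
]'''


def iter_events(text):
    """Yield each complete top-level object from array-form audit text.

    Works on a file that is still open for writing: the closing "]" may be
    missing, and a truncated final record is skipped so the caller can
    re-read it once the server has finished writing it.
    """
    decoder = json.JSONDecoder()
    pos, end = 0, len(text)
    while pos < end:
        # Between records only whitespace, the array brackets and the
        # per-line separator commas can appear; step over them.
        while pos < end and text[pos] in " \t\r\n[,]":
            pos += 1
        if pos >= end:
            break
        try:
            # raw_decode parses exactly one JSON value and returns the
            # index just past it, so commas inside strings are harmless.
            event, pos = decoder.raw_decode(text, pos)
        except json.JSONDecodeError:
            break  # partial trailing record
        yield event


def to_ndjson(text):
    """Return the events as newline-delimited JSON, one object per line."""
    return "".join(
        json.dumps(event, separators=(",", ":")) + "\n"
        for event in iter_events(text)
    )


if __name__ == "__main__":
    print(to_ndjson(SAMPLE), end="")
```
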