Mysql – Is it possible to log thesql queries from other hosts in general log

logMySQL

I'm having a task to figure out what are the hosts that are still running scripts that accessing our database directly so we can prevent that from happening(we only want our web app to access the database but nothing else). I just learnt that enabling general_log would give me a nice table of access log. My problem is that the table grows too fast and easily lost control.

For my specific use case, my question would be: is there a mysql feature to make general_log only record database access from other hosts so general_log could record less data? I know it's pretty unlikely to happen, so my last option is to periodically delete the records that are local access. But this might cause performance issue. Do you think it makes sense to do that? Is there a better way to do it? Thanks.

Best Answer

You may use the mcaffee audit plugin https://github.com/mcafee/mysql-audit/wiki/Installation there you can filter hosts in logging.

You could also refuse all hosts specifying a mysql User with an appropriate Host. ('user'@'allowedHostIpRange').

GOOD NEWS

You could use the general log as a table you can query

Step 01) Add this to /etc/my.cnf

[mysqld] 
log
log-output=TABLE

Step 02) service mysql restart

OK mysqld is not recording every query in the table mysql.general_log. Problem: look at the initial layout of mysql.general_log:

mysql> show create table mysql.general_log\G 
*************************** 1. row *************************** 
       Table: general_log 
Create Table: CREATE TABLE `general_log` ( 
  `event_time` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, 
  `user_host` mediumtext NOT NULL, 
  `thread_id` int(11) NOT NULL, 
  `server_id` int(10) unsigned NOT NULL, 
  `command_type` varchar(64) NOT NULL, 
  `argument` mediumtext NOT NULL 
) ENGINE=CSV DEFAULT CHARSET=utf8 COMMENT='General log' 
1 row in set (0.09 sec)

What good is a the general log as a CSV table

Step 03) Make mysql.general_log a MyISAM table and index it

 SET @old_log_state = @@global.general_log; 
 SET GLOBAL general_log = 'OFF'; 
 ALTER TABLE mysql.general_log ENGINE = MyISAM; 
 ALTER TABLE mysql.general_log ADD INDEX (event_time); 
 SET GLOBAL general_log = @old_log_state;

Now it looks like this:

mysql> show create table general_log\G
*************************** 1. row ***************************
       Table: general_log
Create Table: CREATE TABLE `general_log` (
  `event_time` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
  `user_host` mediumtext NOT NULL,
  `thread_id` int(11) NOT NULL,
  `server_id` int(10) unsigned NOT NULL,
  `command_type` varchar(64) NOT NULL,
  `argument` mediumtext NOT NULL,
  KEY `event_time` (`event_time`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 COMMENT='General log'
1 row in set (0.00 sec)

mysql>

THe user and host values are appended together in the user_host fields.

How do you rotate out the general log?

Here is an example of how to blank out mysql.general_log:

SET @old_log_state = @@global.general_log; 
SET GLOBAL general_log = 'OFF'; 
CREATE TABLE mysql.general_log_new LIKE mysql.general_log; 
DROP TABLE mysql.general_log; 
ALTER TABLE mysql.general_log_new RENAME mysql.general_log; 
SET GLOBAL general_log = @old_log_state;

Here is an example of how to keep the last 3 days of entries:

SET @old_log_state = @@global.general_log; 
SET GLOBAL general_log = 'OFF'; 
CREATE TABLE mysql.general_log_new LIKE mysql.general_log; 
INSERT INTO mysql.general_log_new 
SELECT * FROM mysql.general_log WHERE event_time > NOW() - INTERVAL 3 DAY; 
DROP TABLE mysql.general_log; 
ALTER TABLE mysql.general_log_new RENAME mysql.general_log; 
SET GLOBAL general_log = @old_log_state;

BAD NEWS

Anything you have collected in the text file version of the general log will not come for the ride. You can collect new entries going forward.

Mysql – How to properly secure MySQL database

I normally do not endorse any one specific product, but in this case I will make an exception.

I have personally evaluated a product called Gazzang. It can encrypt data in such a way that when transported to another server, the data is unreadable unless the encryption key is copied and verified on that external server. I have tried this and copied /var/lib/mysql on another server that did not have the encryption key. The only SQL command that worked with the database encrypted is SHOW DATABASES;. Nothing else worked.

There are some hoops to jump through to get an entire /var/lib/mysql folder encrypted. Once done, you never have to worry about data encryption. Perhaps you could start like this:

Installation MySQL on a DB Server
Apply Gazzang's ezncrypt program against the empty /var/lib/mysql
Load a mysqldump into it

The beautiful part of my evaluation was that the MySQL data was fully accessible by standard DB Connections. Gazzang does not shield normal access protocols. You must take up responsibility for securing passwords:

June 6, 2012 : Limiting database security
Feb 17, 2012 : MySQL : Why are there "test" entries in mysql.db?
Feb 17, 2012 : What is the mysql.db table used for?
Jan 19, 2012 : MySQL error: Access denied for user 'a'@'localhost' (using password: YES)
Sep 28, 2011 : Weird MySQL Users Been Created (eg. bug115166_10073) and not by me
Sep 11, 2011 : Is this a normal set of MySQL privileges?

EPILOGUE

As for the physical data itself, this worked during the 30-day evaluation. Please evaluate it for yourself. I will leave it to you to investigate production case studies on Gazzang.

UPDATE 2015-09-29 12:26 EDT

Cloudera purchased and deprecated Gazzang.

Cloudera Data Encryption is still available.

Best Answer

Related Solutions

MySQL General Log – How to Enable and Use

GOOD NEWS

BAD NEWS

Mysql – How to properly secure MySQL database

EPILOGUE

UPDATE 2015-09-29 12:26 EDT

Related Question