MySQL/MariaDB Audit Integration
Overview
This integration collects database authentication events, query audit logs, privilege changes, and schema modifications from MySQL and MariaDB servers. Database audit logging is a legal requirement under ISMS-P section 2.5.4 (personal data access records).
Supported versions: MySQL 8.x, MariaDB 10.x/11.x
Prerequisites
- A KYRA MDR Collector installed and running (Installation Guide)
- MySQL/MariaDB administrative access
- Network connectivity from the database server to the collector on port 514
Configuration
MariaDB: Server Audit Plugin (Recommended)
```sql
INSTALL SONAME 'server_audit';
SET GLOBAL server_audit_logging = ON;
-- QUERY_DCL is required to capture GRANT, REVOKE, CREATE USER and SET PASSWORD (privilege changes)
SET GLOBAL server_audit_events = 'CONNECT,QUERY_DDL,QUERY_DML,QUERY_DCL';
SET GLOBAL server_audit_output_type = 'SYSLOG';
SET GLOBAL server_audit_syslog_facility = LOG_LOCAL6;
```
MySQL Enterprise: Audit Plugin
```sql
INSTALL PLUGIN audit_log SONAME 'audit_log.so';
SET GLOBAL audit_log_policy = 'ALL';
SET GLOBAL audit_log_handler = 'SYSLOG';
```
MySQL Community: Error Log via Syslog
```ini
# my.cnf
log_error = syslog
```
For full query auditing on MySQL Community, enable the general query log (note: performance impact in production):
```sql
SET GLOBAL general_log = 'ON';
SET GLOBAL log_output = 'TABLE';
```
Collected Log Types
| Log Type | Security Use | Priority |
|---|---|---|
| Authentication success/failure | Brute force detection | High |
| DDL queries (CREATE, ALTER, DROP) | Schema change monitoring | High |
| DML queries (SELECT, INSERT, UPDATE, DELETE) | Data access auditing (ISMS-P) | High |
| Privilege changes (GRANT, CREATE USER) | Privilege escalation detection | Critical |
| Connection events | Access pattern monitoring | Medium |
| Slow queries | Performance anomaly detection | Low |
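
An added example, not part of the original page or of KYRA MDR itself: parsing MariaDB `server_audit` syslog lines and applying the brute-force detection named in the table to `FAILED_CONNECT` events, including whether a successful login followed the failures. Assumptions: the sample lines are constructed, the threshold of 3 is an arbitrary value, failures are counted over the whole batch rather than a time window, and the ident is the plugin default for `server_audit_syslog_ident`.

```python
from collections import defaultdict

IDENT = "mysql-server_auditing:"   # default server_audit_syslog_ident
THRESHOLD = 3                       # assumed alert threshold, tune per site

# Constructed sample lines (not real logs). Payload field order:
# serverhost,username,host,connectionid,queryid,operation,database,object,retcode
SAMPLE_LOG = """\
Mar  4 02:11:01 db01 mysql-server_auditing: db01,admin,203.0.113.7,41,0,FAILED_CONNECT,,,1045
Mar  4 02:11:02 db01 mysql-server_auditing: db01,admin,203.0.113.7,42,0,FAILED_CONNECT,,,1045
Mar  4 02:11:03 db01 mysql-server_auditing: db01,app,10.0.0.5,43,0,CONNECT,shop,,0
Mar  4 02:11:04 db01 mysql-server_auditing: db01,app,10.0.0.5,43,17,QUERY,shop,'SELECT id, name FROM users',0
Mar  4 02:11:05 db01 mysql-server_auditing: db01,admin,203.0.113.7,44,0,FAILED_CONNECT,,,1045
Mar  4 02:11:09 db01 mysql-server_auditing: db01,admin,203.0.113.7,45,0,CONNECT,,,0
Mar  4 02:12:00 db01 mysql-server_auditing: db01,app,10.0.0.9,46,0,FAILED_CONNECT,,,1045
"""

def parse_line(line):
    """Return a dict for one server_audit syslog line, or None if it is not one."""
    _, sep, payload = line.partition(IDENT)
    if not sep:
        return None
    head = payload.strip().split(",", 7)   # the object field (query text) may contain commas
    if len(head) != 8 or "," not in head[7]:
        return None
    obj, retcode = head[7].rsplit(",", 1)  # retcode is always the last field
    keys = ("serverhost", "username", "host", "connectionid",
            "queryid", "operation", "database")
    return dict(zip(keys, head[:7]), object=obj, retcode=retcode)

def detect_bruteforce(log_text, threshold=THRESHOLD):
    """Flag (user, source host) pairs with at least `threshold` failed logins."""
    failures = defaultdict(int)
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["username"], ev["host"])
        if ev["operation"] == "FAILED_CONNECT":
            failures[key] += 1
            if failures[key] >= threshold:
                alerts.setdefault(key, {"then_success": False})["failures"] = failures[key]
        elif ev["operation"] == "CONNECT" and key in alerts:
            alerts[key]["then_success"] = True   # login succeeded after the failures
    return alerts

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```
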
Troubleshooting
No Audit Logs
- Verify the audit plugin is installed: `SHOW PLUGINS;`
- Confirm `server_audit_logging` is `ON`
- Check that syslog output is configured and rsyslog is forwarding to the collector
MariaDB vs MySQL
- MariaDB `server_audit` plugin is free and included by default
- MySQL Community Edition does not include the audit plugin; use `general_log` or upgrade to Enterprise
For additional help, contact kyra@seekerslab.com.