Mysql – thesql logging activity from specific user or ip

auditloggingmonitoringMySQLwireshark

I have mysql server.

The server is accessed by my application, and by external auditor (person using mysql workbench).
The auditor has specific user and password and dedicated IP and it is granted only for select privileges.

I need to log the activities from the auditor.

I have read similar questions here on serverfault, but I did not saw any acceptable answers that it is possible to do sql logging by the sql server only for a specific user.

But is it possible and how, to log the network packages from the auditors IP, but only the text (the queries), not the complete packages ?

Any other solutions how can I monitor what the auditor was doing on the server ?

Best Answer

But is it possible and how, to log the network packages from the auditors IP, but only the text (the queries), not the complete packages?

Yes, it is possible:

tcpdump -s0 -i eth0 src host auditors.ip and dst port 3306 -w mysql.pcap

then you can filter only the MySQL queries by running:

while read stream; do \
tshark -qz follow,tcp,ascii,$stream -r mysql.pcap; done \
< <(tshark -R "mysql" -T fields -e tcp.stream -r mysql.pcap | sort | uniq)

Related Solutions

Debian MySQL User – What is the debian-sys-maint MySQL User?

What is debian-sys-maint used for?

One major thing it is used for is telling the server to roll the logs. It needs at least the reload and shutdown privilege.

See the file /etc/logrotate.d/mysql-server

It is used by the /etc/init.d/mysql script to get the status of the server. It is used to gracefully shutdown/reload the server.

Here is the quote from the README.Debian

* MYSQL WON'T START OR STOP?:
=============================
You may never ever delete the special mysql user "debian-sys-maint". This user
together with the credentials in /etc/mysql/debian.cnf are used by the init
scripts to stop the server as they would require knowledge of the mysql root
users password else.

What is the easiest way to restore it after I've lost it?

The best plan is to simply not lose it. If you really lose the password, reset it, using another account. If you have lost all admin privileges on the mysql server follow the guides to reset the root password, then repair the debian-sys-maint.

You could use a command like this to build a SQL file that you can use later to recreate the account.

mysqldump --complete-insert --extended-insert=0 -u root -p mysql | grep 'debian-sys-maint' > debian_user.sql

Is the password in /etc/mysql/debian.cnf already hashed

The password is not hashed/encrypted when installed, but new versions of mysql now have a way to encrypt the credentials (see: https://serverfault.com/a/750363).

MySQL enabling the query log for the root user only

There aren't any options to control such granularity. The general query log is either on or off. The binary log can include or exclude particular databases, but that's all.

Possibly the best you can do to obtain this information is to parse the log files retroactively with tools like mysqlsla or mysql-log-filter. Beware though, as you might already be, that the general query log can be a cause of I/O contention in production environments.

Best Answer

Related Solutions

Debian MySQL User – What is the debian-sys-maint MySQL User?

MySQL enabling the query log for the root user only

Related Topic