
Percona Audit Log Plugin (MySQL auditing)

Background:
When business requirements or other special circumstances call for it, a database may need to be audited so that the operations it carried out at a given time can be reconstructed. This post introduces Percona's audit plugin.

The Percona Audit Log Plugin provides monitoring and logging of the connection and query activity performed on a specific server. Information about that activity is stored in an XML log file, in which every event has a NAME field, its own unique RECORD_ID field and a TIMESTAMP field. This implementation is an alternative to the MySQL Enterprise Audit Log Plugin. The plugin generates log entries for the following events:

Audit - an Audit event indicates that audit logging has started or finished. The NAME field is Audit when logging starts and NoAudit when it finishes. The audit record also includes the server version and its command-line arguments.
Example of the Audit event:

<AUDIT_RECORD
"NAME"="Audit"
"RECORD"="1_2014-04-29T09:29:40"
"TIMESTAMP"="2014-04-29T09:29:40 UTC"
"MYSQL_VERSION"="5.6.17-65.0-655.trusty"
"STARTUP_OPTIONS"="--basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=mysql --log-error=/var/log/mysql/error.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306"
"OS_VERSION"="x86_64-debian-linux-gnu",
/>
Connect/Disconnect - a connection record has the NAME field Connect when a user logged in or a login failed, and Quit when the connection is closed. Additional fields for this event are CONNECTION_ID, STATUS, USER, PRIV_USER, OS_LOGIN, PROXY_USER, HOST and IP. STATUS is 0 for successful logins and non-zero for failed logins.
Example of the Disconnect event:

<AUDIT_RECORD
"NAME"="Quit"
"RECORD"="24_2014-04-29T09:29:40"
"TIMESTAMP"="2014-04-29T10:20:13 UTC"
"CONNECTION_ID"="49"
"STATUS"="0"
"USER"=""
"PRIV_USER"=""
"OS_LOGIN"=""
"PROXY_USER"=""
"HOST"=""
"IP"=""
"DB"=""
/>

1. Installation:

The audit log plugin ships with Percona Server but is not installed by default. To enable the plugin, run the following statement:

INSTALL PLUGIN audit_log SONAME 'audit_log.so';

Verify that the plugin was installed successfully:

SHOW PLUGINS;

+--------------------------------+----------+--------------------+--------------+---------+
| Name                           | Status   | Type               | Library      | License |
+--------------------------------+----------+--------------------+--------------+---------+
...
| audit_log                      | ACTIVE   | AUDIT              | audit_log.so | GPL     |
+--------------------------------+----------+--------------------+--------------+---------+

2. Log formats:

The audit log plugin supports four log formats: OLD, NEW, JSON and CSV. OLD and NEW are XML-based; the former writes a record's fields as XML attributes, the latter as XML tags. The information logged is the same in all four formats. The format is selected with the audit_log_format variable. Example of a record in the NEW format:

<AUDIT_RECORD>
<NAME>Quit</NAME>
<RECORD>10902_2014-04-28T11:02:54</RECORD>
<TIMESTAMP>2014-04-28T11:02:59 UTC</TIMESTAMP>
<CONNECTION_ID>36</CONNECTION_ID>
<STATUS>0</STATUS>
<USER></USER>
<PRIV_USER></PRIV_USER>
<OS_LOGIN></OS_LOGIN>
<PROXY_USER></PROXY_USER>
<HOST></HOST>
<IP></IP>
<DB></DB>
</AUDIT_RECORD>
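As an added example (not code from the original post or from Percona), the Python snippet below parses audit records in both XML formats described above, the OLD form with quoted attribute names and the NEW form with tags, and pulls out failed Connect events (STATUS non-zero), which is the first thing a defender reads from this log. The sample log text, the account, the ids and the non-zero STATUS value are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample log for this example: one record in the OLD format
# (quoted attribute names, closed by "/>") followed by two in the NEW format
# (XML tags). Account, ids, IP and the non-zero STATUS value are made up.
SAMPLE_LOG = '''<AUDIT_RECORD
"NAME"="Connect"
"RECORD"="2_2014-04-29T09:29:40"
"TIMESTAMP"="2014-04-29T09:30:01 UTC"
"CONNECTION_ID"="50"
"STATUS"="1045"
"USER"="app"
"PRIV_USER"=""
"OS_LOGIN"=""
"PROXY_USER"=""
"HOST"="localhost"
"IP"="10.0.0.7"
"DB"=""
/>
<AUDIT_RECORD>
<NAME>Connect</NAME>
<RECORD>3_2014-04-29T09:29:40</RECORD>
<TIMESTAMP>2014-04-29T09:30:05 UTC</TIMESTAMP>
<CONNECTION_ID>51</CONNECTION_ID>
<STATUS>1045</STATUS>
<USER>app</USER>
<PRIV_USER></PRIV_USER>
<OS_LOGIN></OS_LOGIN>
<PROXY_USER></PROXY_USER>
<HOST>localhost</HOST>
<IP>10.0.0.7</IP>
<DB></DB>
</AUDIT_RECORD>
<AUDIT_RECORD>
<NAME>Connect</NAME>
<RECORD>4_2014-04-29T09:29:40</RECORD>
<TIMESTAMP>2014-04-29T09:30:09 UTC</TIMESTAMP>
<CONNECTION_ID>52</CONNECTION_ID>
<STATUS>0</STATUS>
<USER>app</USER>
<PRIV_USER>app</PRIV_USER>
<OS_LOGIN></OS_LOGIN>
<PROXY_USER></PROXY_USER>
<HOST>localhost</HOST>
<IP>10.0.0.7</IP>
<DB>shop</DB>
</AUDIT_RECORD>
'''

# One record runs from "<AUDIT_RECORD" to either "/>" (OLD) or "</AUDIT_RECORD>" (NEW).
# The OLD format is not well-formed XML (its attribute names are quoted), so a
# real XML parser would reject it; regular expressions handle both forms.
RECORD_RE = re.compile(r'<AUDIT_RECORD\b(.*?)(?:/>|</AUDIT_RECORD>)', re.S)
OLD_FIELD_RE = re.compile(r'"([A-Z_]+)"="([^"]*)"')    # "NAME"="Connect"
NEW_FIELD_RE = re.compile(r'<([A-Z_]+)>([^<]*)</\1>')   # <NAME>Connect</NAME>


def parse_records(text):
    """Return a list of dicts, one per AUDIT_RECORD, whichever XML format it uses."""
    records = []
    for match in RECORD_RE.finditer(text):
        body = match.group(1)
        # NEW-format tags are tried first; an OLD-format body yields no tag matches.
        fields = dict(NEW_FIELD_RE.findall(body)) or dict(OLD_FIELD_RE.findall(body))
        records.append(fields)
    return records


def failed_logins(records):
    """Connect events with a non-zero STATUS are failed login attempts."""
    return [r for r in records
            if r.get('NAME') == 'Connect' and r.get('STATUS', '0') != '0']


def failed_login_counts(records):
    """Failed logins per USER@HOST: repeated failures from one source are the
    signal worth alerting on."""
    return Counter(f"{r.get('USER', '')}@{r.get('HOST', '')}"
                   for r in failed_logins(records))


if __name__ == '__main__':
    recs = parse_records(SAMPLE_LOG)
    print(f"{len(recs)} records, {len(failed_logins(recs))} failed logins")
    for account, n in failed_login_counts(recs).items():
        print(f"  {account}: {n} failed")
```

Point parse_records at the contents of the plugin's log file (audit_log_file) to run it on a real server; JSON and CSV output would need a different reader, since only the two XML formats are handled here.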

3. In practice:
The following example shows how to add accounts that will be monitored:

mysql> SET GLOBAL audit_log_include_accounts = '[email protected],[email protected]';
Query OK, 0 rows affected (0.00 sec)
If you try to add accounts to both the include and the exclude list, the server returns the following error:

mysql> SET GLOBAL audit_log_exclude_accounts = '[email protected],[email protected]';
ERROR 1231 (42000): Variable 'audit_log_exclude_accounts' can't be set to the value of '[email protected],[email protected]'
To switch from filtering by the include list to the exclude list or back, first set the currently active filtering variable to NULL:

mysql> SET GLOBAL audit_log_include_accounts = NULL;
Query OK, 0 rows affected (0.00 sec)

mysql> SET GLOBAL audit_log_exclude_accounts = '[email protected],[email protected]';
Query OK, 0 rows affected (0.00 sec)

mysql> SET GLOBAL audit_log_exclude_accounts = "'user'@'host'";
Query OK, 0 rows affected (0.00 sec)

mysql> SET GLOBAL audit_log_exclude_accounts = '''user''@''host''';
Query OK, 0 rows affected (0.00 sec)

mysql> SET GLOBAL audit_log_exclude_accounts = '\'user\'@\'host\'';
Query OK, 0 rows affected (0.00 sec)
To see which accounts are currently on the list, run:

mysql> SELECT @@audit_log_exclude_accounts;
+------------------------------+
| @@audit_log_exclude_accounts |
+------------------------------+
| 'user'@'host'                |
+------------------------------+
1 row in set (0.00 sec)

-- Note: the account name being monitored must exactly match the entry in mysql.user; otherwise the filter has no effect.

<AUDIT_RECORD
NAME="Connect"
RECORD="4971917_2016-08-22T09:09:10"
TIMESTAMP="2016-08-22T09:12:21 UTC"
CONNECTION_ID="6"
STATUS="0"
USER="user1" ;; this is a 'user' part of account in 5.7
PRIV_USER="user1"
OS_LOGIN=""
PROXY_USER=""
HOST="localhost" ;; this is a 'host' part of account in 5.7
IP=""
DB=""
/>

Filter out user1 (exclude user1):

SET GLOBAL audit_log_exclude_accounts = '[email protected]%';
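The note above says a filter entry only takes effect when it matches an account in mysql.user. As an added example (not from the original post or from Percona), this Python snippet parses an audit_log_include_accounts / audit_log_exclude_accounts value in both spellings the post uses, bare user@host and quoted 'user'@'host', and reports entries that have no exact (user, host) row in mysql.user and would therefore silently filter nothing. MYSQL_USER_ROWS is a constructed stand-in for the output of SELECT user, host FROM mysql.user, and that the plugin strips the single quotes exactly as _unquote does is an assumption.

```python
# Constructed stand-in for the rows of SELECT user, host FROM mysql.user
MYSQL_USER_ROWS = [
    ('user1', 'localhost'),
    ('user2', '%'),
    ('app', '10.0.0.%'),
]


def _unquote(part):
    """Strip one pair of surrounding single quotes ('user' -> user).
    Assumption: the plugin accepts both spellings shown in the post."""
    if len(part) >= 2 and part[0] == "'" and part[-1] == "'":
        return part[1:-1]
    return part


def parse_account_list(value):
    """Split a comma-separated account list into (user, host) tuples.
    NULL (None) means the filter is unset and yields an empty list."""
    if value is None:
        return []
    accounts = []
    for entry in value.split(','):
        entry = entry.strip()
        if not entry:
            continue
        # Split on the last '@' so a quoted user part containing '@' survives.
        user, sep, host = entry.rpartition('@')
        if not sep:
            raise ValueError(f"account entry without an @: {entry!r}")
        accounts.append((_unquote(user), _unquote(host)))
    return accounts


def unmatched_accounts(value, user_rows):
    """Entries with no exact (user, host) row in mysql.user. Per the post's note,
    these never match a connection, so the filter silently does nothing for them."""
    known = set(user_rows)
    return [acct for acct in parse_account_list(value) if acct not in known]


if __name__ == '__main__':
    wanted = "user1@localhost,'user2'@'localhost',app@10.0.0.%"
    for user, host in unmatched_accounts(wanted, MYSQL_USER_ROWS):
        print(f"no mysql.user row for {user}@{host}; this entry will not filter anything")
```

Run this against the real rows before setting either variable: user2@localhost above is flagged because mysql.user only holds user2@%, which is exactly the mismatch the note warns about.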

Summary:
1. Database auditing is a very practical and important feature.
2. Normally this feature is not enabled, because its performance cost is considerable.
3. Percona provides this feature; the MySQL Community edition does not have it natively, only the Enterprise edition does.