1. Background
With MySQL 5.7 reaching end-of-life (EOL), many users are upgrading to MySQL 8.0. In earlier community editions of MySQL 5.7, the MariaDB audit plugin could be adapted through source code adjustments to cover most mainstream versions. However, starting with MySQL 8.0, the MariaDB plugin is no longer compatible (or MySQL 8.0 is no longer compatible with MariaDB), necessitating a community-version audit plugin solution.
Percona initially stated that its audit plugin was designed for Percona Server and not tested or adapted for Oracle MySQL. However, in July 2024, Percona published a community article verifying that the audit plugin supports MySQL 8.0 and provided a demonstration.
This article validates the compatibility of the Percona audit plugin with MySQL 8.0 and checks for any potential issues.
2. Environment Information
- Operating System: CentOS Linux release 7.5.1804
- Database: MySQL 8.0.37 Community Edition
- Plugin Version: Extracted from Percona Server 8.0.37
3. Plugin Installation
Extract the audit plugin audit_log.so from the Percona installation package.
mkdir -p Percona-Server-8.0.37-29-Linux.x86_64.glibc2.17/lib/plugin/
tar -xvf Percona-Server-8.0.37-29-Linux.x86_64.glibc2.17.tar.gz --wildcards --no-anchored '*audit_log.so*'
ls -al Percona-Server-8.0.37-29-Linux.x86_64.glibc2.17/lib/plugin/audit_log.so
Copy audit_log.so to the MySQL plugin directory and adjust permissions.
cp /usr/local/Percona-Server-8.0.37-29-Linux.x86_64.glibc2.17/lib/plugin/audit_log.so /usr/local/mysql/lib/plugin/
chown mysql:mysql /usr/local/mysql/lib/plugin/audit_log.so
Install the plugin in MySQL.
INSTALL PLUGIN audit_log SONAME 'audit_log.so';
SELECT * FROM mysql.plugin;
SELECT PLUGIN_NAME, PLUGIN_STATUS, PLUGIN_TYPE FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME = 'audit_log';
4. Plugin Usage
After installation, over 10 new parameters related to auditing are added.
SHOW GLOBAL VARIABLES LIKE 'audit%';
Key parameters include:
audit_log_buffer_size: Buffer size for audit logs (in bytes).audit_log_exclude_accounts: Specifies user accounts excluded from auditing.audit_log_file: Path and filename for the audit log.audit_log_format: Audit log format (e.g., JSON).audit_log_policy: Core auditing policy (e.g., LOGINS for login-related events).
Sample Audit Log Entry (JSON Format):
{
"audit_record": {
"name": "Connect",
"record": "2_2025-09-05T07:01:54",
"timestamp": "2025-09-05T07:04:44Z",
"connection_id": "8",
"status": 0,
"user": "root",
"priv_user": "root",
"os_login": "",
"proxy_user": "",
"host": "localhost",
"ip": "",
"db": ""
}
}
5. Key Parameter Usage
5.1 audit_log_policy
Supports four modes: ALL, LOGINS, QUERIES, and NONE.
Example:
SET GLOBAL audit_log_policy = 'QUERIES';
5.2 audit_log_format
Supports OLD, NEW, CSV, and JSON formats.
5.3 audit_log_exclude_accounts
Excludes specific users from auditing.
Example:
SET GLOBAL audit_log_exclude_accounts = "'orchestrator'@'10%','test'@'%'";
5.4 audit_log_include_commands
Specifies which command types to audit. The plugin supports 159 command types.
Example:
SET GLOBAL audit_log_include_commands = 'begin';
5.5 audit_log_exclude_databases
Excludes specific databases from auditing.
Example:
SET GLOBAL audit_log_exclude_databases = 'mysql','test_%';
6. Conclusion
The Percona audit plugin works correctly with MySQL 8.0.37 Community Edition. Key features validated include:
audit_log_policy: Supports four auditing modes.audit_log_format: Supports four log formats.audit_log_exclude_accounts: Excludes specific users from auditing.audit_log_include_commands: Supports auditing for 159 command types.audit_log_exclude_databases: Excludes specific databases from auditing.
%20(2048%20x%201000%20%E5%83%8F%E7%B4%A0)%20(3).png)
%20(2048%20x%201000%20%E5%83%8F%E7%B4%A0)%20(2).png)
