MySQL Forums
Forum List  »  Security

Re: MySQL Audit Excluding delete logs on one table
Posted by: Marek Szymczak
Date: October 11, 2018 02:26AM

Hi Krzysiek,
excluding logs of the queries that contain "WHERE" clause is not possible.

What I could propose is to define a filter that does following:
1. Wait for the event that signals deletion from the 'c' table.
2. Set a new filter that does not log general/status filter.
3. Set a previous filter that does the process from the beginning.

'{ "filter": { "id": "main",
"class": [ { "name": "table_access",
"event": { "name": "delete",
"log": false,
"filter" : { "class" : { "name" : "general",
"event": { "name": "status",
"log": false,
"filter": { "ref": "main" } } },
"activate" : { "field": { "name": "table_name.str",
"value": "c" } } } } },
{ "name": "general",
"event": { "name": "status",
"log": { "field": { "name": "general_sql_command.str",
"value": "delete" } } } } ] } }'

The filter may look complex, but I will try to describe how it works:

1. Audit Log plugin logs table_access events that signal table read, insert, delete and update. SELECT * FROM `a`,`b`,`c` statement will generate three table_access/read events. Eventually general/status event will appear at the end. What we do in the filter is we wait for the table_access/delete event.
2. When the table_access/read is generated we replace the filter with a new filter (if the table name condition is met) that just waits for general/status event, which is not logged. The purpose of handling this event is not to log general/status event.
3. Additionally we set the old filter ("filter": { "ref": "main" }) that restarts the process of handling events.

I hope that will satisfy your needs for a while.

Marek Szymczak
MySQL Software Engineer

Options: ReplyQuote


Subject
Views
Written By
Posted
Re: MySQL Audit Excluding delete logs on one table
392
October 11, 2018 02:26AM


Sorry, you can't reply to this topic. It has been closed.

Content reproduced on this site is the property of the respective copyright holders. It is not reviewed in advance by Oracle and does not necessarily represent the opinion of Oracle or any other party.