BestHub
Sign in
Information Security 11 min read

How to Build a Lightweight MySQL/MariaDB Audit Log Platform with LogAnalyzer

This guide explains how to set up a lightweight database audit log platform using MariaDB's audit plugin, Rsyslog, and the LogAnalyzer web interface, covering environment preparation, plugin installation, syslog forwarding, MySQL schema creation, and LogAnalyzer configuration for real‑time monitoring and compliance reporting.

dbaplus Community
dbaplus Community
dbaplus Community
How to Build a Lightweight MySQL/MariaDB Audit Log Platform with LogAnalyzer

The Database Audit Log Platform (DB Audit) records user actions on MySQL/MariaDB databases in real time, providing fine‑grained compliance auditing and instant risk alerts. It enables DBAs to generate post‑incident reports, trace incidents, and efficiently query audit data through a searchable interface.

Technical Options

Two approaches are possible:

Option 1: Deploy a network‑side tap that captures TCP packets from the database server and processes them in data‑collection, processing, and security‑detection modules.

Option 2 (chosen): Use MariaDB’s built‑in Audit Plugin, forward its syslog output via Rsyslog to a dedicated MySQL database, and visualize the logs with LogAnalyzer.

In MariaDB 10.6, the audit plugin can send logs to Rsyslog, which can then store them in a MySQL database for later analysis.

DB Audit architecture diagram
DB Audit architecture diagram

Deployment Steps

Environment Overview

Install the MariaDB Audit Plugin on the primary MySQL/MariaDB server.

Configure Rsyslog on the primary server to use the ommysql module.

Prepare a dedicated MySQL server to store syslog audit data.

Set up a LAMP stack and deploy the LogAnalyzer web UI on the same host as the syslog MySQL server.

Step‑by‑step Configuration

1. Copy server_audit.so to the plugin directory on each database node and load the plugin:

MySQL> INSTALL PLUGIN server_audit SONAME 'server_audit.so';

2. Set the audit plugin to output to syslog:

MySQL> SET GLOBAL server_audit_output_type = syslog;

3. Configure the syslog facility to filter only audit logs:

MySQL> SET GLOBAL server_audit_syslog_facility = LOG_LOCAL6;

4. Restrict logged events to DDL and DML (exclude SELECT) to reduce noise:

MySQL> SET GLOBAL server_audit_events = 'QUERY_DDL,QUERY_DML_NO_SELECT';

5. Enable audit logging: MySQL> SET GLOBAL server_audit_logging = 1; 6. Install the Rsyslog MySQL driver on the primary server: Shell> yum install rsyslog-mysql -y 7. Create a MySQL user for Rsyslog on the dedicated syslog database:

MySQL> GRANT ALL ON Syslog.* TO 'rsyslog'@'localhost' IDENTIFIED BY 'rsyslogpass';
MySQL> GRANT ALL ON Syslog.* TO 'rsyslog'@'%' IDENTIFIED BY 'rsyslogpass';

8. Create the syslog database and tables using the provided script:

Shell> rpm -ql rsyslog-mysql
/usr/share/doc/rsyslog-8.24.0/mysql-createDB.sql
Shell> mysql -h127.0.0.1 -ursyslog -prsyslogpass < /usr/share/doc/rsyslog-8.24.0/mysql-createDB.sql

9. Configure Rsyslog to forward audit logs to the MySQL database. Edit /etc/rsyslog.conf and load the required modules:

# MODULES
$ModLoad imudp           # load UDP module
$UDPServerRun 514       # listen on UDP 514
$ModLoad imtcp           # load TCP module
$InputTCPServerRun 514   # listen on TCP 514
$ModLoad ommysql          # load MySQL output module

10. Add a rule to send the selected facility (local6) to the syslog MySQL server:

# RULES
$ActionOmmysqlServerPort 3306
local6.* :ommysql:192.168.198.239,Syslog,rsyslog,rsyslogpass

11. Restart Rsyslog to apply changes: Shell> systemctl restart rsyslog At this point, any DDL/DML operations on the primary MySQL/MariaDB instance are logged to the Syslog database’s SystemEvents table.

Install and Configure LogAnalyzer

12. Install the web stack and LogAnalyzer:

Shell> yum -y install httpd php php-mysql php-gd
Shell> systemctl start httpd.service
Shell> cd /var/www/html/
Shell> wget https://download.adiscon.com/loganalyzer/loganalyzer-4.1.12.tar.gz
Shell> tar zxvf loganalyzer-4.1.12.tar.gz
Shell> mv loganalyzer-4.1.12 loganalyzer
Shell> touch loganalyzer-4.1.12/src/config.php
Shell> chmod 755 loganalyzer-4.1.12/src/config.php

13. Open a browser and run the LogAnalyzer installer (e.g., http://your_ip/loganalyzer/src/install.php) and configure the data source:

Source type: MySQL Native

View: Syslog Fields

Table type: MonitorWare

Database host: 127.0.0.1

Database name: Syslog

Table name: SystemEvents

User: rsyslog

Password: the password set earlier

Complete the wizard to finish LogAnalyzer setup. The web UI now provides searchable, real‑time audit reports, allowing administrators to monitor database activity, detect violations, and trace incidents.

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

mysqlDatabase SecurityauditrsyslogMariaDBLogAnalyzer
dbaplus Community
Written by

dbaplus Community

Enterprise-level professional community for Database, BigData, and AIOps. Daily original articles, weekly online tech talks, monthly offline salons, and quarterly XCOPS&DAMS conferences—delivered by industry experts.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment