MariaDB Connector
Connect DB Audit to your MariaDB databases for comprehensive activity monitoring, query auditing, and compliance reporting. Native integration with MariaDB's built-in audit plugin.
Zero Agent Architecture
No software to install on your database servers
Server Audit Plugin
Leverages MariaDB's free audit plugin
<1% Performance Impact
Lightweight read-only collection
What You Can Monitor
Real-Time Query Monitoring
Capture every SQL query executed against your MariaDB database with microsecond precision timestamps.
User Activity Tracking
Track all user sessions, login attempts, privilege escalations, and GRANT/REVOKE operations.
Schema Change Detection
Detect and alert on DDL operations including CREATE, ALTER, DROP, and RENAME statements.
Data Access Patterns
Analyze query patterns to identify unusual data access or potential data exfiltration.
Requirements
Configuration Reference
Basic Connection
| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | A unique name to identify this connection |
| host | string | Yes | MariaDB server hostname or IP address |
| port | number | Yes | MariaDB server port |
| database_name | string | Yes | Name of the database to connect to |
| username | string | Yes | Database username for authentication |
| password | password | Yes | Database password (stored encrypted) |
SSL/TLS Configuration
| Field | Type | Default | Description |
|---|---|---|---|
| ssl_mode | select | PREFERRED | SSL connection mode |
| ssl_ca | string | - | CA certificate for server verification |
| ssl_cert | string | - | Client certificate for mutual TLS |
| ssl_key | password | - | Client private key (stored encrypted) |
Log Collection
| Field | Type | Default | Description |
|---|---|---|---|
| log_collection_type | select | native_audit | Method for collecting audit logs |
| polling_interval | number | 5 | Seconds between log collection polls |
| batch_size | number | 100 | Maximum events per batch |
| min_query_duration_ms | number | 0 | Minimum query duration to capture (ms) |
Log Collection Methods
DB Audit supports multiple methods for collecting audit logs from MariaDB. The MariaDB Server Audit Plugin is free and included with MariaDB, unlike MySQL's enterprise-only audit features.
MariaDB Audit Plugin
Recommended. Direct integration with the MariaDB Audit Plugin for comprehensive query logging and event capture.
CloudWatch Logs
Collect MariaDB logs from AWS CloudWatch for RDS MariaDB instances.
Create Audit User
Create a dedicated read-only user for DB Audit. This user only needs access to system tables—never grant write permissions.
-- Create a dedicated audit user with minimal privileges
CREATE USER 'dbaudit_reader'@'%' IDENTIFIED BY 'your_secure_password';
-- information_schema needs no grant: every account can query it, and the
-- server rejects GRANT statements that target it
-- Grant PROCESS privilege to see all running queries
GRANT PROCESS ON *.* TO 'dbaudit_reader'@'%';
-- Grant SELECT on mysql system tables for user/privilege auditing
GRANT SELECT ON mysql.user TO 'dbaudit_reader'@'%';
GRANT SELECT ON mysql.db TO 'dbaudit_reader'@'%';
GRANT SELECT ON mysql.global_priv TO 'dbaudit_reader'@'%';
-- Apply the changes
FLUSH PRIVILEGES;

Use a strong, unique password and store it in environment variables or a secrets manager. Never commit credentials to version control.
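To confirm the account stays read-only over time, the output of `SHOW GRANTS FOR 'dbaudit_reader'@'%'` can be checked against the privileges granted above. This is an added example, not DB Audit code: the function names and the sample grant lines are constructed for illustration, and it also reports whether the account carries the `REQUIRE SSL` clause this page sets in its SSL step.

```python
import re

# Privileges the setup on this page grants; anything else is drift.
ALLOWED = {"USAGE", "SELECT", "PROCESS"}
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<rest>.+)$", re.I)

def split_privs(privs):
    # Split on commas, but not on commas inside a column list "(a, b)".
    out, depth, cur = [], 0, ""
    for ch in privs:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            out.append(cur)
            cur = ""
        else:
            cur += ch
    out.append(cur)
    return [re.sub(r"\s*\(.*\)$", "", p.strip()).upper() for p in out]

def audit_grants(show_grants_lines):
    # Returns a list of findings; an empty list means the account is as intended.
    findings, tls_required = [], False
    for line in show_grants_lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            findings.append(f"unrecognized line: {line!r}")
            continue
        scope, rest = m["scope"], m["rest"].upper()
        for priv in split_privs(m["privs"]):
            if priv not in ALLOWED:
                findings.append(f"{priv} on {scope} exceeds read-only")
        if "WITH GRANT OPTION" in rest:
            findings.append(f"GRANT OPTION on {scope}")
        if re.search(r"\bREQUIRE\s+(SSL|X509|ISSUER|SUBJECT|CIPHER)\b", rest):
            tls_required = True
    if not tls_required:
        findings.append("account does not REQUIRE SSL")
    return findings

# Constructed SHOW GRANTS output for an account that has drifted.
DRIFTED = [
    "GRANT PROCESS ON *.* TO `dbaudit_reader`@`%`",
    "GRANT SELECT, INSERT, UPDATE (email, phone) ON `shop`.`customers` "
    "TO `dbaudit_reader`@`%` WITH GRANT OPTION",
]
```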
Enable Server Audit Plugin
MariaDB includes a free, powerful audit plugin. Enable it to capture all database activity for comprehensive auditing.
-- Install MariaDB Audit Plugin (included by default in MariaDB)
INSTALL SONAME 'server_audit';
-- Enable the audit plugin
SET GLOBAL server_audit_logging = ON;
-- Configure what to audit (narrower query classes are also available: QUERY_DDL, QUERY_DML, QUERY_DCL)
SET GLOBAL server_audit_events = 'CONNECT,QUERY,TABLE';
-- Log to file (DB Audit will read from here)
SET GLOBAL server_audit_output_type = 'file';
SET GLOBAL server_audit_file_path = '/var/log/mariadb/server_audit.log';
SET GLOBAL server_audit_file_rotate_size = 1000000;
SET GLOBAL server_audit_file_rotations = 9;
-- Optional: Exclude specific users from audit
SET GLOBAL server_audit_excl_users = 'replication_user';
-- Make settings persistent in /etc/my.cnf.d/server.cnf
-- [mariadb]
-- server_audit_logging = ON
-- server_audit_events = CONNECT,QUERY,TABLE
-- server_audit_output_type = file
-- server_audit_file_path = /var/log/mariadb/server_audit.log

Unlike MySQL's enterprise-only audit log plugin, MariaDB's server audit plugin is free and open source, providing the same powerful auditing capabilities at no additional cost.
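The file at `server_audit_file_path` holds one comma-separated record per event (timestamp, server host, user, client host, connection id, query id, operation, database, object, return code), and the query text in the object field can itself contain commas. The parser below is an added example, not DB Audit's collector code: it splits records safely and classifies failed logins, schema changes and privilege changes by field, so a `SELECT` on a table named `DROP_SHIP_ORDERS` is not mistaken for DDL. Function names and sample lines are constructed.

```python
import re
from collections import Counter

# Field order of the audit plugin's file output.
FIELDS = ("timestamp", "serverhost", "username", "host", "connectionid",
          "queryid", "operation", "database", "object", "retcode")
DDL = re.compile(r"^\s*(CREATE|ALTER|DROP|RENAME|TRUNCATE)\b", re.I)
DCL = re.compile(r"^\s*(GRANT|REVOKE)\b", re.I)

def parse_line(line):
    # The first 8 fields never contain commas; the query text may.
    head = line.rstrip("\n").split(",", 8)
    if len(head) != 9:
        return None                               # truncated or foreign line
    obj, sep, retcode = head[8].rpartition(",")   # retcode is the last field
    if not sep or not retcode.lstrip("-").isdigit():
        return None
    if len(obj) >= 2 and obj[0] == obj[-1] == "'":
        obj = obj[1:-1]                           # drop the quotes around the query
    return dict(zip(FIELDS, head[:8] + [obj, int(retcode)]))

def classify(event):
    op, sql = event["operation"], event["object"]
    if op == "FAILED_CONNECT":
        return "failed_login"
    if op == "QUERY" and DCL.match(sql):
        return "privilege_change"
    if op == "QUERY" and DDL.match(sql):
        return "schema_change"
    return None

def summarize(lines):
    counts = Counter()
    for line in lines:
        event = parse_line(line)
        label = classify(event) if event else "unparsed"
        if label:
            counts[label] += 1
    return dict(counts)

# Constructed sample records, not taken from a real server.
SAMPLE = [
    "20240105 10:15:02,db01,app,10.0.0.7,41,0,FAILED_CONNECT,,,1045",
    "20240105 10:15:09,db01,app,10.0.0.7,42,0,CONNECT,shop,,0",
    "20240105 10:15:10,db01,app,10.0.0.7,42,311,QUERY,shop,'SELECT id, note FROM DROP_SHIP_ORDERS',0",
    "20240105 10:16:44,db01,admin,10.0.0.9,43,320,QUERY,shop,'ALTER TABLE orders ADD note TEXT, ADD flag INT',0",
    "20240105 10:17:01,db01,admin,10.0.0.9,43,321,QUERY,mysql,'GRANT SELECT ON shop.* TO bi@localhost',0",
    "20240105 10:17:30 truncated record",
]
```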
Configure SSL (Recommended)
For production deployments, always use SSL/TLS encryption. DB Audit supports all MariaDB SSL modes including certificate-based authentication.
# Generate client certificate for MariaDB
openssl genrsa -out client-key.pem 2048
openssl req -new -key client-key.pem -out client-csr.pem
openssl x509 -req -in client-csr.pem -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out client-cert.pem -days 365
# Set correct permissions
chmod 600 client-key.pem
# MariaDB server configuration (/etc/my.cnf.d/server.cnf)
[mariadb]
ssl-ca=/etc/mysql/certs/ca.pem
ssl-cert=/etc/mysql/certs/server-cert.pem
ssl-key=/etc/mysql/certs/server-key.pem
require_secure_transport=ON
# Require SSL for audit user
ALTER USER 'dbaudit_reader'@'%' REQUIRE SSL;

Configure DB Audit Collector
Add your MariaDB connection to the DB Audit configuration file. Store sensitive credentials in environment variables.
databases:
  - name: production-mariadb
    type: mariadb
    host: db.example.com
    port: 3306
    database: your_database
    username: dbaudit_reader
    password: ${MARIADB_PASSWORD}
    # SSL Configuration (recommended for production)
    ssl: true
    ssl_mode: VERIFY_IDENTITY
    ssl_ca: /etc/dbaudit/certs/ca.pem
    ssl_cert: /etc/dbaudit/certs/client-cert.pem
    ssl_key: /etc/dbaudit/certs/client-key.pem
    # Connection settings
    connect_timeout: 10
    read_timeout: 30
    # Monitoring options
    options:
      track_queries: true
      track_connections: true
      track_ddl: true
      track_dml: true
      track_errors: true
      sample_rate: 1.0 # 100% of queries

Test Connection
Verify your configuration before deploying. The collector includes built-in connection testing.
# Test connection with mariadb client
mariadb -h db.example.com -u dbaudit_reader -p -e "SELECT VERSION();"
# Test with SSL
mariadb -h db.example.com -u dbaudit_reader -p \
--ssl-ca=ca.pem \
--ssl-cert=client-cert.pem \
--ssl-key=client-key.pem \
-e "SHOW STATUS LIKE 'Ssl_cipher';"
# Verify audit plugin is active
mariadb -u root -p -e "SHOW GLOBAL STATUS LIKE 'server_audit%';"
# Verify DB Audit collector can connect
dbaudit-collector test-connections --config /etc/dbaudit/config.yaml

AWS RDS MariaDB & CloudWatch
Managed MariaDB with CloudWatch Logs Integration
Amazon RDS for MariaDB uses the same Server Audit Plugin as self-managed MariaDB. Configure auditing through an option group and publish logs to CloudWatch for centralized management and DB Audit integration.
RDS MariaDB uses the native MARIADB_AUDIT_PLUGIN, providing the same comprehensive auditing capabilities as self-managed installations. Configuration is done through RDS option groups instead of SQL commands.
Available CloudWatch Log Types
| Log Type | Log Group | Description |
|---|---|---|
| audit | /aws/rds/instance/<id>/audit | Server Audit Plugin logs (Primary for DB Audit) |
| error | /aws/rds/instance/<id>/error | Error log with startup, shutdown, and error messages |
| general | /aws/rds/instance/<id>/general | General query log (high volume, use cautiously) |
| slowquery | /aws/rds/instance/<id>/slowquery | Slow query log for performance analysis |
1. Create Option Group with Audit Plugin
Create a custom option group and add the MARIADB_AUDIT_PLUGIN with your desired settings.
# Create a custom option group with MariaDB Audit Plugin
aws rds create-option-group \
--option-group-name mariadb-audit-options \
--engine-name mariadb \
--major-engine-version 10.6 \
--option-group-description "MariaDB option group with audit plugin"
# Add the MariaDB Audit Plugin to the option group
aws rds add-option-to-option-group \
--option-group-name mariadb-audit-options \
--options "OptionName=MARIADB_AUDIT_PLUGIN,OptionSettings=[\
{Name=SERVER_AUDIT_LOGGING,Value=ON},\
{Name=SERVER_AUDIT_EVENTS,Value='CONNECT,QUERY,TABLE'},\
{Name=SERVER_AUDIT_INCL_USERS,Value=},\
{Name=SERVER_AUDIT_EXCL_USERS,Value=rdsadmin}]"
# Apply the option group to your RDS instance
aws rds modify-db-instance \
--db-instance-identifier my-mariadb-instance \
--option-group-name mariadb-audit-options \
--apply-immediately

SERVER_AUDIT_EVENTS can include: CONNECT, QUERY, TABLE, QUERY_DDL, QUERY_DML, QUERY_DCL.
Exclude rdsadmin to filter AWS internal operations.
2. Enable CloudWatch Logs Export
Configure your RDS instance to publish audit logs to CloudWatch Logs.
# Enable CloudWatch Logs export for MariaDB
aws rds modify-db-instance \
--db-instance-identifier my-mariadb-instance \
--cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit","error","slowquery"]}'
# Create a new RDS MariaDB instance with CloudWatch logging enabled
aws rds create-db-instance \
--db-instance-identifier my-mariadb-instance \
--db-instance-class db.t3.medium \
--engine mariadb \
--engine-version 10.6.14 \
--master-username admin \
--manage-master-user-password \
--allocated-storage 100 \
--option-group-name mariadb-audit-options \
--enable-cloudwatch-logs-exports '["audit","error","slowquery"]'
# Disable audit log publishing (if needed)
aws rds modify-db-instance \
--db-instance-identifier my-mariadb-instance \
--cloudwatch-logs-export-configuration '{"DisableLogTypes":["audit"]}'

CloudWatch Log Group Structure
Audit logs are published to: /aws/rds/instance/<instance-id>/audit
Recommended exports: audit, error, slowquery
3. Verify Audit Plugin Settings
Connect to your RDS MariaDB instance and verify the audit plugin is active and configured correctly.
-- Verify the audit plugin is loaded and active
SELECT PLUGIN_NAME, PLUGIN_STATUS FROM information_schema.PLUGINS WHERE PLUGIN_NAME = 'SERVER_AUDIT';
-- Check current audit settings
SHOW GLOBAL VARIABLES LIKE 'server_audit%';
-- Expected output for properly configured RDS:
-- server_audit_logging | ON
-- server_audit_events | CONNECT,QUERY,TABLE
-- server_audit_excl_users | rdsadmin
-- server_audit_output_type | file
-- View audit status
SHOW GLOBAL STATUS LIKE 'server_audit%';
-- Check which users are being audited
SELECT @@server_audit_incl_users AS included_users,
       @@server_audit_excl_users AS excluded_users;

4. Configure IAM Permissions
Grant DB Audit permission to read CloudWatch Logs and RDS log files.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents",
        "logs:FilterLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:/aws/rds/instance/*/audit:*",
        "arn:aws:logs:*:*:log-group:/aws/rds/instance/*/error:*",
        "arn:aws:logs:*:*:log-group:/aws/rds/instance/*/slowquery:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBInstances",
        "rds:DescribeDBLogFiles",
        "rds:DownloadDBLogFilePortion"
      ],
      "Resource": "*"
    }
  ]
}

If running DB Audit on EC2 or ECS, attach an IAM role instead of using access keys. This is more secure and handles credential rotation automatically.
5. Configure DB Audit for RDS MariaDB
Configure DB Audit to collect logs from CloudWatch.
# DB Audit configuration for RDS MariaDB via CloudWatch
databases:
  - name: production-rds-mariadb
    type: mariadb
    # RDS endpoint
    host: my-mariadb-instance.xxxx.us-east-1.rds.amazonaws.com
    port: 3306
    database: your_database
    username: dbaudit_reader
    password: ${RDS_MARIADB_PASSWORD}
    # SSL is enabled by default for RDS
    ssl: true
    ssl_mode: VERIFY_IDENTITY
    options:
      # Use CloudWatch as the log source
      log_source: cloudwatch
      # CloudWatch configuration
      cloudwatch:
        region: us-east-1
        log_group: /aws/rds/instance/my-mariadb-instance/audit
        # AWS credentials (use IAM role if running on EC2/ECS)
        # access_key_id: ${AWS_ACCESS_KEY_ID}
        # secret_access_key: ${AWS_SECRET_ACCESS_KEY}
        # Or use IAM role (recommended)
        use_iam_role: true
      # Polling interval for CloudWatch logs
      polling_interval: 30

6. Query Audit Logs in CloudWatch
Use CloudWatch Logs Insights to analyze audit data directly in the AWS Console.
# View audit logs in CloudWatch Logs Insights
# Log group: /aws/rds/instance/<instance-id>/audit
# Query for failed login attempts
fields @timestamp, @message
| filter @message like /FAILED_CONNECT|Access denied/
| sort @timestamp desc
| limit 100
# Query for DDL operations
fields @timestamp, @message
| filter @message like /CREATE|DROP|ALTER|TRUNCATE/
| sort @timestamp desc
| limit 100
# Query for specific user activity
fields @timestamp, @message
| filter @message like /,dbaudit_reader,/
| sort @timestamp desc
| limit 50
# Query for queries on specific tables
fields @timestamp, @message
| filter @message like /customers|orders|payments/
| sort @timestamp desc
| limit 100

RDS Audit Log Retention
RDS Instance Storage
Audit logs are retained on the RDS instance until they reach the configured rotation size or are pushed to CloudWatch.
CloudWatch Logs
Configure retention in CloudWatch (1 day to 10 years). Set based on your compliance requirements.
CloudWatch Logs can incur significant costs at high volumes. Consider using SERVER_AUDIT_EXCL_USERS to exclude service accounts and filter specific audit events to reduce log volume.
Compliance Support
DB Audit's MariaDB connector helps you meet audit requirements for major compliance frameworks.
Troubleshooting
Connection refused
Check that MariaDB is accepting connections on the configured host and port. Verify bind-address in server.cnf allows connections from the collector's IP address.
Access denied for user
Verify the username and password are correct. Check that the user was created with the correct host pattern (e.g., 'user'@'%' for any host).
Audit plugin not loading
Verify server_audit.so exists in the plugin directory. Check SHOW PLUGINS output and server error log for details.
SSL connection error
If the server requires SSL, ensure ssl: true is set in your configuration and the correct certificates are provided. Verify certificate permissions are set to 600.
Ready to Audit Your MariaDB Database?
Start monitoring your MariaDB databases in minutes. No agents to install on your database servers.