MySQL Connector
Connect DB Audit to your MySQL databases for comprehensive activity monitoring, query auditing, and compliance reporting. Zero performance impact with our lightweight collector.
Zero Agent Architecture
No software to install on your database servers
performance_schema
Leverages built-in MySQL instrumentation
<1% Performance Impact
Lightweight read-only collection
What You Can Monitor
Real-Time Query Monitoring
Capture every SQL query executed against your MySQL database with microsecond precision timestamps.
User Activity Tracking
Track all user sessions, login attempts, privilege escalations, and GRANT/REVOKE operations.
Schema Change Detection
Detect and alert on DDL operations including CREATE, ALTER, DROP, and RENAME statements.
Data Access Patterns
Analyze query patterns to identify unusual data access or potential data exfiltration.
Requirements
Configuration Reference
Basic Connection
| Field | Type | Required | Description |
|---|---|---|---|
name | string | Yes | A unique name to identify this connection |
host | string | Yes | MySQL server hostname or IP address |
port | number | Yes | MySQL server port |
database_name | string | Yes | Name of the database to connect to |
username | string | Yes | Database username for authentication |
password | password | Yes | Database password (stored encrypted) |
SSL/TLS Configuration
| Field | Type | Default | Description |
|---|---|---|---|
ssl_mode | select | PREFERRED | SSL connection mode |
ssl_ca | string | - | CA certificate for server verification |
ssl_cert | string | - | Client certificate for mutual TLS |
ssl_key | password | - | Client private key (stored encrypted) |
Log Collection
| Field | Type | Default | Description |
|---|---|---|---|
log_collection_type | select | native_audit | Method for collecting audit logs |
polling_interval | number | 5 | Seconds between log collection polls |
batch_size | number | 100 | Maximum events per batch |
min_query_duration_ms | number | 0 | Minimum query duration to capture (ms) |
Log Collection Methods
DB Audit supports multiple methods for collecting audit logs from MySQL.
Native Audit (performance_schema)
RecommendedDirect integration with MySQL performance_schema and audit log plugins for comprehensive query logging.
CloudWatch Logs
Collect MySQL logs from AWS CloudWatch for RDS and Aurora MySQL instances.
Create Audit User
Create a dedicated read-only user for DB Audit. This user only needs access to performance_schema and system tables—never grant write permissions.
-- Create a dedicated audit user with minimal privileges
CREATE USER 'dbaudit_reader'@'%' IDENTIFIED BY 'your_secure_password';
-- Grant read access to performance_schema for query monitoring
GRANT SELECT ON performance_schema.* TO 'dbaudit_reader'@'%';
-- Grant PROCESS privilege to see all running queries
GRANT PROCESS ON *.* TO 'dbaudit_reader'@'%';
-- Grant SELECT on mysql system tables for user/privilege auditing
GRANT SELECT ON mysql.user TO 'dbaudit_reader'@'%';
GRANT SELECT ON mysql.db TO 'dbaudit_reader'@'%';
-- Apply the changes
FLUSH PRIVILEGES;Use a strong, unique password and store it in environment variables or a secrets manager. Never commit credentials to version control.
Enable Query Tracking
For comprehensive query auditing, configure performance_schema and optionally enable audit log plugins for detailed logging.
-- Enable general query log (for development/testing only)
SET GLOBAL general_log = 'ON';
SET GLOBAL log_output = 'TABLE';
-- For production: Use MySQL Enterprise Audit or audit plugins
-- Install MySQL Enterprise Audit (if available)
INSTALL PLUGIN audit_log SONAME 'audit_log.so';
-- Or use Percona Audit Log Plugin (open source alternative)
INSTALL PLUGIN audit_log SONAME 'audit_log.so';
SET GLOBAL audit_log_policy = 'ALL';
-- Configure performance_schema for query tracking (recommended)
UPDATE performance_schema.setup_consumers
SET ENABLED = 'YES'
WHERE NAME LIKE 'events_statements%';
UPDATE performance_schema.setup_instruments
SET ENABLED = 'YES', TIMED = 'YES'
WHERE NAME LIKE 'statement/%';
Avoid using the general query log in production as it can impact performance. Use performance_schema or audit plugins instead.
Configure SSL (Recommended)
For production deployments, always use SSL/TLS encryption. DB Audit supports all MySQL SSL modes including certificate-based authentication.
# Generate client certificate for MySQL
openssl genrsa -out client-key.pem 2048
openssl req -new -key client-key.pem -out client-csr.pem
openssl x509 -req -in client-csr.pem -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out client-cert.pem -days 365
# Set correct permissions
chmod 600 client-key.pem
# MySQL server configuration (my.cnf)
[mysqld]
ssl-ca=/etc/mysql/certs/ca.pem
ssl-cert=/etc/mysql/certs/server-cert.pem
ssl-key=/etc/mysql/certs/server-key.pem
require_secure_transport=ON
# Require SSL for audit user
ALTER USER 'dbaudit_reader'@'%' REQUIRE SSL;Configure DB Audit Collector
Add your MySQL connection to the DB Audit configuration file. Store sensitive credentials in environment variables.
databases:
- name: production-mysql
type: mysql
host: db.example.com
port: 3306
database: your_database
username: dbaudit_reader
password: ${MYSQL_PASSWORD}
# SSL Configuration (recommended for production)
ssl: true
ssl_mode: VERIFY_IDENTITY
ssl_ca: /etc/dbaudit/certs/ca.pem
ssl_cert: /etc/dbaudit/certs/client-cert.pem
ssl_key: /etc/dbaudit/certs/client-key.pem
# Connection settings
connect_timeout: 10
read_timeout: 30
# Monitoring options
options:
track_queries: true
track_connections: true
track_ddl: true
track_dml: true
track_errors: true
sample_rate: 1.0 # 100% of queriesTest Connection
Verify your configuration before deploying. The collector includes built-in connection testing.
# Test connection with mysql client
mysql -h db.example.com -u dbaudit_reader -p -e "SELECT VERSION();"
# Test with SSL
mysql -h db.example.com -u dbaudit_reader -p \
--ssl-ca=ca.pem \
--ssl-cert=client-cert.pem \
--ssl-key=client-key.pem \
-e "SHOW STATUS LIKE 'Ssl_cipher';"
# Verify DB Audit collector can connect
dbaudit-collector test-connections --config /etc/dbaudit/config.yamlAWS RDS MySQL & CloudWatch
Managed MySQL with CloudWatch Logs Integration
Amazon RDS for MySQL can publish audit logs to CloudWatch Logs using the MariaDB Audit Plugin, enabling centralized log management and integration with DB Audit. This section covers how to configure auditing on RDS MySQL and connect it to DB Audit via CloudWatch.
RDS MySQL uses the MariaDB Audit Plugin (MARIADB_AUDIT_PLUGIN) for audit logging. This requires a custom Option Group (not a Parameter Group) to configure. The plugin logs connection attempts, queries, and other database activity to CloudWatch Logs.
Available CloudWatch Log Types
| Log Type | CloudWatch Log Group | Description |
|---|---|---|
audit | /aws/rds/instance/<id>/audit | MariaDB Audit Plugin logs (Primary for auditing) |
error | /aws/rds/instance/<id>/error | MySQL error log (startup, shutdown, errors) |
general | /aws/rds/instance/<id>/general | General query log (all queries, high overhead) |
slowquery | /aws/rds/instance/<id>/slowquery | Slow query log (queries exceeding threshold) |
1. Create Option Group with MariaDB Audit Plugin
Create a custom option group and add the MARIADB_AUDIT_PLUGIN option with your desired audit settings.
# Create a custom option group for MariaDB Audit Plugin
aws rds create-option-group \
--option-group-name mysql-audit-options \
--engine-name mysql \
--major-engine-version 8.0 \
--option-group-description "MySQL option group with MariaDB Audit Plugin"
# Add the MariaDB Audit Plugin to the option group
aws rds add-option-to-option-group \
--option-group-name mysql-audit-options \
--options "OptionName=MARIADB_AUDIT_PLUGIN,OptionSettings=[{Name=SERVER_AUDIT_LOGGING,Value=ON},{Name=SERVER_AUDIT_EVENTS,Value=CONNECT,QUERY},{Name=SERVER_AUDIT_INCL_USERS,Value=},{Name=SERVER_AUDIT_EXCL_USERS,Value=rdsadmin}]"
# Apply the option group to your RDS instance
aws rds modify-db-instance \
--db-instance-identifier my-mysql-instance \
--option-group-name mysql-audit-options \
--apply-immediatelyThe MariaDB Audit Plugin must be configured via an Option Group, not a Parameter Group. Option groups are used for features that require plugin installation.
2. Enable CloudWatch Logs Export
Configure your RDS instance to publish audit logs to CloudWatch Logs.
# Enable CloudWatch Logs export for MySQL audit logs
aws rds modify-db-instance \
--db-instance-identifier my-mysql-instance \
--cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit","error","general","slowquery"]}'
# Create a new instance with CloudWatch logging enabled
aws rds create-db-instance \
--db-instance-identifier my-mysql-instance \
--db-instance-class db.m5.large \
--engine mysql \
--engine-version 8.0.35 \
--master-username admin \
--manage-master-user-password \
--allocated-storage 100 \
--option-group-name mysql-audit-options \
--enable-cloudwatch-logs-exports '["audit","error","general","slowquery"]'
# Disable specific log exports (if needed)
aws rds modify-db-instance \
--db-instance-identifier my-mysql-instance \
--cloudwatch-logs-export-configuration '{"DisableLogTypes":["general","slowquery"]}'CloudWatch Log Group Structure
Audit logs are published to: /aws/rds/instance/<instance-id>/audit
Other available log types: error, general,
slowquery
3. Verify Audit Plugin Status
Connect to your RDS instance and verify the MariaDB Audit Plugin is active and configured correctly.
-- Verify MariaDB Audit Plugin is installed and running
SHOW PLUGINS;
-- Look for: SERVER_AUDIT | ACTIVE | AUDIT | server_audit.so
-- Check current audit plugin settings
SHOW GLOBAL VARIABLES LIKE 'server_audit%';
-- View audit plugin status
SHOW GLOBAL STATUS LIKE 'server_audit%';
-- Common SERVER_AUDIT variables:
-- server_audit_logging = ON
-- server_audit_events = CONNECT,QUERY
-- server_audit_incl_users = (users to include, empty = all)
-- server_audit_excl_users = rdsadmin (exclude RDS admin user)
-- server_audit_query_log_limit = 1024 (max query length)
-- Note: These settings are configured via Option Groups in RDS
-- You cannot modify them directly via SQL in RDS4. Configure IAM Permissions
Grant DB Audit permission to read CloudWatch Logs and RDS log files.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:GetLogEvents",
"logs:FilterLogEvents"
],
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/rds/instance/*/audit:*",
"arn:aws:logs:*:*:log-group:/aws/rds/instance/*/error:*",
"arn:aws:logs:*:*:log-group:/aws/rds/instance/*/general:*",
"arn:aws:logs:*:*:log-group:/aws/rds/instance/*/slowquery:*"
]
},
{
"Effect": "Allow",
"Action": [
"rds:DescribeDBInstances",
"rds:DescribeDBLogFiles",
"rds:DownloadDBLogFilePortion"
],
"Resource": "*"
}
]
}If running DB Audit on EC2 or ECS, attach an IAM role instead of using access keys. This is more secure and handles credential rotation automatically.
5. Configure DB Audit for RDS MySQL
Configure DB Audit to collect logs from CloudWatch and optionally query performance_schema directly.
# DB Audit configuration for RDS MySQL via CloudWatch
databases:
- name: production-rds-mysql
type: mysql
# RDS endpoint
host: my-mysql-instance.xxxx.us-east-1.rds.amazonaws.com
port: 3306
database: your_database
username: dbaudit_reader
password: ${RDS_MYSQL_PASSWORD}
# SSL is enabled by default for RDS
ssl: true
ssl_mode: VERIFY_IDENTITY
options:
# Use CloudWatch as the log source
log_source: cloudwatch
# CloudWatch configuration
cloudwatch:
region: us-east-1
log_group: /aws/rds/instance/my-mysql-instance/audit
# AWS credentials (use IAM role if running on EC2/ECS)
# access_key_id: ${AWS_ACCESS_KEY_ID}
# secret_access_key: ${AWS_SECRET_ACCESS_KEY}
# Or use IAM role (recommended)
use_iam_role: true
# Polling interval for CloudWatch logs
polling_interval: 30
# Also query performance_schema directly for real-time data
query_performance_schema: true6. Query Audit Logs in CloudWatch
Use CloudWatch Logs Insights to analyze MySQL audit data directly in the AWS Console.
# View MySQL audit logs in CloudWatch Logs Insights
# Log group: /aws/rds/instance/<instance-id>/audit
# Query for failed login attempts
fields @timestamp, @message
| filter @message like /FAILED_CONNECT|Access denied/
| sort @timestamp desc
| limit 100
# Query for DDL operations (CREATE, DROP, ALTER)
fields @timestamp, @message
| filter @message like /,CREATE,|,DROP,|,ALTER,|,TRUNCATE,/
| sort @timestamp desc
| limit 100
# Query for specific user activity
fields @timestamp, @message
| filter @message like /,dbaudit_reader,/
| sort @timestamp desc
| limit 50
# Query for queries on sensitive tables
fields @timestamp, @message
| filter @message like /customers|credit_cards|passwords/
| sort @timestamp desc
| limit 100
# Parse audit log fields (CSV format)
fields @timestamp, @message
| parse @message "*,*,*,*,*,*,*,*,*" as timestamp, serverhost, username, host, connectionid, queryid, operation, database, object
| filter operation = "QUERY"
| sort @timestamp desc
| limit 50RDS MySQL Audit Log Retention
RDS Instance Storage
Audit logs are retained on the RDS instance for 7 days by default. Older logs are automatically deleted.
CloudWatch Logs
Configure retention in CloudWatch (1 day to 10 years). Set based on your compliance requirements.
MariaDB Audit Plugin logs are in CSV format with fields: timestamp, serverhost, username, host, connectionid, queryid, operation, database, object, retcode. DB Audit automatically parses this format for analysis and alerting.
Compliance Support
DB Audit's MySQL connector helps you meet audit requirements for major compliance frameworks.
Troubleshooting
Connection refused
Check that MySQL is accepting connections on the configured host and port. Verify bind-address in my.cnf allows connections from the collector's IP address.
Access denied for user
Verify the username and password are correct. Check that the user was created with the correct host pattern (e.g., 'user'@'%' for any host).
SSL connection error
If the server requires SSL, ensure ssl: true is set in your configuration and the correct certificates are provided. Verify certificate permissions are set to 600.
Permission denied for performance_schema
Grant SELECT on performance_schema.* to your audit user. Ensure performance_schema is enabled in my.cnf (performance_schema=ON).
Ready to Audit Your MySQL Database?
Start monitoring your MySQL databases in minutes. No agents to install on your database servers.