Comparison of Open‑Source MySQL Audit Plugins: MariaDB, Percona, and McAfee

The audit function of a database records user operations for later query, analysis, and troubleshooting. This article surveys open‑source audit plugins and introduces their installation and usage.

Audit Overview

MySQL’s built‑in general log captures every statement, leading to massive useless data, I/O overhead under high concurrency, and uncontrolled log growth without rotation.

The binary log (binlog) records all data‑modifying actions but lacks connection‑user information; correlating thread IDs with process IDs can recover user details, though it requires extra configuration such as init_connect and a dedicated connection‑info table.

Using a custom access_log table introduces problems: all users need write permission, manual maintenance, no super‑user logging, and binlog‑related limitations.

MariaDB Audit Plugin

Supported versions: MySQL 5.7 and below.

Installation steps:

Install the plugin.

Configure the plugin (see image).

Load the plugin in MySQL 5.7.

Handle loading issues in MySQL 8.0.

Relevant parameters and audit events are shown in the accompanying screenshots.

Percona Audit Plugin

Supported versions: Percona Server 8.0.19 (based on MySQL 8.0).

Installation steps: the plugin is bundled, only configuration is required.

Key parameters include audit_log_format (OLD, NEW, JSON) and audit_log_exclude/include_commands for fine‑grained control. Example log entries (JSON and CSV) are:

{"audit_record":{"name":"Query","record":"4082_2020-05-07T03:28:39","timestamp":"2020-05-07T03:30:42Z","command_class":"insert","connection_id":"8","status":1136,"sqltext":"insert into t1 values(0)","user":"root[root]@localhost []","host":"localhost","os_user":"","ip":"","db":""}}

"Query","49284_2014-08-27T10:47:11","2014-08-27T10:47:23 UTC","show_databases","37",0,"show databases","root[root]@localhost []","localhost","",""

Other parameters such as audit_log_strategy (ASYNCHRONOUS, PERFORMANCE, SEMISYNCHRONOUS, SYNCHRONOUS) control flushing behavior.

McAfee Audit Plugin

Supported versions: MySQL 5.7 and below.

Installation steps: install the plugin, configure it, and load it for both MySQL 5.7 and 8.0 (see images).

Example activity logs (JSON) are:

{"msg-type":"activity","date":"1588835829430","thread-id":"7","query-id":"30","user":"msandbox","priv_user":"msandbox","ip":"127.0.0.1","host":"localhost","connect_attrs":{"_os":"linux-glibc2.12","_client_name":"libmysql","_pid":"18280","_client_version":"5.7.25","_platform":"x86_64","program_name":"mysql"},"rows":"5","status":"0","cmd":"show_databases","objects":[{"db":"information_schema","name":"/home/vicigel/sandboxes/msb_5_7_25_1/tmp/#sql_3b49_0","obj_type":"TABLE"}],"query":"show databases"}

Comparison

Audit granularity: Percona and McAfee allow command‑level control, while MariaDB only supports event‑level control (Percona = McAfee > MariaDB).

Log format: Only Percona supports selectable formats (JSON, OLD, NEW); McAfee and MariaDB have fixed formats (Percona > McAfee = MariaDB).

Performance impact: Percona offers configurable strategies, McAfee provides a sync option, MariaDB lacks such controls (Percona > McAfee > MariaDB).

Overall, the Percona audit plugin is the most feature‑rich, followed by McAfee, with MariaDB trailing.

References

https://mariadb.com/kb/en/mariadb-audit-plugin/

https://www.percona.com/doc/percona-server/LATEST/management/audit_log_plugin.html

https://github.com/mcafee/mysql-audit/wiki/Configuration