Merge pull request #694 from percona/ps-alf-8.4

Update the audit log filter 8.4

Author: patrickbirch

docs/audit-log-filter-formats.md

@@ -2,7 +2,7 @@
 
 When an auditable event occurs, the component writes a record to the log file.
 
-After the component starts, the first record lists the description of the server and the options at startup. After the first record, the auditable events are connections, disconnections, SQL statements executed, and so on. Statements within stored procedures or triggers are not logged, only the top-level statements.
+After the component starts, the first record marks audit logging start. With `audit_log_filter.format=NEW`, from Percona Server for MySQL 8.4.8-8 onward on the {{vers}} line (this docs build: {{release}}), that record’s `<NAME>` is `Startup` and the record includes `SERVER_ID` and `COMMAND_CLASS` (among the mandatory elements). Later records cover connections, disconnections, SQL statements executed, and so on. Statements within stored procedures or triggers are not logged, only the top-level statements. See [XML (new style)](audit-log-filter-new.md) for the full field list.
 
 If files are referenced by `LOAD_DATA`, the contents are not logged.
 

docs/audit-log-filter-new.md

@@ -1,47 +1,69 @@
 # Audit Log Filter format - XML (new style)
 
-The filter writes the audit log filter file in XML. The XML file uses 
-UTF-8.
+Starting with Percona Server for MySQL 8.4.8-8 on the {{vers}} line, the following describes new-style XML (`audit_log_filter.format=NEW`) from the Audit Log Filter component: element names, typical fields, and formatter behavior were aligned to the server for that release. This documentation build targets {{release}} (bump on each publish). If you run an older {{vers}} build than 8.4.8-8, verify against your own audit log in case output differs. Implementation reference: `components/audit_log_filter/log_record_formatter/new.cc` and `base.cc`.
 
-The <AUDIT> is the root element and this element contains 
-&lt;AUDIT_RECORD&gt; elements. Each &lt;AUDIT_RECORD&gt; element contains specific 
-information about an event that is audited. 
+The Audit Log Filter component can write the audit log file as new-style XML
+(`audit_log_filter.format=NEW`). The file uses UTF-8.
 
-For each new file, the Audit Log Filter component writes the XML 
-declaration and the root element tag. The component writes the closing 
-</AUDIT> root element when closing the file. If the file is open, this 
-closing element is not available.
+The root element is `<AUDIT>`. It contains `<AUDIT_RECORD>` elements. Each
+`<AUDIT_RECORD>` describes one audited event.
 
-```xml
+For each new file, the component writes the XML declaration and the opening
+`<AUDIT>` tag. When the file is closed, the component writes the closing
+`</AUDIT>` tag. If the file is still open, that closing tag is not present yet.
+
+Element order inside `<AUDIT_RECORD>` is not guaranteed (the writer may
+emit fields in a fixed order in practice, but consumers should not depend on it).
+
+Timestamps use the server local time zone, in `YYYY-MM-DDTHH:MM:SS`
+form. They do not append a ` UTC` suffix to the timestamp string.
+
+!!! note "NEW XML behavior (from 8.4.8-8, docs {{release}})"
+
+    Audit logging on/off is recorded with `<NAME>` values `Startup` and
+    `Shutdown`. The NEW formatter does not emit `STATUS_CODE`, and
+    does not write `VERSION`, `STARTUP_OPTIONS`, `MYSQL_VERSION`, or
+    `OS_VERSION` on the startup or shutdown audit record. Disconnect events
+    use the name `Disconnect`.
+
+## Example (illustrative)
 
+The snippet below shows the shape of several record types. Exact sets of
+elements depend on the event, filters, and server configuration.
+
+```xml
 <?xml version="1.0" encoding="utf-8"?>
 <AUDIT>
     <AUDIT_RECORD>
-        <NAME>Audit</NAME>
+        <NAME>Startup</NAME>
         <RECORD_ID>0_2023-03-29T11:11:43</RECORD_ID>
         <TIMESTAMP>2023-03-29T11:11:43</TIMESTAMP>
+        <COMMAND_CLASS>Audit</COMMAND_CLASS>
         <SERVER_ID>1</SERVER_ID>
     </AUDIT_RECORD>
     <AUDIT_RECORD>
-        <NAME>Command Start</NAME>
-        <RECORD_ID>1_2023-03-29T11:11:45</RECORD_ID>
-        <TIMESTAMP>2023-03-29T11:11:45</TIMESTAMP>
+        <NAME>Connect</NAME>
+        <RECORD_ID>1_2023-03-29T11:11:44</RECORD_ID>
+        <TIMESTAMP>2023-03-29T11:11:44</TIMESTAMP>
+        <COMMAND_CLASS>Connection</COMMAND_CLASS>
+        <CONNECTION_ID>11</CONNECTION_ID>
+        <HOST>localhost</HOST>
+        <IP>127.0.0.1</IP>
+        <USER>root</USER>
+        <OS_LOGIN></OS_LOGIN>
+        <PRIV_USER>root</PRIV_USER>
+        <PROXY_USER></PROXY_USER>
+        <DB>test</DB>
         <STATUS>0</STATUS>
-        <CONNECTION_ID>1</CONNECTION_ID>
-        <COMMAND_CLASS>query</COMMAND_CLASS>
+        <CONNECTION_TYPE>TCP/IP</CONNECTION_TYPE>
     </AUDIT_RECORD>
     <AUDIT_RECORD>
-        <NAME>Query</NAME>
+        <NAME>Command Start</NAME>
         <RECORD_ID>2_2023-03-29T11:11:45</RECORD_ID>
         <TIMESTAMP>2023-03-29T11:11:45</TIMESTAMP>
-        <COMMAND_CLASS>create_table</COMMAND_CLASS>
-        <CONNECTION_ID>11</CONNECTION_ID>
-        <HOST>localhost</HOST>
-        <IP></IP>
-        <USER>root[root] @ localhost []</USER>
-        <OS_LOGIN></OS_LOGIN>
-        <SQLTEXT>CREATE TABLE t1 (c1 INT)</SQLTEXT>
         <STATUS>0</STATUS>
+        <CONNECTION_ID>1</CONNECTION_ID>
+        <COMMAND_CLASS>query</COMMAND_CLASS>
     </AUDIT_RECORD>
     <AUDIT_RECORD>
         <NAME>Query Start</NAME>
@@ -53,17 +75,13 @@ closing element is not available.
         <SQLTEXT>CREATE TABLE t1 (c1 INT)</SQLTEXT>
     </AUDIT_RECORD>
     <AUDIT_RECORD>
-        <NAME>Query</NAME>
+        <NAME>Query Status End</NAME>
         <RECORD_ID>4_2023-03-29T11:11:45</RECORD_ID>
         <TIMESTAMP>2023-03-29T11:11:45</TIMESTAMP>
-        <COMMAND_CLASS>create_table</COMMAND_CLASS>
+        <STATUS>0</STATUS>
         <CONNECTION_ID>11</CONNECTION_ID>
-        <HOST>localhost</HOST>
-        <IP></IP>
-        <USER>root[root] @ localhost []</USER>
-        <OS_LOGIN></OS_LOGIN>
+        <COMMAND_CLASS>create_table</COMMAND_CLASS>
         <SQLTEXT>CREATE TABLE t1 (c1 INT)</SQLTEXT>
-        <STATUS>0</STATUS>
     </AUDIT_RECORD>
     <AUDIT_RECORD>
         <NAME>Command End</NAME>
@@ -73,40 +91,81 @@ closing element is not available.
         <CONNECTION_ID>1</CONNECTION_ID>
         <COMMAND_CLASS>query</COMMAND_CLASS>
     </AUDIT_RECORD>
+    <AUDIT_RECORD>
+        <NAME>Disconnect</NAME>
+        <RECORD_ID>6_2023-03-29T11:11:50</RECORD_ID>
+        <TIMESTAMP>2023-03-29T11:11:50</TIMESTAMP>
+        <COMMAND_CLASS>Connection</COMMAND_CLASS>
+        <CONNECTION_ID>11</CONNECTION_ID>
+        <HOST>localhost</HOST>
+        <IP>127.0.0.1</IP>
+        <USER>root</USER>
+        <OS_LOGIN></OS_LOGIN>
+        <PRIV_USER>root</PRIV_USER>
+        <PROXY_USER></PROXY_USER>
+        <DB>test</DB>
+        <STATUS>0</STATUS>
+        <CONNECTION_TYPE>TCP/IP</CONNECTION_TYPE>
+    </AUDIT_RECORD>
+    <AUDIT_RECORD>
+        <NAME>Shutdown</NAME>
+        <RECORD_ID>7_2023-03-29T11:12:00</RECORD_ID>
+        <TIMESTAMP>2023-03-29T11:12:00</TIMESTAMP>
+        <COMMAND_CLASS>Audit</COMMAND_CLASS>
+        <SERVER_ID>1</SERVER_ID>
+    </AUDIT_RECORD>
 </AUDIT>
 ```
 
-The order of the attributes within an &lt;AUDIT_RECORD&gt; can vary. Certain attributes are in every element. Other attributes are optional and depend on the type of audit record.
-
-The attributes in every element are the following:
-
-| Attribute Name | Description                                                                                                                                            |
-| -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| `<NAME>`       | The action that generated the audit record.                                                                                                            |
-| `<RECORD_ID>`  | The `<RECORD_ID>` consists of a sequence number and a timestamp value. The sequence number is initialized when the component opens the audit log filter file. |
-| `<TIMESTAMP>`  | Displays the date and time when the audit event happened.                                                                                              |
-
-The optional attributes are the following:
-
-| Attribute Name          | Description            |
-| ----------------------- | ---------------------- |
-| `<COMMAND_CLASS>`       | Contains the type of performed action.                                                         |
-| `<CONNECTION_ID>`       | Contains the client connection identifier.                                                     |
-| `<CONNECTION_ATTRIBUTES>`| Contains the client connection attributes. Each attribute has a `<NAME>` and `<VALUE>` pair.  |
-| `<CONNECTION_TYPE>`     | Contains the type of connection security.                                                      |
-| `<DB>`                  | Contains the database name.                                                                    |
-| `<HOST>`                | Contains the client's hostname.                                                                |
-| `<IP>`                  | Contains the client's IP address.                                                              |
-| `<MYSQL_VERSION>`       | Contains the MySQL server version.                                                             |
-| `<OS_LOGIN>`            | Contains the user name used during an external authentication, for example, if the user is authenticated through an LDAP component. If the authentication component does not set a value or the user is authenticated using MySQL authentication, this value is empty.               |
-| `<OS_VERSION>`          | Contains the server's operating system.                                                        |
-| `<PRIV_USER>`           | Contains the user name used by the server when checking privileges. This name may be different than `<USER>`.     |
-| `<PROXY_USER>`          | Contains the proxy user. If a proxy is not used, the value is empty.                           |
-| `<SERVER_ID>`           | Contains the server ID.                                                                        |
-| `<SQLTEXT>`             | Contains the text of the SQL statement.                                                        |
-| `<STARTUP_OPTIONS>`     | Contains the startup options. These options may be provided by the command line or files.      |
-| `<STATUS>`              | Contains the status of a command. A 0 (zero) is a success. A nonzero value is an error.        |
-| `<STATUS_CODE>`         | Contains the status of a command, which either succeeds (0) or an error occurred (1).          |
-| `<TABLE>`               | Contains the table name.                                                                       |
-| `<USER>`                | Contains the user name from the client. This name may be different than `<PRIV_USER>`.         |
-| `<VERSION>`             | Contains the audit log filter format.                                                          |
+Query-class events (`Query Start`, `Query Status End`, nested variants, and
+so on) include `STATUS`, `CONNECTION_ID`, `COMMAND_CLASS` (SQL
+command name from the event), and often `SQLTEXT` (or digest text from
+extended info). They do not include `HOST`, `IP`, `USER`, or
+`OS_LOGIN` in NEW XML from 8.4.8-8 onward—those appear on connection
+records (and on general records, which use subclasses such as `Log`,
+`Error`, `Result`, `Status`, not the string `Query`).
+
+Connection records use `COMMAND_CLASS` with the value `Connection`
+(the event class label).
+
+If the client supplies connection attributes and the event carries them,
+`CONNECTION_ATTRIBUTES` holds one `ATTRIBUTE` per attribute, each with a
+`NAME` and `VALUE` child element.
+
+## Mandatory elements
+
+These appear on every `<AUDIT_RECORD>` in this format:
+
+| Element | Description |
+| --- | --- |
+| `<NAME>` | Event subclass string (for example `Startup`, `Connect`, `Query Start`, `TableRead`). |
+| `<RECORD_ID>` | Sequence number and timestamp (see [`audit_log_filter` file handling](reading-audit-log-filter-files.md)); format `SEQ_TIMESTAMP` where the timestamp part matches the formatter’s timestamp string. |
+| `<TIMESTAMP>` | Local date and time for the event. |
+
+## Optional elements (by record category)
+
+Many elements appear only for specific event classes. The following table lists
+elements used by the NEW XML formatter from Percona Server for MySQL 8.4.8-8 onward for at least one
+event type. It is not a promise that every field appears in every record.
+
+| Element | Description |
+| --- | --- |
+| `<COMMAND_CLASS>` | Meaning depends on the record: connection events use `Connection`; table-access events use `Table Access`; command events use the `COM_*` command text (`query`, and so on); query events use the SQL command name (for example `select`, `create_table`); general events use `General`. |
+| `<CONNECTION_ID>` | Client connection ID. |
+| `<CONNECTION_ATTRIBUTES>` | Nested `ATTRIBUTE` elements, each with `NAME` and `VALUE`. Omitted if there are no attributes. |
+| `<CONNECTION_TYPE>` | Connection security / transport (for example `TCP/IP`, `SSL`, `Socket`). |
+| `<STATUS>` | Status code for the event (for `Query` / `Command` / connection records, `0` success and non-zero for failure where applicable). |
+| `<SQLTEXT>` | Statement or digest text when the event carries SQL text. |
+| `<HOST>`, `<IP>`, `<USER>` | Client context on connection and general records (and on authentication records where applicable). Not emitted on `Query Start` / `Query Status End` style records in NEW XML. |
+| `<OS_LOGIN>` | External user from authentication (`external_user`); on connection records from 8.4.8-8 onward (documented behavior). |
+| `<PRIV_USER>`, `<PROXY_USER>`, `<DB>` | Included on connection records (including disconnect) from 8.4.8-8 onward (documented behavior). |
+| `<SERVER_ID>` | On `Startup`, `Shutdown`, and similar audit records. |
+| `<DB>`, `<TABLE>` | Database and table name on table-access records (`TableRead`, `TableInsert`, …). |
+| `<VARIABLE_NAME>`, `<VARIABLE_VALUE>` | Global variable audit events. |
+| `<STORED_PROGRAM>` | Stored program events (`DB` also appears). |
+| `<FLAGS>`, `<REWRITTEN_QUERY>` | Parse events (`SQLTEXT` may appear). |
+| `<COMPONENT>`, `<PRODUCER>`, `<MESSAGE>`, `<MESSAGE_ATTRIBUTES>` | Message events (attributes use the same `ATTRIBUTE` / `NAME` / `VALUE` pattern as connection attributes). |
+
+Characters such as `<`, `>`, `&`, and `"` in element text are XML-escaped by
+the component. Very long values may be truncated according to server-side
+limits.

docs/audit-log-filter-overview.md

@@ -4,6 +4,8 @@ The Audit Log Filter component allows you to monitor, log, and block a connectio
 
 Enabling the component produces a log file that contains a record of server activity. The log file has information on connections and databases accessed by that connection. 
 
+Set [`audit_log_filter.format`](audit-log-filter-variables.md#audit_log_filterformat) at startup to choose NEW (default), OLD, or JSON output. For new-style XML, the description in this documentation is aligned to the server from Percona Server for MySQL 8.4.8-8 onward on the {{vers}} line (this docs build: {{release}})—for example audit logging on/off uses `Startup` / `Shutdown`, disconnect events use `Disconnect`, and the NEW formatter does not emit `STATUS_CODE` or fields such as `VERSION`, `STARTUP_OPTIONS`, `MYSQL_VERSION`, and `OS_VERSION` on the audit lifecycle records. See [Audit Log Filter file format overview](audit-log-filter-formats.md) and [XML (new style)](audit-log-filter-new.md).
+
 The component uses the `mysql` system database to store filter and user account data. Set the [`audit_log_filter.database`](audit-log-filter-variables.md#audit_log_filterdatabase) variable at server startup to select a different database.
 
 The `AUDIT_ADMIN` privilege is required to enable users to manage the Audit Log Filter component.

docs/filter-audit-log-filter-files.md

@@ -7,6 +7,10 @@ The audit filter log filtering is based on rules. The filter rule definition has
 * Audit event subclass
 * Audit event fields (for example, `COMMAND_CLASS` or `STATUS`)
 
+From Percona Server for MySQL 8.4.8-8: The NEW XML formatter (`audit_log_filter.format=NEW`) behavior described here—including which `<NAME>` strings and child elements appear in each `<AUDIT_RECORD>`—was verified for that release on the {{vers}} line. This documentation build is {{release}}. If your server predates 8.4.8-8, or you use a build whose audit code differs, compare against a real log from your server.
+
+When you inspect new-style XML logs for that line of releases, expect values such as `Startup`, `Shutdown`, `Disconnect`, `Query Start`, `Query Status End`, and `Connection` as the `COMMAND_CLASS` on connect and disconnect. For the full field list per event type, see [XML (new style)](audit-log-filter-new.md).
+
 You can define multiple filters and assign any filter to multiple accounts. You can also create a default filter for specific user accounts. The filters are defined using function calls. After the filter is defined, the filter is stored in `mysql` system tables. 
 
 ## Audit Log Filter functions