PS-10191 [DOCS] - Update Audit Log Filter installation instructions for 8.0

patrickbirch · patrickbirch · commit 5196db238b0d · 2025-09-22T05:15:33.000-05:00
On branch ps-10191-8.0
	modified:   docs/install-audit-log-filter.md
diff --git a/docs/install-audit-log-filter.md b/docs/install-audit-log-filter.md
@@ -1,40 +1,226 @@
-# Install the Audit Log Filter
+# Install the Audit Log Filter 
 
-The `plugin_dir` system variable defines the plugin library location. If needed, at server startup, set the `plugin_dir` variable.
+## Table of contents  
 
-When upgrading a MySQL installation, plugins are not automatically upgraded. You may need to manually load the plugin after the MySQL upgrade.
+1. [Prerequisites](#prerequisites)  
+2. [Find the plugin directory](#find-the-plugin-directory)  
+3. [Load the plugin](#load-the-plugin)  
+4. [Run the installation script](#run-the-installation-script)  
+5. [Select a storage database (optional)](#select-a-storage-database-optional)  
+6. [Verify the installation](#verify-the-installation)  
+7. [Post‑installation configuration](#post‑installation-configuration)  
+8. [Common problems & troubleshooting](#common-problems--troubleshooting)  
+9. [References](#references)  
 
-In the `share` directory, locate the `audit_log_filter_linux_install.sql `script.
+---  
 
-Implemented in 8.0.34, at the time you run the script, you can select the database used to store the JSON filter tables. 
+## Prerequisites  
 
-* If the plugin is loaded, the installation script takes the database name from the `audit_log_filter_database` variable
-* If the plugin is not loaded, but passes the `-D db_name` to the mysql client when the installation script runs, uses the `db_name`.
-* If the plugin is not loaded and the `-D` option is not provided, the installation script creates the required tables in the default database name `mysql`.
+| Requirement | Details |
+|-------------|---------|
+| Percona Server version | 8.0.34‑26 or later – the first release that ships the Audit Log Filter plugin. |
+| Package manager | Debian/Ubuntu (APT) or RHEL/CentOS/Fedora (YUM/DNF). |
+| Root / sudo | Needed to edit the server’s configuration file and restart the service. |
+| Backup | Take a logical dump (`mysqldump`) before changing plugins or system variables. |
+| MySQL privileges | The account used for the steps must have `SUPER` (or `SYSTEM_VARIABLES_ADMIN` in newer releases) to set global variables and install plugins. |
+| Filesystem layout | Know where the server’s `plugin_dir` lives (default paths are listed below). |
 
-You can also designate a different database with the `audit_log_filter_database` system variable. The database name cannot be NULL or exceed 64 characters. If the database name is invalid, the audit log filter tables are not found.
+---  
 
-With 8.0.34 and higher, use this command:
+## Find the plugin directory  
 
+The binary for the filter plugin (`audit_log_filter.so`) resides in the directory referenced by the `plugin_dir` system variable.
 
-```{.bash data-prompt="$"}
-$ mysql -u -D database -p < audit_log_filter_linux_install.sql
+```sql
+mysql> SELECT @@plugin_dir;
++--------------------------+
+| @@plugin_dir             |
++--------------------------+
+| /usr/lib/mysql/plugin/   |
++--------------------------+
 ```
 
-To verify the plugin installation, run the following command:
+If you installed Percona Server from a package manager, the default locations are:
 
-```{.bash data-prompt="mysql>"}
-mysql> SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'audit%';
+Distribution	Default plugin_dir
+Debian / Ubuntu (APT)	/usr/lib/mysql/plugin/
+RHEL / CentOS / Fedora (YUM / DNF)	/usr/lib64/mysql/plugin/
+If you need a custom location, add or modify the variable in the server’s config file:
+
+Debian/Ubuntu – edit /etc/mysql/percona-server.conf.d/mysqld.cnf (or /etc/mysql/my.cnf).
+RHEL/CentOS/Fedora – edit /etc/my.cnf.d/server.cnf (or /etc/my.cnf).
+
+```ini
+[mysqld]
+plugin_dir=/opt/percona/plugins
+```
+
+!!! note
+
+    After changing `my.cnf` you must restart the MySQL service for the new `plugin_dir` to take effect.
+
+### Load the plugin
+
+You can load the plugin dynamically (while the server is running) or statically (automatically at startup).
+
+1. Dynamic (runtime) load
+
+```sql
+-- Requires SYSTEM_VARIABLES_ADMIN (or SESSION_VARIABLES_ADMIN for a temporary load)
+mysql> INSTALL PLUGIN audit_log_filter SONAME 'audit_log_filter.so';
+```
+
+Verify:
+
+```sql
+mysql> SHOW PLUGINS LIKE 'audit_log_filter';
+```
+
+2. Static (startup) load
+Add the following line to the same [mysqld] section you edited above and restart the service:
+
+```ini
+[mysqld]
+plugin_load_add=audit_log_filter.so
+```
+Restart the server:
+
+Debian/Ubuntu
+
+```bash
+$ sudo systemctl restart mysql
 ```
 
-??? example "Expected output"
+RHEL/CentOS/Fedora
+
+```bash
+$ sudo systemctl restart mysqld
+```
+Confirm the plugin is active:
+
+```sql
+mysql> SELECT PLUGIN_NAME, PLUGIN_STATUS
+FROM information_schema.PLUGINS
+WHERE PLUGIN_NAME='audit_log_filter';
+```
+
+`PLUGIN_STATUS` should be `ACTIVE`.
+
+
+### Run the installation script
+
+Percona ships an SQL script that creates the internal database and tables used by the filter.
+
+```bash
+# The script is installed with the package, usually under /usr/share/percona-server/
+$ cd /usr/share/percona-server/
+sudo mysql -u root -p < audit_log_filter_linux_install.sql
+```
+
+What the script does:
+
+Creates the `audit_log_filter` database (or the database you later specify with `audit_log_filter_database`).
+
+Creates the `rules` and `users` tables that store filter definitions and user‑filter assignments.
+
+Registers built‑in UDFs (`audit_log_filter_set_filter()`, `audit_log_filter_set_user()`, …).
+
+If you prefer a different database name, you can create it yourself and then set the variable before the plugin is loaded (see the next section).
+
+Select a storage database (optional)
+By default the plugin uses the mysql system database. To store the filter tables elsewhere, set the global variable `audit_log_filter_database` before the plugin is loaded.
+
+```sql
+SET GLOBAL audit_log_filter_database='my_audit_db';
+```
+
+or add it to the config file:
+
+```ini
+[mysqld]
+audit_log_filter_database=my_audit_db
+```
+
+Important: The database name cannot be `NULL` and must be ≤ 64 characters. If the name is invalid, the plugin falls back to the default `mysql` database and logs a warning.
+
+After setting the variable, restart the service (or reload the plugin) so the new database is used.
+
+### Verify the installation
+
+Check the plugin is active
+
+```sql
+$ SHOW PLUGINS LIKE 'audit_log_filter';
+```
+
+Expected output:
+
+Plugin_name	Plugin_status
+audit_log_filter	ACTIVE
+
+
+Confirm the filter tables exist
+
+```sql
+mysql> USE audit_log_filter;   -- or the database you chose
+mysql> SHOW TABLES;
+```
+
+You should see at least `rules` and `users`.
+
+Enable the filter engine
+
+```
+mysql> SET GLOBAL audit_log_filter_enable = ON;
+```
+
+Verify:
+
+```sql
+mysql> SELECT @@audit_log_filter_enable;
+```
+
+Result should be ON.
+
+(Optional) Test a simple rule
+
+```sql
+mysql> INSERT INTO audit_log_filter.rules
+  (rule_name, priority, filter_expression, action)
+VALUES
+  ('test_log_all', 10, 'TRUE', 'LOG');
+
+
+mysql> SELECT * FROM audit_log_filter.rules;
+```
+
+Seeing the rule confirms that the tables are writable and the plugin is functional.
+
+Post‑installation configuration
+
+| Variable                        | Default        | Typical setting     | Description                                                                 |
+|:--------------------------------|---------------:|--------------------:|:----------------------------------------------------------------------------|
+| audit_log_filter_enable         | OFF            | ON                  | Turns the filter engine on/off.                                             |
+| audit_log_filter_mode           | ALLOW          | ALLOW or DENY       | Determines whether rules act as a whitelist (ALLOW) or blacklist (DENY).    |
+| audit_log_filter_rotate_on_size |             1G |        1G (or larger) | Size at which the filter log file rotates automatically.                    |
+| audit_log_filter_max_size       | 0 (no limit)   |         10G (example) | Upper bound for total log-file storage; set > 0 to enable pruning.          |
+| audit_log_filter_prune_seconds  |              0 |          86400 (1 day) | Age-based pruning interval, if desired.                                     |
+
+Adjust these variables in the same [mysqld] section of your config file and restart the service (or set them dynamically with ``SET GLOBAL …`) for the changes to take effect.
 
-    ```text
-    +--------------------+---------------+
-    | PLUGIN_NAME        | PLUGIN_STATUS |
-    +--------------------+---------------+
-    | audit_log_filter   | ACTIVE        |
-    +--------------------+---------------+
-    ```
+Common problems & troubleshooting
+Symptom	Likely cause	Fix
+ERROR 1129 (HY000): Can't open shared library	plugin_dir points to the wrong location or the .so file is missing.	Verify @@plugin_dir and ensure audit_log_filter.so exists there (ls $plugin_dir).
+Installation script reports “Access denied”	The MySQL account lacks CREATE DATABASE/CREATE TABLE privileges.	Run the script as root (or grant the needed privileges temporarily).
+No audit entries appear	audit_log_filter_enable is still OFF or audit_log_policy excludes FILTER events.	SET GLOBAL audit_log_filter_enable=ON; and ensure audit_log_policy includes FILTER.
+ABORT rules block admin accounts	The admin user does not have the AUDIT_ADMIN privilege.	GRANT AUDIT_ADMIN TO 'admin'@'%';
+Log rotation never occurs	audit_log_filter_rotate_on_size is set to 0.	Set a non‑zero size (e.g., 1G).
+Plugin loads but tables are missing	The installation script was not executed after the plugin was loaded.	Rerun audit_log_filter_linux_install.sql (or create the tables manually).
+For deeper log‑file management, see [Manage the Audit Log Filter files].
 
-After the installation, you can use the `--audit_log_filter` option when restarting the server. To prevent the server from not running the plugin use `--audit_log_filter` with either the `FORCE` or the `FORCE_PLUS_PERMANENT` values.
+References
+Audit Log Filter Overview – https://docs.percona.com/percona-server/8.0/audit-log-filter-overview.html
+Audit Log Filter Variables & Functions – https://docs.percona.com/percona-server/8.0/audit-log-filter-variables.html
+Create and Manage Filter Rules – (link to the rules guide when available)
+General Percona Server Installation (Linux) – https://docs.percona.com/percona-server/8.0/installation.html
+Document last updated: 22 Sep 2025
