1.存在問題
近日發現某庫錯誤日志里產生大量日志輸出,經分析是數據庫的InnoDB監控被莫名開啟后未及時關閉引起的,影響日志記錄和數據庫性能。查看innodb_status_output和innodb_status_output_locks狀態均為ON。
mysql>??show?variables?like"innodb_status_output%"; +----------------------------+-------+ |?Variable_name??????????????|?Value?| +----------------------------+-------+ |?innodb_status_output???????|?ON?| |?innodb_status_output_locks|?ON??| +----------------------------+-------+ 2?rows?in?set?(0.00?sec)
2. InnoDB監控相關的兩個參數
?? ? ? ?InnoDB有四種監控類型,包括StandardMonitor、LockMonitor、TablespaceMonitor、TableMonitor,其中后面兩類監控在5.7版本中被移除,移除后通過information_schema的表獲取。Standard Monitor監視活動事務持有的表鎖、行鎖,事務鎖等待,線程信號量等待,文件IO請求,buffer pool統計信息,InnoDB主線程purge和change buffer merge活動;Lock Monitor提供額外的鎖信息。???
InnoDB的monitor只在需要的時候開啟,它會造成性能開銷,觀察結束后切記關閉監控。
??? ? ?StandardMonitor開啟關閉方法如下,innodb_status_output參數就是用來控制InnoDB的monitor開啟或關閉的。這種開啟方法會將監控結果輸出到數據目錄下的MySQL錯誤日志中,每隔15秒產生一次輸出,這也就是發現錯誤日志下產生大量輸出的原因。
????????set?GLOBAL?innodb_status_output=ON/OFF;
??? ? ? Lock Monitor開啟關閉方法如下,注意開啟前必須先開啟innodb_status_output,而關閉時只需要直接關閉innodb_status_output_locks,如果關閉了innodb_status_output,那么Standard Monitor也會被一同關閉。
???set?GLOBALinnodb_status_output=ON; ????????set?GLOBAL?innodb_status_output_locks=ON;
3.安全審計日志追溯分析
上述莫名開啟操作考慮通過安全審計日志來追溯,安全審計日志樣例字段分析如下:
<audit_record> ?<name>Query</name> ?<record>12050XXXXX_2016-08-08T08:07:52</record> ?<timestamp>2016-09-17T06:10:40?UTC</timestamp> ?<command_class>select</command_class> ?<connection_id>1618XXX</connection_id> ?<status>0</status> ?<sqltext>select?1</sqltext> ??<user>XX[XX]@??[172.XX.XX.XXX]</user> ?<host></host> ?<os_user></os_user> ?<ip>172.XX.XX.XXX?</ip></audit_record>
上述日志按官網文檔解析如下:
<name>A?string?representing?the?typeof?instruction?that?generated?the?audit?event,?such?as?a?command?that?theserver?received?from?a?client.操作類型; <record_id>A?unique?identifier?forthe?audit?record.?The?value?is?composed?from?a?sequence?number?and?timestamp,in?the?format?SEQ_TIMESTAMP.? The?sequence?number?is?initialized?to?the?size?ofthe?audit?log?file?at?the?time?the?audit?log?plugin?opens?it?and?increments?by1?for?each?record?logged.? The?timestamp?is?a?UTC?value?in?yyyy-mm-ddThh:mm:ss?formatindicating?the?time?when?the?audit?log?plugin?opened?the?file.記錄ID; <timestamp>The?date?and?time?that?theaudit?event?was?generated.?For?example,?the?event?corresponding?to?execution?ofan?SQL?statement? received?from?a?client?has?a?<timestamp>?value?occurringafter?the?statement?finishes,?not?when?it?is?received.?The?value?has?the?formatyyyy-mm-ddThh:mm:ss? UTC?(with?T,?no?decimals).?The?format?includes?a?time?zonespecifier?at?the?end.?The?time?zone?is?always?UTC.語句執行完成的時間; <command_class>A?string?thatindicates?the?type?of?action?performed.操作指令類型; <connection_id>An?unsigned?integerrepresenting?the?client?connection?identifier.? This?is?the?same?as?theCONNECTION_ID()function?value?within?the?session;會話連接ID; <status>An?unsigned?integerrepresenting?the?command?status:?0?for?success,?nonzero?if?an?error?occurred.This?is?the?same?as?the?value?of?the?mysql_errno()C? API?function.0代表成功,非0代表對應錯誤碼; <sqltext>A?string?representing?thetext?of?an?SQL?statement.?The?value?can?be?empty.?Long?values?may?be?truncated.This?element?appears?only?if?the?<name>? value?is?Query?or?Execute.執行的SQL語句; 等等</name></sqltext></status></connection_id></command_class></timestamp></timestamp></record_id></name>
?? ??理解上述參數含義后,便可從安全審計日志中grep對應的關鍵字“innodb_status_output”及其上下文日志內容,格式內容同上,再根據上述解析分析可以審計出做這個莫名操作的帳號,操作時間,操作來源IP地址等信息,實現異常問題的可追溯。
4.小結
(1)?InnoDB的monitor只在需要的時候開啟,觀察結束后及時關閉,因為它會影響數據庫性能和日志輸出;
(2)類似異常操作可通過安全審計日志追溯,安全審計日志的記錄時效需要在有效范圍內,須平衡存儲空間和記錄時效;
(3)更重要的事,需要注意Audit Log Logging Control以及賬戶權限管理控制。
以上就是InnoDB monitor被莫名開啟的問題分析的內容,更多相關內容請關注PHP中文網(www.php.cn)!
