mysql - AWS Aurora 仅在登录失败时将换行符记录到错误日志中

Question

还有其他人遇到这个问题吗？

我已启用 Cloudwatch 日志记录并将发布切换为打开以获取一般日志、审计日志、慢速日志和错误日志，但我从未看到失败登录的条目。

也许 AWS-RDS 对错误日志的过滤过于激进了!

以下示例尝试以假用户身份登录并显示不存在的内容(在本例中为 BINLOGS)

这应该为失败的登录生成两个条目。

我实际得到的只是一堆换行符 (\n)，与登录失败的次数成正比。

sh-4.2$  mysql -utoot -pPoot -hMY_INSTANCE_NAME.cum0ld45s8ef.us-east-1.rds.amazonaws.com -e "SHOW BINARY LOGS;"; mysql -utoot -pPoot -hMY_INSTANCE_NAME.cum0ld45s8ef.us-east-1.rds.amazonaws.com -e "SHOW BINARY LOGS;"
ERROR 1045 (28000): Access denied for user 'toot'@'172.31.64.XX' (using password: YES)
ERROR 1045 (28000): Access denied for user 'toot'@'172.31.64.XX' (using password: YES)
sh-4.2$ aws rds download-db-log-file-portion --db-instance-identifier MY_INSTANCE_NAME --no-paginate --log-file-name error/mysql-error-running.log{
    "Marker": "15:106",
    "AdditionalDataPending": false,
    "LogFileData": "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n"

Answer 1

MySQL 不会将失败的登录尝试写入错误日志，除非 log_warnings 系统变量的值 > 1。

If the value is greater than 1, aborted connections are written to the error log, and access-denied errors for new connection attempts are written.

https://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_log_warnings

在 Aurora 中，此行为是相同的，但 log_warnings 是通过实例 parameter group 配置的.