Introduction: This article shares how to quickly query CRUD audit logs in Apache Doris through SQL.
Outline:
Environment information
Plugin introduction
Quick start
1. Hardware information
CPU: 48C
CPU architecture: X86_64
Memory: 185GB
2. Software information
OS: CentOS
Apache Doris version: 2.0.2
Java version: 1.8
Doris has audit logging enabled by default: every executed SQL statement is written to fe/log/fe.audit.log. If you want those logs mapped into a table so that they can be queried and analyzed with SQL, you need to install and configure the audit log plugin.
The Doris audit log plugin is built on the FE plugin framework and is optional. It can be installed or uninstalled at runtime.
The plugin periodically imports the FE audit logs into a designated Doris cluster, so that the audit logs can be viewed and analyzed with SQL.

1. AuditLoader configuration
(1) Download the Audit Loader plugin
The Audit Loader plugin ships with the Doris release. Download the Doris installation package from the official website, unpack it and enter the directory; auditloader.zip is located in the extensions/audit_loader subdirectory.

(2) Unpack the plugin archive
unzip auditloader.zip
Unpacking produces the following 3 files:
auditloader.jar: the plugin code package.
plugin.properties: the plugin properties file.
plugin.conf: the plugin configuration file.

(3) Edit plugin.conf
The following settings can be modified:
frontend_host_port: IP address and HTTP port of the FE node, in the form IP:port. Default: 127.0.0.1:8030.
database: name of the audit log database. The default is fine; it must match the database created in the next step (Create the database and tables).
audit_log_table: name of the audit log table. The default is fine; it must match the table created in the next step (Create the database and tables).
slow_log_table: name of the slow query log table. The default is fine; it must match the table created in the next step (Create the database and tables).
enable_slow_log: whether to enable slow query log import. Default: false.
user: cluster user name. This user must have INSERT privilege on the target tables.
password: password of the cluster user.

2. Create the database and tables
In Doris, create the audit log database and tables with the structure below.
If you enable slow query log import, additionally create the slow log table doris_slow_log_tbl__, whose structure is identical to doris_audit_log_tbl__.
Set the dynamic_partition properties according to how many days of audit logs you want to retain.
-- Create the audit log database
create database doris_audit_db__;

-- Create the audit log table (each column carries a comment)
create table doris_audit_db__.doris_audit_log_tbl__
(
    query_id varchar(48) comment "Unique query id",
    `time` datetime not null comment "Query start time",
    client_ip varchar(32) comment "Client IP",
    user varchar(64) comment "User name",
    catalog varchar(128) comment "Catalog of this query",
    db varchar(96) comment "Database of this query",
    state varchar(8) comment "Query result state. EOF, ERR, OK",
    error_code int comment "Error code of failing query.",
    error_message string comment "Error message of failing query.",
    query_time bigint comment "Query execution time in millisecond",
    scan_bytes bigint comment "Total scan bytes of this query",
    scan_rows bigint comment "Total scan rows of this query",
    return_rows bigint comment "Returned rows of this query",
    stmt_id int comment "An incremental id of statement",
    is_query tinyint comment "Is this statement a query. 1 or 0",
    frontend_ip varchar(32) comment "Frontend ip of executing this statement",
    cpu_time_ms bigint comment "Total scan cpu time in millisecond of this query",
    sql_hash varchar(48) comment "Hash value for this query",
    sql_digest varchar(48) comment "Sql digest for this query",
    peak_memory_bytes bigint comment "Peak memory bytes used on all backends of this query",
    stmt string comment "The original statement, trimmed if longer than 2G"
) engine=OLAP
duplicate key(query_id, `time`, client_ip)
partition by range(`time`) ()
distributed by hash(query_id) buckets 10
properties(
    "dynamic_partition.time_unit" = "DAY",
    "dynamic_partition.start" = "-30",
    "dynamic_partition.end" = "3",
    "dynamic_partition.prefix" = "p",
    "dynamic_partition.buckets" = "1",
    "dynamic_partition.enable" = "true",
    "replication_num" = "3"
);

-- Create the slow query log table (same columns as the audit log table)
create table doris_audit_db__.doris_slow_log_tbl__
(
    query_id varchar(48) comment "Unique query id",
    `time` datetime not null comment "Query start time",
    client_ip varchar(32) comment "Client IP",
    user varchar(64) comment "User name",
    catalog varchar(128) comment "Catalog of this query",
    db varchar(96) comment "Database of this query",
    state varchar(8) comment "Query result state. EOF, ERR, OK",
    error_code int comment "Error code of failing query.",
    error_message string comment "Error message of failing query.",
    query_time bigint comment "Query execution time in millisecond",
    scan_bytes bigint comment "Total scan bytes of this query",
    scan_rows bigint comment "Total scan rows of this query",
    return_rows bigint comment "Returned rows of this query",
    stmt_id int comment "An incremental id of statement",
    is_query tinyint comment "Is this statement a query. 1 or 0",
    frontend_ip varchar(32) comment "Frontend ip of executing this statement",
    cpu_time_ms bigint comment "Total scan cpu time in millisecond of this query",
    sql_hash varchar(48) comment "Hash value for this query",
    sql_digest varchar(48) comment "Sql digest for this query",
    peak_memory_bytes bigint comment "Peak memory bytes used on all backends of this query",
    stmt string comment "The original statement, trimmed if longer than 2G"
) engine=OLAP
duplicate key(query_id, `time`, client_ip)
partition by range(`time`) ()
distributed by hash(query_id) buckets 10
properties(
    "dynamic_partition.time_unit" = "DAY",
    "dynamic_partition.start" = "-30",
    "dynamic_partition.end" = "3",
    "dynamic_partition.prefix" = "p",
    "dynamic_partition.buckets" = "1",
    "dynamic_partition.enable" = "true",
    "replication_num" = "3"
);
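Two things the plugin.conf step and the retention note leave to the reader: the user named in plugin.conf only needs to write the audit tables, and the retention window is set by dynamic_partition.start. The following is an added example (not from the original post and not part of the Doris plugin) that extends retention and creates one least-privilege account for the loader and a separate read-only account for analysts. The account names audit_loader and audit_reader and the password placeholders are assumptions; LOAD_PRIV is the Doris privilege that covers INSERT, and SELECT_PRIV is read-only.

```sql
-- Added example: retention and least-privilege accounts for the audit tables.
-- Account names and password placeholders are assumptions, not from the post.

-- Keep 90 days instead of the 30 days in the DDL above. dynamic_partition.start
-- is the offset in days from today; partitions older than that are dropped.
ALTER TABLE doris_audit_db__.doris_audit_log_tbl__
    SET ("dynamic_partition.start" = "-90");
ALTER TABLE doris_audit_db__.doris_slow_log_tbl__
    SET ("dynamic_partition.start" = "-90");

-- Account referenced by user/password in plugin.conf: it only ever inserts into
-- the two audit tables, so grant LOAD_PRIV on exactly those tables and nothing else.
CREATE USER 'audit_loader'@'%' IDENTIFIED BY '<CHANGE_ME_loader_password>';
GRANT LOAD_PRIV ON doris_audit_db__.doris_audit_log_tbl__ TO 'audit_loader'@'%';
GRANT LOAD_PRIV ON doris_audit_db__.doris_slow_log_tbl__ TO 'audit_loader'@'%';

-- Account for people who analyze the logs: read-only on the audit database.
-- The stmt column holds full statement text, including any literals a client
-- sent, so keep SELECT on this database limited to this account.
CREATE USER 'audit_reader'@'%' IDENTIFIED BY '<CHANGE_ME_reader_password>';
GRANT SELECT_PRIV ON doris_audit_db__.* TO 'audit_reader'@'%';

-- Verify that each account got only what was intended.
SHOW GRANTS FOR 'audit_loader'@'%';
SHOW GRANTS FOR 'audit_reader'@'%';
```

Because plugin.conf stores the loader password in plaintext, restrict the file's permissions to the account that runs the FE; with the grants above, a leaked loader password only allows writes into the audit tables, not reads of the audit data or of any other database.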
3. Initialize the plugin
INSTALL PLUGIN FROM [source] [PROPERTIES ("key"="value", ...)]
source supports three forms:
An absolute path to a zip file.
An absolute path to a plugin directory.
An http or https download URL of a zip file.
Examples:
(1) Install a plugin from a local zip file
INSTALL PLUGIN FROM "/home/users/doris/auditdemo.zip";
(2) Install a plugin from a local directory
INSTALL PLUGIN FROM "/home/users/doris/auditdemo/";
(3) Download and install a plugin. An md5 file with the same name as the .zip file must be placed alongside it, e.g. http://mywebsite.com/plugin.zip.md5, containing the MD5 value of the .zip file. The MD5 check only detects a corrupted download; it does not verify who published the file, so prefer installing the auditloader.zip that ships in the Doris release from a local path.
INSTALL PLUGIN FROM "http://mywebsite.com/plugin.zip";
(4) Download and install a plugin, passing the md5sum of the zip file explicitly
INSTALL PLUGIN FROM "http://mywebsite.com/plugin.zip" PROPERTIES("md5sum" = "73877f6029216f4314d712086a146570");
After INSTALL succeeds, an AuditLoader directory is created automatically under fe/plugins/.

4. Query verification
Run the following SQL to verify that the plugin was installed and registered; a Status of INSTALLED means the installation succeeded.
SHOW PLUGINS;

Query the audit log directly with SQL for a quick look.
select *
from doris_audit_db__.doris_audit_log_tbl__
where `time` > '2023-11-11 00:00:00'
  and stmt like '%ssb_test.part%'
order by `time` desc
limit 10;
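The query above looks up one table name; the same audit table also answers the questions a security team actually asks of a database audit log. The following is an added example (not from the original post) with four detection queries over doris_audit_db__.doris_audit_log_tbl__ using only the columns defined in the DDL above. The time windows and thresholds (20 failures, 10 GiB scanned) are assumptions to tune per environment.

```sql
-- Added example: detection queries over the audit log table created above.
-- Windows and thresholds are assumptions; tune them to the environment.

-- 1. Failed statements per client and user in the last 24 hours. A burst of ERR
--    states with the same error_code from one client_ip is worth a look.
SELECT client_ip, `user`, error_code, COUNT(*) AS failures
FROM doris_audit_db__.doris_audit_log_tbl__
WHERE `time` >= DATE_SUB(NOW(), INTERVAL 1 DAY)
  AND state = 'ERR'
GROUP BY client_ip, `user`, error_code
HAVING COUNT(*) >= 20
ORDER BY failures DESC;

-- 2. Privilege, schema and plugin changes in the last 7 days: who ran them, from
--    where, and whether they succeeded. is_query = 0 restricts to non-SELECTs.
SELECT `time`, `user`, client_ip, state, LEFT(stmt, 200) AS stmt_head
FROM doris_audit_db__.doris_audit_log_tbl__
WHERE `time` >= DATE_SUB(NOW(), INTERVAL 7 DAY)
  AND is_query = 0
  AND (UPPER(stmt) LIKE 'GRANT %'
       OR UPPER(stmt) LIKE 'CREATE USER%'
       OR UPPER(stmt) LIKE 'DROP %'
       OR UPPER(stmt) LIKE 'TRUNCATE %'
       OR UPPER(stmt) LIKE 'INSTALL PLUGIN%')
ORDER BY `time` DESC;

-- 3. User/client_ip pairs seen in the last 24 hours that never appeared in the
--    retained history before that: a new source address for a known account.
SELECT a.`user`, a.client_ip, MIN(a.`time`) AS first_seen
FROM doris_audit_db__.doris_audit_log_tbl__ a
LEFT JOIN (
    SELECT DISTINCT `user`, client_ip
    FROM doris_audit_db__.doris_audit_log_tbl__
    WHERE `time` < DATE_SUB(NOW(), INTERVAL 1 DAY)
) b ON a.`user` = b.`user` AND a.client_ip = b.client_ip
WHERE a.`time` >= DATE_SUB(NOW(), INTERVAL 1 DAY)
  AND b.`user` IS NULL
GROUP BY a.`user`, a.client_ip;

-- 4. Heaviest normalized statements (sql_digest) per user in the last 24 hours.
--    Bulk reads of whole tables stand out as a few digests dominating scan_bytes
--    with large return_rows.
SELECT sql_digest, `user`, COUNT(*) AS runs,
       SUM(scan_bytes) AS total_scan_bytes, MAX(return_rows) AS max_rows
FROM doris_audit_db__.doris_audit_log_tbl__
WHERE `time` >= DATE_SUB(NOW(), INTERVAL 1 DAY)
  AND is_query = 1
GROUP BY sql_digest, `user`
HAVING SUM(scan_bytes) > 10 * 1024 * 1024 * 1024
ORDER BY total_scan_bytes DESC
LIMIT 20;
```

Two caveats when using these: the plugin imports the log periodically, so the table lags the live fe.audit.log by the import interval, and query 3 can only see as far back as the dynamic_partition retention window, so a client_ip last used before that window will look new.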

This concludes the quick start for the Apache Doris audit log plugin. If you run into problems while following along, feel free to leave a comment.