审计日志插件支持为读取 JSON 格式的审计日志文件提供 SQL 接口的函数。（此功能不适用于以其他格式编写的日志文件。）

当审计日志插件初始化并配置为 JSON 日志记录时，它使用包含当前审计日志文件的目录作为搜索可读审计日志文件的位置。该插件根据系统变量的值确定文件位置、基本名称和后缀audit_log_file ，然后查找名称与以下模式匹配的文件，其中[...]表示可选的文件名部分：

basename[.timestamp].suffix[.gz][.enc]

如果文件名以 结尾.enc，则文件已加密，读取未加密的内容需要从密钥环中获取解密密码。有关加密审计日志文件的更多信息，请参阅 加密审计日志文件。

该插件会忽略手动重命名且与模式不匹配的文件，以及密钥环中不再可用的密码加密文件。该插件打开每个剩余的候选文件，验证该文件是否实际包含JSON审计事件，并使用每个文件的第一个事件的时间戳对文件进行排序。结果是一系列文件，这些文件可以使用日志读取功能进行访问：

audit_log_read()接受一个可选的JSON字符串参数，成功调用任一函数返回的结果都是一个JSON字符串。

要使用函数读取审计日志，请遵循以下原则：

要将位置指定给 audit_log_read()，请传递一个书签，它是一个包含唯一标识特定事件的元素的 JSON散列。这是一个示例书签，通过调用 函数获得： timestampidaudit_log_read_bookmark()

mysql> SELECT audit_log_read_bookmark();
+-------------------------------------------------+
| audit_log_read_bookmark()                       |
+-------------------------------------------------+
| { "timestamp": "2020-05-18 21:03:44", "id": 0 } |
+-------------------------------------------------+

传递当前书签以 audit_log_read()初始化从书签位置开始的事件阅读：

mysql> SELECT audit_log_read(audit_log_read_bookmark());
+-----------------------------------------------------------------------+
| audit_log_read(audit_log_read_bookmark())                             |
+-----------------------------------------------------------------------+
| [ {"timestamp":"2020-05-18 22:41:24","id":0,"class":"connection", ... |
+-----------------------------------------------------------------------+

的参数audit_log_read() 是可选的。如果存在，它可以是 关闭读取序列的值或 散列。 JSON nullJSON

Within a hash argument to audit_log_read(), items are optional and control aspects of the read operation such as the position at which to begin reading or how many events to read. The following items are significant (other items are ignored):

Example arguments accepted by audit_log_read():

To use the binary JSON string with functions that require a nonbinary string (such as functions that manipulate JSON values), perform a conversion to utf8mb4. Suppose that a call to obtain a bookmark produces this value:

mysql> SET @mark := audit_log_read_bookmark();
mysql> SELECT @mark;
+-------------------------------------------------+
| @mark                                           |
+-------------------------------------------------+
| { "timestamp": "2020-05-18 16:10:28", "id": 2 } |
+-------------------------------------------------+

Calling audit_log_read() with that argument can return multiple events. To limit audit_log_read() to reading at most N events, convert the string to utf8mb4, then add to it a max_array_length item with that value. For example, to read a single event, modify the string as follows:

mysql> SET @mark = CONVERT(@mark USING utf8mb4);
mysql> SET @mark := JSON_SET(@mark, '$.max_array_length', 1);
mysql> SELECT @mark;
+----------------------------------------------------------------------+
| @mark                                                                |
+----------------------------------------------------------------------+
| {"id": 2, "timestamp": "2020-05-18 16:10:28", "max_array_length": 1} |
+----------------------------------------------------------------------+

The modified string, when passed to audit_log_read(), produces a result containing at most one event, no matter how many are available.

To read a specific number of events beginning at the current position, pass a JSON hash that includes a max_array_length value but no position. This statement invoked repeatedly returns five events each time until no more events are available:

SELECT audit_log_read('{"max_array_length": 5}');

To set a limit on the number of bytes that audit_log_read() reads, set the audit_log_read_buffer_size system variable. As of MySQL 5.7.23, this variable has a default of 32KB and can be set at runtime. Each client should set its session value of audit_log_read_buffer_size appropriately for its use of audit_log_read(). Prior to MySQL 5.7.23, audit_log_read_buffer_size has a default of 1MB, affects all clients, and can be changed only at server startup.

有关审核日志读取功能的其他信息，请参阅审核日志功能。