I have a setup of a MySQL Instance installed on Google Cloud with the following flags:
general_log: on
log_output: FILE
On the client side, I'm connecting via Cloud SQL Proxy authentication with DBeaver. The issue is that when I execute queries containing new lines on DBeaver, the logs as shown on Logs Explorer page are being split into multiple sub-logs, each containing a line from that query. Is there some way I can concatenate these logs by reconfiguring the SQL Instance's flags or using a different GCP plugin for audit logging, other than general-log? I need to resolve this issue not on the client side (I'm aware that I can simply reformat the text editor on DBeaver to eliminate new line characters).
I'm aware of this new auditing plugin cloudsql_mysql_audit, but when I install it to my SQL Instance I can't see any logs at all.
Related
In Visual Studio's Server Explorer, I right-clicked Data Connections and selected Create New SQL Server Database.
In the same-named dialog that is then invoked, I entered a ServerName, a New Database Name, accepted the default of Windows authorization, but get this:
I'm pretty sure I installed MS SQL Server when I installed VS (2019). What is causing this error and what do I need to do to fix it?
Am I not allowed to create a Server Name and must use a specific one? If so, what?
UPDATE
I'm also getting problems now with MySql. I recently created MySql Databases (they are displaying on the left -- "movies" and "statesdb" and I've got connections to them, as indicated by the green connector icon), but now trying to create a new Database also fails (after I hit the "Test Connection" button):
UPDATE 2
I still get the same exact err msg after installing SQL Server Express.
And that's even though I do have a bunch of SQLExpress services running now (the only non-new one is the last one):
Do I need to use SQL Server Authentication instead of Windows?
To see if you have sql server installed and it’s running, you can open services.msc and look for SQL Server. The name in between the brackets is the instance name, I.e.: SQLEXPRESS.
To connect to a localhost instance you simply do .\instancename or for SQLEXPRESS: .\SQLEXPRESS
I tried to upload a .txt file into MySQL Workbench, but I have the following issue:
Error Code: 3948 Loading Local data is disable; this must be enable on both the client and server sides
Workbench uses a MySQL feature called LOAD DATA LOCAL for this .txt file import operation. Because that feature exposes some security problems in the server, the operator of the server needs to enable that feature, by running the MySQL server software (mysqld, it's called) with a specific system variable called local_infile. Your error message means that flag is not enabled.
You can try enabling it at runtime before you do your upload operation. Try this SQL statement.
SET ##GLOBAL.local_infile = 1;
If that doesn't work you need to ask the person who runs your server to enable it.
I have an existing MySQL (version 5.7) instance hosted (managed) by Google Cloud SQL. I want to get a notification when someone is trying to connect my database with a bad username\password.
My idea was to look for it on the Google Stackrive logs, but it's not there.
There is an option to collect this information?
UPDATE 1:
I tried to connect the instance with gcloud but unfortunately, it's not working.
$ gcloud sql connect mydb
Whitelisting your IP for incoming connection for 5 minutes...done.
ERROR: (gcloud.sql.connect) It seems your client does not have ipv6 connectivity and the database instance does not have an ipv4 address. Please request an ipv4 address for this database instance.
It's because the database is accessible only inside the internal network. I searched for flags like --internal-ip but didn't find one.
However, I was guessing that it's not making any difference if I'll try to access the database from my DB editor (workbench). So I did it:
Searching for the query that #Christopher advised - but it's not there.
What I missed?
UPDATE 2:
Screenshot of my Stackdrive:
Even if I remove this (resource.labels.database_id="***") condition - the result is the same.
There is an option to collect this information?
One of the best options to collect information about who is trying to connect to your Google Cloud SQL instance with wrong credentials is Stackdriver Logging.
Before beginning
To reproduce this steps, I connected to the Cloud SQL instance using the gcloud command:
gcloud sql connect [CLOUD_SQL_INSTANCE]
I am not entirely sure if using the mysql command line something will change along the lines, but in case it does, you should only look for the new log message, and update the last boolean entry (from point 4 on).
How to collect this information from Stackdriver Logging
Go under Stackdriver → Logging section.
To get the information we are looking for, we will use advanced log queries. Advanced log queries are expressions that can specify a set of log entries from any number of logs. Advanced logs queries can be used in the Logs Viewer, the Logging API, or the gcloud command-line tool. They are a powerful tool to get information from logs.
Here you will find how to get and enable advanced log queries in your logs.
Advanced log queries are just boolean expressions that specify a subset of all the log entries in your project. To find out who has enter with wrong credentials into your Cloud SQL instance running MySQL, we will use the following queries:
resource.type="cloudsql_database"
resource.labels.database_id="[PROJECT_ID]:[CLOUD_SQL_INSTANCE]"
textPayload:"Access denied for user"
Where [PROJECT_ID] corresponds to your project ID and [CLOUD_SQL_INSTANCE] corresponds to the name of the Cloud SQL instance you would like to supervise.
If you notice, the last boolean expression corresponding to textPayload uses the : operator.
As described here by using the : operator we are looking for matches with any sub string in the log entry field, so every log that matches the string specified, which in this case is: "Access denied for user".
If now some user enters the wrong credentials, you should see a message like the following appear within your logs:
[TIMEFRAME][Note] Access denied for user 'USERNAME'#'[IP]' (using password: YES)
From here is a matter of using one of GCP products to send you a notification when a user enters the wrong credentials.
I hope it helps.
As said in the GCP documentation :
Cloud Shell doesn't currently support connecting to a Cloud SQL instance that has only a private IP address.
Do you think it is possible to create a SQL server ODBC Connection for an active directory user who doesn't log in into the windows.
Ideally this type of users will be used in the batch process. So, Another person logs in and creates a batch process and runs it with another user.
Note: I dont want to create a SQL server authentication. Instead would like to use active directory.
Thanks.
You can't save alternate windows authentication credentials into an ODBC connection for SQL Server. You can only save credentials into the ODBC setting if you use SQL Server authentication.
There are other options though.
You can create a windows authentication ODBC connection to SQL server even if the account you create the connection with doesn't have database access. You just have to untick the "Connect to SQL Server to obtain default settings for the additional configuration options" and you can't use the "Test connection" feature. You just have to create the connection on faith.
With that connection, it will only work if your batch process or application is running as a different account to the logged-in user. Services that run as system accounts do this sort of thing. If you create an application that can be run as a service then you can change the account it runs under.
You can also run as another account manually. Using explorer you can [shift] + right-click on an application and choose "Run As different user" and then enter the other account credentials. Then when the process or application uses the ODBC connection, it will be the correct credentials and work.
There's also "ShellRunAs" https://technet.microsoft.com/en-us/sysinternals/shellrunas.aspx
I am trying to make the connection to a remote mysql database in CloverETL Designer (Community Version)
Documentation with examples on this subject seem fragmented so I have tried to piece the bits together but I'm not use if they are correct. I would be grateful for any suggestions or further clarification on this subject.
Here is what I have so far:
The SSL Certificate
As an alternative VPN connection the server guys passed me the raw CA certificate, which I saved as a .crt file in the conn folder of the CloverETL workspace.
CloverETL Connections
I created a new DB connection and tested it was working without SSL
In the graph window I created a simple graph
Switching to Source View I added the parameter attribute to the connection code like this:
<Connection database="MYSQL" dbURL="jdbc:mysql://hostname/database_name" id="JDBC0" jdbcSpecific="MYSQL" name="CPM" parameters="ssl=${WORKSPACE}/conn/mysql_cpm_cert.crt" password="password" type="JDBC" user="username"/>
Then I tested the connection to the database by creating new metadata from a DB table
The problem is that I don't know if the connect is now secure or not.
Here's the list of resources that I used to piece together the information:
components:bulkloaders:mysql_data_writer [CloverETL wiki]
MySQL :: MySQL 5.0 Reference Manual :: 6.3.6.3 SSL Command Options
Thanks
CPM
Your setup almost certainly does not use ssl. Both links you posted are not usable - first describes bulk loader and second connection via command line client. But what you need is to configure JDBC. So I would use http://dev.mysql.com/doc/refman/5.0/en/connector-j-reference-configuration-properties.html section "Security."
I would set:
useSSL=true
requireSSL=true
You will do that by adding items in table (Custom JDBC properties) on second tab (Advanced) of Connection Wizard. In source it should appear like "jdbc.useSSL=true jdbc.requireSSL=true" not "parameters=".
Then connection should fail, because in your default java key store is missing your certificate. It can be imported via http://docs.oracle.com/javase/1.4.2/docs/tooldocs/windows/keytool.html section "Importing Certificates"
I hope this helps.