I want to audit database (DB) activity to meet requirements for my Amazon Relational Database Service (Amazon RDS) DB instance that runs MySQL or MariaDB. Then, I want to publish the logs to Amazon CloudWatch.
Short description
To capture events such as connections, disconnections, queries, or other server activity, add and configure the MariaDB Audit Plugin. Then, associate the DB instance with a custom option group. You can then publish the logs to CloudWatch.
Amazon RDS supports MariaDB Audit Plugin option settings on the following versions for MySQL and MariaDB:
- All MySQL 5.7 versions
- MySQL 8.0.25 and higher 8.0 versions
- MariaDB 10.3 and higher
If you use Amazon Aurora MySQL-Compatible Edition, then see How do I turn on audit logging for my Amazon Aurora MySQL DB cluster and publish the logs to CloudWatch?
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Add and configure the MariaDB Audit Plugin, and then associate the DB instance with a custom option group
Complete the following steps:
- Create a custom option group, or modify an existing custom option group.
- Add the MariaDB Audit Plugin option to the option group, and then configure the option settings.
- To apply the option group to the DB instance, take one of the following actions:
  - For a new DB instance, configure the instance to use the newly created option group when you launch the DB instance.
  - For an existing DB instance, modify the DB instance, and then attach the new option group.
After you add the MariaDB Audit Plugin to the DB instance's option group, you don't need to reboot the DB instance. Auditing begins as soon as the option group is active.
Note: Amazon RDS doesn't support turning off logging inside the MariaDB Audit Plugin. To turn off audit logging, remove the plugin from the associated option group; removing it automatically restarts the DB instance. To limit the length of the query string that each audit record stores, use the SERVER_AUDIT_QUERY_LOG_LIMIT option setting.
Publish audit logs to CloudWatch
You can use the Amazon RDS console or AWS CLI to turn on CloudWatch log exports.
To use the Amazon RDS console, complete the following steps:
- Open the Amazon RDS console.
- In the navigation pane, choose Databases.
- Select the DB instance whose log data you want to export to CloudWatch.
- Choose Modify.
- In the Additional monitoring settings section, for Log exports, choose Audit log.
- Choose Continue.
- Review the Summary of modifications, and then choose Modify DB instance.
Note: Downtime might occur when you choose Apply immediately.
To use the AWS CLI, run the modify-db-instance command to turn on CloudWatch log exports:
aws rds modify-db-instance --db-instance-identifier db_instance --cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit"]}'
Note: Replace db_instance with the name of your DB instance.
After you turn on audit logging and modify your instance to export logs, events that are recorded in audit logs are sent to CloudWatch. Then, you can monitor the log events in CloudWatch.
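The whole procedure above as one AWS CLI script, added here as an example; it is not code from the original article. The option group name mysql80-audit, the engine name and major version, the event list CONNECT,QUERY_DDL,QUERY_DCL (logins plus schema and grant changes), the exclusion of the rdsadmin account and the 1024-byte query limit are assumptions to adjust; db_instance is the page's own placeholder. The script rejects an event list that contains a value RDS does not accept, passes the option settings as JSON (the shorthand syntax would need the commas inside SERVER_AUDIT_EVENTS escaped), attaches the group to an existing instance, turns on the audit log export, and finally checks that CONNECT records are arriving in the instance's audit log group in CloudWatch.

```shell
#!/bin/sh
# Turn on the MariaDB Audit Plugin on an RDS for MySQL/MariaDB instance and
# export the audit log to CloudWatch. Added example; names below are assumed
# (hypothetical) except db_instance, which is the page's own placeholder.
OPTION_GROUP_NAME="${OPTION_GROUP_NAME:-mysql80-audit}"      # assumed name
DB_INSTANCE_ID="${DB_INSTANCE_ID:-db_instance}"              # page placeholder
ENGINE_NAME="${ENGINE_NAME:-mysql}"                          # or: mariadb
MAJOR_ENGINE_VERSION="${MAJOR_ENGINE_VERSION:-8.0}"          # e.g. 10.6 for MariaDB
AUDIT_EVENTS="${AUDIT_EVENTS:-CONNECT,QUERY_DDL,QUERY_DCL}"  # logins + schema/grant changes
AUDIT_EXCL_USERS="${AUDIT_EXCL_USERS:-rdsadmin}"             # skip RDS's own housekeeping account
AUDIT_QUERY_LOG_LIMIT="${AUDIT_QUERY_LOG_LIMIT:-1024}"       # SERVER_AUDIT_QUERY_LOG_LIMIT (bytes)
DRY_RUN="${DRY_RUN:-0}"                                      # 1 = print the commands only

# Runs a command, or prints it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# Fails early if the comma-separated SERVER_AUDIT_EVENTS list holds a value RDS rejects.
validate_events() {
  _rest="$1"
  [ -n "$_rest" ] || { echo "SERVER_AUDIT_EVENTS must not be empty" >&2; return 1; }
  while [ -n "$_rest" ]; do
    case "$_rest" in
      *,*) _ev="${_rest%%,*}"; _rest="${_rest#*,}" ;;
      *)   _ev="$_rest";       _rest="" ;;
    esac
    case "$_ev" in
      CONNECT|QUERY|TABLE|QUERY_DDL|QUERY_DML|QUERY_DCL|QUERY_DML_NO_SELECT) ;;
      *) echo "unknown SERVER_AUDIT_EVENTS value: $_ev" >&2; return 1 ;;
    esac
  done
}

# The --options argument as JSON, so the commas in the event list need no escaping.
audit_options_json() {
  printf '[{"OptionName":"MARIADB_AUDIT_PLUGIN","OptionSettings":[{"Name":"SERVER_AUDIT_EVENTS","Value":"%s"},{"Name":"SERVER_AUDIT_EXCL_USERS","Value":"%s"},{"Name":"SERVER_AUDIT_QUERY_LOG_LIMIT","Value":"%s"}]}]' \
    "$AUDIT_EVENTS" "$AUDIT_EXCL_USERS" "$AUDIT_QUERY_LOG_LIMIT"
}

# CloudWatch log group that RDS writes the exported audit log to.
audit_log_group_name() {
  printf '/aws/rds/instance/%s/audit\n' "$DB_INSTANCE_ID"
}

apply_audit_config() {
  validate_events "$AUDIT_EVENTS" || return 1
  # 1. Custom option group for the instance's engine and major version.
  run aws rds create-option-group --option-group-name "$OPTION_GROUP_NAME" \
    --engine-name "$ENGINE_NAME" --major-engine-version "$MAJOR_ENGINE_VERSION" \
    --option-group-description "MariaDB Audit Plugin for $DB_INSTANCE_ID"
  # 2. Add the plugin and its settings to the group.
  run aws rds add-option-to-option-group --option-group-name "$OPTION_GROUP_NAME" \
    --options "$(audit_options_json)" --apply-immediately
  # 3. Attach the group to the existing instance; auditing starts once the group is active.
  run aws rds modify-db-instance --db-instance-identifier "$DB_INSTANCE_ID" \
    --option-group-name "$OPTION_GROUP_NAME" --apply-immediately
  run aws rds wait db-instance-available --db-instance-identifier "$DB_INSTANCE_ID"
  # 4. Export the audit log to CloudWatch (the page's CLI step).
  run aws rds modify-db-instance --db-instance-identifier "$DB_INSTANCE_ID" \
    --cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit"]}' --apply-immediately
  run aws rds wait db-instance-available --db-instance-identifier "$DB_INSTANCE_ID"
  # 5. Confirm membership and export, then look for CONNECT records in the log group.
  run aws rds describe-db-instances --db-instance-identifier "$DB_INSTANCE_ID" \
    --query 'DBInstances[0].[OptionGroupMemberships,EnabledCloudwatchLogsExports]'
  run aws logs filter-log-events --log-group-name "$(audit_log_group_name)" \
    --filter-pattern CONNECT --limit 5
}

# Acts only when invoked as: sh rds-audit.sh apply   (DRY_RUN=1 to print the commands first)
case "${1:-}" in
  apply) apply_audit_config ;;
esac
```

Run it first with DRY_RUN=1 sh rds-audit.sh apply to see the commands. If you reuse an existing custom option group, as the page allows, skip step 1, since create-option-group fails when the group already exists. The --apply-immediately flags mirror the console's Apply immediately choice, so the page's downtime note applies to steps 3 and 4.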
Related information
Options for MariaDB database engines
Connecting to your MariaDB DB instance