I want to audit database activity to meet compliance requirements for my Amazon Aurora Serverless v1 (Amazon Aurora Serverless version 1) clusters that run Amazon Aurora MySQL-Compatible Edition or Amazon Aurora PostgreSQL-Compatible Edition. Then I want to publish the logs to Amazon CloudWatch to view or download them. How can I do that?
Short description
For Aurora MySQL-Compatible DB clusters, you can enable the slow query log, general log, or audit logs. For Aurora PostgreSQL-Compatible DB clusters, you can control the level of logging by using the log_statement parameter.
By design, Aurora Serverless V1 connects to a proxy fleet of DB instances that scales automatically. There isn't a direct DB instance to access and host the log files. This means that you can't view the logs directly from the Amazon Relational Database Service (Amazon RDS) console. However, you can view and download logs that are sent to the CloudWatch console.
To enable Advanced Auditing, see How can I enable audit logging for my Amazon Aurora MySQL DB cluster and publish the logs to CloudWatch?
Resolution
To enable logs, first modify the cluster parameter groups for an Aurora Serverless V1 cluster. Aurora Serverless V1 then automatically uploads the logs to CloudWatch. For MySQL-compatible DB clusters, use an Aurora MySQL 5.6/5.7 cluster parameter group family based on your cluster version. For PostgreSQL-compatible DB clusters, use an Aurora PostgreSQL 10 cluster parameter group family.
Enabling the logging for Aurora Serverless V1
Note: If your DB cluster is already using a custom DB cluster parameter group, then skip steps 1 and 3 of this process.
1. Create a custom DB cluster parameter group.
2. Modify the DB cluster parameter group values. For MySQL-compatible clusters, the error log is enabled by default. To enable the slow query and general logs, modify the following parameters:
general_log=1
slow_query_log=1
For PostgreSQL-compatible clusters, the log_statement parameter controls which SQL statements are logged, and the default value is none. Modify the following parameter to log the query and error logs:
log_statement=all
Tip: It's a best practice to set log_statement to all to log all statements when you debug issues in your DB instance. To log all data definition language (DDL) statements (such as CREATE, ALTER, and DROP), set the parameter value to ddl. To log all DDL and data modification language (DML) statements (such as INSERT, UPDATE, and DELETE), set the parameter value to mod.
3. Modify your DB cluster to use the custom DB parameter group that you created in step 2.
After you modify your DB cluster, Aurora Serverless V1 attempts to perform an automatic seamless scale to apply the parameter changes.
Note: Aurora Serverless V1 uses the ForceApplyCapacityChange timeout action when applying this change. This means that if your Aurora Serverless V1 DB cluster can't find a scaling point before timing out, connections might be dropped.
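The three steps above can also be scripted. The following is an added example (not AWS-provided code) that uses the boto3 RDS client; the cluster name, group name, and description are hypothetical placeholders, and the family strings are the parameter group family identifiers for the engine versions named above.

```python
# Added example: steps 1-3 above expressed as boto3 RDS calls.
# Group, cluster, and description strings are hypothetical placeholders.

MYSQL_FAMILIES = {"aurora5.6", "aurora-mysql5.7"}
POSTGRES_FAMILIES = {"aurora-postgresql10"}
LOG_STATEMENT_VALUES = {"none", "ddl", "mod", "all"}


def logging_parameters(family, log_statement="all"):
    """Return the Parameters list for modify_db_cluster_parameter_group."""
    if family in MYSQL_FAMILIES:
        # The error log is on by default; these two add general and slow query logs.
        settings = {"general_log": "1", "slow_query_log": "1"}
    elif family in POSTGRES_FAMILIES:
        if log_statement not in LOG_STATEMENT_VALUES:
            raise ValueError(f"invalid log_statement value: {log_statement!r}")
        settings = {"log_statement": log_statement}
    else:
        raise ValueError(f"unsupported parameter group family: {family!r}")
    return [
        {"ParameterName": name, "ParameterValue": value, "ApplyMethod": "immediate"}
        for name, value in settings.items()
    ]


def enable_logging(rds, cluster_id, group_name, family, log_statement="all"):
    """Create the group, set the logging parameters, attach it to the cluster."""
    params = logging_parameters(family, log_statement)  # validate before any API call
    rds.create_db_cluster_parameter_group(
        DBClusterParameterGroupName=group_name,
        DBParameterGroupFamily=family,
        Description="Audit logging for Aurora Serverless v1",
    )
    rds.modify_db_cluster_parameter_group(
        DBClusterParameterGroupName=group_name, Parameters=params
    )
    # Attaching the group triggers the scaling attempt described above.
    rds.modify_db_cluster(
        DBClusterIdentifier=cluster_id,
        DBClusterParameterGroupName=group_name,
        ApplyImmediately=True,
    )
    return params


if __name__ == "__main__":
    import boto3  # needs AWS credentials and a region configured

    enable_logging(boto3.client("rds"), "example-cluster", "example-logging-pg",
                   "aurora-postgresql10", log_statement="ddl")
```

If the cluster already uses a custom DB cluster parameter group, call only `modify_db_cluster_parameter_group` with the output of `logging_parameters`.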
Viewing the logs in CloudWatch
Because Aurora Serverless V1 automatically publishes these logs to CloudWatch, you can view and download the logs in the CloudWatch console:
- Open the CloudWatch console.
- Choose Log groups from the navigation pane.
- Select the appropriate log group from the list.
For more information, see Monitoring log events in Amazon CloudWatch.
Related information
How do I publish logs for Amazon RDS or Aurora MySQL-Compatible instances to CloudWatch?
Publishing Aurora MySQL-Compatible logs to Amazon CloudWatch Logs
Publishing Aurora PostgreSQL-Compatible logs to Amazon CloudWatch Logs
Publishing database logs to Amazon CloudWatch Logs