How can I enable audit logging for an Amazon RDS for MySQL or MariaDB instance and publish the logs to CloudWatch?

Last updated: 2021-08-26

I want to audit database activity to meet compliance requirements for my Amazon Relational Database Service (Amazon RDS) DB instance that's running MySQL or MariaDB. Then, I want to publish the DB logs to Amazon CloudWatch. How can I do this?

Short description

You can use the MariaDB Audit Plugin to capture events, such as connections, disconnections, queries, or tables queried. First, enable and configure the MariaDB Audit Plugin and associate the DB instance with a custom option group. Then, you can publish the logs to CloudWatch.

If you use Amazon Aurora MySQL-Compatible Edition, then see How can I enable Advanced Auditing for my Aurora MySQL-Compatible DB cluster and then publish the logs to CloudWatch?

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

Amazon RDS supports Audit Plugin option settings on the following versions for MySQL and MariaDB:

  • All MySQL 5.6 versions
  • MySQL 5.7.16 and higher 5.7 versions
  • MySQL 8.0.25 and higher 8.0 versions
  • MariaDB 10.2 and higher

For more information about supported versions, see MariaDB Audit Plugin support and Options for MariaDB database engines.

Enable the MariaDB Audit Plugin on your custom option group

1.    Create a custom option group or modify an existing custom option group.

2.    Add the MariaDB Audit Plugin option to the option group, and configure the option settings.

3.    Apply the option group to the DB instance.

To apply the option to a new DB instance, configure the instance to use the newly created option group when you launch the DB instance. To apply the option to an existing DB instance, modify the DB instance and attach the new option group. For more information, see Modifying a DB instance running the MySQL database engine or Modifying a DB instance running the MariaDB database engine.

After you configure the DB instance with the MariaDB Audit Plugin, you don't need to reboot the DB instance. When the option group is active, auditing begins immediately.

Note: Amazon RDS doesn't support turning off logging in the MariaDB Audit Plugin. To disable audit logging, remove the plugin from the associated option group. This restarts the instance automatically. To limit the length of the query string in a record, use the SERVER_AUDIT_QUERY_LOG_LIMIT option.

Publish audit logs to CloudWatch

1.    Open the Amazon RDS console.

2.    Choose Databases from the navigation pane.

3.    Select the DB instance whose log data you want to export to CloudWatch.

4.    Choose Modify.

5.    From the Log exports section, select Audit log.

6.    Choose Continue.

7.    Review the Summary of modifications, and choose Modify instance.

You can also use the following AWS CLI command syntax to enable CloudWatch log exports:

aws rds modify-db-instance --db-instance-identifier <mydbinstance> --cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit"]}'

After enabling audit logging and modifying your instance to export logs, events that are recorded in audit logs are sent to CloudWatch. Then, you can monitor the log events in CloudWatch.
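Both procedures above, enabling the plugin through a custom option group and then turning on the CloudWatch export, as one AWS CLI script. This is an added example, not code from the article or from AWS. The instance identifier, option group name, engine, major version, event list and query-length limit are assumed sample values that can be overridden from the environment, and the log group name /aws/rds/instance/<id>/audit is the naming I expect RDS to create for the export, so confirm it in your account. Nothing runs until APPLY_AUDIT_SETUP=1 is set, so the file can be sourced and the individual functions inspected or reused first.

```shell
#!/bin/sh
# Added example (not from the article or AWS): enable the MariaDB Audit Plugin
# on an RDS for MySQL/MariaDB instance through a custom option group, then
# publish the audit log to CloudWatch. All identifiers below are assumed
# sample values; override them in the environment.
set -e

DB_INSTANCE="${DB_INSTANCE:-mydbinstance}"       # assumed instance id
OPTION_GROUP="${OPTION_GROUP:-mysql80-audit}"     # assumed option group name
ENGINE="${ENGINE:-mysql}"                          # mysql or mariadb
MAJOR_VERSION="${MAJOR_VERSION:-8.0}"              # must match the instance

# Step 1: create a custom option group for the instance's engine/major version.
create_option_group() {
  aws rds create-option-group \
    --option-group-name "$OPTION_GROUP" \
    --engine-name "$ENGINE" \
    --major-engine-version "$MAJOR_VERSION" \
    --option-group-description "MariaDB Audit Plugin for $ENGINE $MAJOR_VERSION"
}

# Step 2: add the MARIADB_AUDIT_PLUGIN option. SERVER_AUDIT_EVENTS selects the
# event classes to record; SERVER_AUDIT_QUERY_LOG_LIMIT caps the query text
# stored per record (the option the article names). The settings are passed
# as JSON because the CLI shorthand syntax would split on the commas in the
# event list.
add_audit_plugin() {
  events="${1:-CONNECT,QUERY_DDL,QUERY_DCL}"   # example event selection
  query_limit="${2:-1024}"                     # bytes of query text kept
  options=$(printf '[{"OptionName":"MARIADB_AUDIT_PLUGIN","OptionSettings":[{"Name":"SERVER_AUDIT_EVENTS","Value":"%s"},{"Name":"SERVER_AUDIT_QUERY_LOG_LIMIT","Value":"%s"}]}]' \
    "$events" "$query_limit")
  aws rds add-option-to-option-group \
    --option-group-name "$OPTION_GROUP" \
    --apply-immediately \
    --options "$options"
}

# Step 3: attach the option group to the instance. No reboot is needed;
# auditing starts once the option group is active.
attach_option_group() {
  aws rds modify-db-instance \
    --db-instance-identifier "$DB_INSTANCE" \
    --option-group-name "$OPTION_GROUP" \
    --apply-immediately
}

# Step 4: export the audit log type to CloudWatch Logs (the article's command).
enable_audit_export() {
  aws rds modify-db-instance \
    --db-instance-identifier "$DB_INSTANCE" \
    --cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit"]}'
}

# Check: the instance should report the option group and "audit" among its
# enabled exports, and a log group should exist for the stream (assumed name
# /aws/rds/instance/<id>/audit; confirm it in the console).
verify_audit_setup() {
  aws rds describe-db-instances \
    --db-instance-identifier "$DB_INSTANCE" \
    --query 'DBInstances[0].[OptionGroupMemberships[0].OptionGroupName,EnabledCloudwatchLogsExports]' \
    --output text
  aws logs describe-log-groups \
    --log-group-name-prefix "/aws/rds/instance/$DB_INSTANCE/audit" \
    --query 'logGroups[].logGroupName' \
    --output text
}

# Run the full sequence only when explicitly asked.
if [ "${APPLY_AUDIT_SETUP:-0}" = "1" ]; then
  create_option_group
  add_audit_plugin
  attach_option_group
  enable_audit_export
  verify_audit_setup
fi
```

Removing the plugin later means removing the option from the option group (which restarts the instance), since the article notes that RDS does not support switching logging off inside the plugin itself.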
