How can I enable audit logging for an Amazon RDS MySQL or MariaDB instance and publish the logs to CloudWatch?

Last updated: 2019-07-30

I want to audit database activity to meet compliance requirements for my Amazon Relational Database Service (Amazon RDS) instance that's running MySQL or MariaDB. Then, I want to publish the DB logs to Amazon CloudWatch. How can I do this?

Short Description

You can use the MariaDB Audit Plugin to capture events, such as connections, disconnections, queries, or tables queried. First, enable and configure the MariaDB Audit Plugin and associate the DB instance with a custom option group. Then, you can publish the logs to CloudWatch.

If you use Amazon Aurora for MySQL, see How can I enable Advanced Auditing for my Amazon Aurora MySQL DB cluster and then publish the logs to CloudWatch?

Resolution

Amazon RDS supports Audit Plugin option settings on the following versions for MySQL and MariaDB:

  • All MySQL 5.6 versions
  • MySQL 5.7.16 and later 5.7 versions
  • MariaDB 10.0.24 and later versions

Enabling the MariaDB Audit Plugin on your custom option group

  1. Create a custom option group or modify an existing custom option group.
  2. Add the MariaDB Audit Plugin option to the option group, and configure the option settings.
  3. Apply the option group to the DB instance.

To apply the option to a new DB instance, configure the instance to use the newly created option group when you launch the DB instance. To apply the option to an existing DB instance, modify the DB instance and attach the new option group. For more information, see Modifying a DB Instance Running the MySQL Database Engine or Modifying a DB Instance Running the MariaDB Database Engine.

After you configure the DB instance with the MariaDB Audit Plugin, you don't need to reboot the DB instance. When the option group is active, auditing begins immediately.

Note: Amazon RDS doesn't support turning off logging in the MariaDB Audit Plugin. To disable audit logging, remove the plugin from the associated option group. This restarts the instance automatically. To limit the length of the query string in a record, use the SERVER_AUDIT_QUERY_LOG_LIMIT option.

Publishing audit logs to CloudWatch

  1. Open the Amazon RDS console.
  2. Choose Databases from the navigation pane.
  3. Select the DB instance that you want to use to export log data to CloudWatch.
  4. Choose Modify.
  5. From the Log exports section, select Audit log.
  6. Choose Continue.
  7. Review the Summary of modifications, and choose Modify instance.

You can also use the AWS Command Line Interface (AWS CLI) to enable CloudWatch log exports by running a command similar to the following:

aws rds modify-db-instance --db-instance-identifier <mydbinstance> --cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit"]}'
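The same procedure as one script, using boto3 instead of the console or the CLI (an added example written for this article, not AWS's own code). It creates the custom option group, adds the MARIADB_AUDIT_PLUGIN option with its settings, attaches the group to the instance and enables the CloudWatch audit log export in the same modify call. The option group name mysql57-audit, the instance identifier mydbinstance, the engine mysql 5.7, the excluded user rdsadmin and the chosen event list are illustrative assumptions; the accepted SERVER_AUDIT_EVENTS values are taken from the plugin option's documented settings at the time of this article.

```python
"""Enable the MariaDB Audit Plugin on an RDS MySQL/MariaDB instance and export
the audit log to CloudWatch Logs with boto3 (added example, not AWS's code).
Assumed names: option group 'mysql57-audit', instance 'mydbinstance'."""

try:
    import boto3  # only needed to actually call the RDS API
except ImportError:  # lets the pure helper below run without boto3 installed
    boto3 = None

OPTION_NAME = "MARIADB_AUDIT_PLUGIN"
# Event classes the plugin option accepts (documented RDS option settings,
# assumed current as of the article's date).
VALID_EVENTS = {"CONNECT", "QUERY", "QUERY_DDL", "QUERY_DML", "QUERY_DCL", "TABLE"}
DEFAULT_QUERY_LOG_LIMIT = 1024  # plugin default: query text longer than this is truncated


def audit_option_settings(events, query_log_limit=DEFAULT_QUERY_LOG_LIMIT,
                          exclude_users=()):
    """Build the OptionSettings list for the MARIADB_AUDIT_PLUGIN option.

    Inputs are validated up front: a typo such as 'QUERY_DLL' would otherwise
    surface only as an API error after the option group already exists.
    """
    events = [e.upper() for e in events]
    bad = sorted(set(events) - VALID_EVENTS)
    if bad:
        raise ValueError(f"unknown SERVER_AUDIT_EVENTS value(s): {bad}")
    if not events:
        raise ValueError("at least one event class must be audited")
    if query_log_limit < 1:
        raise ValueError("SERVER_AUDIT_QUERY_LOG_LIMIT must be a positive integer")
    settings = [
        # dict.fromkeys() drops duplicates while keeping the order given
        {"Name": "SERVER_AUDIT_EVENTS", "Value": ",".join(dict.fromkeys(events))},
        {"Name": "SERVER_AUDIT_QUERY_LOG_LIMIT", "Value": str(query_log_limit)},
    ]
    if exclude_users:
        # e.g. the RDS-internal 'rdsadmin' user; every other account stays audited
        settings.append({"Name": "SERVER_AUDIT_EXCL_USERS",
                         "Value": ",".join(exclude_users)})
    return settings


def enable_audit_logging(rds, instance_id, option_group, engine, major_version,
                         settings):
    """Create the option group (if needed), add the audit option, attach the
    group to the instance and switch on the CloudWatch 'audit' log export."""
    try:
        rds.create_option_group(
            OptionGroupName=option_group, EngineName=engine,
            MajorEngineVersion=major_version,
            OptionGroupDescription="MariaDB Audit Plugin for compliance auditing")
    except rds.exceptions.OptionGroupAlreadyExistsFault:
        pass  # reuse an existing custom option group
    rds.add_option_to_option_group(
        OptionGroupName=option_group,
        OptionsToInclude=[{"OptionName": OPTION_NAME, "OptionSettings": settings}],
        ApplyImmediately=True)
    # Attach the option group and enable the log export in one modify call.
    # Adding the plugin needs no reboot; removing it later restarts the instance.
    return rds.modify_db_instance(
        DBInstanceIdentifier=instance_id,
        OptionGroupName=option_group,
        CloudwatchLogsExportConfiguration={"EnableLogTypes": ["audit"]},
        ApplyImmediately=True)


if __name__ == "__main__":
    if boto3 is None:
        raise SystemExit("boto3 is required to call the RDS API")
    settings = audit_option_settings(
        ["CONNECT", "QUERY_DDL", "QUERY_DCL"], query_log_limit=4096,
        exclude_users=["rdsadmin"])
    enable_audit_logging(boto3.client("rds"), "mydbinstance", "mysql57-audit",
                         "mysql", "5.7", settings)
```

Running the script needs AWS credentials with RDS permissions and changes a live instance; ApplyImmediately=True applies the option group and the log export outside the maintenance window. Raising SERVER_AUDIT_QUERY_LOG_LIMIT above the 1024-character default keeps long statements intact in the log, at the cost of larger log volume.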

After you enable audit logging and modify the instance to export logs, events recorded in the audit log are sent to CloudWatch, where you can monitor the log events and build alarms on them.
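What monitoring the exported events can look like, as an added example that is not part of the original article: a parser for MariaDB Audit Plugin records, in the plugin's documented file format (timestamp, serverhost, username, host, connectionid, queryid, operation, database, object, retcode), and a small analysis over them that reports repeated failed connections, privilege or account changes, and query text that reached the SERVER_AUDIT_QUERY_LOG_LIMIT and may therefore have been cut off. The sample records, host names, user names and the thresholds are constructed for illustration.

```python
"""Parse MariaDB Audit Plugin records (the lines that land in the CloudWatch
'audit' log stream) and flag activity worth an alert. Added example with
constructed sample lines; field order per the plugin's file format:
timestamp,serverhost,username,host,connectionid,queryid,operation,database,object,retcode
"""
import re
from collections import Counter

DEFAULT_QUERY_LOG_LIMIT = 1024  # SERVER_AUDIT_QUERY_LOG_LIMIT default

# Account or privilege changes: each one is a finding, whoever ran it.
PRIV_CHANGE = re.compile(
    r"^\s*(GRANT|REVOKE|CREATE\s+USER|DROP\s+USER|ALTER\s+USER|SET\s+PASSWORD|RENAME\s+USER)\b",
    re.IGNORECASE)
# Escapes the plugin writes inside the quoted query text.
_UNESCAPE = {"\\'": "'", "\\\\": "\\", "\\n": "\n", "\\r": "\r", "\\t": "\t"}


def parse_audit_line(line):
    """Split one record into a dict.

    Only the first eight fields and the trailing retcode are comma-free, so the
    record is cut from both ends; whatever sits in the middle is the object
    (quoted query text can contain commas and escaped quotes, so a plain
    split(',') would shred it).
    """
    head = line.rstrip("\n").split(",", 8)
    if len(head) != 9:
        raise ValueError(f"malformed audit record: {line!r}")
    obj, _, retcode = head[8].rpartition(",")
    if len(obj) >= 2 and obj[0] == obj[-1] == "'":
        obj = re.sub(r"\\(.)", lambda m: _UNESCAPE.get(m.group(0), m.group(1)),
                     obj[1:-1])
    keys = ("timestamp", "serverhost", "username", "host", "connectionid",
            "queryid", "operation", "database")
    rec = dict(zip(keys, head[:8]))
    rec["object"] = obj
    rec["retcode"] = int(retcode) if retcode.isdigit() else None  # TABLE rows have none
    return rec


def analyze(lines, failed_login_threshold=3, query_log_limit=DEFAULT_QUERY_LOG_LIMIT):
    """Return (kind, username, detail) findings for a batch of audit lines."""
    findings = []
    failed = Counter()
    for rec in map(parse_audit_line, lines):
        op, q = rec["operation"], rec["object"]
        if op == "CONNECT" and rec["retcode"] not in (0, None):
            failed[(rec["username"], rec["host"])] += 1  # non-zero retcode: login refused
        elif op == "QUERY":
            if PRIV_CHANGE.match(q):
                findings.append(("privilege_change", rec["username"], q))
            if len(q) >= query_log_limit:
                # At the configured limit the plugin cut the statement off: the
                # record shows only its start, so the rest must come from elsewhere.
                findings.append(("truncated_query", rec["username"], q[:40] + "..."))
    for (user, host), n in failed.items():
        if n >= failed_login_threshold:
            findings.append(("failed_logins", user, f"{n} failed connections from {host}"))
    return findings


# Constructed sample records (not real log data). The plugin escapes a quote
# inside query text as backslash-quote, spelled \\' in this Python literal.
SAMPLE = """\
20190730 12:34:56,ip-10-0-0-1,app,10.0.0.5,12,0,CONNECT,,,0
20190730 12:34:58,ip-10-0-0-1,app,10.0.0.5,12,5,QUERY,shop,'SELECT id, name FROM customers WHERE id = 7',0
20190730 12:35:01,ip-10-0-0-1,admin,203.0.113.9,13,0,CONNECT,,,1045
20190730 12:35:02,ip-10-0-0-1,admin,203.0.113.9,14,0,CONNECT,,,1045
20190730 12:35:03,ip-10-0-0-1,admin,203.0.113.9,15,0,CONNECT,,,1045
20190730 12:35:20,ip-10-0-0-1,admin,203.0.113.9,16,0,CONNECT,,,0
20190730 12:35:25,ip-10-0-0-1,admin,203.0.113.9,16,3,QUERY,,'GRANT ALL PRIVILEGES ON *.* TO \\'bd\\'@\\'%\\'',0
20190730 12:35:30,ip-10-0-0-1,admin,203.0.113.9,16,4,TABLE,mysql,user,
20190730 12:35:31,ip-10-0-0-1,app,10.0.0.5,12,6,DISCONNECT,,,0
"""
# A statement whose logged text is exactly the default limit long.
_long_query = "SELECT " + "x" * (DEFAULT_QUERY_LOG_LIMIT - 7)
LONG_LINE = "20190730 12:36:00,ip-10-0-0-1,app,10.0.0.5,12,7,QUERY,shop,'%s',0" % _long_query
SAMPLE_LINES = SAMPLE.splitlines() + [LONG_LINE]

if __name__ == "__main__":
    for kind, user, detail in analyze(SAMPLE_LINES):
        print(f"{kind:16} {user:8} {detail}")
```

The same three checks translate directly into CloudWatch Logs metric filters or a Logs Insights query once the audit stream is in CloudWatch; the parser here is what you need when pulling the raw records out for an investigation, because the quoted query text is the one field a naive comma split gets wrong.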
