How can I enable logs on an Aurora Serverless cluster so I can view and download the logs?

Last updated: 2020-04-06

I want to audit database activity to meet compliance requirements for my Amazon Aurora Serverless clusters that run MySQL or PostgreSQL. Then I want to publish the logs to Amazon CloudWatch to view or download them. How can I do that?

Short Description

For MySQL-compatible DB clusters, you can enable the slow query log, general log, or audit logs. For PostgreSQL-compatible DB clusters, you can control the level of logging by using the log_statement parameter.

By design, Aurora Serverless connects to a proxy fleet of DB instances that scales automatically. Because there isn't a direct DB instance to access and host the log files, you can't view the logs directly from the Amazon Relational Database Service (Amazon RDS) console. However, you can view and download logs that are sent to the CloudWatch console.

To enable Advanced Auditing, see How can I enable Advanced Auditing for my Amazon Aurora MySQL DB cluster and then publish the logs to CloudWatch?

Resolution

To enable logs, first modify the cluster parameter groups for an Aurora Serverless cluster. Aurora Serverless then automatically uploads the logs to CloudWatch. For MySQL-compatible DB clusters, use an Aurora MySQL 5.6 cluster parameter group family. For PostgreSQL-compatible DB clusters, use an Aurora PostgreSQL 10 cluster parameter group family.

Enabling the logging for Aurora Serverless

  1. Create a custom DB cluster parameter group.
  2. Modify the DB Cluster Parameter Group values. For MySQL-compatible clusters, the error log is enabled by default. To enable the slow query and general logs, modify the following parameters:
    general_log=1
    slow_query_log=1
    For PostgreSQL-compatible clusters, the log_statement parameter controls which SQL statements are logged, and the default value is none. Modify the following parameter to log the query and error logs:
    log_statement=all
    Tip: It's a best practice to set this parameter to all to log all statements when you debug issues in your DB instance. To log all data definition language (DDL) statements (such as CREATE, ALTER, and DROP), set the parameter value to ddl. To log all DDL and data modification language (DML) statements (such as INSERT, UPDATE, and DELETE), set the parameter value to mod.
  3. Modify your DB cluster to use the custom DB parameter group that you created in step 2.

After you modify your DB cluster to use a new custom DB parameter group, you must reboot the cluster to apply the changes.
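
The following Python code is an added example, not part of the original article or of any AWS tool. It checks a cluster parameter group's settings against the logging values from the steps above and builds the change needed to close any gap. The function names (logging_gaps, fix_payload, audit_live) and the sample data are assumptions made for this example.

```python
# Added example, not AWS code. Required values come from the steps above.
REQUIRED = {
    "mysql": {"general_log": "1", "slow_query_log": "1"},
    "postgresql": {"log_statement": "all"},
}

def logging_gaps(engine, parameters):
    """Return {name: (current, required)} for logging parameters not at the required value.

    `parameters` has the shape of the "Parameters" list returned by the RDS
    DescribeDBClusterParameters API: dicts with ParameterName and, when a
    value is set, ParameterValue.
    """
    current = {p["ParameterName"]: p.get("ParameterValue") for p in parameters}
    gaps = {}
    for name, want in REQUIRED[engine].items():
        have = current.get(name)
        if have is None or have.lower() != want:
            gaps[name] = (have, want)
    return gaps

def fix_payload(gaps):
    """Build the Parameters argument for ModifyDBClusterParameterGroup."""
    # pending-reboot is accepted for both static and dynamic parameters.
    return [{"ParameterName": name, "ParameterValue": want, "ApplyMethod": "pending-reboot"}
            for name, (_, want) in sorted(gaps.items())]

def audit_live(engine, group_name):
    """Run the same check against a real group (needs boto3 and AWS credentials)."""
    import boto3  # imported here so the offline demo below has no dependencies
    pages = boto3.client("rds").get_paginator("describe_db_cluster_parameters").paginate(
        DBClusterParameterGroupName=group_name)
    return logging_gaps(engine, [p for page in pages for p in page["Parameters"]])

# Constructed sample data, not output from a real cluster.
SAMPLE_MYSQL = [
    {"ParameterName": "general_log", "ParameterValue": "1"},
    {"ParameterName": "slow_query_log", "ParameterValue": "0"},
    {"ParameterName": "long_query_time"},  # unset parameters carry no value
]
SAMPLE_PG = [{"ParameterName": "log_statement", "ParameterValue": "ddl"}]

if __name__ == "__main__":
    for engine, sample in (("mysql", SAMPLE_MYSQL), ("postgresql", SAMPLE_PG)):
        gaps = logging_gaps(engine, sample)
        print(engine, "gaps:", gaps)
        print(engine, "fix: ", fix_payload(gaps))
```

An empty result from logging_gaps means the parameter group already matches the settings in step 2.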

Viewing the logs in CloudWatch

Because Aurora Serverless automatically publishes these logs to CloudWatch, you can view and download the logs in the CloudWatch console:

  1. Open the CloudWatch console.
  2. Choose Log groups from the navigation pane.
  3. Select the appropriate log group from the list.

For more information, see Monitoring Log Events in Amazon CloudWatch.