
Cloud Device Configuration : AWS RDS Audit Logs

 

Overview

Use Advanced Auditing with Amazon Aurora to record and audit database events such as connections, disconnections, tables queried, or types of queries issued (DML, DDL, or DCL) on an Aurora MySQL DB cluster. For more information about the type of information included in the log files, see Audit Log Details.

First, enable the Advanced Auditing parameters on the associated custom DB cluster parameter group. Then, you can publish the Advanced Auditing logs to CloudWatch.

Enabling Advanced Auditing parameters on the cluster parameter group

Steps

 

  1. Create a custom DB cluster parameter group.

     

  2. Modify the parameters for Advanced Auditing.

    1. Use the server_audit_logging parameter to enable or disable Advanced Auditing. This parameter defaults to OFF; set it to ON to enable Advanced Auditing.

    2. Use the server_audit_events parameter to specify which events to log. Its value is a comma-delimited list of events. Events must be specified in all caps, with no white space between the list elements. Set it to CONNECT,QUERY.

  3. Modify the cluster to associate the new custom DB parameter group with your Aurora MySQL DB cluster.

     

For details about the Advanced Auditing parameters, see Enabling Advanced Auditing. These parameters are dynamic, so you don't need to reboot your DB cluster. However, when you change the parameter group from default to a custom parameter group, you must manually reboot the DB instance to apply the new DB parameter group.

Publishing the Advanced Auditing logs to CloudWatch

  1. Open the Amazon RDS console.

  2. Choose Databases from the navigation pane.

  3. Select the Aurora MySQL DB cluster for which you want to export log data to CloudWatch.

  4. Choose Modify.

  5. From the Log exports section, select Audit log.

  6. Choose Continue.

  7. Review the Summary of modifications, and choose Modify cluster.

The AWS RDS audit logs will be stored in the CloudWatch log group:

/aws/rds/cluster/<database-name>/audit (note this down; it is needed later)
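
A read-only check that the settings from the two procedures above are in effect, as an added example (not Seceon or AWS code). It inspects the JSON returned by `aws rds describe-db-clusters` and `aws rds describe-db-cluster-parameters`; the function names and the sample responses are constructed for illustration, and accepting `1` as well as `ON` for server_audit_logging is an assumption.

```python
import re

REQUIRED_EVENTS = {"CONNECT", "QUERY"}  # the value this article says to set

def audit_gaps(cluster, parameters):
    """Return a list of findings; an empty list means the cluster matches the article.

    cluster    -- one entry of DBClusters from `aws rds describe-db-clusters`
    parameters -- the Parameters list from `aws rds describe-db-cluster-parameters`
    """
    values = {p["ParameterName"]: p.get("ParameterValue") or "" for p in parameters}
    gaps = []
    # Assumption: the switch may be reported as 1 or ON depending on how it was set.
    if values.get("server_audit_logging", "").upper() not in {"1", "ON"}:
        gaps.append("server_audit_logging is not enabled")
    events = values.get("server_audit_events", "")
    if re.search(r"\s", events) or events != events.upper():
        gaps.append("server_audit_events must be upper case with no white space")
    missing = REQUIRED_EVENTS - set(re.sub(r"\s", "", events.upper()).split(","))
    if missing:
        gaps.append("server_audit_events is missing: " + ",".join(sorted(missing)))
    # Default cluster parameter groups are named default.<family> and cannot be edited.
    if str(cluster.get("DBClusterParameterGroup", "")).startswith("default."):
        gaps.append("cluster still uses a default parameter group")
    if "audit" not in cluster.get("EnabledCloudwatchLogsExports", []):
        gaps.append("audit log export to CloudWatch is not selected")
    return gaps

def audit_log_group(cluster):
    # Log group name in the form given in this article.
    return "/aws/rds/cluster/{}/audit".format(cluster["DBClusterIdentifier"])

# Constructed sample responses (not captured from a real account).
SAMPLE_CLUSTER = {
    "DBClusterIdentifier": "example-aurora",
    "DBClusterParameterGroup": "example-audit-params",
    "EnabledCloudwatchLogsExports": ["audit"],
}
SAMPLE_PARAMETERS = [
    {"ParameterName": "server_audit_logging", "ParameterValue": "1"},
    {"ParameterName": "server_audit_events", "ParameterValue": "CONNECT,QUERY"},
]

if __name__ == "__main__":
    for finding in audit_gaps(SAMPLE_CLUSTER, SAMPLE_PARAMETERS) or ["no gaps found"]:
        print(finding)
    print("log group to provision:", audit_log_group(SAMPLE_CLUSTER))
```

An empty findings list means the log group name returned by `audit_log_group` is the one to enter as Storage Name during provisioning.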

 

Provision on the Seceon OTM UI

Now provision this CloudWatch log group in Settings:

Provisioning > Cloud Device > AWS Configuration

Configure Audit Services (RDS Audit) - Add

Access Key ID - Enter AWS IAM user Access Key ID

Secret Access Key - Enter AWS IAM user Secret Access Key

Region - Enter AWS region

Storage Type - Choose Cloudwatch Logs

Storage Name - Enter AWS Cloudwatch Log group

CCE IP - Enter CCE IP

 

Verification

 

STEP 1: Log in to the UI >> SYSTEM >> LOGS AND FLOWS COLLECTION STATUS.

STEP 2: >> LOGS AND FLOWS COLLECTION STATUS .

 

 

Seceon Inc. All rights reserved. https://www.seceon.com