Amazon Relational Database Service
User Guide (API Version 2014-10-31)

Using Advanced Auditing in an Amazon Aurora DB Cluster

You can use the high-performance Advanced Auditing feature in Amazon Aurora to audit database activity. To do so, you enable the collection of audit logs by setting several DB cluster parameters. When Advanced Auditing is enabled, you can use it to log any combination of supported events. You can view or download the audit logs to review them.

You must be using Aurora 1.10.1 or greater to use Advanced Auditing.

Enabling Advanced Auditing

Use the parameters described in this section to enable and configure Advanced Auditing for your DB cluster.

Use the server_audit_logging parameter to enable or disable Advanced Auditing, and the server_audit_events parameter to specify what events to log.

Use the server_audit_excl_users and server_audit_incl_users parameters to specify who gets audited. If server_audit_excl_users and server_audit_incl_users are both empty (the default), all users are audited. If you add users to server_audit_incl_users and leave server_audit_excl_users empty, then only those users are audited. If you add users to server_audit_excl_users and leave server_audit_incl_users empty, then those users are not audited and all other users are. If you add the same users to both server_audit_excl_users and server_audit_incl_users, then those users are audited, because server_audit_incl_users is given higher priority.

Configure Advanced Auditing by setting these parameters in the parameter group used by your DB cluster. You can use the procedure shown in Modifying Parameters in a DB Parameter Group to modify DB cluster parameters using the AWS Management Console. You can use the modify-db-cluster-parameter-group AWS CLI command or the ModifyDBClusterParameterGroup Amazon RDS API command to modify DB cluster parameters programmatically.

Modifying these parameters doesn't require a DB cluster restart.

server_audit_logging

Enables or disables Advanced Auditing. This parameter defaults to OFF; set it to ON to enable Advanced Auditing.

server_audit_events

Contains the comma-delimited list of events to log. Events must be specified in all caps, and there should be no white space between the list elements, for example: CONNECT,QUERY_DDL. This parameter defaults to an empty string.

You can log any combination of the following events:

  • CONNECT – Logs both successful and failed connections and also disconnections. This event includes user information.

  • QUERY – Logs all query text and query results in plain text, including queries that fail due to syntax or permission errors.

  • QUERY_DCL – Similar to the QUERY event, but returns only data control language (DCL) queries (GRANT, REVOKE, and so on).

  • QUERY_DDL – Similar to the QUERY event, but returns only data definition language (DDL) queries (CREATE, ALTER, and so on).

  • QUERY_DML – Similar to the QUERY event, but returns only data manipulation language (DML) queries (INSERT, UPDATE, and so on).

  • TABLE – Logs the tables that were affected by query execution.

server_audit_excl_users

Contains the comma-delimited list of users whose activity isn't logged. There should be no white space between the list elements, for example: user_1,user_2. This parameter defaults to an empty string. Connect and disconnect events aren't affected by this variable; they are always logged if specified. A user is logged if that user is also specified in the server_audit_incl_users parameter, because that setting has higher priority than server_audit_excl_users.

server_audit_incl_users

Contains the comma-delimited list of users whose activity is logged. There should be no white space between the list elements, for example: user_1,user_2. This parameter defaults to an empty string. Connect and disconnect events aren't affected by this variable; they are always logged if specified. A user is logged even if that user is also specified in the server_audit_excl_users parameter, because server_audit_incl_users has higher priority.
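The following is an added example (not Aurora code) that models the filtering rules described for server_audit_events, server_audit_incl_users and server_audit_excl_users: the incl/excl precedence, connect events ignoring the user lists, and the validation that event names are upper case with no white space. The mapping from a statement's first keyword to a QUERY_DCL/QUERY_DDL/QUERY_DML category is an assumption based on the examples given above.

```python
# Added example (not Aurora code): a model of the filtering rules the
# server_audit_events, server_audit_incl_users and server_audit_excl_users
# parameters apply. STATEMENT_CLASS is an assumed mapping.
SUPPORTED_EVENTS = {"CONNECT", "QUERY", "QUERY_DCL", "QUERY_DDL", "QUERY_DML", "TABLE"}

STATEMENT_CLASS = {          # first keyword of a statement -> QUERY_* suffix
    "GRANT": "DCL", "REVOKE": "DCL",
    "CREATE": "DDL", "ALTER": "DDL", "DROP": "DDL", "RENAME": "DDL",
    "INSERT": "DML", "UPDATE": "DML", "DELETE": "DML", "SELECT": "DML",
}

def parse_user_list(value):
    """Comma-delimited user list; the empty string (the default) means no users."""
    return set(value.split(",")) if value else set()

def parse_audit_events(value):
    """Validate server_audit_events: all caps, no white space, supported names."""
    if value == "":
        return set()
    events = value.split(",")
    for e in events:
        if e != e.strip() or e != e.upper() or e not in SUPPORTED_EVENTS:
            raise ValueError(f"invalid server_audit_events element: {e!r}")
    return set(events)

def user_is_audited(user, incl_users, excl_users):
    """Apply the incl/excl precedence rules: incl_users always wins."""
    incl, excl = parse_user_list(incl_users), parse_user_list(excl_users)
    if user in incl:            # in incl_users: audited, even if also in excl_users
        return True
    if incl:                    # incl_users non-empty: only those users are audited
        return False
    return user not in excl     # only excl_users set: everyone else is audited

def is_logged(event, user, *, audit_events, incl_users="", excl_users="", statement=""):
    """True if this event would be written to the audit log.
    event is CONNECT, TABLE or QUERY; for QUERY pass the statement text."""
    enabled = parse_audit_events(audit_events)
    if event == "CONNECT":      # connect/disconnect ignore the user lists
        return "CONNECT" in enabled
    if not user_is_audited(user, incl_users, excl_users):
        return False
    if event == "TABLE":
        return "TABLE" in enabled
    if event == "QUERY":
        keyword = statement.split(None, 1)[0].upper() if statement.strip() else ""
        category = STATEMENT_CLASS.get(keyword)
        return "QUERY" in enabled or f"QUERY_{category}" in enabled
    raise ValueError(f"unknown event type: {event!r}")
```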

Viewing Audit Logs

You can view and download the audit logs by using the AWS console. On the Instances page, select and expand the DB cluster, then choose Logs.

To download a log file, locate that file in the Logs section and then choose download.

You can also get a list of the log files by using the describe-db-log-files AWS CLI command. You can view the content of a log file by using the download-db-log-file-portion AWS CLI command, and download a log file by using the DownloadCompleteDBLogFile REST API.

Audit Log Details

Log files are in UTF-8 format. Logs are written in multiple files, the number of which varies based on instance size. To see the latest events, you might have to review all of the audit log files.

Log entries are not in sequential order. You can use the queryid value for ordering.

Log files are rotated when they reach 100 MB in aggregate. This limit is not configurable.

The audit log files include the following information in rows in the specified order:

  • timestamp – The Unix time stamp for the logged event with microsecond precision.

  • serverhost – The name of the instance that the event is logged for.

  • username – The connected user.

  • host – The host that the user connected from.

  • connectionid – The connection ID number for the logged operation.

  • queryid – The query ID number, which can be used for finding the relational table events and related queries. For TABLE events, multiple lines are added.

  • operation – The recorded action type. Possible values are: CONNECT, QUERY, READ, WRITE, CREATE, ALTER, RENAME, and DROP.

  • database – The active database, as set by the USE command.

  • object – For QUERY events, this value indicates the executed query. For TABLE events, it indicates the table name.

  • retcode – The return code of the logged operation.
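The following is an added example (not AWS code) that parses audit log rows in the field order listed above, orders them by queryid as the page recommends, and joins TABLE rows to the QUERY row they belong to. It assumes one comma-separated row per line with the object field single-quoted (query text may itself contain commas); the sample rows, including the instance name and return code, are constructed.

```python
# Added example (not AWS code): parse Aurora audit log rows and order them by
# queryid. Assumes comma-separated rows in the field order listed above, with
# the object field single-quoted (it may contain commas); SAMPLE_LOG is constructed.
from dataclasses import dataclass

TABLE_OPERATIONS = {"READ", "WRITE", "CREATE", "ALTER", "RENAME", "DROP"}

@dataclass
class AuditEntry:
    timestamp: int      # Unix time with microsecond precision
    serverhost: str
    username: str
    host: str
    connectionid: int
    queryid: int
    operation: str
    database: str
    object: str         # query text (QUERY) or table name (TABLE)
    retcode: int

def parse_audit_line(line):
    """The first eight fields never contain commas and retcode is always last,
    so split from the left for those and from the right for retcode."""
    parts = line.rstrip("\n").split(",", 8)
    if len(parts) != 9:
        raise ValueError(f"malformed audit row: {line!r}")
    obj, retcode = parts[8].rsplit(",", 1)
    if len(obj) >= 2 and obj[0] == obj[-1] == "'":
        obj = obj[1:-1]                         # strip the quotes around object
    return AuditEntry(int(parts[0]), parts[1], parts[2], parts[3], int(parts[4]),
                      int(parts[5]), parts[6], parts[7], obj, int(retcode))

def load_entries(text):
    """Rows arrive unordered across files; order by queryid, then timestamp."""
    entries = [parse_audit_line(l) for l in text.splitlines() if l.strip()]
    return sorted(entries, key=lambda e: (e.queryid, e.timestamp))

def tables_for_query(entries, queryid):
    """TABLE rows sharing a queryid with a QUERY row name the tables it touched."""
    return sorted(e.object for e in entries
                  if e.queryid == queryid and e.operation in TABLE_OPERATIONS)

SAMPLE_LOG = """\
1533061722211486,aurora-instance-1,admin,10.0.0.5,12,1253,QUERY,appdb,'UPDATE accounts SET balance = 0, flagged = 1 WHERE id = 7',0
1533061722210901,aurora-instance-1,admin,10.0.0.5,12,1253,WRITE,appdb,'accounts',0
1533061721000123,aurora-instance-1,reporter,10.0.0.9,15,1250,QUERY,appdb,'SELECT * FROM payroll',1142
1533061700000000,aurora-instance-1,reporter,10.0.0.9,15,0,CONNECT,,'',0
"""
```

Rows with a non-zero retcode (such as the rejected SELECT above) are the ones worth alerting on first when reviewing the ordered entries.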