Amazon Relational Database Service
User Guide (API Version 2014-10-31)

Publishing Amazon Aurora MySQL Logs to Amazon CloudWatch Logs

You can configure your Aurora MySQL DB cluster to publish general, slow, audit, and error log data to a log group in Amazon CloudWatch Logs. With CloudWatch Logs, you can perform real-time analysis of the log data, and use CloudWatch to create alarms and view metrics. You can use CloudWatch Logs to store your log records in highly durable storage.

To publish logs to CloudWatch Logs, the respective logs must be enabled. Error logs are enabled by default, but you must enable the other types of logs explicitly. For information about enabling logs in MySQL, see Selecting General Query and Slow Query Log Output Destinations in the MySQL documentation. For more information about enabling audit logs, see Enabling Advanced Auditing.

Note

Be aware of the following:

  • If exporting log data is disabled, Aurora doesn't delete existing log groups or log streams. Existing log data remains available in CloudWatch Logs, depending on log retention, and you still incur charges for stored audit log data. You can delete log streams and log groups using the CloudWatch Logs console, the AWS CLI, or the CloudWatch Logs API.

  • An alternative way to publish audit logs to CloudWatch Logs is by enabling advanced auditing and setting the cluster-level DB parameter server_audit_logs_upload to 1. The default for the server_audit_logs_upload parameter is 0.

    If you use this alternative method, you must have an IAM role to access CloudWatch Logs and set the aws_default_logs_role cluster-level parameter to the ARN for this role. For information about creating the role, see Setting Up IAM Roles to Access AWS Services. However, if you have the AWSServiceRoleForRDS service-linked role, it provides access to CloudWatch Logs and overrides any custom-defined roles. For information about service-linked roles for Amazon RDS, see Using Service-Linked Roles for Amazon RDS.

  • If you don't want to export audit logs to CloudWatch Logs, make sure that all methods of exporting audit logs are disabled. These methods are the AWS Management Console, the AWS CLI, the RDS API, and the server_audit_logs_upload parameter.

Publishing Aurora MySQL Logs to CloudWatch Logs with the AWS Management Console

You can publish Aurora MySQL logs to CloudWatch Logs with the console.

To publish Aurora MySQL logs from the console

  1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/.

  2. In the navigation pane, choose Clusters.

  3. Choose the Aurora MySQL DB cluster that you want to publish the log data for.

  4. For Actions, choose Modify cluster.

  5. In the Log exports section, choose the logs that you want to start publishing to CloudWatch Logs.

  6. Choose Continue, and then choose Modify DB Cluster on the summary page.

Publishing Aurora MySQL Logs to CloudWatch Logs with the CLI

You can publish Aurora MySQL logs with the AWS CLI. You can run the modify-db-cluster AWS CLI command with the following options:

  • --db-cluster-identifier—The DB cluster identifier.

  • --cloudwatch-logs-export-configuration—The configuration setting for the log types to be enabled for export to CloudWatch Logs for the DB cluster.

You can also publish Aurora MySQL logs by running one of the following AWS CLI commands:

Run one of these AWS CLI commands with the following options:

  • --db-cluster-identifier—The DB cluster identifier.

  • --engine—The database engine.

  • --enable-cloudwatch-logs-exports—The configuration setting for the log types to be enabled for export to CloudWatch Logs for the DB cluster.

Other options might be required depending on the AWS CLI command that you run.

The following command modifies an existing Aurora MySQL DB cluster to publish log files to CloudWatch Logs.

For Linux, OS X, or Unix:

aws rds modify-db-cluster \
    --db-cluster-identifier mydbcluster \
    --cloudwatch-logs-export-configuration '{"EnableLogTypes":["error","general","slowquery","audit"]}'

For Windows:

aws rds modify-db-cluster ^
    --db-cluster-identifier mydbcluster ^
    --cloudwatch-logs-export-configuration "{\"EnableLogTypes\":[\"error\",\"general\",\"slowquery\",\"audit\"]}"

The following command creates an Aurora MySQL DB cluster to publish log files to CloudWatch Logs.

For Linux, OS X, or Unix:

aws rds create-db-cluster \
    --db-cluster-identifier mydbcluster \
    --engine aurora \
    --enable-cloudwatch-logs-exports '["error","general","slowquery","audit"]'

For Windows:

aws rds create-db-cluster ^
    --db-cluster-identifier mydbcluster ^
    --engine aurora ^
    --enable-cloudwatch-logs-exports "[\"error\",\"general\",\"slowquery\",\"audit\"]"

Publishing Aurora MySQL Logs to CloudWatch Logs with the RDS API

You can publish Aurora MySQL logs with the RDS API. You can run the ModifyDBCluster action with the following options:

  • DBClusterIdentifier—The DB cluster identifier.

  • CloudwatchLogsExportConfiguration—The configuration setting for the log types to be enabled for export to CloudWatch Logs for the DB cluster.

You can also publish Aurora MySQL logs with the RDS API by running one of the following RDS API actions:

Run the RDS API action with the following parameters:

  • DBClusterIdentifier—The DB cluster identifier.

  • Engine—The database engine.

  • EnableCloudwatchLogsExports—The configuration setting for the log types to be enabled for export to CloudWatch Logs for the DB cluster.

Other parameters might be required depending on the RDS API action that you run.

Monitoring Log Events in Amazon CloudWatch

After enabling Aurora MySQL log events, you can monitor the events in Amazon CloudWatch Logs. A new log group is automatically created for the Aurora DB cluster under the following prefix, in which cluster-name represents the DB cluster name, and log_type represents the log type.

/aws/rds/cluster/cluster-name/log_type

For example, if you configure the export function to include the slow query log for a DB cluster named mydbcluster, slow query data is stored in the /aws/rds/cluster/mydbcluster/slowquery log group.

All of the events from all of the DB instances in a DB cluster are pushed to a log group using different log streams.

If a log group with the specified name exists, Aurora uses that log group to export log data for the Aurora DB cluster. You can use automated configuration, such as AWS CloudFormation, to create log groups with predefined log retention periods, metric filters, and customer access. Otherwise, a new log group is automatically created using the default log retention period, Never Expire, in CloudWatch Logs. You can use the CloudWatch Logs console, the AWS CLI, or the CloudWatch Logs API to change the log retention period. For more information about changing log retention periods in CloudWatch Logs, see Change Log Data Retention in CloudWatch Logs.
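The following is an added example, not part of the AWS guide: a Python review of log export coverage that applies the log group naming rule, the Never Expire default, and the note that disabling export leaves log groups in place. It assumes you have saved the output of aws rds describe-db-clusters and aws logs describe-log-groups; the sample data, the reportingcluster name, and the required log types are constructed for illustration.

```python
import json

# Constructed sample of `aws rds describe-db-clusters` output (trimmed).
CLUSTERS = json.loads("""{"DBClusters": [
  {"DBClusterIdentifier": "mydbcluster",
   "EnabledCloudwatchLogsExports": ["error", "slowquery"]},
  {"DBClusterIdentifier": "reportingcluster"}
]}""")

# Constructed sample of `aws logs describe-log-groups` output (trimmed).
# A group with no retentionInDays key never expires.
LOG_GROUPS = json.loads("""{"logGroups": [
  {"logGroupName": "/aws/rds/cluster/mydbcluster/error", "retentionInDays": 90},
  {"logGroupName": "/aws/rds/cluster/mydbcluster/slowquery"},
  {"logGroupName": "/aws/rds/cluster/mydbcluster/audit", "retentionInDays": 30}
]}""")

PREFIX = "/aws/rds/cluster/"  # /aws/rds/cluster/cluster-name/log_type

def review_exports(clusters, log_groups, required=("audit", "error")):
    """Return sorted (cluster, log_type, finding) tuples.

    `required` is an assumed policy, not an AWS default.
    """
    groups = {g["logGroupName"]: g for g in log_groups["logGroups"]}
    findings = []
    for cluster in clusters["DBClusters"]:
        cid = cluster["DBClusterIdentifier"]
        enabled = set(cluster.get("EnabledCloudwatchLogsExports", []))
        for log_type in set(required) - enabled:
            findings.append((cid, log_type, "export not enabled"))
        for log_type in enabled:
            group = groups.get(f"{PREFIX}{cid}/{log_type}")
            if group is None:
                findings.append((cid, log_type, "log group not created yet"))
            elif "retentionInDays" not in group:
                findings.append((cid, log_type, "retention is Never Expire"))
        # Disabling export leaves the log group and its stored data in place.
        # The server_audit_logs_upload parameter is not inspected here, so
        # check it separately before treating an audit group as stale.
        for name in groups:
            if name.startswith(f"{PREFIX}{cid}/"):
                log_type = name.rsplit("/", 1)[1]
                if log_type not in enabled:
                    findings.append((cid, log_type, "export off, log group remains"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in review_exports(CLUSTERS, LOG_GROUPS):
        print(*finding, sep="\t")
```
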

You can use the CloudWatch Logs console, the AWS CLI, or the CloudWatch Logs API to search for information within the log events for a DB cluster. For more information about searching and filtering log data, see Searching and Filtering Log Data.