Amazon Neptune
User Guide (API Version 2017-11-29)

Using Audit Logs with Amazon Neptune Clusters

To audit Amazon Neptune DB cluster activity, enable the collection of audit logs by setting a DB cluster parameter. When audit logs are enabled, you can use it to log any combination of supported events. You can view or download the audit logs to review them.

Enabling Audit Logs

Use the parameter described in this section to enable and configure audit logs for your DB cluster.

Use the neptune_enable_audit_log parameter to enable (1) or disable (0) audit logs.

Configure audit logs by setting these parameters in the parameter group that is used by your DB cluster. You can use the procedure shown in Editing a DB Cluster Parameter Group or DB Parameter Group to modify DB cluster parameters using the AWS Management Console. To modify DB cluster parameters programmatically, use the modify-db-cluster-parameter-group AWS CLI command or the ModifyDBClusterParameterGroup API command.

Modifying these parameters doesn't require a DB cluster restart.

Viewing Audit Logs

You can view and download the audit logs by using the AWS Management Console. On the Instances page, choose the DB instance to show its details, and then scroll to the Logs section.

To download a log file, select that file in the Logs section, and then choose Download.

Audit Log Details

Log files are in UTF-8 format. Logs are written in multiple files, the number of which varies based on the instance size. To see the latest events, you might have to review all the audit log files.

Log entries are not in sequential order. You can use the timestamp value for ordering.

Log files are rotated when they reach 100 MB in aggregate. This limit is not configurable.

The audit log files include the following comma-delimited information in rows, in the specified order:

Field Description


The Unix timestamp for the logged event with microsecond precision.


The hostname or IP of the instance that the event is logged for.


The hostname or IP that the user connected from.


The connection type. Can be Websocket, HTTP_POST, or HTTP_GET.


The raw request message that was sent to the Neptune endpoint.

IAM User ARN The ARN of the IAM user in the following format: arn:partition:service:region:account:resource. For example: arn:aws:iam::123456789012:user/Anna.

Empty if IAM authentication is disabled.

Auth Context

Contains a serialized JSON object that has authentication information. The field authenticationSucceeded is True if the user was authenticated.

Empty if IAM authentication is disabled.

HttpHeader The HTTP header information. Can contain a query. Empty for WebSocket connections.
Payload The Gremlin or SPARQL query.