How can I receive SNS notifications about Amazon RDS for SQL Server error and agent log events that match a CloudWatch filter pattern?
I have an Amazon Relational Database Service (Amazon RDS) DB instance that runs SQL Server. I want to create Amazon CloudWatch alarms and Amazon Simple Notification Service (Amazon SNS) topics so that I'm notified about SQL Server error and agent log events that match specific CloudWatch filter patterns. How can I do this?
After the Amazon RDS for SQL Server log data is published to CloudWatch, you can create metric filters to search and filter the logs. Metric filters define the terms and patterns that are searched for in the log data as it is sent to Amazon CloudWatch Logs. Then, CloudWatch Logs uses the metric filters to turn log data into numerical CloudWatch metrics that you can set alarms for. You can use any type of CloudWatch statistic, including percentile statistics, when viewing these metrics or setting alarms. For more information, see Creating metrics from log events using filters.
You can create filter patterns such as "Login failed for user" to identify failed login attempts. Or, you can create a filter for "I/O requests taking longer than 15 seconds to complete" to identify I/O bottlenecks or disk bottlenecks.
The following example uses a metric filter to search for and count events that include the term "Login failed for user" to track failed login attempts.
From the Period dropdown list, select the evaluation period. The default period is 5 minutes.
From the Conditions section, choose the following: Threshold type - Static. Whenever test is - Greater > threshold. Than - Enter 10.
Expand the Additional configuration section. For Datapoints to alarm, enter the number of evaluation periods (data points) that must be in the ALARM state to trigger the alarm.
From Missing data treatment, select Treat missing data as missing.
From the Notification section, under Select an SNS topic, select an existing SNS topic, or create a new topic to receive notifications.
Enter the email endpoints that you want to receive the notification.
Enter the Alarm name and Alarm description, and then choose Next.
From the Preview and create page, review the Metric graph and Conditions.
Choose Create alarm.
After you complete these example steps, the alarm state is Insufficient data for the first few minutes. After the alarm has enough data, the state is OK. If more than 10 login failures occur within a 5-minute period, then the CloudWatch alarm sends an SNS notification to the email address that you specified.
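The same metric filter and alarm expressed as boto3 calls, with a local dry run that counts matches per 5-minute period. This is an added example, not part of the original article. The filter, metric, namespace and alarm names, the Sum statistic, the /aws/rds/instance/<id>/error log group name and the sample log lines are assumptions, and the dry run only approximates CloudWatch's matching of a quoted term as a case-sensitive substring.

```python
from collections import Counter
from datetime import datetime

PATTERN = '"Login failed for user"'  # quoted term: matches the exact phrase
NAMESPACE, METRIC = "Custom/RDSSQLServer", "LoginFailedCount"  # assumed names
PERIOD, THRESHOLD = 300, 10  # 5-minute period; alarm when the count is > 10
# Constructed sample: 11 failures in one period, 3 in the next, 1 unrelated line.
FAIL = "Logon Login failed for user 'app'. Reason: Password did not match. [CLIENT: 10.0.0.5]"
SAMPLE = ([(f"2024-01-01T10:0{i % 5}:{i:02d}+00:00", FAIL) for i in range(11)]
          + [(f"2024-01-01T10:06:0{i}+00:00", FAIL) for i in range(3)]
          + [("2024-01-01T10:07:00+00:00", "Server Recovery is complete.")])

def metric_filter_params(db_instance_id):
    """kwargs for logs.put_metric_filter on the instance's error log group."""
    return {
        "logGroupName": f"/aws/rds/instance/{db_instance_id}/error",
        "filterName": "sqlserver-login-failed",  # assumed name
        "filterPattern": PATTERN,
        "metricTransformations": [{"metricName": METRIC,
                                   "metricNamespace": NAMESPACE,
                                   "metricValue": "1"}],  # each match adds 1
    }

def alarm_params(sns_topic_arn, datapoints_to_alarm=1):
    """kwargs for cloudwatch.put_metric_alarm mirroring the Conditions section."""
    return {
        "AlarmName": "rds-sqlserver-login-failures",  # assumed name
        "AlarmDescription": "More than 10 failed SQL Server logins in 5 minutes",
        "Namespace": NAMESPACE, "MetricName": METRIC,
        "Statistic": "Sum",  # assumption: Sum of matches per period
        "Period": PERIOD, "EvaluationPeriods": datapoints_to_alarm,
        "DatapointsToAlarm": datapoints_to_alarm,
        "Threshold": THRESHOLD, "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "missing", "AlarmActions": [sns_topic_arn],
    }

def breaching_periods(events):
    """Dry run over (ISO timestamp, message) pairs: {period start epoch: count > 10}."""
    phrase, counts = PATTERN.strip('"'), Counter()
    for ts, msg in events:
        if phrase in msg:  # case-sensitive, like CloudWatch term matching
            epoch = int(datetime.fromisoformat(ts).timestamp())
            counts[epoch - epoch % PERIOD] += 1
    return {start: n for start, n in counts.items() if n > THRESHOLD}

def apply(db_instance_id, sns_topic_arn):
    """Create the filter and the alarm; needs AWS credentials and boto3."""
    import boto3  # imported here so the dry run works without the SDK
    boto3.client("logs").put_metric_filter(**metric_filter_params(db_instance_id))
    boto3.client("cloudwatch").put_metric_alarm(**alarm_params(sns_topic_arn))
```

Run breaching_periods on exported error-log lines before calling apply to check that a threshold of 10 does not fire on normal traffic.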