By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

understanding RDS audit log file format

0

Hi all,
accroding to this official documentation, RDS audit log has the following comma-delimited information
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Auditing.html

timestamp, serverhost, username, host, connectionid, queryid, operation, database, object, retcode

i've noticed some logs are writing "READ" in place of operation and "proc" in place of object
for example, a log might say "some timestamp, prod1, user1, xx.xxx.xxx.xxx, 23, 12, read, mysql, proc, 0
how would you interpret this particular log? and what does it tell me?

i've read the official doc but the explanation is a bit vague

appreciate your help

thanks,

Topics
Migration & ModernizationAnalyticsDatabaseManagement & Governance
Tags
Amazon Relational Database ServiceAurora MySQLAmazon CloudWatch Logs
Language
English
AWS-User-9313915
asked 2 years ago2988 views
1 Answer
0
Accepted Answer

Greetings,

As mentioned in the below provided documentation link, the operation is the the recorded action type for the event and the object is the value indicates the query that the database performed or for a TABLE events, it indicates the table name.

https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Auditing.html

If the the server_audit_events is set to TABLE, the it logs the tables that were affected by query execution. Please refer the below mentioned explanation for the logs when the server_audit_events is set to TABLE,

E.g. 1653053459680124,c731-instance-1,admin,52.94.133.136,35,698024,WRITE,testdb,test2,0

In this log record according to "timestamp, serverhost, username, host, connectionid, queryid, operation, database, object, retcode", the operation is WRITE and the object is test2 from the database testdb, and the operation done is admin on server c731-instance-1 from the source 52.94.133.136.

E.g. 1653053810763970,c731-instance-1,admin,52.94.133.136,35,701204,WRITE,mysql,proc,0

In this log record according to "timestamp, serverhost, username, host, connectionid, queryid, operation, database, object, retcode", the operation is WRITE and the object is a Stored Procedure which is created in the the database mysql, and the is operation done by admin on server c731-instance-1 from the source 52.94.133.136.

I hope the above provided information is clear and helpful!

Thanks

AWS
Omkar_S
answered 2 years ago
profile picture
EXPERT
Sedat Salman
reviewed 10 months ago
  • AWS-User-9313915
    2 years ago

    OmKar, thanks for the on-point explanation! now i understand "proc" stands for procedure. i wasnt sure what that means lol!!!

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content