By using AWS re:Post, you agree to the Terms of Use
/understanding RDS audit log file format/

understanding RDS audit log file format

0

Hi all,
accroding to this official documentation, RDS audit log has the following comma-delimited information
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Auditing.html

timestamp, serverhost, username, host, connectionid, queryid, operation, database, object, retcode

i've noticed some logs are writing "READ" in place of operation and "proc" in place of object
for example, a log might say "some timestamp, prod1, user1, xx.xxx.xxx.xxx, 23, 12, read, mysql, proc, 0
how would you interpret this particular log? and what does it tell me?

i've read the official doc but the explanation is a bit vague

appreciate your help

thanks,

1 Answers
0
Accepted Answer

Greetings,

As mentioned in the below provided documentation link, the operation is the the recorded action type for the event and the object is the value indicates the query that the database performed or for a TABLE events, it indicates the table name.

https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Auditing.html

If the the server_audit_events is set to TABLE, the it logs the tables that were affected by query execution. Please refer the below mentioned explanation for the logs when the server_audit_events is set to TABLE,

E.g. 1653053459680124,c731-instance-1,admin,52.94.133.136,35,698024,WRITE,testdb,test2,0

In this log record according to "timestamp, serverhost, username, host, connectionid, queryid, operation, database, object, retcode", the operation is WRITE and the object is test2 from the database testdb, and the operation done is admin on server c731-instance-1 from the source 52.94.133.136.

E.g. 1653053810763970,c731-instance-1,admin,52.94.133.136,35,701204,WRITE,mysql,proc,0

In this log record according to "timestamp, serverhost, username, host, connectionid, queryid, operation, database, object, retcode", the operation is WRITE and the object is a Stored Procedure which is created in the the database mysql, and the is operation done by admin on server c731-instance-1 from the source 52.94.133.136.

I hope the above provided information is clear and helpful!

Thanks

answered 2 months ago
  • OmKar, thanks for the on-point explanation! now i understand "proc" stands for procedure. i wasnt sure what that means lol!!!

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions