Collect AWS RDS logs

This document describes how you can collect AWS RDS logs by setting up a Google SecOps feed.

For more information, see Data ingestion to Google SecOps.

An ingestion label identifies the parser that normalizes raw log data to structured UDM format. The information in this document applies to the parser with the AWS_RDS ingestion label.

Before you begin

To complete the tasks on this page, ensure that you have the following:

  • An AWS account that you can sign in to.

  • A global administrator or RDS administrator.

Configure AWS RDS

  1. Use an existing database or create a new database:
    • To use an existing database, select the database, click Modify, and then select Log exports.
    • To use a new database, when you create the database, select Additional configuration.
  2. To publish to Amazon CloudWatch, select the following log types:
    • Audit log
    • Error log
    • General log
    • Slow query log
  3. To specify log export for AWS Aurora PostgreSQL and PostgreSQL, select PostgreSQL log.
  4. To specify log export for AWS Microsoft SQL Server, select the following log types:
    • Agent log
    • Error log
  5. Save the log configuration.
  6. Select CloudWatch > Logs to view the collected logs. The log groups are automatically created after the logs are available through the instance.

To publish the logs to CloudWatch, configure IAM user and KMS key policies. For more information, see IAM user and KMS key policies.

Based on the service and region, identify the endpoints for connectivity by referring to the following AWS documentation:

For engine-specific information, see the following documentation:

Configure a feed in Google SecOps to ingest AWS RDS logs

  1. In the Google SecOps menu, click Settings > Feeds > Add new.
  2. In the Source type list, select Amazon S3 or Amazon SQS.
  3. In the Log type list, select AWS RDS to create a feed for AWS RDS.
  4. Click Next.
  5. Google SecOps supports log collection using an access key ID and secret method. To create the access key ID and secret, see Configure tool authentication with AWS.
  6. Based on the AWS RDS configuration that you created, specify values for the input parameters:
    • If you use Amazon S3, specify values for the following fields:
      • Region
      • S3 URI
      • URI is a
      • Source deletion option
    • If you use Amazon SQS, specify values for the following fields:
      • Region
      • Queue name
      • Account number
      • Queue access key ID
      • Queue secret access key
      • Source deletion option
  7. Click Next, and then click Submit.

For more information about Google SecOps feeds, see Create and manage feeds using the feed management UI. For information about requirements for each feed type, see Feed management API.

If you encounter issues when you create feeds, contact Google SecOps support.

Field mapping reference

This parser extracts fields from AWS RDS syslog messages, primarily focusing on timestamp, description, and client IP. It uses grok patterns to identify these fields and populates corresponding UDM fields, classifying events as either GENERIC_EVENT or STATUS_UPDATE based on the presence of a client IP.

UDM mapping table

| Log Field | UDM Mapping | Logic |
| client_ip | principal.ip | Extracted from the raw log message using the regular expression \\[CLIENT: %{IP:client_ip}\\]. |
| create_time.nanos | N/A | Not mapped to the IDM object. |
| create_time.seconds | N/A | Not mapped to the IDM object. |
| | metadata.description | The descriptive message from the log, extracted using grok patterns. |
| | | Copied from create_time.nanos. |
| | | Copied from create_time.seconds. |
| | | Set to "GENERIC_EVENT" by default. Changed to "STATUS_UPDATE" if client_ip is present. |
| | | Static value "AWS_RDS", set by the parser. |
| | | Static value "AWS_RDS", set by the parser. |
| pid | principal.process.pid | Extracted from the descrip field using the regular expression process ID of %{INT:pid}. |
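
The mapping logic in the table above, sketched in Python so you can check how a given message would be classified before you rely on it in detections. This is an added example, not the AWS_RDS parser's own code: the function name to_udm, the sample messages, the regex stand-ins for grok's %{IP} and %{INT}, and the use of the whole message as the description are assumptions.

```python
import ipaddress
import re

# Patterns quoted in the mapping table. grok's %{IP} and %{INT} are
# approximated: candidate text is captured, then validated with ipaddress.
CLIENT_RE = re.compile(r"\[CLIENT: (?P<client_ip>[0-9A-Fa-f:.]+)\]")
PID_RE = re.compile(r"process ID of (?P<pid>[+-]?\d+)")

# Constructed sample messages (not real RDS output).
SAMPLES = [
    "Login failed for user 'app_ro'. Reason: Password did not match. "
    "[CLIENT: 10.20.30.40]",
    "Instance started with process ID of 4312",
    "Login failed for user 'app_ro'. [CLIENT: 999.1.1.1]",
]


def to_udm(message):
    """Map one raw message to the UDM fields named in the table."""
    event = {
        "metadata": {
            # Assumption: the page does not give the description pattern,
            # so the whole message is used here.
            "description": message,
            "event_type": "GENERIC_EVENT",  # default per the table
        },
        "principal": {},
    }
    match = CLIENT_RE.search(message)
    if match:
        try:
            ip = str(ipaddress.ip_address(match.group("client_ip")))
        except ValueError:
            ip = None  # bracket content is not a valid IPv4/IPv6 address
        if ip:
            event["principal"]["ip"] = ip
            # A client IP is what turns the event into STATUS_UPDATE.
            event["metadata"]["event_type"] = "STATUS_UPDATE"
    match = PID_RE.search(message)
    if match:
        # Kept as text, exactly as captured from the message.
        event["principal"]["process"] = {"pid": match.group("pid")}
    return event


if __name__ == "__main__":
    for line in SAMPLES:
        udm = to_udm(line)
        print(udm["metadata"]["event_type"], udm["principal"])
```

Messages without a valid [CLIENT: ...] token stay GENERIC_EVENT and carry no principal.ip, so searches keyed on that field will not return them.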

Changes

2023-04-24

  • Newly created parser.