AWS Prescriptive Guidance Monitoring and alerting tools and best practices for Amazon RDS for
MySQL and MariaDB
Database logs
MySQL and MariaDB databases generate logs that you can access for auditing and troubleshooting.
Those logs are:
• Audit – The audit trail is a set of records that log the server's activity. For each client session, it
records who connected to the server (user name and host), which queries were run, which tables
were accessed, and which server variables were changed.
• Error – This log contains the server's (mysqld) startup and shutdown times, and diagnostic
messages such as errors, warnings, and notes that occur during server startup and shutdown,
and while the server is running.
• General – This log records the activity of mysqld, including the connect and disconnect activity
for each client, and SQL queries received from clients. The general query log can be very useful
when you suspect an error and want to know exactly what the client sent to mysqld.
• Slow query – This log provides a record of SQL queries that took a long time to perform.
As a best practice, you should publish database logs from Amazon RDS to Amazon CloudWatch
Logs. With CloudWatch Logs, you can perform real-time analysis of the log data, store the data
in highly durable storage, and manage the data with the CloudWatch Logs agent. You can access
and watch your database logs from the Amazon RDS console. You can also use CloudWatch Logs
Insights to interactively search and analyze your log data in CloudWatch Logs. The following
example illustrates a query on the audit log that checks how many times CONNECT events appear
in the log, who connected, and which client (IP address) they connected from. The excerpt from the
audit log could look like this:
20221201 14:07:05,ip-10-22-1-51,rdsadmin,localhost,821,0,CONNECT,,,0,SOCKET
20221201 14:07:05,ip-10-22-1-51,rdsadmin,localhost,821,0,DISCONNECT,,,0,SOCKET
20221201 14:12:20,ip-10-22-1-51,rdsadmin,localhost,822,0,CONNECT,,,0,SOCKET
20221201 14:12:20,ip-10-22-1-51,rdsadmin,localhost,822,0,DISCONNECT,,,0,SOCKET
20221201 14:17:35,ip-10-22-1-51,rdsadmin,localhost,823,0,CONNECT,,,0,SOCKET
20221201 14:17:35,ip-10-22-1-51,rdsadmin,localhost,823,0,DISCONNECT,,,0,SOCKET
20221201 14:22:50,ip-10-22-1-51,rdsadmin,localhost,824,0,CONNECT,,,0,SOCKET
20221201 14:22:50,ip-10-22-1-51,rdsadmin,localhost,824,0,DISCONNECT,,,0,SOCKET
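The same per-user, per-client count can be reproduced offline on an exported audit log. The following Python is an added example, not part of the AWS guidance. It assumes the comma-separated field order of the excerpt above (timestamp, server host, user name, client host, connection ID, query ID, operation, database, object, return code, connection type), and its sample lines are constructed.

```python
from collections import Counter

# Constructed sample in the layout of the excerpt above. The QUERY line is
# included because its quoted SQL text contains commas.
SAMPLE = """\
20221201 14:07:05,ip-10-22-1-51,rdsadmin,localhost,821,0,CONNECT,,,0,SOCKET
20221201 14:07:05,ip-10-22-1-51,rdsadmin,localhost,821,0,DISCONNECT,,,0,SOCKET
20221201 14:09:11,ip-10-22-1-51,appuser,10.22.3.17,900,0,FAILED_CONNECT,,,1045,TCP
20221201 14:09:12,ip-10-22-1-51,appuser,10.22.3.17,901,0,CONNECT,shop,,0,TCP
20221201 14:09:13,ip-10-22-1-51,appuser,10.22.3.17,901,7,QUERY,shop,'SELECT id, name FROM orders',0,TCP
20221201 14:12:20,ip-10-22-1-51,rdsadmin,localhost,822,0,CONNECT,,,0,SOCKET
"""

# FAILED_CONNECT is the operation the MariaDB Audit Plugin writes for a
# rejected login; a nonzero return code on CONNECT is treated the same way.
CONNECT_OPS = {"CONNECT", "FAILED_CONNECT"}


def count_connects(log_text):
    """Return (ok, failed) Counters keyed by (user name, client host)."""
    ok, failed = Counter(), Counter()
    for line in log_text.splitlines():
        # Split off only the seven leading fields. The tail can hold quoted
        # SQL text (QUERY events) and must not be split on its commas.
        parts = line.split(",", 7)
        if len(parts) < 8:
            continue  # truncated or non-audit line
        _ts, _server, user, host, _conn_id, _query_id, operation, tail = parts
        if operation not in CONNECT_OPS:
            continue
        # For connection events the tail is database,object,retcode[,type]
        # and the object field is empty, so a plain split is safe here.
        tail_fields = tail.split(",")
        retcode = tail_fields[2] if len(tail_fields) > 2 else "0"
        is_failure = operation == "FAILED_CONNECT" or retcode != "0"
        (failed if is_failure else ok)[(user, host)] += 1
    return ok, failed


if __name__ == "__main__":
    ok, failed = count_connects(SAMPLE)
    for (user, host), n in ok.most_common():
        print(f"{n:4d} successful  {user}@{host}")
    for (user, host), n in failed.most_common():
        print(f"{n:4d} failed      {user}@{host}")
```
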
The example Log Insights query shows that rdsadmin connected to the database from
localhost every 5 minutes, for a total of 22 times, as shown in the following illustration. These