Configuring RDS CloudWatch
    • 17 Feb 2024

    Setting up CloudWatch to monitor access logs on RDS is a straightforward process, though it involves a per-instance step that makes it a bit laborious. Acante provides an AWS CLI script to simplify this repetitive step. There are three main steps:

    1. Create or modify an existing RDS Parameter Group (one time action)
    2. Update the RDS instance configurations and reboot the instance
    3. Run the Acante Terraform with Cloudwatch monitoring enabled (one time action)

    1. Configure the RDS Parameter Group

    Each RDS instance is provisioned with a default parameter group. An additional Parameter Group can be associated with the RDS instance to set specific configurations. The following configurations are required to enable CloudWatch logs for Acante analysis. If a Parameter Group is already associated with the RDS instance, modify it with the desired configuration; otherwise create a new one as shown below:

    • Create the Parameter Group as described in the AWS documentation for MySQL and for PostgreSQL.


    • Modify the new (or existing) Parameter Group and configure the following fields:

      • MySQL:
        • Search for "general_log" and set its value to "1"
        • Search for "log_output" and set its value to "FILE"
      • Postgres: search for "log_statement" and set its value to "all"

    None of the other configurations matter for Acante analysis. With this, the Parameter Group is ready for use with multiple RDS instances. If the same Parameter Group is used for multiple (or all) RDS instances, this step does NOT need to be repeated.

    2. Update RDS Instance Configurations

    This is a per-instance configuration for each RDS instance you want Acante to monitor. In the AWS RDS Console, choose the database of interest and go to the Configuration page. Click "Modify". Two configurations need to be updated:

    • Associate the Parameter Group with the RDS instance (required only if the Parameter Group was newly created)

    • Turn on Log Exports:

      • For postgres: select PostgreSQL Log
      • For mysql: select General Log (other options can be left unchecked or as is)
    • Reboot the instance immediately or in the next maintenance window

    Acante can provide an AWS CLI script that simplifies running this step (2) against a set of RDS instances with a single command. It takes the following CLI inputs:

    • The RDS engine type (mysql or postgres)
    • The Parameter Group name created or modified in the previous step
    • The list of RDS instances (of this engine type) whose configuration should be updated to use this Parameter Group
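    As an added example (this is not Acante's script, which is obtained from Acante), the following POSIX shell script performs steps 1 and 2 with the AWS CLI for a list of instances. It assumes AWS CLI v2 with credentials permitted to modify, reboot and describe RDS instances and parameter groups; the engine name, Parameter Group name and instance identifiers are passed as environment variables, which is this example's own convention. The log type names ("general" for MySQL, "postgresql" for PostgreSQL) are the values the RDS API uses for the Log Exports checkboxes shown in the console; log_output=FILE is required because RDS only exports the MySQL general log to CloudWatch when it is written to a file rather than a table.

```shell
#!/bin/sh
# Added example (not Acante's script): configure a set of RDS instances for
# CloudWatch log export with the AWS CLI. Assumes AWS CLI v2 and credentials
# allowed to modify, reboot and describe RDS instances and parameter groups.
set -eu

# Map the engine named on the page to the CloudWatch log type RDS exports.
log_type_for_engine() {
  case "$1" in
    mysql)    echo "general" ;;
    postgres) echo "postgresql" ;;
    *) echo "unsupported engine: $1" >&2; return 1 ;;
  esac
}

# Step 1 settings, in the shorthand syntax modify-db-parameter-group accepts.
parameters_for_engine() {
  case "$1" in
    mysql)
      echo "ParameterName=general_log,ParameterValue=1,ApplyMethod=immediate ParameterName=log_output,ParameterValue=FILE,ApplyMethod=immediate" ;;
    postgres)
      echo "ParameterName=log_statement,ParameterValue=all,ApplyMethod=immediate" ;;
    *) echo "unsupported engine: $1" >&2; return 1 ;;
  esac
}

# JSON for --cloudwatch-logs-export-configuration (the "Log Exports" box).
export_config_json() {
  lt=$(log_type_for_engine "$1") || return 1
  printf '{"EnableLogTypes":["%s"]}' "$lt"
}

# Step 1 (one time): push the required parameters into an existing group.
apply_parameter_group() {
  engine=$1; group=$2
  # shellcheck disable=SC2046  -- word splitting into several --parameters values is intended
  aws rds modify-db-parameter-group \
    --db-parameter-group-name "$group" \
    --parameters $(parameters_for_engine "$engine")
}

# Step 2 (per instance): associate the group, enable log export, reboot.
configure_instance() {
  engine=$1; group=$2; instance=$3
  aws rds modify-db-instance \
    --db-instance-identifier "$instance" \
    --db-parameter-group-name "$group" \
    --cloudwatch-logs-export-configuration "$(export_config_json "$engine")" \
    --apply-immediately
  aws rds wait db-instance-available --db-instance-identifier "$instance"
  # A new parameter group association only takes effect after a reboot.
  aws rds reboot-db-instance --db-instance-identifier "$instance"
  aws rds wait db-instance-available --db-instance-identifier "$instance"
}

# Post-check: print the enabled exports and whether the group is in-sync
# (anything other than "in-sync" means the reboot has not applied it yet).
verify_instance() {
  instance=$1
  aws rds describe-db-instances --db-instance-identifier "$instance" \
    --query 'DBInstances[0].[EnabledCloudwatchLogsExports,DBParameterGroups[0].ParameterApplyStatus]' \
    --output text
}

# Usage (environment variables are this example's convention):
#   RDS_ENGINE=mysql RDS_PARAM_GROUP=acante-mysql RDS_INSTANCES="db1 db2" sh rds-cloudwatch.sh
# Nothing is changed unless RDS_INSTANCES is set, so the helpers can be sourced safely.
if [ -n "${RDS_INSTANCES:-}" ]; then
  apply_parameter_group "$RDS_ENGINE" "$RDS_PARAM_GROUP"
  for inst in $RDS_INSTANCES; do
    configure_instance "$RDS_ENGINE" "$RDS_PARAM_GROUP" "$inst"
    verify_instance "$inst"
  done
fi
```

    The script applies the change and reboots immediately, which briefly interrupts the instance; to defer to the next maintenance window instead, drop --apply-immediately and the reboot-db-instance call, and re-run verify_instance afterwards to confirm the exports list contains the expected log type and the Parameter Group status is "in-sync".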

    3. Run the Acante Terraform

    Run the Terraform provided on the Configurations page of the Acante UI to enable CloudWatch log collection for RDS. Update the inputs in the .tfvars input file:

    • Set the CloudWatch flag to true:
      enable-cloudwatch-logs-processing=true

    This needs to be run only ONCE. As additional RDS instances are enabled for access monitoring, this step does NOT need to be repeated. The commands to run the Terraform are provided in the README (Steps 2, 3, 4, 5, 6). Note that in Step 4, instead of creating a new workspace, you should "select" the previously created one as follows (example provided with workspace dev-<region>-ws):

    terraform workspace select dev-<region>-ws