Collect AWS RDS logs

Supported in:

Google secops SIEM

This document describes how you can collect AWS RDS logs by setting up a Google SecOps feed.

For more information, see Data ingestion to Google SecOps.

An ingestion label identifies the parser that normalizes raw log data to structured UDM format. The information in this document applies to the parser with the AWS_RDS ingestion label.

Before you begin

Ensure you have the following prerequisites:

An AWS account that you can sign in to
A global administrator or RDS administrator

How to configure AWS RDS

Use an existing database or create a new database:
- To use an existing database, select the database, click Modify, and then select Log exports.
- To use a new database, when you create the database, select Additional configuration.
To publish to Amazon CloudWatch, select the following log types:
- Audit log
- Error log
- General log
- Slow query log
To specify log export for AWS Aurora PostgreSQL and PostgreSQL, select PostgreSQL log.
To specify log export for AWS Microsoft SQL server, select the following log types:
- Agent log
- Error log
Save the log configuration.
Select CloudWatch > Logs to view the collected logs. The log groups are automatically created after the logs are available through the instance.

To publish the logs to CloudWatch, configure IAM user and KMS key policies. For more information, see IAM user and KMS key policies.

Based on the service and region, identify the endpoints for connectivity by referring to the following AWS documentation:

For information about any logging sources, see AWS Identity and Access Management endpoints and quotas.
For information about CloudWatch logging sources, see CloudWatch logs endpoints and quotas.

For engine-specific information, see the following documentation:

Set up feeds

There are two different entry points to set up feeds in the Google SecOps platform:

SIEM Settings > Feeds
Content Hub > Content Packs

Set up feeds from SIEM Settings > Feeds

For Google Security Operations unified customers only:
To configure multiple feeds for different log types within this product family, see Configure multiple feeds.

For all customers:
To configure a single feed, follow these steps:

Go to SIEM Settings > Feeds.
Click Add New Feed.
On the next page, click Configure a single feed. Skip this step if you're using the Google SecOps SIEM-standalone platform.
Enter a unique name for the Feed name.
Select Amazon S3 or Amazon SQS as the Source type.
Select AWS RDS as the Log type.
Click Next.
Google SecOps supports log collection using an access key ID and secret method. To create the access key ID and secret, see Configure tool authentication with AWS.
Based on the AWS RDS configuration that you created, specify values for the input parameters:
- If you use Amazon S3, specify values for the following mandatory fields:
  - Region
  - S3 URI
  - URI is a
  - Source deletion option
- If you use Amazon SQS, specify values for the following mandatory fields:
  - Region
  - Queue name
  - Account number
  - Queue access key ID
  - Queue secret access key
  - Source deletion option
Click Next, and then click Submit.

For more information about Google SecOps feeds, see Create and manage feeds using the feed management UI. For information about requirements for each feed type, see Feed management API.

If you encounter issues when you create feeds, contact Google SecOps support.

Set up feeds from the Content Hub

You can configure the ingestion feed in Google SecOps using either Amazon SQS (preferred) or Amazon S3.

Specify values for the following fields:

Region: Region where the S3 bucket or SQS queue is hosted.
Queue Name: Name of the SQS queue from which to read log data.
Account Number: Account number that owns the SQS queue.
Queue Access Key ID: 20-character account access key ID. For example, AKIAOSFOODNN7EXAMPLE.
Queue Secret Access Key: 40-character secret access key. For example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY.
Source deletion option: Option to delete files and directories after transferring the data.

Advanced options

Feed Name: A prepopulated value that identifies the feed.
Source Type: Method used to collect logs into Google SecOps.
Asset Namespace: Namespace associated with the feed.
Ingestion Labels: Labels applied to all events from this feed.

Field mapping reference

This parser extracts fields from AWS RDS syslog messages, primarily focusing on timestamp, description, and client IP. It uses grok patterns to identify these fields and populates corresponding UDM fields, classifying events as either GENERIC_EVENT or STATUS_UPDATE based on the presence of a client IP.

UDM mapping table

Log Field	UDM Mapping	Logic
`client_ip`	`principal.ip`	Extracted from the raw log message using the regular expression `\\[CLIENT: %{IP:client_ip}\\]`.
`create_time.nanos`	N/A	Not mapped to the IDM object.
`create_time.seconds`	N/A	Not mapped to the IDM object.
	`metadata.description`	The descriptive message from the log, extracted using grok patterns. Copied from `create_time.nanos`. Copied from `create_time.seconds`. Set to "GENERIC_EVENT" by default. Changed to "STATUS_UPDATE" if `client_ip` is present. Static value "AWS_RDS", set by the parser. Static value "AWS_RDS", set by the parser.
`pid`	`principal.process.pid`	Extracted from the `descrip` field using the regular expression `process ID of %{INT:pid}`.

Need more help? Get answers from Community members and Google SecOps professionals.