Collect AWS RDS logs

This document describes how you can collect AWS RDS logs by setting up a Google SecOps feed.

For more information, see Data ingestion to Google SecOps.

An ingestion label identifies the parser that normalizes raw log data to structured UDM format. The information in this document applies to the parser with the AWS_RDS ingestion label.

Before you begin

Ensure you have the following prerequisites:

  • An AWS account that you can sign in to

  • Global administrator or RDS administrator permissions in that account

How to configure AWS RDS

  1. Use an existing database or create a new database:
    • To use an existing database, select the database, click Modify, and then scroll to Log exports.
    • To use a new database, select Additional configuration while you create the database, and then scroll to Log exports.
  2. For MySQL, MariaDB, and Aurora MySQL, select the following log types to publish to Amazon CloudWatch Logs:
    • Audit log
    • Error log
    • General log
    • Slow query log
  3. For Amazon RDS for PostgreSQL and Aurora PostgreSQL, select PostgreSQL log.
  4. For Amazon RDS for Microsoft SQL Server, select the following log types:
    • Agent log
    • Error log
  5. Save the log configuration.
  6. In the CloudWatch console, select Logs to view the exported logs. RDS creates the log groups (/aws/rds/instance/<instance name>/<log type>) automatically once the instance starts publishing.

To publish the logs to CloudWatch, configure IAM user and KMS key policies. For more information, see IAM user and KMS key policies.
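The same log export configuration can be applied from the RDS API, which is easier to audit and repeat across instances than the console steps above. The following is an added example, not Google SecOps or AWS code: it assumes boto3 is installed and AWS credentials are configured, maps each engine to the log types the API accepts (the API names behind the console labels, for example Slow query log is "slowquery"), enables only the types that are not already on, and handles the Aurora case, where the setting lives on the cluster rather than the instance. The engine table and the helper names are the example's own.

```python
"""Enable RDS -> CloudWatch Logs export from the API instead of the console.

Added example (not Google SecOps or AWS code). Assumes boto3 is installed and
AWS credentials are configured; the helper functions run offline and boto3 is
imported only inside enable_log_exports().
"""
from typing import Optional

# Log types the RDS API accepts in CloudwatchLogsExportConfiguration, keyed by
# the engine string that describe-db-instances returns. Assumed profile for this
# example; "audit" additionally needs the engine's audit plugin/parameter enabled.
RDS_LOG_TYPES = {
    "mysql": ["audit", "error", "general", "slowquery"],
    "mariadb": ["audit", "error", "general", "slowquery"],
    "aurora-mysql": ["audit", "error", "general", "slowquery"],
    "postgres": ["postgresql"],
    "aurora-postgresql": ["postgresql"],
    "sqlserver-ee": ["agent", "error"],
    "sqlserver-se": ["agent", "error"],
    "sqlserver-web": ["agent", "error"],
}


def log_types_for_engine(engine: str) -> list:
    """Log types to publish for an engine; raises for engines this profile does not cover."""
    if engine not in RDS_LOG_TYPES:
        raise ValueError(f"no CloudWatch log export profile for engine {engine!r}")
    return list(RDS_LOG_TYPES[engine])


def missing_log_types(enabled: Optional[list], wanted: list) -> list:
    """Log types in `wanted` that EnabledCloudwatchLogsExports does not already list."""
    current = set(enabled or [])
    return [t for t in wanted if t not in current]


def enable_log_exports(db_instance_identifier: str, region: str) -> list:
    """Turn on every log type for the instance's engine; returns the types newly requested.

    Aurora stores the export setting on the cluster, so an instance that belongs
    to a cluster is modified through modify_db_cluster instead.
    """
    import boto3  # imported here so the pure helpers above work without boto3 installed

    rds = boto3.client("rds", region_name=region)
    inst = rds.describe_db_instances(DBInstanceIdentifier=db_instance_identifier)["DBInstances"][0]
    wanted = log_types_for_engine(inst["Engine"])
    cluster_id = inst.get("DBClusterIdentifier")
    if cluster_id:
        cluster = rds.describe_db_clusters(DBClusterIdentifier=cluster_id)["DBClusters"][0]
        todo = missing_log_types(cluster.get("EnabledCloudwatchLogsExports"), wanted)
        if todo:
            rds.modify_db_cluster(
                DBClusterIdentifier=cluster_id,
                CloudwatchLogsExportConfiguration={"EnableLogTypes": todo},
                ApplyImmediately=True,
            )
    else:
        todo = missing_log_types(inst.get("EnabledCloudwatchLogsExports"), wanted)
        if todo:
            rds.modify_db_instance(
                DBInstanceIdentifier=db_instance_identifier,
                CloudwatchLogsExportConfiguration={"EnableLogTypes": todo},
                ApplyImmediately=True,
            )
    return todo
```

Calling enable_log_exports("prod-db-1", "us-east-1") returns the log types it asked RDS to enable; the modification is asynchronous, so check EnabledCloudwatchLogsExports in describe-db-instances (or describe-db-clusters for Aurora) after it completes, and confirm the corresponding log groups appear in CloudWatch Logs before creating the feed.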

Based on the service and region, identify the endpoints for connectivity by referring to the following AWS documentation:

For engine-specific information, see the following documentation:

Set up feeds

There are two different entry points to set up feeds in the Google SecOps platform:

  • SIEM Settings > Feeds > Add New
  • Content Hub > Content Packs > Get Started

How to set up the AWS RDS feed

  1. Click the Amazon Cloud Platform pack.
  2. Locate the AWS RDS log type.
  3. Google SecOps supports log collection using an access key ID and secret method. To create the access key ID and secret, see Configure tool authentication with AWS.
  4. Specify the values in the following fields.

    • Source Type: Amazon SQS V2
    • Queue Name: The SQS queue name to read from
    • S3 URI: The bucket URI.
      • s3://your-log-bucket-name/
        • Replace your-log-bucket-name with the actual name of your S3 bucket.
    • Source deletion options: Select the deletion option according to your ingestion preferences.

    • Maximum File Age: Include files modified in the last number of days. Default is 180 days.

    • SQS Queue Access Key ID: An account access key that is a 20-character alphanumeric string.

    • SQS Queue Secret Access Key: An account access key that is a 40-character alphanumeric string.

    Advanced options

    • Feed Name: A prepopulated value that identifies the feed.
    • Asset Namespace: Namespace associated with the feed.
    • Ingestion Labels: Labels applied to all events from this feed.
  5. Click Create feed.

For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product.

Field mapping reference

This parser extracts fields from AWS RDS syslog messages, primarily focusing on timestamp, description, and client IP. It uses grok patterns to identify these fields and populates corresponding UDM fields, classifying events as either GENERIC_EVENT or STATUS_UPDATE based on the presence of a client IP.

UDM mapping table

Log Field           | UDM Mapping                      | Logic
client_ip           | principal.ip                     | Extracted from the raw log message using the grok pattern \[CLIENT: %{IP:client_ip}\].
create_time.nanos   | N/A                              | Not mapped to the UDM object.
create_time.seconds | N/A                              | Not mapped to the UDM object.
descrip             | metadata.description             | The descriptive message from the log, extracted using grok patterns.
                    | metadata.event_timestamp.nanos   | Copied from create_time.nanos.
                    | metadata.event_timestamp.seconds | Copied from create_time.seconds.
                    | metadata.event_type              | Set to "GENERIC_EVENT" by default. Changed to "STATUS_UPDATE" if client_ip is present.
                    | metadata.product_name            | Static value "AWS_RDS", set by the parser.
                    | metadata.vendor_name             | Static value "AWS_RDS", set by the parser.
pid                 | principal.process.pid            | Extracted from the descrip field using the grok pattern process ID of %{INT:pid}.
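The mapping above as a runnable reference, added here as an example and not the Google SecOps parser itself. The sample lines are constructed in the style of an RDS for SQL Server error log (which carries the [CLIENT: ip] suffix the table refers to); the client IP and process ID regexes are the two quoted in the table, the timestamp pattern is this example's own, and the field names follow the UDM layout in the table. It also shows what the STATUS_UPDATE classification buys a detection engineer: once client IPs land in principal.ip, a failed-login count per source address is straightforward.

```python
"""Reference implementation of the AWS_RDS field mapping (added example, not Google's parser)."""
import ipaddress
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sample lines in the style of an RDS for SQL Server error log (not real captures).
SAMPLE_LINES = [
    "2024-05-01 12:00:00.12 Logon       Login failed for user 'sa'. Reason: Password did not match "
    "that for the login provided. [CLIENT: 203.0.113.7]",
    "2024-05-01 12:00:00.90 Logon       Login failed for user 'sa'. Reason: Password did not match "
    "that for the login provided. [CLIENT: 203.0.113.7]",
    "2024-05-01 12:00:01.00 Server      Started the database engine with a process ID of 4904.",
    "2024-05-01 12:00:02.00 spid5s      Recovery is complete. This is an informational message only.",
    "2024-05-01 12:00:03.00 Logon       Login failed for user 'sa'. [CLIENT: 999.1.1.1]",  # bogus IP
    "garbage line without a timestamp",
]

# Timestamp + remainder ("descrip"); this header pattern is the example's assumption.
HEADER_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+(?P<descrip>.+)$")
# Equivalent of the page's grok patterns \[CLIENT: %{IP:client_ip}\] and process ID of %{INT:pid}.
CLIENT_RE = re.compile(r"\[CLIENT: (?P<client_ip>[0-9A-Fa-f:.]+)\]")
PID_RE = re.compile(r"process ID of (?P<pid>\d+)")


def parse_rds_line(line: str) -> Optional[dict]:
    """Map one raw line to a UDM-shaped dict, or None if the header does not grok."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fmt = "%Y-%m-%d %H:%M:%S.%f" if "." in m["ts"] else "%Y-%m-%d %H:%M:%S"
    ts = datetime.strptime(m["ts"], fmt).replace(tzinfo=timezone.utc)
    descrip = m["descrip"]
    event = {
        "metadata": {
            "event_type": "GENERIC_EVENT",  # default per the mapping table
            "description": descrip,
            "product_name": "AWS_RDS",
            "vendor_name": "AWS_RDS",
            "event_timestamp": {"seconds": int(ts.timestamp()), "nanos": ts.microsecond * 1000},
        },
        "principal": {},
    }
    c = CLIENT_RE.search(descrip)
    if c:
        try:
            # grok's %{IP} only matches well-formed addresses; ipaddress gives the same guarantee.
            ip = str(ipaddress.ip_address(c["client_ip"]))
        except ValueError:
            ip = None
        if ip:
            event["principal"]["ip"] = [ip]
            event["metadata"]["event_type"] = "STATUS_UPDATE"  # client_ip present
    p = PID_RE.search(descrip)
    if p:
        event["principal"]["process"] = {"pid": p["pid"]}  # UDM pid is a string
    return event


def parse_lines(lines) -> list:
    """Parse many lines, dropping the ones the header pattern rejects."""
    return [e for e in (parse_rds_line(ln) for ln in lines) if e is not None]


def failed_logins_by_ip(events, threshold: int = 2) -> dict:
    """Source IPs with at least `threshold` failed logins, using the fields the parser populated."""
    counts = {}
    for e in events:
        md = e["metadata"]
        if md["event_type"] == "STATUS_UPDATE" and "Login failed" in md["description"]:
            for ip in e["principal"].get("ip", []):
                counts[ip] = counts.get(ip, 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LINES)
    for ev in evs:
        print(ev["metadata"]["event_type"], ev["principal"], ev["metadata"]["description"][:40])
    print("repeated failed logins:", failed_logins_by_ip(evs))
```

The line with the malformed address is kept as a GENERIC_EVENT with no principal.ip, which is the behaviour to expect from the real parser as well: a [CLIENT: …] suffix that does not match %{IP} leaves client_ip unset, so the event is not promoted to STATUS_UPDATE and will not appear in IP-keyed detections.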
