Amazon RDS CloudWatch Monitoring

Amazon RDS supports sending audit logs to CloudWatch. DCAP Central can monitor a CloudWatch log group, and forward these messages to SonarW.

There are four components in this setup: Amazon RDS, Amazon CloudWatch, Sonar CloudWatch and SonarGateway.

Setup

Amazon RDS

This guide assumes you already have an RDS instance set up and running. If you need one, consult the Amazon RDS documentation on how to set one up. RDS engines supported by DCAP Central: Aurora, MySQL and MariaDB.

You will now need to set the parameters on your instance that enable audit logging. The exact details depend on the engine your instance is running.

Consult the following links to enable advanced auditing on your instance:

For Aurora:
Using Advanced Auditing with an Amazon Aurora MySQL DB Cluster

For MySQL & MariaDB:

Amazon CloudWatch

Once advanced auditing is enabled in the database, you will need to enable exporting the audit log to Amazon CloudWatch. Consult the documentation for the engine you are running:

For Aurora:
Exporting Audit Log Data From Amazon Aurora to Amazon CloudWatch Logs

For MySQL & MariaDB:

Exporting Audit Log Data From Amazon MySQL & MariaDB to Amazon CloudWatch Logs

Sonar CloudWatch

All the audit logs from your instance will now arrive in the CloudWatch log group you configured in the previous step. You will now configure Sonar CloudWatch to monitor that group for events.

Assuming you can see the logs in your log group in CloudWatch:

1- Start the sonarcloudwatch service:

sudo systemctl start sonarcloudwatch

2- Open the UI at https://<host ip>:8443/cloud_sources.xhtml

3- Click “Add new Cloud Source” >> “Add Amazon cloud watch”

4- Enter a profile name for the credentials, for example “default”, then enter your credentials.

5- Click “load log groups” and choose your log group.

6- Before you add the new log group, make sure the format field matches the format of the logs in this log group. Available formats: Aurora, MySQL, MariaDB and General.

7- Click “Add selected Log group”.

8- Select your newly added log group.

9- Enable the log group to start consuming logs from AWS CloudWatch.

For more information on setting up the credentials see AWS CLI Configuration and Credential Files.

Within a few seconds you should see data flowing from your CloudWatch log group into SonarW.
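Step 6 asks you to pick the format that matches the lines in the log group. The following added example (not part of this guide or of the Sonar CloudWatch product) shows what that choice amounts to: it detects whether a line has the Aurora advanced-auditing shape (microsecond Unix epoch timestamp) or the MariaDB Audit Plugin shape used by RDS MySQL and MariaDB (“YYYYMMDD HH:MM:SS” timestamp), parses the ten documented fields into a document, handles commas inside the quoted SQL statement, and falls back to a raw “general” document otherwise. The sample lines, host names and instance names are constructed; the parser assumes RDS’s default UTC clock when normalising the MariaDB-style timestamp.

```python
import re
from datetime import datetime, timezone

# Field order shared by the MariaDB Audit Plugin (RDS MySQL/MariaDB) and
# Aurora MySQL advanced auditing.
FIELDS = ("timestamp", "serverhost", "username", "host", "connectionid",
          "queryid", "operation", "database", "object", "retcode")

# Constructed sample lines (not captured from a real instance); host and
# instance names are placeholders.
SAMPLE_LINES = [
    # Aurora advanced auditing: microsecond Unix epoch, SQL quoted with \' escapes
    "1519688789304560,aurora-1,admin,10.0.0.12,123,45,QUERY,mydb,"
    "'select * from users where name = \\'a,b\\'',0",
    # RDS MariaDB/MySQL audit plugin: 'YYYYMMDD HH:MM:SS' timestamp, empty object
    "20180226 23:35:45,ip-10-0-0-5,admin,10.0.0.12,9,15,CONNECT,mydb,,0",
    # Failed login recorded by the same plugin (non-zero return code)
    "20180226 23:36:02,ip-10-0-0-5,admin,10.0.0.99,10,0,FAILED_CONNECT,,,1045",
    # Anything else falls through to the "General" format
    "2018-02-26T23:36:10Z some unrelated line from another source",
]


def detect_format(line):
    """Guess the log format from the shape of the first (timestamp) field."""
    head = line.split(",", 1)[0]
    if re.fullmatch(r"\d{15,17}", head):
        return "aurora"            # Unix epoch in microseconds
    if re.fullmatch(r"\d{8} \d{2}:\d{2}:\d{2}", head):
        return "mariadb_audit"     # used by both RDS MySQL and RDS MariaDB
    return "general"


def _to_iso(fmt, ts):
    """Normalise the engine-specific timestamp to an ISO-8601 UTC string.
    The plugin writes instance-local time; RDS defaults to UTC, assumed here."""
    if fmt == "aurora":
        us = int(ts)
        dt = datetime.fromtimestamp(us // 1_000_000, timezone.utc)
        return dt.replace(microsecond=us % 1_000_000).isoformat()
    return datetime.strptime(ts, "%Y%m%d %H:%M:%S").replace(tzinfo=timezone.utc).isoformat()


def parse_audit_line(line):
    """Turn one audit line into a dict. Commas inside the quoted SQL are handled
    by splitting only the eight leading fields and taking retcode from the end."""
    line = line.rstrip("\r\n")
    fmt = detect_format(line)
    parts = line.split(",", 8)
    if fmt == "general" or len(parts) != 9:
        return {"format": "general", "raw": line}
    obj, _, retcode = parts[8].rpartition(",")
    if len(obj) >= 2 and obj[0] == obj[-1] == "'":
        obj = obj[1:-1].replace("\\'", "'")   # unquote and unescape the statement
    doc = dict(zip(FIELDS[:8], parts[:8]))
    doc["object"] = obj
    doc["retcode"] = int(retcode)
    doc["connectionid"] = int(doc["connectionid"])
    doc["queryid"] = int(doc["queryid"])
    doc["timestamp"] = _to_iso(fmt, doc["timestamp"])
    doc["format"] = fmt
    return doc


def failed_events(docs):
    """Events the server rejected (non-zero retcode), e.g. failed logins."""
    return [d for d in docs if d.get("retcode", 0) != 0]


if __name__ == "__main__":
    parsed = [parse_audit_line(l) for l in SAMPLE_LINES]
    for d in parsed:
        print(d)
    print("failed:", [(d["operation"], d["host"]) for d in failed_events(parsed)])
```

Running the block prints one document per sample line and lists the rejected events; the non-zero return code on FAILED_CONNECT is the kind of field worth alerting on once the documents reach SonarW. If a line in your log group parses as “general” here, the format selected in step 6 is probably wrong for that group.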

Troubleshooting

If you don’t see data in SonarW after following the above steps, there are a few things you can check.

First, the data may be arriving but not yet ingested. To rule this out, connect to SonarW and run the following command to flush the instance collection:

db.runCommand({flush: 'instance'})

Then check the contents again. Every document that came from CloudWatch should have a Log Stream key holding the ARN of the stream it was read from.

If you still don’t see any data coming in, check the credentials used to load your log group messages.

It is also recommended to examine the log file at /var/log/sonar/gateway/cloudwatch.log. If something is wrong, it should contain a message explaining the problem.