Monitoring database activity streams
Database activity streams monitor and report activities. The stream of activity is collected and transmitted to Amazon Kinesis.
From Kinesis, you can monitor the activity stream, or other services and applications can consume
the activity stream for further analysis. You can find the underlying Kinesis stream name by
using the Amazon CLI command describe-db-clusters
or the RDS API
DescribeDBClusters
operation.
Aurora manages the Kinesis stream for you as follows:
-
Aurora creates the Kinesis stream automatically with a 24-hour retention period.
-
Aurora scales the Kinesis stream if necessary.
-
If you stop the database activity stream or delete the DB cluster, Aurora deletes the Kinesis stream.
The following categories of activity are monitored and put in the activity stream audit log:
-
SQL commands – All SQL commands are audited, and also prepared statements, built-in functions, and functions in PL/SQL. Calls to stored procedures are audited. Any SQL statements issued inside stored procedures or functions are also audited.
-
Other database information – Activity monitored includes the full SQL statement, the row count of affected rows from DML commands, accessed objects, and the unique database name. For Aurora PostgreSQL, database activity streams also monitor the bind variables and stored procedure parameters.
Important
The full SQL text of each statement is visible in the activity stream audit log, including any sensitive data. However, database user passwords are redacted if Aurora can determine them from the context, such as in the following SQL statement.
ALTER ROLE role-name WITH password
-
Connection information – Activity monitored includes session and network information, the server process ID, and exit codes.
If an activity stream has a failure while monitoring your DB instance, you are notified through RDS events.
Topics
Accessing an activity stream from Kinesis
When you enable an activity stream for a DB cluster, a Kinesis stream is created for you. From Kinesis, you can monitor your database activity in real time. To further analyze database activity, you can connect your Kinesis stream to consumer applications. You can also connect the stream to compliance management applications such as IBM's Security Guardium or Imperva's SecureSphere Database Audit and Protection.
You can access your Kinesis stream either from the RDS console or the Kinesis console.
To access an activity stream from Kinesis using the RDS console
-
Open the Amazon RDS console at https://console.amazonaws.cn/rds/
. -
In the navigation pane, choose Databases.
-
Choose the DB cluster on which you started an activity stream.
-
Choose Configuration.
-
Under Database activity stream, choose the link under Kinesis stream.
-
In the Kinesis console, choose Monitoring to begin observing the database activity.
To access an activity stream from Kinesis using the Kinesis console
Open the Kinesis console at https://console.amazonaws.cn/kinesis
. -
Choose your activity stream from the list of Kinesis streams.
An activity stream's name includes the prefix
aws-rds-das-cluster-
followed by the resource ID of the DB cluster. The following is an example.aws-rds-das-cluster-NHVOV4PCLWHGF52NP
To use the Amazon RDS console to find the resource ID for the DB cluster, choose your DB cluster from the list of databases, and then choose the Configuration tab.
To use the Amazon CLI to find the full Kinesis stream name for an activity stream, use a describe-db-clusters CLI request and note the value of
ActivityStreamKinesisStreamName
in the response. -
Choose Monitoring to begin observing the database activity.
For more information about using Amazon Kinesis, see
What Is Amazon Kinesis Data Streams?
Audit log contents and examples
Monitored events are represented in the database activity stream as JSON strings. The structure consists of a
JSON object containing a DatabaseActivityMonitoringRecord
, which in turn contains a
databaseActivityEventList
array of activity events.
Topics
Examples of an audit log for an activity stream
Following are sample decrypted JSON audit logs of activity event records.
Example Activity event record of an Aurora PostgreSQL CONNECT SQL statement
The following activity event record shows a login with the use of a
CONNECT
SQL statement (command
) by a psql client (clientApplication
).
{ "type":"DatabaseActivityMonitoringRecords", "version":"1.1", "databaseActivityEvents": { "type":"DatabaseActivityMonitoringRecord", "clusterId":"cluster-4HNY5V4RRNPKKYB7ICFKE5JBQQ", "instanceId":"db-FZJTMYKCXQBUUZ6VLU7NW3ITCM", "databaseActivityEventList":[ { "startTime": "2019-10-30 00:39:49.940668+00", "logTime": "2019-10-30 00:39:49.990579+00", "statementId": 1, "substatementId": 1, "objectType": null, "command": "CONNECT", "objectName": null, "databaseName": "postgres", "dbUserName": "rdsadmin", "remoteHost": "172.31.3.195", "remotePort": "49804", "sessionId": "5ce5f7f0.474b", "rowCount": null, "commandText": null, "paramList": [], "pid": 18251, "clientApplication": "psql", "exitCode": null, "class": "MISC", "serverVersion": "2.3.1", "serverType": "PostgreSQL", "serviceName": "Amazon Aurora PostgreSQL-Compatible edition", "serverHost": "172.31.3.192", "netProtocol": "TCP", "dbProtocol": "Postgres 3.0", "type": "record", "errorMessage": null } ] }, "key":"decryption-key" }
Example Activity event record of an Aurora MySQL CONNECT SQL statement
The following activity event record shows a logon with the use of a
CONNECT
SQL statement (command
) by a mysql client
(clientApplication
).
{ "type":"DatabaseActivityMonitoringRecord", "clusterId":"cluster-
some_id
", "instanceId":"db-some_id
", "databaseActivityEventList":[ { "logTime":"2020-05-22 18:07:13.267214+00", "type":"record", "clientApplication":null, "pid":2830, "dbUserName":"rdsadmin", "databaseName":"", "remoteHost":"localhost", "remotePort":"11053", "command":"CONNECT", "commandText":"", "paramList":null, "objectType":"TABLE", "objectName":"", "statementId":0, "substatementId":1, "exitCode":"0", "sessionId":"725121", "rowCount":0, "serverHost":"master", "serverType":"MySQL", "serviceName":"Amazon Aurora MySQL", "serverVersion":"MySQL 5.7.12", "startTime":"2020-05-22 18:07:13.267207+00", "endTime":"2020-05-22 18:07:13.267213+00", "transactionId":"0", "dbProtocol":"MySQL", "netProtocol":"TCP", "errorMessage":"", "class":"MAIN" } ] }
Example Activity event record of an Aurora PostgreSQL CREATE TABLE statement
The following example shows a CREATE TABLE
event for Aurora PostgreSQL.
{ "type":"DatabaseActivityMonitoringRecords", "version":"1.1", "databaseActivityEvents": { "type":"DatabaseActivityMonitoringRecord", "clusterId":"cluster-4HNY5V4RRNPKKYB7ICFKE5JBQQ", "instanceId":"db-FZJTMYKCXQBUUZ6VLU7NW3ITCM", "databaseActivityEventList":[ { "startTime": "2019-05-24 00:36:54.403455+00", "logTime": "2019-05-24 00:36:54.494235+00", "statementId": 2, "substatementId": 1, "objectType": null, "command": "CREATE TABLE", "objectName": null, "databaseName": "postgres", "dbUserName": "rdsadmin", "remoteHost": "172.31.3.195", "remotePort": "34534", "sessionId": "5ce73c6f.7e64", "rowCount": null, "commandText": "create table my_table (id serial primary key, name varchar(32));", "paramList": [], "pid": 32356, "clientApplication": "psql", "exitCode": null, "class": "DDL", "serverVersion": "2.3.1", "serverType": "PostgreSQL", "serviceName": "Amazon Aurora PostgreSQL-Compatible edition", "serverHost": "172.31.3.192", "netProtocol": "TCP", "dbProtocol": "Postgres 3.0", "type": "record", "errorMessage": null } ] }, "key":"decryption-key" }
Example Activity event record of an Aurora MySQL CREATE TABLE statement
The following example shows a CREATE TABLE
statement for Aurora MySQL.
The operation is represented as two separate event records. One event has
"class":"MAIN"
. The other event has "class":"AUX"
. The
messages might arrive in any order. The logTime
field of the
MAIN
event is always earlier than the logTime
fields of any
corresponding AUX
events.
The following example shows the event with a class
value of
MAIN
.
{ "type":"DatabaseActivityMonitoringRecord", "clusterId":"cluster-
some_id
", "instanceId":"db-some_id
", "databaseActivityEventList":[ { "logTime":"2020-05-22 18:07:12.250221+00", "type":"record", "clientApplication":null, "pid":2830, "dbUserName":"master", "databaseName":"test", "remoteHost":"localhost", "remotePort":"11054", "command":"QUERY", "commandText":"CREATE TABLE test1 (id INT)", "paramList":null, "objectType":"TABLE", "objectName":"test1", "statementId":65459278, "substatementId":1, "exitCode":"0", "sessionId":"725118", "rowCount":0, "serverHost":"master", "serverType":"MySQL", "serviceName":"Amazon Aurora MySQL", "serverVersion":"MySQL 5.7.12", "startTime":"2020-05-22 18:07:12.226384+00", "endTime":"2020-05-22 18:07:12.250222+00", "transactionId":"0", "dbProtocol":"MySQL", "netProtocol":"TCP", "errorMessage":"", "class":"MAIN" } ] }
The following example shows the corresponding event with a class
value of
AUX
.
{ "type":"DatabaseActivityMonitoringRecord", "clusterId":"cluster-
some_id
", "instanceId":"db-some_id
", "databaseActivityEventList":[ { "logTime":"2020-05-22 18:07:12.247182+00", "type":"record", "clientApplication":null, "pid":2830, "dbUserName":"master", "databaseName":"test", "remoteHost":"localhost", "remotePort":"11054", "command":"CREATE", "commandText":"test1", "paramList":null, "objectType":"TABLE", "objectName":"test1", "statementId":65459278, "substatementId":2, "exitCode":"", "sessionId":"725118", "rowCount":0, "serverHost":"master", "serverType":"MySQL", "serviceName":"Amazon Aurora MySQL", "serverVersion":"MySQL 5.7.12", "startTime":"2020-05-22 18:07:12.226384+00", "endTime":"2020-05-22 18:07:12.247182+00", "transactionId":"0", "dbProtocol":"MySQL", "netProtocol":"TCP", "errorMessage":"", "class":"AUX" } ] }
Example Activity event record of an Aurora PostgreSQL SELECT statement
The following example shows a SELECT
event .
{ "type":"DatabaseActivityMonitoringRecords", "version":"1.1", "databaseActivityEvents": { "type":"DatabaseActivityMonitoringRecord", "clusterId":"cluster-4HNY5V4RRNPKKYB7ICFKE5JBQQ", "instanceId":"db-FZJTMYKCXQBUUZ6VLU7NW3ITCM", "databaseActivityEventList":[ { "startTime": "2019-05-24 00:39:49.920564+00", "logTime": "2019-05-24 00:39:49.940668+00", "statementId": 6, "substatementId": 1, "objectType": "TABLE", "command": "SELECT", "objectName": "public.my_table", "databaseName": "postgres", "dbUserName": "rdsadmin", "remoteHost": "172.31.3.195", "remotePort": "34534", "sessionId": "5ce73c6f.7e64", "rowCount": 10, "commandText": "select * from my_table;", "paramList": [], "pid": 32356, "clientApplication": "psql", "exitCode": null, "class": "READ", "serverVersion": "2.3.1", "serverType": "PostgreSQL", "serviceName": "Amazon Aurora PostgreSQL-Compatible edition", "serverHost": "172.31.3.192", "netProtocol": "TCP", "dbProtocol": "Postgres 3.0", "type": "record", "errorMessage": null } ] }, "key":"decryption-key" }
{ "type": "DatabaseActivityMonitoringRecord", "clusterId": "", "instanceId": "db-4JCWQLUZVFYP7DIWP6JVQ77O3Q", "databaseActivityEventList": [ { "class": "TABLE", "clientApplication": "Microsoft SQL Server Management Studio - Query", "command": "SELECT", "commandText": "select * from [testDB].[dbo].[TestTable]", "databaseName": "testDB", "dbProtocol": "SQLSERVER", "dbUserName": "test", "endTime": null, "errorMessage": null, "exitCode": 1, "logTime": "2022-10-06 21:24:59.9422268+00", "netProtocol": null, "objectName": "TestTable", "objectType": "TABLE", "paramList": null, "pid": null, "remoteHost": "local machine", "remotePort": null, "rowCount": 0, "serverHost": "172.31.30.159", "serverType": "SQLSERVER", "serverVersion": "15.00.4073.23.v1.R1", "serviceName": "sqlserver-ee", "sessionId": 62, "startTime": null, "statementId": "0x03baed90412f564fad640ebe51f89b99", "substatementId": 1, "transactionId": "4532935", "type": "record", "engineNativeAuditFields": { "target_database_principal_id": 0, "target_server_principal_id": 0, "target_database_principal_name": "", "server_principal_id": 2, "user_defined_information": "", "response_rows": 0, "database_principal_name": "dbo", "target_server_principal_name": "", "schema_name": "dbo", "is_column_permission": true, "object_id": 581577110, "server_instance_name": "EC2AMAZ-NFUJJNO", "target_server_principal_sid": null, "additional_information": "", "duration_milliseconds": 0, "permission_bitmask": "0x00000000000000000000000000000001", "data_sensitivity_information": "", "session_server_principal_name": "test", "connection_id": "AD3A5084-FB83-45C1-8334-E923459A8109", "audit_schema_version": 1, "database_principal_id": 1, "server_principal_sid": "0x010500000000000515000000bdc2795e2d0717901ba6998cf4010000", "user_defined_event_id": 0, "host_name": "EC2AMAZ-NFUJJNO" } } ] }
Example Activity event record of an Aurora MySQL SELECT statement
The following example shows a SELECT
event.
The following example shows the event with a class
value of MAIN
.
{ "type":"DatabaseActivityMonitoringRecord", "clusterId":"cluster-
some_id
", "instanceId":"db-some_id
", "databaseActivityEventList":[ { "logTime":"2020-05-22 18:29:57.986467+00", "type":"record", "clientApplication":null, "pid":2830, "dbUserName":"master", "databaseName":"test", "remoteHost":"localhost", "remotePort":"11054", "command":"QUERY", "commandText":"SELECT * FROM test1 WHERE id < 28", "paramList":null, "objectType":"TABLE", "objectName":"test1", "statementId":65469218, "substatementId":1, "exitCode":"0", "sessionId":"726571", "rowCount":2, "serverHost":"master", "serverType":"MySQL", "serviceName":"Amazon Aurora MySQL", "serverVersion":"MySQL 5.7.12", "startTime":"2020-05-22 18:29:57.986364+00", "endTime":"2020-05-22 18:29:57.986467+00", "transactionId":"0", "dbProtocol":"MySQL", "netProtocol":"TCP", "errorMessage":"", "class":"MAIN" } ] }
The following example shows the corresponding event with a class
value of AUX
.
{ "type":"DatabaseActivityMonitoringRecord", "instanceId":"db-
some_id
", "databaseActivityEventList":[ { "logTime":"2020-05-22 18:29:57.986399+00", "type":"record", "clientApplication":null, "pid":2830, "dbUserName":"master", "databaseName":"test", "remoteHost":"localhost", "remotePort":"11054", "command":"READ", "commandText":"test1", "paramList":null, "objectType":"TABLE", "objectName":"test1", "statementId":65469218, "substatementId":2, "exitCode":"", "sessionId":"726571", "rowCount":0, "serverHost":"master", "serverType":"MySQL", "serviceName":"Amazon Aurora MySQL", "serverVersion":"MySQL 5.7.12", "startTime":"2020-05-22 18:29:57.986364+00", "endTime":"2020-05-22 18:29:57.986399+00", "transactionId":"0", "dbProtocol":"MySQL", "netProtocol":"TCP", "errorMessage":"", "class":"AUX" } ] }
DatabaseActivityMonitoringRecords JSON object
The database activity event records are in a JSON object that contains the following information.
JSON Field | Data Type | Description |
---|---|---|
|
string |
The type of JSON record. The value is |
version |
string |
The version of the database activity monitoring
records. The version of the generated database activity records depends on the engine version of the DB cluster:
All of the following fields are in both version 1.0 and version 1.1 except where specifically noted. |
string |
A JSON object that contains the activity events. |
|
key | string | An encryption key that you use to decrypt the databaseActivityEventList |
databaseActivityEvents JSON Object
The databaseActivityEvents
JSON object contains the following information.
Top-level fields in JSON record
Each event in the audit log is wrapped inside a record in JSON format. This record contains the following fields.
- type
-
This field always has the value
DatabaseActivityMonitoringRecords
. - version
-
This field represents the version of the database activity stream data protocol or contract. It defines which fields are available.
Version 1.0 represents the original data activity streams support for Aurora PostgreSQL versions 10.7 and 11.4. Version 1.1 represents the data activity streams support for Aurora PostgreSQL versions 10.10 and higher and Aurora PostgreSQL 11.5 and higher. Version 1.1 includes the additional fields
errorMessage
andstartTime
. Version 1.2 represents the data activity streams support for Aurora MySQL 2.08 and higher. Version 1.2 includes the additional fieldsendTime
andtransactionId
. - databaseActivityEvents
-
An encrypted string representing one or more activity events. It's represented as a base64 byte array. When you decrypt the string, the result is a record in JSON format with fields as shown in the examples in this section.
- key
-
The encrypted data key used to encrypt the
databaseActivityEvents
string. This is the same Amazon KMS key that you provided when you started the database activity stream.
The following example shows the format of this record.
{ "type":"DatabaseActivityMonitoringRecords", "version":"1.1", "databaseActivityEvents":"
encrypted audit records
", "key":"encrypted key
" }
Take the following steps to decrypt the contents of the databaseActivityEvents
field:
-
Decrypt the value in the
key
JSON field using the KMS key you provided when starting database activity stream. Doing so returns the data encryption key in clear text. -
Base64-decode the value in the
databaseActivityEvents
JSON field to obtain the ciphertext, in binary format, of the audit payload. -
Decrypt the binary ciphertext with the data encryption key that you decoded in the first step.
-
Decompress the decrypted payload.
-
The encrypted payload is in the
databaseActivityEvents
field. -
The
databaseActivityEventList
field contains an array of audit records. Thetype
fields in the array can berecord
orheartbeat
.
-
The audit log activity event record is a JSON object that contains the following information.
JSON Field | Data Type | Description |
---|---|---|
|
string |
The type of JSON record. The value is |
clusterId |
string | The DB cluster resource identifier. It corresponds to the DB cluster
attribute DbClusterResourceId . |
instanceId |
string | The DB instance resource identifier. It corresponds to the DB instance attribute
DbiResourceId . |
string |
An array of activity audit records or heartbeat messages. |
databaseActivityEventList JSON array
The audit log payload is an encrypted databaseActivityEventList
JSON array. The following tables lists alphabetically the
fields for each activity event in the decrypted DatabaseActivityEventList
array of an audit log.
The fields differ depending on whether you use Aurora PostgreSQL or Aurora MySQL. Consult
the table that applies to your database engine.
Important
The event structure is subject to change. Aurora might add new fields to activity events in the future. In applications that parse the JSON data, make sure that your code can ignore or take appropriate actions for unknown field names.
databaseActivityEventList fields for Aurora PostgreSQL | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Field | Data Type | Description | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
class |
string |
The class of activity event. Valid values for Aurora PostgreSQL are the following:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
clientApplication |
string | The application the client used to connect as reported by the client. The client doesn't have to provide this information, so the value can be null. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
command |
string | The name of the SQL command without any command details. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
commandText |
string |
The actual SQL statement passed in by the user. For Aurora PostgreSQL, the value is identical to the original SQL statement. This field is used for all types of records except for connect or disconnect records, in which case the value is null. ImportantThe full SQL text of each statement is visible in the activity stream audit log, including any sensitive data. However, database user passwords are redacted if Aurora can determine them from the context, such as in the following SQL statement.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
databaseName |
string | The database to which the user connected. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
dbProtocol |
string | The database protocol, for example Postgres 3.0 . |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
dbUserName |
string | The database user with which the client authenticated. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
errorMessage (version 1.1 database activity records only) |
string |
If there was any error, this field is populated with the error message that
would've been generated by the DB server. The An error is defined as any activity that would produce a client-visible
PostgreSQL error log event at a severity level of Internal PostgreSQL server errors such as background checkpointer process errors do not generate an error message. However, records for such events are still emitted regardless of the setting of the log severity level. This prevents attackers from turning off logging to attempt avoiding detection. See also the |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
exitCode |
int | A value used for a session exit record. On a clean exit, this contains the
exit code. An exit code can't always be obtained in some failure scenarios.
Examples are if PostgreSQL does an exit() or if an operator performs
a command such as kill -9 .If there was any error, the
See also the
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
logTime |
string | A timestamp as recorded in the auditing code path. This represents the SQL statement execution end
time. See also the startTime field. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
netProtocol |
string | The network communication protocol. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
objectName |
string | The name of the database object if the SQL statement is operating on one. This field is used only where the SQL statement operates on a database object. If the SQL statement is not operating on an object, this value is null. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
objectType |
string | The database object type such as table, index, view, and so on. This field is used only where the SQL
statement operates on a database object. If the SQL statement is not operating on an object, this value is
null. Valid values include the following:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
paramList |
string | An array of comma-separated parameters passed to the SQL statement. If the SQL statement has no parameters, this value is an empty array. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
pid |
int | The process ID of the backend process that is allocated for serving the client connection. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
remoteHost |
string | Either the client IP address or hostname. For Aurora PostgreSQL, which one is used depends on the
database's log_hostname parameter setting. The remoteHost value also includes [local] and localhost
which indicate activity from the rdsadmin user. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
remotePort |
string | The client port number. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
rowCount |
int | The number of rows returned by the SQL statement. For example, if a SELECT statement returns 10 rows, rowCount is 10. For INSERT or UPDATE statements, rowCount is 0. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
serverHost |
string | The database server host IP address. The serverHost value also includes [local] and localhost
which indicate activity from the rdsadmin user. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
serverType |
string | The database server type, for example PostgreSQL . |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
serverVersion |
string | The database server version, for example 2.3.1 for Aurora PostgreSQL. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
serviceName |
string | The name of the service, for example Amazon Aurora PostgreSQL-Compatible edition .
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
sessionId |
int | A pseudo-unique session identifier. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
sessionId |
int | A pseudo-unique session identifier. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
startTime (version 1.1 database activity records only) |
string |
The time when execution began for the SQL statement. To calculate the approximate execution time of the SQL statement, use
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
statementId |
int | An identifier for the client's SQL statement. The counter is at the session level and increments with each SQL statement entered by the client. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
substatementId |
int | An identifier for a SQL substatement. This value counts the contained substatements for each SQL
statement identified by the statementId field. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
type |
string | The event type. Valid values are record or heartbeat . |
databaseActivityEventList fields for Aurora MySQL | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Field | Data Type | Description | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
class |
string |
The class of activity event. Valid values for Aurora MySQL are the following:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
clientApplication |
string | The application the client used to connect as reported by the client. The client doesn't have to provide this information, so the value can be null. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
command |
string |
The general category of the SQL statement. The values for this field depend on the value of
The values when
The values when
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
commandText |
string |
For events with a For events with a For Aurora MySQL, characters such as quotation marks are preceded by a backslash, representing an escape character. ImportantThe full SQL text of each statement is visible in the audit log, including any sensitive data. However, database user passwords are redacted if Aurora can determine them from the context, such as in the following SQL statement.
NoteSpecify a password other than the prompt shown here as a security best practice. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
databaseName |
string | The database to which the user connected. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
dbProtocol |
string | The database protocol. Currently, this value is always MySQL for Aurora MySQL. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
dbUserName |
string | The database user with which the client authenticated. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
endTime (version 1.2 database activity records only) |
string |
The time when execution ended for the SQL statement. It is represented in Coordinated Universal Time (UTC) format. To calculate the execution time of the SQL statement, use
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
errorMessage (version 1.1 database activity records only) |
string |
If there was any error, this field is populated with the error message that
would've been generated by the DB server. The An error is defined as any activity that would produce a client-visible
MySQL error log event at a severity level of Internal MySQL server errors such as background checkpointer process errors do not generate an error message. However, records for such events are still emitted regardless of the setting of the log severity level. This prevents attackers from turning off logging to attempt avoiding detection. See also the |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
exitCode |
int | A value used for a session exit record. On a clean exit, this contains the exit code. An exit code can't always be obtained in some failure scenarios. In such cases, this value might be zero or might be blank. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
logTime |
string | A timestamp as recorded in the auditing code path. It is represented in Coordinated Universal Time
(UTC) format. For the most accurate way to calculate statement duration, see the startTime and
endTime fields. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
netProtocol |
string | The network communication protocol. Currently, this value is always TCP for
Aurora MySQL. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
objectName |
string | The name of the database object if the SQL statement is operating on one. This field is used only
where the SQL statement operates on a database object. If the SQL statement isn't operating on an
object, this value is blank. To construct the fully qualified name of the object, combine
databaseName and objectName . If the query involves multiple objects, this field
can be a comma-separated list of names. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
objectType |
string |
The database object type such as table, index, and so on. This field is used only where the SQL statement operates on a database object. If the SQL statement is not operating on an object, this value is null. Valid values for Aurora MySQL include the following:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
paramList |
string | This field isn't used for Aurora MySQL and is always null. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
pid |
int | The process ID of the backend process that is allocated for serving the client connection. When the
database server is restarted, the pid changes and the counter for the statementId
field starts over. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
remoteHost |
string | Either the IP address or hostname of the client that issued the SQL statement. For Aurora MySQL, which
one is used depends on the database's skip_name_resolve parameter setting. The value
localhost indicates activity from the rdsadmin special user. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
remotePort |
string | The client port number. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
rowCount |
int | The number of table rows affected or retrieved by the SQL statement. This field is used only for SQL statements that are data manipulation language (DML) statements. If the SQL statement is not a DML statement, this value is null. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
serverHost |
string | The database server instance identifier. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
serverType |
string | The database server type, for example MySQL . |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
serverVersion |
string | The database server version. Currently, this value is always MySQL 5.7.12 for
Aurora MySQL. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
serviceName |
string | The name of the service. Currently, this value is always Amazon Aurora MySQL for
Aurora MySQL. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
sessionId |
int | A pseudo-unique session identifier. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
startTime (version 1.1 database activity records only) |
string |
The time when execution began for the SQL statement. It is represented in Coordinated Universal Time (UTC) format. To calculate the execution time of the SQL statement, use
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
statementId |
int | An identifier for the client's SQL statement. The counter increments with each SQL statement entered by the client. The counter is reset when the DB instance is restarted. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
substatementId |
int | An identifier for a SQL substatement. This value is 1 for events with class MAIN and 2
for events with class AUX . Use the statementId field to identify all the events
generated by the same statement. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
transactionId (version 1.2 database activity records only) |
int | An identifier for a transaction. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
type |
string | The event type. Valid values are record or heartbeat . |
Processing a database activity stream using the Amazon SDK
You can programmatically process an activity stream by using the Amazon SDK. The following are fully functioning Java and Python examples of how you might process the Kinesis data stream.