
Collect logs and metrics from Amazon Aurora PostgreSQL

This page explains the logs and metrics collected from your Aurora PostgreSQL database, and provides example queries and instructions for setting up log and metric collection.

The Sumo Logic App for Aurora PostgreSQL ULM includes predefined searches and dashboards that allow you to monitor logs and metrics for your Aurora MySQL database. The logs enable you to monitor database activity, user activity, incoming connections, query execution time, and errors. The metrics allow you to monitor database resource utilization and throughput performance.

This guide provides an overview of the Sumo App for Aurora PostgreSQL ULM pre-defined queries and dashboards, as well as instructions for collecting logs and metrics from Aurora PostgreSQL, and installing the App.


Log and metric types

The Sumo Logic App for Aurora PostgreSQL ULM uses the following logs and metrics:

Log examples

The following is an example of an AWS CloudTrail log.

{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"AI1234567890QEWUABG5Q",
"arn":"arn:aws:iam::951234567898:user/bwilliams","accountId":"951234567898","accessKeyId":
"ABCDEFGHIHFBOT4FDVK","userName":"jjones","sessionContext":{"attributes":{"mfaAuthenticated":
"true","creationDate":"2018-11-05T11:22:45Z"}},"invokedBy":"signin.amazonaws.com"},"eventTime":
"2018-11-12T06:56:02Z","eventSource":"rds.amazonaws.com","eventName":"DeleteDBCluster","awsRegion"
:"us-east-3","sourceIPAddress":"19.174.45.8","userAgent":"signin.amazonaws.com","requestParameters"
:{"dBClusterIdentifier":"nitinpsql968cluster01","skipFinalSnapshot":false,"finalDBSnapshotIdentifier"
:"psqldb968nitin02-final-snapshot"},"responseElements":{"allocatedStorage":1,"availabilityZones"
:["us-east-1a","us-east-1b","us-east-1c"],"backupRetentionPeriod":2,"databaseName":"nitintestdpsql1",
"dBClusterIdentifier":"nitinpsql968cluster01","dBClusterParameterGroup":"default.aurora-postgresql9.6",
"dBSubnetGroup":"default-vpc-b81fc4d7","status":"available","earliestRestorableTime":"Nov 5, 2018 2:17:31 PM",
"endpoint":"nitinpsql968cluster01.cluster-ci123456789d.us-east-3.rds.amazonaws.com","readerEndpoint"
:"nitinpsql968cluster01.cluster-ro-ci123456789d.us-east-1.rds.amazonaws.com","multiAZ":false,"engine"
:"aurora-postgresql","engineVersion":"9.6.8","latestRestorableTime":"Nov 5, 2018 3:36:06 PM","port"
:5432,"masterUsername":"npandepsql","preferredBackupWindow":"08:59-09:29","preferredMaintenanceWindow"
:"sun:08:09-sun:08:39","readReplicaIdentifiers":[],"dBClusterMembers":[{"dBInstanceIdentifier":"psqldb968nitin02"
,"isClusterWriter":true,"dBClusterParameterGroupStatus":"in-sync","promotionTier":1}],"vpcSecurityGroups"
:[{"vpcSecurityGroupId":"sg-0e81530fe36e37076","status":"active"}],"hostedZoneId":"Z2R2ITUGPM61AM",
"storageEncrypted":true,"kmsKeyId":"arn:aws:kms:us-west-3:951234567898:key/9a3d8016-4cdb-478f-a3a4-9a310fc25307",
"dbClusterResourceId":"cluster-LXLBREEIXOAMLSUUDXVKXFVIDA","dBClusterArn":"arn:aws:rds:us-west-2:951234567898:cluster:nitinpsql968cluster01",
"associatedRoles":[],"iAMDatabaseAuthenticationEnabled":false,"clusterCreateTime":"Nov 5, 2018 2:16:12 PM","engineMode"
:"provisioned","deletionProtection":false,"httpEndpointEnabled":false},"requestID":"0df6f69d-8040-45fa-9171-98043977a14c",
"eventID":"ab48927c-7bd8-4c1d-9d86-0b2f6732949c","eventType":"AwsApiCall","recipientAccountId":"951234567898"}

Query examples

This section provides an example of a log query and metrics query taken from panels in a dashboard.

Log query example

The following log query is from the Event Status Trend panel of the CloudTrail Event - Overview dashboard.

(_sourceCategory=*cloudtrail* or _sourceCategory=*AWS_EAGLE*) "\"eventSource\":\"rds.amazonaws.com\"" ("\"engine\":\"aurora-postgresql\"")
| json "userIdentity", "eventSource", "eventName", "awsRegion", "sourceIPAddress", "userAgent", "eventType", "recipientAccountId", "requestParameters", "responseElements", "requestID", "errorCode", "errorMessage" nodrop
| json field=userIdentity "type", "principalId", "arn", "userName", "accountId" nodrop
| json field=userIdentity "sessionContext.attributes.mfaAuthenticated" as mfaAuthenticated nodrop
| json field=requestParameters "dBClusterIdentifier", "engine", "engineMode" as req_dBClusterIdentifier, req_engine, req_engineMode nodrop
| json field=responseElements "dBClusterIdentifier", "engine", "engineMode" as res_dBClusterIdentifier, res_engine, res_engineMode nodrop
| parse field=arn ":assumed-role/*" as user nodrop  
| parse field=arn "arn:aws:iam::*:*" as accountId, user nodrop
| if (isEmpty(errorCode), "Success", "Failure") as eventStatus
| if (isEmpty(userName), user, userName) as user
| if (isEmpty(req_dBClusterIdentifier), res_dBClusterIdentifier, req_dBClusterIdentifier) as dBClusterIdentifier
| if (isEmpty(req_engine), res_engine, req_engine) as engine
| if (isEmpty(req_engineMode), res_engineMode, req_engineMode) as engineMode
| where eventSource = "rds.amazonaws.com" and (req_engine in ("aurora-postgresql") or res_engine in ("aurora-postgresql"))
| timeslice 6h
| count by _timeslice, eventStatus, eventName
| transpose row _timeslice column eventStatus, eventName
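
The following Python sketch is an added example, not Sumo Logic's own code. It approximates how the query above derives `eventStatus`, `user`, and `dBClusterIdentifier` and applies the engine filter, so the logic can be checked offline. The function names and the sample events are constructed for illustration. The third sample event shows a coverage caveat: a denied call with no `engine` field in either `requestParameters` or `responseElements` is dropped by the filter and never reaches the panel.

```python
import json
from collections import Counter
from datetime import datetime

def user_from_arn(arn):
    # Approximates the query's two "parse field=arn" steps.
    if ":assumed-role/" in arn:
        return arn.split(":assumed-role/", 1)[1]
    if arn.startswith("arn:aws:iam::"):
        return arn[len("arn:aws:iam::"):].split(":", 1)[-1]
    return ""

def classify(event):
    """Return (timeslice, eventStatus, eventName, user, cluster), or None if filtered out."""
    req = event.get("requestParameters") or {}
    res = event.get("responseElements") or {}  # null on failed calls
    if event.get("eventSource") != "rds.amazonaws.com":
        return None
    if "aurora-postgresql" not in (req.get("engine"), res.get("engine")):
        return None
    ident = event.get("userIdentity") or {}
    user = ident.get("userName") or user_from_arn(ident.get("arn", ""))
    cluster = req.get("dBClusterIdentifier") or res.get("dBClusterIdentifier")
    status = "Failure" if event.get("errorCode") else "Success"
    ts = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    # "timeslice 6h": floor to the 6-hour bucket (UTC hours 0, 6, 12, 18).
    bucket = ts.replace(hour=ts.hour - ts.hour % 6, minute=0, second=0)
    return (bucket.strftime("%Y-%m-%dT%H:%MZ"), status, event["eventName"], user, cluster)

def event_status_trend(json_lines):
    """Count by (timeslice, eventStatus, eventName), like the panel's final "count by"."""
    rows = (classify(json.loads(line)) for line in json_lines)
    return Counter(row[:3] for row in rows if row)

# Constructed sample events (not real CloudTrail output), reduced to the fields the query reads.
RDS = "rds.amazonaws.com"
SAMPLE = [json.dumps(e) for e in [
    {"eventTime": "2018-11-12T06:56:02Z", "eventSource": RDS, "eventName": "DeleteDBCluster",
     "userIdentity": {"userName": "jjones", "arn": "arn:aws:iam::111111111111:user/jjones"},
     "requestParameters": {"dBClusterIdentifier": "example-cluster"},
     "responseElements": {"dBClusterIdentifier": "example-cluster", "engine": "aurora-postgresql"}},
    {"eventTime": "2018-11-12T07:10:00Z", "eventSource": RDS, "eventName": "CreateDBCluster",
     "errorCode": "AccessDenied", "responseElements": None,
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/DbAdmin/session1"},
     "requestParameters": {"dBClusterIdentifier": "example-cluster-2", "engine": "aurora-postgresql"}},
    {"eventTime": "2018-11-12T07:15:00Z", "eventSource": RDS, "eventName": "DeleteDBCluster",
     "errorCode": "AccessDenied", "userIdentity": {"userName": "jjones"},
     "requestParameters": {"dBClusterIdentifier": "example-cluster"}, "responseElements": None},
]]
```
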

Metrics query example

The following metrics query is from the Volume Write IOPS panel of the Metric - Overview dashboard.

_sourceCategory=AWS/RDS/Metric Namespace=AWS/RDS  metric=VolumeWriteIOPs DBClusterIdentifier=* Statistic=Average | avg by DBClusterIdentifier

Collect logs and metrics for the Sumo Logic Aurora PostgreSQL ULM App

The Sumo Logic App for Aurora PostgreSQL ULM is used for monitoring CloudTrail event logs and CloudWatch metrics. Metrics allow you to monitor database resource utilization and throughput performance. CloudTrail events help you monitor use of Aurora services and operations by users.

This section provides instructions for collecting logs and metrics for the Sumo Logic App for Aurora PostgreSQL ULM.

Step 1: Collecting AWS CloudTrail events using AWS CloudTrail Source

This section provides instructions for setting up AWS CloudTrail Source to collect events for ingest into Sumo Logic.

To collect AWS CloudTrail events, do the following: 
  1. Configure a Hosted Collector.
  2. Add an AWS CloudTrail Source to the Hosted Collector, providing the following information:

  • Name - Enter a name to display for the new Source.
  • Description - Enter an optional description.
  • S3 Region - Select the Amazon Region for your CloudTrail Aurora S3 bucket.
  • Bucket Name - Enter the exact name of your CloudTrail Aurora S3 bucket.
  • Path Expression - Enter the string that matches the S3 objects you'd like to collect. You can use a wildcard (*) in this string. (DO NOT use a leading forward slash. See Amazon Path Expressions.) The S3 bucket name is not part of the path. Don’t include the bucket name when you are setting the Path Expression.
  • Source Category - Enter a source category, for example, AWS/Cloudtrail.
  • Access Key ID and Secret Access Key - Enter your Amazon Access Key ID and Secret Access Key.
  • Scan Interval - Use the default of 5 minutes, or enter a time interval frequency at which Sumo Logic will scan your S3 bucket for new data.
  • Enable Timestamp Parsing - Select the checkbox to enable.
  • Time Zone - Deselect Ignore time zone from log file and instead select UTC.
  • Timestamp Format - Select Automatically detect the format.
  • Enable Multiline Processing - Select the checkbox to enable, and select Infer Boundaries.
  3. Click Save.

Step 2: Collecting Aurora CloudWatch metrics using AWS CloudWatch Metric Source

This section provides instructions for setting up the collection of Aurora CloudWatch metrics using AWS CloudWatch Metric Source for ingest into Sumo Logic.

To collect Aurora CloudWatch metrics, do the following: 
  1. Configure a Hosted Collector.
  2. Configure an Amazon CloudWatch Metrics Source, providing the following information:

  • Name - Enter a name to display for the new Source.
  • Description - Enter an optional description.
  • Regions - Select your Amazon Regions for Amazon RDS.
  • Namespaces - Select AWS/RDS.
  • Source Category - Enter a source category, for example, AWS/RDS/Metric.
  • Access Key ID and Secret Access Key - Enter your Amazon Access Key ID and Secret Access Key.
  • Scan Interval - Accept the default of 5 minutes, or enter a time interval at which Sumo Logic will scan CloudWatch Sources for new data.
  3. Click Save.