AWS Redshift Audit Visibility
This guide walks through enabling database audit logging on Amazon Redshift and routing those logs to either CloudWatch or Amazon S3, where Monad can ingest them. For CloudWatch, use the AWS CloudWatch Logs input; for S3, use the Redshift Audit Logs input.
Sync Type: Incremental
How Redshift Delivers Audit Logs
Amazon Redshift records database activity in three audit log types, and can deliver them to two destinations.
Log Types
| Log Type | Description |
|---|---|
| Connection log | Authentication attempts, connections, and disconnections. |
| User log | Changes to database user definitions (create, drop, rename, alter). |
| User activity log | Each query run against the database. Requires the enable_user_activity_logging parameter to be true. |
Destinations
| Destination | Description |
|---|---|
| CloudWatch | Audit log entries streamed to CloudWatch log groups, queryable via standard CloudWatch APIs. |
| Amazon S3 | Audit log files delivered as gzip-compressed objects to an S3 bucket. |
You can route to one or both destinations. Choose based on which Monad input you want to use:
- CloudWatch → AWS CloudWatch Logs input.
- S3 → Redshift Audit Logs input.
Audit logging is not enabled by default on Redshift. The connection log and user log are produced once audit logging is on; the user activity log additionally requires the enable_user_activity_logging parameter to be enabled (see Step 1).
Step 1 — Enable the User Activity Log Parameter (optional)
The connection log and user log require no parameter changes. Skip this step unless you want the user activity log.
The user activity log is gated behind a cluster parameter:
- Open the Amazon Redshift Console
- In the left navigation pane, choose Configurations → Workload management (or Parameter groups)
- Select the parameter group attached to your cluster, or Create parameter group and attach it later
- Set
enable_user_activity_loggingparam's value totrue - Save changes. If you created a new parameter group, attach it to the cluster (Clusters → your cluster → Actions → Modify → Database configurations → Parameter group) and reboot the cluster to apply.
Step 2 — Turn On Audit Logging and Choose a Destination
- Open the Amazon Redshift Console
- In the left navigation pane, choose Clusters and select your cluster
- Choose Properties
- Under Database configurations, find Audit logging and choose Edit
- Toggle Configure audit logging to on
- Under Log export type, choose your destination:
- Select the log types you want to export: Connection log, User log, and/or User activity log
Step 3A — Route to CloudWatch
- In the Edit audit logging dialog, set Log export type to CloudWatch
- Select the log types to export
- Choose Save changes
AWS automatically creates a CloudWatch log group per log type once the export is enabled.
CloudWatch Log Group Naming
Redshift publishes each log type to its own log group under the following convention:
Code
Where <log-type> is one of connectionlog, userlog, or useractivitylog. For example:
| Log Type | CloudWatch Log Group |
|---|---|
| Connection log | /aws/redshift/cluster/<cluster-name>/connectionlog |
| User log | /aws/redshift/cluster/<cluster-name>/userlog |
| User activity log | /aws/redshift/cluster/<cluster-name>/useractivitylog |
You will use this log group name (or the /aws/redshift/cluster/<cluster-name>/ prefix) when configuring the CloudWatch Logs input in Step 5.
Step 3B — Route to S3
- In the Edit audit logging dialog, set Log export type to S3
- Choose an existing bucket or create a new one, and optionally specify an S3 key prefix
- Select the log types to export
- Choose Save changes
If you use an existing bucket, attach a bucket policy that allows the Redshift service principal to write logs:
Code
S3 Bucket Naming Convention
Redshift organizes audit log objects within the bucket using the following key structure:
Code
For example:
Code
If you specified a custom key prefix when enabling audit logging, it is prepended to the path:
Code
Limitation: Monad's Redshift Audit Logs input for S3 supports the Connection log and User log types only. The User activity log type is not supported via this input. If you need to ingest the user activity log, route it to CloudWatch and use the AWS CloudWatch Logs input instead.
Step 4 — Grant IAM Permissions
The IAM role or user used by Monad needs read access to the destination you chose.
For CloudWatch
Code
For S3
Code
Attach the policy to either an IAM role (for Role ARN authentication, recommended) or an IAM user (for static credentials). See AWS Authentication Methods for configuring the trust relationship.
Step 5 — Connect Monad
CloudWatch
Configure the AWS CloudWatch Logs input with:
- Region: the AWS region where your Redshift cluster is deployed
- Role ARN (or Access Key / Secret Key): the credentials from Step 4
- Log Group Name Prefix:
/aws/redshift/cluster/<cluster-name>/to ingest all log types, or a specific log group such as/aws/redshift/cluster/<cluster-name>/connectionlog
S3
Configure the Redshift Audit Logs input with:
- Bucket: the bucket receiving the audit logs
- Log Type: Connection Log or User Log
- Prefix: the path up to the region, e.g.
AWSLogs/<account-id>/redshift/<region>. Include your custom key prefix in front if you set one. - Region: the region of the S3 bucket (auto-detected if left blank)
- Role ARN (or Access Key / Secret Key): the credentials from Step 4
- Backfill Start Time (optional): an ISO 8601 date to start ingesting historical logs from
To ingest both the connection log and user log from S3, create one Redshift Audit Logs input per log type.
Related Articles
- Amazon Redshift Database Audit Logging
- Enabling Redshift audit logging
- Redshift audit logging to CloudWatch
- STL_CONNECTION_LOG
- STL_USERLOG