Best Practices for Monitoring Database Activity

Monitoring DB activity is important for several reasons: beyond security and compliance, it also improves performance and operational reliability. In this blog, we will discuss specifics related to AWS RDS, but they are applicable to any database on any cloud.

Importance Of Monitoring DB Activity

Here’s a breakdown of some of the reasons why it’s critical to monitor RDS activity:


Security and Compliance

  • Suspicious Activity Detection: You can catch unauthorized access or unusual query patterns (e.g., data exfiltration attempts).
  • Audit Trails: With Amazon RDS Enhanced Monitoring and CloudTrail, you can maintain detailed logs for compliance and auditing.
  • IAM Misuse: Detect IAM roles or users accessing the DB inappropriately.


Performance Optimization

  • Query Analysis: Monitoring helps identify slow or long-running queries that could be affecting performance.
  • Resource Utilization: You can track CPU, memory, IOPS, and storage usage to ensure your DB instance is properly sized.
  • Connection Metrics: Keeping an eye on DB connections helps avoid bottlenecks or throttling issues.


Cost Management

  • Over-Provisioning Detection: Monitoring shows if you’re paying for more performance than needed.
  • Under-Provisioning: Conversely, monitoring helps identify when performance suffers due to resource limits, prompting a scale-up.


Operational Reliability

  • Auto-Scaling Triggers: Monitoring supports event-driven automation such as scaling storage or instances based on demand.
  • Maintenance Scheduling: Plan DB upgrades or backups with minimal impact based on observed usage patterns.
  • Ensures backups are occurring as scheduled.
  • Helps validate that point-in-time recovery can be executed effectively.


Key Log Sources for Monitoring DB Activity

In this section we will discuss the key log sources that help achieve the goals stated above.


AWS CloudTrail

CloudTrail logs all API calls made to AWS services, including:

  • RDS instance creation, deletion, modification
  • Backup and snapshot operations
  • Security group changes
  • IAM activity

Used For:

  • Security auditing
  • Tracking administrative activity
  • Detecting unauthorized changes


RDS Database Logs

These are engine-specific logs; which logs exist varies by engine (MySQL, PostgreSQL, Oracle, etc.).

Examples:

  • PostgreSQL: postgresql.log
  • MySQL: error.log, slowquery.log, general.log
  • SQL Server: errorlog, agentlog

Used For:

  • SQL query tracking
  • Slow query identification
  • Error debugging
  • Connection/disconnection info

How to Access:

  • RDS Console (Logs & events tab)
  • AWS CLI / RDS API
  • Enable CloudWatch log exports to stream them to CloudWatch Logs


Amazon CloudWatch Observability Metrics

CloudWatch provides real-time metrics for databases like:

  • CPU utilization
  • Memory usage (Enhanced Monitoring)
  • DB connections
  • Read/write latency and throughput

These can be used for various use cases such as:

  • Performance monitoring
  • Auto-scaling triggers
  • Alerting (e.g., CPU > 80% for 5 minutes)


VPC Flow Logs

Flow logs capture IP-level traffic in and out of the DB instance. For detailed VPC guidance, check out our blog on VPC. VPC Flow Logs help detect:

  • Suspicious access attempts
  • Misconfigured security groups or routing issues


Log Source Summary

Log Source                             | Purpose                        | Example Use Case
---------------------------------------+--------------------------------+----------------------------------------------------
RDS DB Logs                            | Query and error tracking       | Debug slow queries, auth failures
CloudTrail Logs                        | API and config change auditing | Detect unauthorized admin actions
VPC Flow Logs                          | Network-level visibility       | Security audits, network traffic detections
CloudWatch Metrics/Enhanced Monitoring | Performance monitoring         | Auto-scaling, alerting, CPU/memory/process tracking
Performance Insights                   | Query performance analysis     | Bottleneck identification


Sample Use Cases

In this section, we will discuss key use cases from Security & Observability domains.


Security & Auditing Use Cases


Detect Unauthorized Access Attempts

  • What to look for: Failed login attempts or unexpected use of sensitive actions (e.g., DeleteDBInstance, RebootDBInstance).
  • Example: Alert when an IAM user attempts to delete a production database.


Monitor Root Account Usage

  • Why: Root access should be rarely used.
  • Use case: Trigger an alert if root makes any API call, especially to RDS or IAM.


Track Changes to Security Groups

  • What to track: Modifications to security group rules attached to RDS instances.
  • Use case: Alert if someone opens port 3306 (MySQL) to 0.0.0.0/0.


Audit IAM Role Usage

  • What to detect: Use of high-privilege IAM roles.
  • Use case: Identify when someone assumes a role like RDSAdmin and accesses sensitive DB actions.
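The four CloudTrail use cases above (destructive actions on a production instance, any root API call, a database port opened to 0.0.0.0/0, and a high-privilege assumed role performing sensitive RDS actions) expressed as rules in Python. This is an added example, not code from the original post or a Coralogix product; the records are constructed to follow CloudTrail's JSON layout, and the instance names, security group id, account id, the "prod" naming convention and the RDSAdmin role name are assumptions.

```python
# Constructed CloudTrail records (field layout follows CloudTrail's JSON; names, ids and account are made up).
SAMPLE_EVENTS = [
    {"eventName": "DeleteDBInstance", "eventSource": "rds.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"dBInstanceIdentifier": "prod-orders-db"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [{
         "ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "ModifyDBInstance", "eventSource": "rds.amazonaws.com",
     "userIdentity": {"type": "Root"},
     "requestParameters": {"dBInstanceIdentifier": "prod-orders-db"}},
    {"eventName": "StopDBInstance", "eventSource": "rds.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/RDSAdmin/carol"},
     "requestParameters": {"dBInstanceIdentifier": "staging-db"}},
]

SENSITIVE_RDS_ACTIONS = {"DeleteDBInstance", "DeleteDBCluster", "RebootDBInstance", "StopDBInstance"}
HIGH_PRIV_ROLES = {"RDSAdmin"}                 # assumed name of a high-privilege role
DB_PORTS = {3306, 5432, 1433, 1521}            # MySQL, PostgreSQL, SQL Server, Oracle

def world_open_db_ports(params):
    # Database ports that an AuthorizeSecurityGroupIngress request opens to 0.0.0.0/0.
    found = set()
    for perm in params.get("ipPermissions", {}).get("items", []):
        cidrs = {r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])}
        if "0.0.0.0/0" in cidrs:
            lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
            found |= {p for p in DB_PORTS if lo <= p <= hi}
    return found

def triage(events):
    # Return (rule, actor, detail) for every record that matches one of the alert rules.
    hits = []
    for ev in events:
        ident, name, params = ev.get("userIdentity", {}), ev.get("eventName", ""), ev.get("requestParameters") or {}
        actor = ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")
        db = params.get("dBInstanceIdentifier", "")
        role = ident.get("arn", "").split("assumed-role/")[-1].split("/")[0]  # role name only for AssumedRole arns
        if ident.get("type") == "Root":                       # any root API call is worth an alert
            hits.append(("root-api-call", actor, name))
        if name in SENSITIVE_RDS_ACTIONS and db.startswith("prod"):
            hits.append(("sensitive-action-on-prod-db", actor, db))
        if role in HIGH_PRIV_ROLES and name in SENSITIVE_RDS_ACTIONS:
            hits.append(("high-priv-role-sensitive-action", actor, f"{role} {name} {db}"))
        if name == "AuthorizeSecurityGroupIngress":
            for port in sorted(world_open_db_ports(params)):
                hits.append(("db-port-open-to-world", actor, f"{params.get('groupId')}:{port}"))
    return hits
```

A read-only call such as DescribeDBInstances by an ordinary IAM user produces no finding, which is the intended baseline for these rules.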


Failed Login Attempts

  • Logs show: IP address, username, timestamp, reason for failure.
  • Why important: Repeated failures could indicate brute-force attacks or credential stuffing.


Example (PostgreSQL log):

  FATAL: password authentication failed for user "admin"
  DETAIL: Connection matched pg_hba.conf line 100: "host all all 0.0.0.0/0 md5"


Access From Unusual IPs or Locations

  • Use DB logs to identify successful logins from unexpected sources.
  • Combine with CloudTrail and VPC Flow Logs to correlate network activity.
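An added example (not from the original post) for the two sections above: parsing constructed PostgreSQL log lines in the log_line_prefix layout RDS PostgreSQL writes ('%t:%r:%u@%d:[%p]:') to pull the timestamp, source IP and user out of each failed-authentication line, then flagging source/user pairs that exceed a failure threshold inside a sliding window. The addresses, users, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the RDS PostgreSQL log_line_prefix layout '%t:%r:%u@%d:[%p]:';
# the addresses, users and databases are made up.
SAMPLE_LOG = """\
2024-05-01 10:22:01 UTC:203.0.113.5(51234):admin@postgres:[12345]:FATAL:  password authentication failed for user "admin"
2024-05-01 10:22:01 UTC:203.0.113.5(51234):admin@postgres:[12345]:DETAIL:  Connection matched pg_hba.conf line 100: "host all all 0.0.0.0/0 md5"
2024-05-01 10:22:03 UTC:203.0.113.5(51240):admin@postgres:[12346]:FATAL:  password authentication failed for user "admin"
2024-05-01 10:22:05 UTC:203.0.113.5(51251):admin@postgres:[12347]:FATAL:  password authentication failed for user "admin"
2024-05-01 10:22:09 UTC:203.0.113.5(51260):admin@postgres:[12348]:FATAL:  password authentication failed for user "admin"
2024-05-01 10:22:10 UTC:203.0.113.5(51266):admin@postgres:[12349]:FATAL:  password authentication failed for user "admin"
2024-05-01 10:30:00 UTC:10.0.1.20(40001):app@orders:[12400]:FATAL:  password authentication failed for user "app"
2024-05-01 10:31:00 UTC:10.0.1.20(40002):app@orders:[12401]:LOG:  connection authorized: user=app database=orders
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \w+:"   # %t  timestamp with zone
    r"(?P<host>[^(:]+)\((?P<port>\d+)\):"                  # %r  remote host(port)
    r"(?P<user>[^@:]*)@(?P<db>[^:]*):\[(?P<pid>\d+)\]:"    # %u@%d:[%p]
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$")

def parse_auth_failures(text):
    """Yield (timestamp, source ip, user, reason) for each failed-authentication FATAL line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["level"] != "FATAL" or "authentication failed" not in m["msg"]:
            continue  # DETAIL/LOG lines and unrelated FATALs are not login failures
        yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["host"], m["user"], m["msg"]

def brute_force_sources(text, threshold=5, window=timedelta(minutes=5)):
    """Return {(source ip, user): total failures} for pairs with at least `threshold`
    failures inside any `window`-long interval (sliding window over sorted timestamps)."""
    buckets = defaultdict(list)
    for ts, host, user, _ in parse_auth_failures(text):
        buckets[(host, user)].append(ts)
    flagged = {}
    for key, times in buckets.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop timestamps that fell out of the window
                start += 1
            if end - start + 1 >= threshold:
                flagged[key] = len(times)
                break
    return flagged
```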


Unauthorized Queries or Privileged Commands

  • DB logs (especially general.log in MySQL or query logs in PostgreSQL) can capture:
    • DROP, DELETE, ALTER statements
    • Access to sensitive tables (e.g., users, credentials)
  • Look for abnormal query patterns or non-application users issuing privileged commands.


Logging of Superuser Activity

  • Monitor for commands issued by users with elevated privileges (e.g., rds_superuser in PostgreSQL).
  • Sudden privilege escalation or direct access by admins should be audited.


Data Exfiltration Patterns

  • A large volume of SELECT * queries or full table scans may indicate data scraping attempts.
  • Log anomalies in query patterns or spikes in query volume.
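An added example (not from the original post) covering the three sections above: a review pass over a constructed MySQL general.log excerpt that maps connection ids to users from the Connect lines, flags privileged DDL/DML issued by accounts other than the application user, flags full reads of sensitive tables, and flags connections issuing many SELECT * statements. The users, hosts, tables and threshold are assumptions.

```python
import re
from collections import Counter

# Constructed MySQL general.log excerpt (the format RDS writes with general_log=1);
# users, hosts, tables and statements are made up.
SAMPLE_GENERAL_LOG = """\
2024-05-01T10:22:01.100000Z\t   42 Connect\tapp@10.0.1.20 on orders using TCP/IP
2024-05-01T10:22:01.200000Z\t   42 Query\tSELECT id, total FROM orders WHERE id = 7
2024-05-01T10:22:02.000000Z\t   43 Connect\tdbadmin@203.0.113.9 on orders using TCP/IP
2024-05-01T10:22:02.100000Z\t   43 Query\tSELECT * FROM users
2024-05-01T10:22:02.200000Z\t   43 Query\tselect * from credentials
2024-05-01T10:22:02.300000Z\t   43 Query\tSELECT * FROM orders
2024-05-01T10:22:03.000000Z\t   43 Query\tDROP TABLE audit_log
2024-05-01T10:22:04.000000Z\t   42 Query\tUPDATE orders SET status = 'paid' WHERE id = 7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$")
SELECT_STAR_RE = re.compile(r"(?i)^select\s+\*\s+from\s+`?(\w+)")
PRIVILEGED = {"DROP", "ALTER", "GRANT", "DELETE", "UPDATE"}  # the statements the alerts above target
SENSITIVE_TABLES = {"users", "credentials"}                # assumed list for this example
APP_USERS = {"app"}                                        # accounts expected to issue application traffic

def review_general_log(text, full_scan_threshold=3):
    """Return (rule, user, detail) findings: privileged statements by non-app users,
    full reads of sensitive tables, and connections issuing many SELECT * statements."""
    user_of_conn, findings, full_scans = {}, [], Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or continuation of a multi-line statement
        if m["cmd"] == "Connect":  # argument looks like "user@host on db using TCP/IP"
            user_of_conn[m["conn"]] = m["arg"].split("@", 1)[0]
            continue
        if m["cmd"] != "Query":
            continue
        user, sql = user_of_conn.get(m["conn"], "?"), m["arg"].strip()
        verb = (sql.split(None, 1) or [""])[0].upper()
        if verb in PRIVILEGED and user not in APP_USERS:
            findings.append(("privileged-statement", user, sql))
        scan = SELECT_STAR_RE.match(sql)
        if scan:
            full_scans[(m["conn"], user)] += 1
            if scan.group(1).lower() in SENSITIVE_TABLES:
                findings.append(("sensitive-table-read", user, sql))
    for (conn, user), n in full_scans.items():
        if n >= full_scan_threshold:
            findings.append(("bulk-select-star", user, f"connection {conn} issued {n} SELECT * statements"))
    return findings
```

The general log records every statement, so on a busy instance it is costly; the same rules apply to the Performance Insights or audit-plugin output if you only need privileged statements.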


How Coralogix Can Help

Coralogix helps customers with this in several ways, including out-of-the-box alerts and dashboards that accelerate time to value.


Alerts

Here are some of the preconfigured alerts for CloudTrail logs:

  • Detect RDS Security Group Creation
  • Detect RDS Snapshot Export
  • Detect Deletion of RDS Instance/Cluster
  • Detect RDS Instance Creation
  • Detect RDS Instance/Cluster Stopped
  • Detect RDS Cluster Creation
  • Detect RDS Security Group Deletion
  • Detect RDS Snapshot Restored
  • Detect Database Was Created with No Encryption
  • Detect Database Was Made Public
  • Detect Snapshot Made Public


Here are some example alerts for RDS DB logs; they can be fine-tuned based on specific customer needs:

  • Detect UPDATE Statement Executed
  • Detect GRANT Statement Executed
  • Detect DELETE Statement Executed
  • Detect ALTER Statement Executed
  • Detect DROP Statement Executed
Aseem Rastogi
