Continuously Monitoring Amazon Aurora Audit Logs with Alienvault/AT&T Cybersecurity

Database auditing, while it may seem a tedious endeavor, is vital to monitor database resource utilization with a specific focus on tracking user database actions. Auditing can be influenced by a number of mitigating factors from individual event actions to a particular combination of factors such as time and user name. Setting up analytical processes that continuously monitor your database through consistent, regular audit log analysis can significantly improve your internal security measures. Furthermore, database auditing supports organizational actions to align with increasingly stringent compliance measures.

Continuous monitoring is also a critical part of achieving reliability, availability, and performance on your AWS cloud infrastructure. Ideally, set up processes to collect monitoring data from all components of your AWS environments in a continual process so that debugging a multi-point failure is a much easier occurrence for your development team if one should occur.

Enable Advanced Auditing

Optimize the high-performance Advanced Auditing feature in Amazon Aurora to track database activity into an audit log especially for audit and compliance purposes. Enable the MariaDB Audit Plugin to parse the collected raw log data by configuring several DB cluster parameters. With Advanced Auditing, you can monitor any combination of supported events by viewing or downloading the audit logs to review them.

You can log any combination of the following events:

• CONNECT – Logs both successful and failed connections and also disconnections. This event includes user information.
• QUERY – Logs all queries in plain text, including queries that fail due to syntax or permission errors.
• QUERY_DCL – Similar to the QUERY event, but returns only data control language (DCL) queries (GRANT, REVOKE, and so on).
• QUERY_DDL – Similar to the QUERY event, but returns only data definition language (DDL) queries (CREATE, ALTER, and so on).
• QUERY_DML – Similar to the QUERY event, but returns only data manipulation language (DML) queries (INSERT, UPDATE, and so on, and also SELECT).
• TABLE – Logs the tables that were affected by query execution. 

                                                         (From "Using Advanced Auditing with an Amazon Aurora MySQL DB Cluster - Amazon Aurora", 2019)

With the combined power of Amazon RDS for MariaDB and Amazon Aurora, it is possible to direct DB instance log events straight to Amazon CloudWatch Logs. Publishing your logs in this manner allows you to build "richer and more seamless interactions with your DB instance logs" through AWS. And all of this serves to establish a solid auditing foundation for compliance requirements. 

Near-real time insights for DB instance logs

You can configure your Aurora Maria DB cluster to publish general, slow, audit, and error log data to a log group in Amazon CloudWatch Logs. With CloudWatch Logs, you can store your log records in highly durable storage as well as perform real-time analysis of the log data, view metrics, and create custom alarms that send Slack alerts when monitored conditions occur. You also gain the ability to monitor your logs, in near-real-time, for specific values, patterns, and phrases. 

Going a step further though, and factor in SIEM tool AT&T Cybersecurity's—formerly AlienVault— feature, AWS Log Discovery and Collection in USM Anywhere. Leveraging a SIEM tool such as AT&T Cybersecurity enables you to realize 24/7 security monitoring and recording of specific database activity. Such a use case integration allows you to expand the value of published logs across a comprehensive range of use cases, such as:

• Creating alarms for unusual abnormal conditions, such as extremely high volumes of slow queries or a number of failed connection attempts
• Connecting logs to other application logs
• Maintaining audit logs for security and compliance purposes
• Identifying popular trends in log data over time

Log events from these resources get published as log streams (which cover sequences of log events) to specific log groups. Each DB instance and log type form a separate group in the same AWS Region as the DB instance, with the following naming pattern:

/aws/rds/instance/<db-instance-id>/<log-type>

Example Process:

Adding a Job scheduler in Alienvault/AT&T Cybersecurity to Monitor Your Database Audit Logs

Go to CloudWatch >Log Groups to filter log streams

Logs

Click Edit Job to enter a name and description for a job.

Now, input the Region Name, Group Name, and Stream Name information for your AWS account. Select the asterisk option ( * ) in Region name to monitor all regions for a given group. And in Source Format, choose either syslog (all messages are syslog formatted) or raw (for non-syslog formatted data).

In the Schedule field, indicate when USM Anywhere should run the job:

• Choose from different time options: Hour, Day, Week, Month, or Year
• Configure the interval options for the time selected. The chosen time increment will determine the available options.

Click Save to achieve continuous monitoring.

AlienVault/AT&T Cybersecurity Captures the Drop Event in Your Database

Slack Notification Examples of a Drop Table Event

Audit trails as established by such intrusion detection processes as above can help increase data integrity by improving security breach detection. In this manner, an audited system acts as a deterrent against users from meddling with data because hackers can swiftly be identified.

Ibexlabs is an experienced DevOps & Managed Services provider and an AWS consulting partner. Our AWS Certified DevOps consultancy team evaluates your infrastructure and make recommendations based on your individual business or personal requirements. Contact us today and set up a free consultation to discuss a custom-built solution tailored just for you.