User guide
The connection log, user log, and user activity log are enabled together by using the AWS Management Console, the Amazon Redshift API Reference, or the AWS Command Line Interface (AWS CLI). For the user activity log, you must also enable the enable_user_activity_logging database parameter. If you enable only the audit logging feature, but not the associated parameter, the database audit logs will log information for only the connection log and user log, but not for the user activity log. The enable_user_activity_logging parameter is disabled (false) by default, but you can set it to true to enable the user activity log. For more information, see Amazon Redshift Parameter Groups (p. 56).
Managing Log Files
The number and size of Amazon Redshift log files in Amazon S3 will depend heavily on the activity in your cluster. At a minimum, Amazon Redshift uploads logging information on an hourly basis. If you have an active cluster that is generating large logs, Amazon Redshift may upload the log files more frequently. You might have a series of log files for the same type of activity, such as having multiple connection logs within the same hour.

Because Amazon Redshift uses Amazon S3 to store logs, you will incur charges for the storage that you use in Amazon S3. Before you configure logging, you should have a plan for how long you need to store the log files, and determine when they can either be deleted or archived based on your auditing needs. The plan that you create depends heavily on the type of data that you store, such as data subject to compliance or regulatory requirements. For more information about Amazon S3 pricing, go to Amazon Simple Storage Service (S3) Pricing.
Bucket Permissions for Amazon Redshift Audit Logging
When you enable logging, Amazon Redshift collects logging information and uploads it to log files stored in Amazon S3. You can use an existing bucket or a new bucket. Amazon Redshift requires the following IAM permissions to the bucket:
• s3:GetBucketAcl – The service requires read permissions to the Amazon S3 bucket so it can identify the bucket owner.
• s3:PutObject – The service requires put object permissions to upload the logs. Each time logs are uploaded, the service determines whether the current bucket owner matches the bucket owner at the time logging was enabled. If these owners do not match, logging is still enabled but no log files can be uploaded until you select a different bucket.
If you want to use a new bucket, and have Amazon Redshift create it for you as part of the configuration process, the correct permissions will be applied to the bucket. However, if you create your own bucket in Amazon S3 or use an existing bucket, you need to add a bucket policy that includes the bucket name, and the Amazon Redshift Account ID that corresponds to your region from the following table:
Account ID      Region
193672423079    US East (N. Virginia) region
902366379725    US West (Oregon) region
053454850223    EU (Frankfurt) region
210876761215    EU (Ireland) region
404641285394    Asia Pacific (Tokyo) region
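As an added example (not from this guide), the following Python builds the minimal bucket policy described above for a given region, using the account IDs from the table, and checks an existing bucket policy for the two grants Amazon Redshift needs, which catches the common mistake of a policy written for one region's account being used by a cluster in another. The region codes and the principal form arn:aws:iam::<account-id>:user/logs are assumptions of this example.

```python
# Amazon Redshift account per region, from the table in this section (region
# codes are this example's own mapping of the region names listed there).
REDSHIFT_LOG_ACCOUNTS = {
    "us-east-1": "193672423079",       # US East (N. Virginia)
    "us-west-2": "902366379725",       # US West (Oregon)
    "eu-central-1": "053454850223",    # EU (Frankfurt)
    "eu-west-1": "210876761215",       # EU (Ireland)
    "ap-northeast-1": "404641285394",  # Asia Pacific (Tokyo)
}

def required_grants(bucket):
    """The two (action, resource) pairs the guide says Redshift needs."""
    return {("s3:GetBucketAcl", f"arn:aws:s3:::{bucket}"),
            ("s3:PutObject", f"arn:aws:s3:::{bucket}/*")}

def redshift_audit_bucket_policy(bucket, region):
    """Minimal bucket policy granting exactly the required permissions.
    The principal form user/logs is an assumption of this example."""
    account = REDSHIFT_LOG_ACCOUNTS[region]
    principal = {"AWS": f"arn:aws:iam::{account}:user/logs"}
    statements = [{"Sid": f"Redshift{action.split(':')[1]}", "Effect": "Allow",
                   "Principal": principal, "Action": action, "Resource": resource}
                  for action, resource in sorted(required_grants(bucket))]
    return {"Version": "2012-10-17", "Statement": statements}

def missing_audit_grants(policy, bucket, region):
    """Return required grants that `policy` does not Allow to the Redshift
    account for `region` (empty list = bucket is ready for audit logging).
    Exact matching only: wildcard actions/resources are not expanded."""
    account = REDSHIFT_LOG_ACCOUNTS[region]
    granted = set()
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        aws = [aws] if isinstance(aws, str) else aws
        if not any(f":{account}:" in arn for arn in aws):
            continue  # granted to some other principal, not the Redshift account
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        granted.update((a, r) for a in actions for r in resources)
    return sorted(required_grants(bucket) - granted)

if __name__ == "__main__":
    # Constructed sample: a policy written for us-east-1 but applied to an eu-west-1 cluster.
    policy = redshift_audit_bucket_policy("example-audit-logs", "us-east-1")
    print(missing_audit_grants(policy, "example-audit-logs", "eu-west-1"))
```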
API Version 2012-12-01
218
Amazon Redshift Management Guide
Managing Log Files