How do I log failed attempts to log in to my Amazon RDS for MySQL DB instance?

2 minute read
0

I want to track failed or dropped connections to my Amazon Relational Database Service (Amazon RDS) for MySQL DB instance for security purposes.

Resolution

When a connection to a DB instance that runs MySQL fails or is dropped, the attempted connection is logged in error.log. By default, the log_warnings DB parameter in the custom DB parameter group associated with the DB instance is turned on. This parameter tracks failed attempts to connect to a DB instance that is running MySQL. If the value of log_warnings is greater than one, then the server logs the dropped connections and access denied errors when new connections are attempted.

If a user attempts to log in to your DB instance with the wrong credentials, then the failed attempts are captured to the error.log. See the following example of failed log in attempts in the logs:

2016-08-23 15:03:37 1183 [Warning] Access denied for user 'tester'@'124.41.31.5' (using password: NO)

Note: For DB instances running MySQL 5.7.2 and later, use log_error_verbosity instead of log_warnings. For more information, see the MySQL documentation for log_error_verbosity.

It's a best practice to turn on general_log for short-term troubleshooting, and to then turn it off again after you finish troubleshooting. When turned on, general_log records every query that runs, resulting in significant overhead on production DB instances with heavy workloads.

Related information

Monitoring Amazon RDS log files

Server system variables in MySQL documentation