Tags: amazon-web-services, terraform, terraform-provider-aws, amazon-neptune

What is the difference between enable_cloudwatch_logs_exports and neptune_enable_audit_log


While working with a Neptune database cluster in AWS, I found that there are multiple options for enabling audit logging for the Neptune cluster: enable_cloudwatch_logs_exports on the cluster resource, and neptune_enable_audit_log in aws_neptune_cluster_parameter_group.

I've not been able to find anything in the documentation that describes the difference between these values, shown in the examples below. From my observations the two values control separate settings, but from the outside they appear to define the same setting. Is one applied at the cluster level, and the other applied directly to the underlying readers/writers?

Cluster resource option:

resource "aws_neptune_cluster" "my_cluster" {
  enable_cloudwatch_logs_exports       = ["audit"]
  neptune_cluster_parameter_group_name = aws_neptune_cluster_parameter_group.my_param_group.name
...
}

Parameter group setting:

resource "aws_neptune_cluster_parameter_group" "my_param_group" {
  parameter {
    name  = "neptune_enable_audit_log"
    value = 1
  }
...
}

Solution

  • Yes, there are two separate settings for using Audit Logs in Neptune. Enabling them via the parameter group is required to turn on audit logging for all instances in a cluster. Once audit logs are enabled, they are stored locally on the instance by default. The only way to access them from here is to use the Amazon Neptune console.

    If you want to export Audit Logs to CloudWatch (for better visibility and parsing/searching) you can also set the cluster resource parameter for enable_cloudwatch_logs_exports to export these logs to CloudWatch.
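The two settings wired together, as an added Terraform example that is not part of the question or the answer above: the parameter group switches audit logging on for every instance in the cluster, and the cluster resource exports the resulting logs to CloudWatch. Resource names, the parameter-group family "neptune1.2", the instance class, the retention period and the "/aws/neptune/<cluster-id>/audit" log-group name are assumptions, not values from the page.

```hcl
# Added example: both Neptune audit-log settings together.
# Names, the family "neptune1.2", the instance class and the retention
# period are assumptions; adjust them to your engine version and policy.

resource "aws_neptune_cluster_parameter_group" "audit" {
  name   = "neptune-audit-enabled"
  family = "neptune1.2" # assumed; must match the cluster's engine version

  # Step 1: turn audit logging on for every instance in the cluster.
  # Without this, no audit records are produced, whatever the export setting.
  parameter {
    name  = "neptune_enable_audit_log"
    value = "1"
  }
}

# Optional: create the log group yourself so retention is under your control
# rather than defaulting to "never expire". The log-group name Neptune uses
# is assumed here to be /aws/neptune/<cluster-id>/audit.
resource "aws_cloudwatch_log_group" "neptune_audit" {
  name              = "/aws/neptune/example-neptune/audit"
  retention_in_days = 90 # assumption; pick what your retention policy requires
}

resource "aws_neptune_cluster" "example" {
  cluster_identifier                   = "example-neptune"
  engine                               = "neptune"
  neptune_cluster_parameter_group_name = aws_neptune_cluster_parameter_group.audit.name

  # Step 2: ship the locally stored audit logs to CloudWatch Logs.
  # This only has an effect once step 1 has produced audit records.
  enable_cloudwatch_logs_exports = ["audit"]

  storage_encrypted   = true
  apply_immediately   = true
  skip_final_snapshot = true # assumption for a disposable demo cluster

  depends_on = [aws_cloudwatch_log_group.neptune_audit]
}

# At least one instance is needed; the parameter group applies to all of them.
resource "aws_neptune_cluster_instance" "writer" {
  cluster_identifier = aws_neptune_cluster.example.id
  engine             = "neptune"
  instance_class     = "db.t3.medium" # assumption
}
```

After `terraform apply`, the two settings can be checked independently: `aws neptune describe-db-clusters` reports the export list under `EnabledCloudwatchLogsExports`, while `aws neptune describe-db-cluster-parameters --db-cluster-parameter-group-name neptune-audit-enabled` shows the `neptune_enable_audit_log` value. Seeing "audit" in the export list without the parameter set to 1 is the misconfiguration the answer describes: the export is configured but nothing is being logged.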