configuring-log-export
Configuring Log Export
Configures log and metric export for CockroachDB Cloud clusters to deliver cluster logs, audit logs, and performance metrics to external monitoring services. Supports AWS CloudWatch, GCP Cloud Logging, and third-party integrations like Datadog.
When to Use This Skill
- Setting up log export to AWS CloudWatch or GCP Cloud Logging
- Configuring metric export to CloudWatch or Datadog
- Verifying that SQL audit logs are being exported to an external sink
- Troubleshooting log export errors or missing logs
- Estimating CloudWatch or logging service costs for CockroachDB log volume
- Configuring log export via Terraform
Prerequisites
- CockroachDB Cloud Advanced plan — Log export is not available on Basic or Standard plans
- ccloud CLI authenticated with Cluster Admin role
- Cloud provider setup:
- AWS: CloudWatch Logs group created, IAM role granting CockroachDB Cloud cross-account access
- GCP: Cloud Logging API enabled, service account with Logs Writer role
- Cluster ID: Available from
ccloud cluster list
Verify access:
ccloud auth whoami
ccloud cluster info <cluster-name> -o json
# Look for "plan": "ADVANCED"
Configuration Decisions
Before proceeding, determine which export destinations apply to the user's environment. Ask which options are relevant, then follow only the corresponding sections below.
Decision 1 — Log export destination:
- AWS CloudWatch: Use when the cluster runs on AWS and logs should go to CloudWatch Logs. Requires IAM cross-account role setup.
- GCP Cloud Logging: Use when the cluster runs on GCP. Requires a service account with Logs Writer role.
Decision 2 — Metric export destination:
- CloudWatch: Use when metrics should go to AWS CloudWatch. Requires IAM role with
cloudwatch:PutMetricDatapermission. - Datadog: Use when metrics should go to Datadog. Requires a Datadog API key and site.
- Skip: No metric export needed at this time.
Steps
1. Check Current Log Export Configuration
# Check if log export is currently configured
ccloud cluster info <cluster-name> -o json
# Look for "log_export_config" in the output
2. Set Up Log Export to AWS CloudWatch
Follow this section only if the user selected AWS CloudWatch in Decision 1. Skip to Step 3 if using GCP Cloud Logging.
2.1 Create a CloudWatch Log Group
# Create a log group in AWS (if it doesn't exist)
aws logs create-log-group \
--log-group-name cockroachdb-<cluster-name> \
--region <aws-region>
# Set retention policy (recommended)
aws logs put-retention-policy \
--log-group-name cockroachdb-<cluster-name> \
--retention-in-days 90 \
--region <aws-region>
2.2 Create an IAM Role for CockroachDB Cloud
See cloud provider setup reference for the complete IAM role policy.
The IAM role must:
- Trust the CockroachDB Cloud AWS account as an allowed principal
- Grant
logs:CreateLogStream,logs:PutLogEvents,logs:DescribeLogGroups,logs:DescribeLogStreamspermissions - Be scoped to the specific log group
2.3 Enable Log Export
# Enable log export to CloudWatch
ccloud cluster log-export create <cluster-id> \
--log-group-name cockroachdb-<cluster-name> \
--auth-principal <iam-role-arn> \
--type AWS_CLOUDWATCH \
--region <aws-region>
3. Set Up Log Export to GCP Cloud Logging
Follow this section only if the user selected GCP Cloud Logging in Decision 1. Skip if using AWS CloudWatch.
3.1 Enable Cloud Logging API
gcloud services enable logging.googleapis.com
3.2 Grant CockroachDB Cloud Service Account Access
# Get the CockroachDB Cloud service account from ccloud cluster info
# Grant Logs Writer role
gcloud projects add-iam-policy-binding <gcp-project-id> \
--member="serviceAccount:<cockroachdb-service-account>" \
--role="roles/logging.logWriter"
3.3 Enable Log Export
ccloud cluster log-export create <cluster-id> \
--auth-principal <gcp-project-id> \
--type GCP_CLOUD_LOGGING
4. Configure Metric Export
Skip this section if the user selected Skip in Decision 2. Follow only the relevant subsection (4.1 or 4.2) based on the selected metric export destination.
Metric export sends CockroachDB performance metrics to CloudWatch or Datadog.
4.1 Metric Export to CloudWatch
ccloud cluster metric-export create cloudwatch <cluster-id> \
--role-arn <iam-role-arn> \
--target-region <aws-region>
The IAM role for metric export needs cloudwatch:PutMetricData permission.
4.2 Metric Export to Datadog
ccloud cluster metric-export create datadog <cluster-id> \
--api-key <datadog-api-key> \
--site <datadog-site>
Datadog site values: datadoghq.com (US), datadoghq.eu (EU), us3.datadoghq.com (US3), us5.datadoghq.com (US5)
5. Verify Log and Metric Export
# Check log export status
ccloud cluster log-export list <cluster-id> -o json
# Status should be ENABLED
# Check metric export status
ccloud cluster metric-export list <cluster-id> -o json
Verify log delivery in CloudWatch:
# Check for recent log streams
aws logs describe-log-streams \
--log-group-name cockroachdb-<cluster-name> \
--order-by LastEventTime \
--descending \
--limit 5 \
--region <aws-region>
# Tail recent log events
aws logs tail cockroachdb-<cluster-name> \
--since 1h \
--region <aws-region>
Verify audit logs are being exported:
Audit logs are included in the log export if SQL audit logging is enabled on the cluster. To confirm:
-- Check audit logging is enabled
SHOW CLUSTER SETTING sql.log.admin_audit.enabled;
SHOW CLUSTER SETTING sql.log.user_audit;
If audit logging is enabled but audit events are not appearing in CloudWatch, check:
- Log export status is ENABLED
- The IAM role has correct permissions
- Log group name matches the configured export target
- Allow 5-10 minutes for initial log delivery
6. Configure Log Export via Terraform
resource "cockroach_log_export_config" "main" {
id = cockroach_cluster.main.id
auth_principal = "<iam-role-arn>"
log_name = "cockroachdb-${cockroach_cluster.main.name}"
type = "AWS_CLOUDWATCH"
region = "<aws-region>"
}
resource "cockroach_metric_export_cloudwatch_config" "main" {
id = cockroach_cluster.main.id
role_arn = "<iam-role-arn>"
target_region = "<aws-region>"
}
Known Terraform issue: Creating a cluster with log export and CMEK in the same terraform apply can cause a race condition. Apply the cluster first, then add log export and CMEK configurations in a subsequent apply.
Safety Considerations
| Impact Type | Severity | Recommendation |
|---|---|---|
| Log export enabling | Low | No impact on cluster operation |
| Log export disabling | Low | Stops log delivery but does not affect cluster |
| IAM misconfiguration | Medium | Log export will fail silently; monitor for delivery gaps |
| Cost impact | Medium | High-volume clusters can generate significant CloudWatch/logging costs |
| Terraform race condition | Medium | Apply cluster creation before log/CMEK config |
Cost planning:
- CockroachDB Cloud can generate 1-10 GB of logs per day per node depending on query volume and audit settings
- CloudWatch Logs pricing: ~$0.50/GB ingestion + $0.03/GB storage/month (varies by region)
- Enable log retention policies to control storage costs
- Audit logging significantly increases log volume — plan accordingly
Do not:
- Delete the CloudWatch log group while log export is active (will cause delivery errors)
- Revoke IAM permissions without disabling log export first
- Enable cluster-wide SQL audit logging without considering the log volume increase
Rollback
# Disable log export
ccloud cluster log-export delete <cluster-id>
# Disable metric export
ccloud cluster metric-export delete cloudwatch <cluster-id>
ccloud cluster metric-export delete datadog <cluster-id>
Log export can be re-enabled at any time with the same or different configuration. Historical logs are not re-sent — only new logs are exported after re-enabling.
References
Skill references:
Related skills:
- configuring-audit-logging — Enable SQL audit logging (must be enabled for audit logs to appear in export)
- auditing-cloud-cluster-security — Run a full security posture audit
Official CockroachDB Documentation:
More from cockroachlabs/cockroachdb-skills
cockroachdb-sql
Use when writing, generating, or optimizing SQL for CockroachDB, designing CockroachDB schemas, or when the user asks about CockroachDB-specific SQL patterns, type mappings, and distributed database best practices. Also use when encountering CockroachDB anti-patterns like missing primary keys, sequential ID hotspots, or incorrect type usage.
31analyzing-range-distribution
Analyzes CockroachDB range distribution across tables and indexes using SHOW RANGES to identify range count, size patterns, leaseholder placement, and replication health. Use when investigating hotspots, uneven data distribution, range fragmentation, or validating zone configuration effects without DB Console access.
27managing-cluster-settings
Reviews, audits, and modifies CockroachDB cluster settings. Self-Hosted has full control over all settings and start flags. Advanced/BYOC can modify most SQL-level settings but infrastructure settings are managed by CRL. Standard has limited settings access — session variables are the primary tuning mechanism. Basic has minimal settings — use session variables and Cloud Console. Use when auditing configuration, tuning performance, or troubleshooting settings-related issues.
25hardening-user-privileges
Hardens CockroachDB user privileges by auditing and tightening role-based access control, reducing admin grants, restricting PUBLIC role permissions, and applying least-privilege principles. Use when reducing excessive privileges, cleaning up admin access, or implementing RBAC best practices.
25auditing-table-statistics
Audits optimizer table statistics for staleness, missing coverage, and data quality issues using SHOW STATISTICS. Use when diagnosing poor query performance, unexpected plan changes, or after bulk data changes to identify stale statistics requiring refresh via CREATE STATISTICS.
25monitoring-background-jobs
Monitors CockroachDB background job health by identifying failed, paused, and long-running jobs using SHOW JOBS and SHOW AUTOMATIC JOBS. Surfaces schema changes, backups/restores, automatic statistics collection, and SQL stats compaction jobs without DB Console access. Use when investigating schema change delays, failed backups, or automatic job issues.
24