---
id: redshift-ulm
title: Amazon Redshift ULM
description: The Sumo Logic app for Amazon Redshift ULM helps you monitor activity in Amazon Redshift.
slug: /help/docs/integrations/amazon-aws/redshift-ulm/
canonical: https://www.sumologic.com/help/docs/integrations/amazon-aws/redshift-ulm/
---
import useBaseUrl from '@docusaurus/useBaseUrl';
})
Amazon Redshift is Amazon’s data warehousing service. The Sumo Logic app for Amazon Redshift ULM helps you monitor activity in Amazon Redshift. The app is a unified logs and metrics application with preconfigured dashboards provide insight into database connections, SQL command and statement execution, database user account events, CloudTrail events, and resource utilization by node and cluster.
## Log types
The Amazon Redshift app uses the following log types:
* Amazon Redshift Audit Logs
* Amazon CloudTrail Event Logs
* Amazon Redshift Metrics
### Sample log messages
```json title="Amazon Redshift Connection Audit Log Sample"
dir="ltr">authenticated |Mon, 21 May 2018 01:38:01:601|::ffff:127.0.0.1 |32828 |15523|dev |rdsdb |password
|0| | |0| | | |dir="ltr">authentication failure |Mon, 21 May 2018 05:20:10:123|::ffff:10.11.12.16 |66790
|98031|vendor |himanshu |password |0|TLSv1.2 |ECDHE-RSA-AES256-SHA384 |0| | | |
```
```sql title="Amazon Redshift User Activity Audit Log Sample"
'2018-05-21T06:00:09Z UTC [ db=prod_sales user=duc pid=99753 userid=95 xid=6728324 ]' LOG: create table SumoProdbackUp.organization as
(select * from SumoProd.simpleuser)
'2018-05-21T06:00:09Z UTC [ db=vendor user=ankit pid=36616 userid=53 xid=2956702 ]' LOG: DELETE FROM SumoProd.employee WHERE id = 38;
'2018-05-21T06:20:09Z UTC [ db=dev user=himanshu pid=64458 userid=35 xid=5143208 ]' LOG: drop user testuser3
```
Click to expand. Amazon CloudTrail Redshift Log Sample.
```json title="Amazon CloudTrail Redshift Log Sample"
{
"eventVersion": "1.04",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDA1234567890WUABG5Q",
"arn": "arn:aws:iam::951234567838:user/Nitin",
"accountId": "951234567838",
"accessKeyId": "ASIA12345678UPV5IWTQ",
"userName": "Nitin",
"sessionContext": {
"attributes": {
"mfaAuthenticated": "true",
"creationDate": "2018-05-11T14:08:12Z"
}
},
"invokedBy": "signin.amazonaws.com"
},
"eventTime": "2018-05-11T17:37:06Z",
"eventSource": "redshift.amazonaws.com",
"eventName": "RebootCluster",
"awsRegion": "us-west-1",
"sourceIPAddress": "114.140.11.57",
"userAgent": "signin.amazonaws.com",
"requestParameters": {
"clusterIdentifier": "sumologicdevbi"
},
"responseElements": {
"nodeType": "dc2.large",
"preferredMaintenanceWindow": "mon:10:00-mon:10:30",
"clusterStatus": "rebooting",
"clusterCreateTime": "Mar 13, 2018 4:49:17 AM",
"vpcId": "vpc-4333942c",
"enhancedVpcRouting": false,
"endpoint": {
"port": 5439,
"address": "sumologicdev-bi.cklqobrc1234.us-west-1.redshift.amazonaws.com"
},
"masterUsername": "sumologicdevbi",
"clusterSecurityGroups": [],
"pendingModifiedValues": {},
"dBName": "sumologicdevbi",
"availabilityZone": "us-west-1c",
"clusterVersion": "1.0",
"encrypted": false,
"publiclyAccessible": true,
"tags": [],
"clusterParameterGroups": [
{
"clusterParameterStatusList": [
{
"parameterApplyStatus": "pending-reboot",
"parameterName": "spectrum_enable_enhanced_vpc_routing"
},
{
"parameterApplyStatus": "pending-reboot",
"parameterName": "enable_user_activity_logging"
},
{
"parameterApplyStatus": "pending-reboot",
"parameterName": "max_cursor_result_set_size"
},
{
"parameterApplyStatus": "pending-reboot",
"parameterName": "query_group"
},
{
"parameterApplyStatus": "pending-reboot",
"parameterName": "datestyle"
},
{
"parameterApplyStatus": "pending-reboot",
"parameterName": "extra_float_digits"
},
{
"parameterApplyStatus": "pending-reboot",
"parameterName": "search_path"
},
{
"parameterApplyStatus": "pending-reboot",
"parameterName": "statement_timeout"
},
{
"parameterApplyStatus": "pending-reboot",
"parameterName": "wlm_json_configuration"
},
{
"parameterApplyStatus": "pending-reboot",
"parameterName": "require_ssl"
},
{
"parameterApplyStatus": "pending-reboot",
"parameterName": "use_fips_ssl"
}
],
"parameterGroupName": "auditclusterparamgroup",
"parameterApplyStatus": "pending-reboot"
}
],
"allowVersionUpgrade": true,
"automatedSnapshotRetentionPeriod": 1,
"numberOfNodes": 1,
"vpcSecurityGroups": [
{
"status": "active",
"vpcSecurityGroupId": "sg-1234d441"
}
],
"iamRoles": [
{
"iamRoleArn": "arn:aws:iam::951234567838:role/RedshiftS3ReadOnly",
"applyStatus": "in-sync"
}
],
"clusterIdentifier": "sumologicdevbi",
"clusterSubnetGroupName": "redshift"
},
"requestID": "ec7759c5-5541-11e8-947b-614ed503d341",
"eventID": "4b0a0389-b04e-4553-8946-e71d0c3cfd46",
"eventType": "AwsApiCall",
"recipientAccountId": "951234567838"
}
```
### Sample queries
```sumo title="Top Users"
dir="ltr">_sourceCategory=*/AWS/Redshift/Audit LOG
| parse regex "^\'(?