Enable "slow_query_log" Flag for MySQL Database Servers

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)

Ensure that the "slow_query_log" database flag is enabled for your Google Cloud MySQL database instances in order to simplify the task of finding inefficient or time-consuming SQL queries for your MySQL databases. By default, the "slow_query_log" database flag is not enabled for Google Cloud MySQL instances.

Performance
efficiency

The slow query log feature designed for MySQL databases enables you to log queries that exceed a predefined time limit. By enabling the "slow_query_log" flag, you can keep an eye on your MySQL database performance, allowing you to identify which queries need optimization. Optionally, you can integrate these logs with Google Cloud Operations service (formerly Stackdriver) to create and configure alerts that can send you notifications when there are too many slow queries and your database performance is downgraded.

Note: Some database flag settings can affect instance availability and/or stability, and eventually remove the MySQL instance from the Google Cloud SQL Service Level Agreement (SLA).


Audit

To determine if "slow_query_log" flag is enabled for your MySQL database instances, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Cloud SQL Instances dashboard at https://console.cloud.google.com/sql/instances.

04 Click inside the Filter tree box, select Type and MySQL then press Enter, to list only the MySQL database instances provisioned for the selected GCP project.

05 Click on the name (ID) of the database instance that you want to examine.

06 In the navigation panel, select Overview to access the configuration details of the selected instance.

07 In the Configuration section, under Database flags, check the configuration value set for the slow_query_log database flag. If slow_query_log is set to off, the "slow_query_log" database flag is currently disabled for the selected Google Cloud MySQL database instance, therefore the database configuration is not compliant.

08 Repeat step no. 5 – 7 to check the "slow_query_log" flag configuration for other MySQL database instances available within the selected project.

09 Repeat steps no. 2 – 8 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your Google Cloud account:

gcloud projects list
	--format="table(projectId)"

02 The command output should return the requested GCP project identifiers:

PROJECT_ID
cc-web-project-112233
cc-gov-project-123123

03 Run sql instances list command (Windows/macOS/Linux) using custom filtering to describe the name of each MySQL database instance provisioned for the selected Google Cloud project:

gcloud sql instances list
	--project cc-web-project-112233
	--filter='DATABASE_VERSION:MYSQL*'
	--format="(NAME)"

04 The command output should return the requested database instance name(s):

NAME
cc-web-mysql-instance
cc-int-mysql-instance
cc-app-mysql-instance

05 Run sql instances describe command (Windows/macOS/Linux) using the name of the MySQL database instance that you want to examine as identifier parameter and custom query filters to describe the "slow_query_log" flag configuration value set for the selected database instance:

gcloud sql instances describe cc-web-mysql-instance
	--format=json | jq '.settings.databaseFlags[] | select(.name=="slow_query_log")|.value'

06 The command output should return the requested flag configuration value:

"off"

If the sql instances describe command output returns "off", the "slow_query_log" database flag is not enabled for the selected Google Cloud MySQL database instance, therefore the database configuration is not compliant.

07 Repeat step no. 5 and 6 to verify the "slow_query_log" flag configuration value for other MySQL database instances created for the selected project.

08 Repeat steps no. 3 – 7 for each project available within your Google Cloud account.

Remediation / Resolution

To enable the "slow_query_log" database flag for your Google Cloud Platform (GCP) MySQL database instances, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Cloud SQL Instances dashboard at https://console.cloud.google.com/sql/instances.

04 Click inside the Filter tree box, select Type and MySQL then press Enter, to display only the MySQL database instances available for the selected project.

05 Click on the name/ID of the database instance that you want to reconfigure.

06 In the navigation panel, select Overview to access the configuration details of the selected instance.

07 Click on the Edit button from the dashboard top menu to access the instance edit mode.

08 In the Configuration options section, click on Flags to expand the panel with the database flags configured for the selected instance.

09 Find the slow_query_log flag and turn it on by selecting On from the flag configuration dropdown list. If the flag has not been set on the selected instance before, click Add item, choose the slow_query_log flag from the Choose one dropdown menu, and set its value to On. Click Close to close the panel.

10 Click Save to apply the configuration changes.

11 Repeat step no. 5 – 10 to configure the specified flag for other MySQL database instances available within the selected project.

12 Repeat steps no. 2 – 11 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run sql instances patch command (Windows/macOS/Linux) using the name of the MySQL database instance that you want to reconfigure as identifier parameters (see Audit section part II to identify the right resource), to enable the "slow_query_log" database flag for the selected database instance:

gcloud sql instances patch cc-web-mysql-instance
	--database-flags slow_query_log=on

02 Type Y to confirm the database configuration change:

The following message will be used for the patch API method.
{"name": "cc-web-mysql-instance", "project": "cc-web-project-112233", "settings": {"databaseFlags": [{"name": "slow_query_log", "value": "on"}]}}
WARNING: This patch modifies database flag values, which may require your instance to be restarted. Check the list of supported flags - https://cloud.google.com/sql/docs/mysql/flags - to see if your instance will be restarted when this patch is submitted.
Do you want to continue (Y/n)? Y

03 The output should return the sql instances patch command request status:

Patching Cloud SQL instance...done.
Updated [https://sqladmin.googleapis.com/sql/v1beta4/projects/cc-web-project-112233/instances/cc-web-mysql-instance].

04 Repeat step no. 1 – 3 to configure the necessary flag for other MySQL database instances provisioned for the selected project.

05 Repeat steps no. 1 – 4 for each project created within your Google Cloud account.

References

Publication date Apr 21, 2021

Unlock the Remediation Steps


Gain free unlimited access
to our full Knowledge Base


Over 750 rules & best practices
for AWS and Azure

You are auditing:

Enable "slow_query_log" Flag for MySQL Database Servers

Risk level: Medium