---
title: >-
  A log metric filter and alert should exist for SQL instance configuration
  changes
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > A log metric filter and alert should
  exist for SQL instance configuration changes
---

# A log metric filter and alert should exist for SQL instance configuration changes
 
## Description{% #description %}

It is recommended that a metric filter and alarm be set up for SQL instance configuration changes.

## Rationale{% #rationale %}

Monitoring changes to SQL instance configuration changes may reduce the time needed to detect and correct SQL server misconfigurations. Below are a few configurable options that may impact the security posture of an SQL instance: • Enable auto backups and high availability: Misconfiguration may adversely impact business continuity, disaster recovery, and high availability • Authorize networks: Misconfiguration may increase exposure to untrusted networks

### Impact{% #impact %}

Enabling logging may result in your project being charged for the additional logs usage.

## Remediation{% #remediation %}

### From the console{% #from-the-console %}

#### Create the prescribed log metric{% #create-the-prescribed-log-metric %}

1. Go to Logging/Logs-based Metrics by visiting [https://console.cloud.google.com/logs/metrics](https://cloud.google.com/logging/docs/logs-based-metrics/) and clicking **CREATE METRIC**.

1. Click the down arrow icon on the **Filter Bar** at the top right corner and select **Convert to Advanced Filter**.

1. Clear any text and add:

   ```gdscript3
   protoPayload.methodName="cloudsql.instances.update"
   ```

1. Click **Submit Filter**. Display logs appear based on the filter text.

1. In the **Metric Editor** menu on the right, fill out the name field. Set **Units** to `1` (default) and **Type** to `Counter`. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.

1. Click **Create Metric**.

#### Create the prescribed alert policy{% #create-the-prescribed-alert-policy %}

1. Go to [https://console.cloud.google.com/logs/metrics](https://cloud.google.com/logging/docs/logs-based-metrics/). Under the **User-defined Metrics** section, identify the newly created metric.
1. Click the kebab icon in the rightmost column for the new metric and select **Create alert from Metric**.
1. Fill out the alert policy configuration and click **Save**. Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value ensures that a notification is triggered for every owner change in the project:

```mysql
   Set `Aggregator` to `Count`
   Set `Configuration`:
   - Condition: above
   - Threshold: 0
   - For: most recent value
```
Configure the desired notifications channels in the section **Notifications**.Name the policy and click **Save**.
### From the command line{% #from-the-command-line %}

1. Create the prescribed log metric using the following command:
   ```
   gcloud logging metrics create
   ```
[Reference for command usage](https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create)
1. Create the prescribed alert policy using the following command:
   ```
   gcloud alpha monitoring policies create
   ```
[Reference for command usage](https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create)

## References{% #references %}

1. [https://console.cloud.google.com/logs/metrics](https://cloud.google.com/logging/docs/logs-based-metrics/)
1. [https://cloud.google.com/monitoring/custom-metrics/](https://cloud.google.com/monitoring/custom-metrics/)
1. [https://cloud.google.com/monitoring/alerts/](https://cloud.google.com/monitoring/alerts/)
1. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging](https://cloud.google.com/logging/docs/reference/tools/gcloud-logging)
1. [https://cloud.google.com/storage/docs/overview](https://cloud.google.com/storage/docs/overview)
1. [https://cloud.google.com/sql/docs/](https://cloud.google.com/sql/docs/)
1. [https://cloud.google.com/sql/docs/mysql/](https://cloud.google.com/sql/docs/mysql/)
1. [https://cloud.google.com/sql/docs/postgres/](https://cloud.google.com/sql/docs/postgres/)
1. [https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create](https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create)
1. [https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create](https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create)