Shipping Snowflake Logs and Audit Data to Coralogix with OpenTelemetry
This tutorial demonstrates how to centralize logging for Snowflake by sending logs to Coralogix via OpenTelemetry.
Overview
Snowflake is a cloud-based data warehousing platform known for efficiently storing, processing, and analyzing vast amounts of data. It provides scalable data warehousing services that enable organizations to manage and retrieve data seamlessly in a cloud environment.
Snowflake does not integrate directly with Coralogix for exporting logs and audit data. However, you can bridge that gap with the OpenTelemetry Collector: this guide shows how to use it to extract Snowflake logs and audit information and transmit them to Coralogix, which processes the data for streamlined visualization and analysis within its platform.
Prerequisites
OpenTelemetry Collector installed and configured
Active Snowflake account with appropriate access (e.g., ACCOUNTADMIN)
Configuring the OpenTelemetry Collector
The OpenTelemetry Collector includes observability components that support Snowflake, such as the Snowflake Receiver for monitoring key metrics and the SQL Query Receiver for executing custom queries via a built-in Snowflake database driver. These tools provide insights into Snowflake's performance and resource utilization.
Snowflake’s built-in capabilities track and log user activity. These logs and audit records can be retrieved with SQL queries, which the OpenTelemetry Collector’s SQL Query Receiver can execute on a schedule to enhance observability and auditing.
STEP 1: Obtaining your Snowflake account identifier
The account identifier uniquely identifies your Snowflake account within your organization. It is required for the connection string and encodes the cloud platform and region your account runs in.
To obtain your account identifier:
Go to your Snowflake console.
In the bottom left corner, copy the account URL.
Extract the account identifier from the account URL. For example, for the URL xy12345.us-east-2.aws.snowflakecomputing.com, the account identifier is xy12345.us-east-2.aws.
Refer to the Snowflake Account Identifiers Guide for more details.
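If you script your setup, the extraction step can be automated. The following Python sketch (the helper name is our own; it simply strips the well-known .snowflakecomputing.com suffix) illustrates the rule above:

```python
from urllib.parse import urlparse

def account_identifier(account_url: str) -> str:
    """Return the portion of the account URL before .snowflakecomputing.com."""
    # Accept URLs with or without a scheme (the console may show either).
    host = urlparse(account_url if "://" in account_url else "//" + account_url).netloc
    suffix = ".snowflakecomputing.com"
    return host[: -len(suffix)] if host.endswith(suffix) else host

print(account_identifier("https://xy12345.us-east-2.aws.snowflakecomputing.com"))
# → xy12345.us-east-2.aws
```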
STEP 2: Creating a connection string
The connection string is used to establish a connection to your Snowflake database. Format it as follows:

<username>:<password>@<account_identifier>.snowflakecomputing.com/<database>/<schema>

<username>: Your Snowflake username.
<password>: Your Snowflake password.
<account_identifier>: Your Snowflake account identifier.
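As a sanity check, the connection string can be assembled programmatically. This is an illustrative Python sketch (the function name and the URL-encoding of credentials are our own additions, not part of the Snowflake driver API); encoding matters if the password contains characters such as @ or /:

```python
from urllib.parse import quote

def snowflake_dsn(user: str, password: str, account: str,
                  database: str = "SNOWFLAKE", schema: str = "ACCOUNT_USAGE") -> str:
    """Build the datasource string used by the sqlquery receiver.

    The password is URL-encoded so reserved characters do not break parsing.
    """
    return (f"{quote(user)}:{quote(password, safe='')}"
            f"@{account}.snowflakecomputing.com/{database}/{schema}")

print(snowflake_dsn("otel_reader", "p@ss/word", "xy12345.us-east-2.aws"))
# → otel_reader:p%40ss%2Fword@xy12345.us-east-2.aws.snowflakecomputing.com/SNOWFLAKE/ACCOUNT_USAGE
```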
STEP 3: Writing the SQL query receiver configuration
Create the configuration for the SQL Query Receiver in your OpenTelemetry Collector configuration file (otel-collector-config.yaml). Remember to attach the sqlquery receiver to a logs pipeline:
exporters:
  coralogix:
    application_name: 'otel'
    application_name_attributes:
      - aws.ecs.task.family
      - service.namespace
    domain: ${CORALOGIX_DOMAIN}
    logs:
      headers:
        X-Coralogix-Distribution: ecs-fargate-integration/0.0.1
    metrics:
      headers:
        X-Coralogix-Distribution: ecs-fargate-integration/0.0.1
    private_key: ${PRIVATE_KEY}
    subsystem_name: 'integration'
    subsystem_name_attributes:
      - service.name
      - aws.ecs.docker.name
      - container_name
    timeout: 30s
    traces:
      headers:
        X-Coralogix-Distribution: ecs-fargate-integration/0.0.1
receivers:
  sqlquery:
    collection_interval: 21600s
    driver: snowflake
    datasource: "<username>:<password>@<ACCOUNT_IDENTIFIER>.snowflakecomputing.com/SNOWFLAKE/ACCOUNT_USAGE"
    queries:
      - sql: |
          SELECT
            OBJECT_CONSTRUCT(
              'application', 'snowflake',
              'environment', 'debug',
              'log_type', 'login_history',
              'EVENT_TIMESTAMP', EVENT_TIMESTAMP,
              'EVENT_TYPE', EVENT_TYPE,
              'USER_NAME', USER_NAME,
              'CLIENT_IP', CLIENT_IP,
              'REPORTED_CLIENT_TYPE', REPORTED_CLIENT_TYPE,
              'FIRST_AUTHENTICATION_FACTOR', FIRST_AUTHENTICATION_FACTOR,
              'IS_SUCCESS', IS_SUCCESS,
              'ERROR_CODE', ERROR_CODE,
              'ERROR_MESSAGE', ERROR_MESSAGE,
              'EVENT_ID', EVENT_ID
            ) log,
            EXTRACT(EPOCH FROM EVENT_TIMESTAMP) AS EPOCH_TIMESTAMP
          FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
          WHERE EXTRACT(EPOCH FROM EVENT_TIMESTAMP) > ?
          ORDER BY EPOCH_TIMESTAMP ASC
        tracking_start_value: "0"
        tracking_column: EPOCH_TIMESTAMP
        logs:
          - body_column: LOG
service:
  pipelines:
    logs:
      receivers:
        - sqlquery
      exporters:
        - coralogix
Configuration breakdown
The sqlquery receiver executes custom SQL queries against a specified database and collects the results. Key settings:
driver: Specifies the database driver (snowflake).
datasource: Connection string including username, password, and account identifier.
collection_interval: Frequency of query execution; adjust it to your preference (the example uses 21600s, i.e., every 6 hours).
queries: List of SQL queries to execute, each defining:
sql: The query, which constructs a JSON object from LOGIN_HISTORY columns. The tracking value is passed as a parameter via the ? placeholder.
tracking_start_value and tracking_column: Settings for incremental collection using EPOCH_TIMESTAMP.
logs: Defines how query results are processed as logs, using LOG as the body column.
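To build intuition for the tracking mechanism, here is a small Python simulation of the receiver's incremental behavior (an illustrative model under our assumptions, not the collector's actual source code):

```python
# Illustrative model: each collection cycle substitutes the stored tracking
# value for the '?' placeholder, then remembers the last row's
# EPOCH_TIMESTAMP as the tracking value for the next cycle.
def collect(rows, tracking_value):
    """Return rows newer than tracking_value (ascending) and the new tracking value."""
    batch = sorted((r for r in rows if r["EPOCH_TIMESTAMP"] > tracking_value),
                   key=lambda r: r["EPOCH_TIMESTAMP"])
    return batch, (batch[-1]["EPOCH_TIMESTAMP"] if batch else tracking_value)

rows = [{"EPOCH_TIMESTAMP": 20}, {"EPOCH_TIMESTAMP": 10}]
first, tv = collect(rows, 0)    # returns both rows, oldest first; tv becomes 20
second, tv = collect(rows, tv)  # no new rows; tv stays 20
```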
Note
We recommend creating a new column called EPOCH_TIMESTAMP, derived from EXTRACT(EPOCH FROM EVENT_TIMESTAMP). The table's EVENT_ID does not form a continuous sequence, and tracking_column only works on a numeric value_type (e.g., int or double). With ascending order (ORDER BY EPOCH_TIMESTAMP ASC), the collector uses the last row's tracking_column value as the parameterized value for the next query. Additionally, when the collector is restarted, the tracking value resets to tracking_start_value, re-querying all the data. You can add conditional logic to the query to prevent this (e.g., only pull data from the last 6 hours: EVENT_TIMESTAMP >= DATEADD(hour, -6, CURRENT_TIMESTAMP())).
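Combining both guards, the WHERE clause of the login-history query could look like the sketch below (the 6-hour window is an example value; align it with your collection_interval):

```sql
-- Incremental tracking plus a restart guard (example window: 6 hours)
WHERE EXTRACT(EPOCH FROM EVENT_TIMESTAMP) > ?
  AND EVENT_TIMESTAMP >= DATEADD(hour, -6, CURRENT_TIMESTAMP())
ORDER BY EPOCH_TIMESTAMP ASC
```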
STEP 4: Deployment and validation
Add the sqlquery receiver to your OpenTelemetry Collector config: Integrate the sqlquery receiver into your deployment configuration (e.g., Kubernetes, ECS, EC2).
Deploy the OpenTelemetry Collector: Apply the configuration changes and deploy the OpenTelemetry Collector.
Validate the configuration: Ensure logs are collected correctly, confirming that only a single sqlquery receiver instance is running to prevent duplicate records.
STEP 5: [Optional] Expanding SQL configurations
Repeat the SQL configuration (sqlquery.queries) for all Snowflake tables storing logs and audit data.
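For example, a second entry under receivers.sqlquery.queries could pull query audit data from ACCOUNT_USAGE.QUERY_HISTORY. The column selection below is a sketch; adjust it to the fields you need:

```yaml
- sql: |
    SELECT
      OBJECT_CONSTRUCT(
        'application', 'snowflake',
        'log_type', 'query_history',
        'QUERY_ID', QUERY_ID,
        'USER_NAME', USER_NAME,
        'EXECUTION_STATUS', EXECUTION_STATUS,
        'ERROR_CODE', ERROR_CODE,
        'ERROR_MESSAGE', ERROR_MESSAGE,
        'START_TIME', START_TIME
      ) log,
      EXTRACT(EPOCH FROM START_TIME) AS EPOCH_TIMESTAMP
    FROM SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY
    WHERE EXTRACT(EPOCH FROM START_TIME) > ?
    ORDER BY EPOCH_TIMESTAMP ASC
  tracking_start_value: "0"
  tracking_column: EPOCH_TIMESTAMP
  logs:
    - body_column: LOG
```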
ECS task definition
{
  "containerDefinitions": [
    {
      "name": "otel-collector",
      "image": "otel/opentelemetry-collector-contrib",
      "cpu": 0,
      "portMappings": [
        {
          "name": "otel-collector-4317-tcp",
          "containerPort": 4317,
          "hostPort": 4317,
          "protocol": "tcp",
          "appProtocol": "grpc"
        },
        {
          "name": "otel-collector-4318-tcp",
          "containerPort": 4318,
          "hostPort": 4318,
          "protocol": "tcp",
          "appProtocol": "http"
        }
      ],
      "essential": true,
      "command": [
        "--config",
        "env:SSM_CONFIG"
      ],
      "environment": [
        {
          "name": "CORALOGIX_DOMAIN",
          "value": "us2.coralogix.com"
        }
      ],
      "mountPoints": [],
      "volumesFrom": [],
      "secrets": [
        {
          "name": "SSM_CONFIG",
          "valueFrom": "<ARN_TO_SECRETS_MANAGER>"
        },
        {
          "name": "PRIVATE_KEY",
          "valueFrom": "<ARN_TO_SECRETS_MANAGER>"
        }
      ],
      "user": "0",
      "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-group": "<ENV>-coralogix-open-telemetry",
          "awslogs-create-group": "true",
          "awslogs-region": "<REGION>",
          "awslogs-stream-prefix": "snowflake"
        }
      },
      "systemControls": []
    }
  ],
  "family": "staging-coralogix-open-telemetry",
  "networkMode": "awsvpc",
  "revision": 22,
  "volumes": [],
  "status": "ACTIVE",
  "requiresAttributes": [
    { "name": "com.amazonaws.ecs.capability.logging-driver.awslogs" },
    { "name": "ecs.capability.execution-role-awslogs" },
    { "name": "com.amazonaws.ecs.capability.docker-remote-api.1.19" },
    { "name": "ecs.capability.secrets.asm.environment-variables" },
    { "name": "com.amazonaws.ecs.capability.docker-remote-api.1.17" },
    { "name": "com.amazonaws.ecs.capability.task-iam-role" },
    { "name": "com.amazonaws.ecs.capability.docker-remote-api.1.18" },
    { "name": "ecs.capability.task-eni" },
    { "name": "com.amazonaws.ecs.capability.docker-remote-api.1.29" }
  ],
  "placementConstraints": [],
  "compatibilities": [
    "EC2",
    "FARGATE"
  ],
  "requiresCompatibilities": [
    "FARGATE"
  ],
  "cpu": "1024",
  "memory": "3072",
  "runtimePlatform": {
    "cpuArchitecture": "X86_64",
    "operatingSystemFamily": "LINUX"
  },
  "tags": [
    {
      "key": "project",
      "value": "<PROJECT_NAME>"
    }
  ]
}
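One way to register this task definition (an assumption about your workflow, not a required step) is with the AWS CLI. Note that revision, status, requiresAttributes, and compatibilities are read-only fields returned by describe calls; remove them from the JSON before registering, or the registration will be rejected:

```shell
# Assumes the cleaned JSON above is saved as task-definition.json
# and the AWS CLI is configured with permissions for ECS.
aws ecs register-task-definition --cli-input-json file://task-definition.json
```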
Validation
Navigate to Explore > Logs in Coralogix to view your centralized Snowflake logs.
Support
Need help?
Our customer success team is available 24/7 via in-app chat or email at support@coralogix.com.