|
| 1 | +--- |
| 2 | +id: snowflake-logs |
| 3 | +title: Snowflake Logs |
| 4 | +sidebar_label: Snowflake Logs |
| 5 | +description: The Sumo Logic app for Snowflake Logs allows you to gain real-time insights into key metrics, query performance, and overall health of Snowflake environments to optimize operations, support informed decisions, and maximize Snowflake's potential. |
| 6 | +--- |
| 7 | + |
| 8 | +import useBaseUrl from '@docusaurus/useBaseUrl'; |
| 9 | + |
| 10 | +<img src={useBaseUrl('img/integrations/security-threat-detection/snowflake.png')} alt="Thumbnail icon" width="150"/> |
| 11 | + |
| 12 | +The Sumo Logic app for Snowflake Logs offers a powerful analytics solution designed to help you fully leverage the Snowflake cloud data platform. Known for its scalability and advanced data warehousing capabilities and analytics, Snowflake supports data-driven decision-making at scale. This app provides real-time visibility into key metrics, query performance, and the overall health of Snowflake environments. By analyzing Snowflake logs, you can monitor system performance, track login activity, optimize data management, and maintain better control over your data warehouse. |
| 13 | + |
| 14 | +With centralized monitoring and actionable insights, the app enables you to streamline operations, make informed decisions, and maximize the value of their Snowflake data assets. |
| 15 | + |
| 16 | +:::info |
| 17 | +This app includes [built-in monitors](#snowflake-logs-monitors). For details on creating custom monitors, refer to the [Create monitors for Snowflake Logs app](#create-monitors-for-snowflake-logs-app). |
| 18 | +::: |
| 19 | + |
| 20 | +## Log types |
| 21 | + |
| 22 | +This app uses Sumo Logic’s [Snowflake Logs Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/snowflake-logs-source/) to collect the data from the Snowflake Logs platform. |
| 23 | + |
| 24 | +### Sample log messages |
| 25 | + |
| 26 | +<details> |
| 27 | +<summary>Login History</summary> |
| 28 | + |
| 29 | +```json |
| 30 | +{ |
| 31 | + "CLIENT_IP": "52.44.184.81", |
| 32 | + "CLIENT_PRIVATE_LINK_ID": null, |
| 33 | + "CONNECTION": null, |
| 34 | + "ERROR_CODE": null, |
| 35 | + "ERROR_MESSAGE": null, |
| 36 | + "EVENT_ID": "1023469238922246", |
| 37 | + "EVENT_TIMESTAMP": "2025-06-12T01:14:02.745-04:00", |
| 38 | + "EVENT_TYPE": "LOGIN", |
| 39 | + "FIRST_AUTHENTICATION_FACTOR": "SAML2_ASSERTION", |
| 40 | + "IS_SUCCESS": "YES", |
| 41 | + "RELATED_EVENT_ID": "0", |
| 42 | + "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI", |
| 43 | + "REPORTED_CLIENT_VERSION": "9.15.2", |
| 44 | + "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", |
| 45 | + "USER_NAME": "John" |
| 46 | +} |
| 47 | +``` |
| 48 | +</details> |
| 49 | + |
| 50 | +<details> |
| 51 | +<summary>Sessions</summary> |
| 52 | + |
| 53 | +```json |
| 54 | +{ |
| 55 | + "AUTHENTICATION_METHOD":"Password", |
| 56 | + "CLIENT_APPLICATION_ID":"Go 1.14.0", |
| 57 | + "CLIENT_APPLICATION_VERSION":"1.14.0", |
| 58 | + "CLIENT_BUILD_ID":"", |
| 59 | +"CLIENT_ENVIRONMENT":"{\"APPLICATION\":\"Go\",\"OS\":\"linux\",\"OS_VERSION\":\"gc-amd64\",\"OCSP_MODE\":\"FAIL_OPEN\",\"GO_VERSION\":\"go1.23.9 X:boringcrypto\"}", |
| 60 | + "CLIENT_VERSION":"0", |
| 61 | + "CLOSED_REASON":"LOGOUT", |
| 62 | + "CREATED_ON":"2025-06-12T01:59:56.812-07:00", |
| 63 | + "LOGIN_EVENT_ID":"41338407433", |
| 64 | + "SESSION_ID":"2709153701236758", |
| 65 | + "USER_NAME":"JOhn" |
| 66 | +} |
| 67 | +``` |
| 68 | +</details> |
| 69 | + |
| 70 | +<details> |
| 71 | +<summary>Stages</summary> |
| 72 | + |
| 73 | +```json |
| 74 | +{ |
| 75 | + "COMMENT": null, |
| 76 | + "CREATED": "2025-06-12T03:37:20.787-04:00", |
| 77 | + "DELETED": "2025-06-12T03:42:25.544-04:00", |
| 78 | + "DIRECTORY_ENABLED": null, |
| 79 | + "ENDPOINT": null, |
| 80 | + "INSTANCE_ID": null, |
| 81 | + "LAST_ALTERED": "2025-06-12T03:42:25.544-04:00", |
| 82 | + "OWNER_ROLE_TYPE": null, |
| 83 | + "STAGE_CATALOG": "CDWQA", |
| 84 | + "STAGE_CATALOG_ID": "46", |
| 85 | + "STAGE_ID": "42409", |
| 86 | + "STAGE_NAME": "dhgfak", |
| 87 | + "STAGE_OWNER": null, |
| 88 | + "STAGE_REGION": null, |
| 89 | + "STAGE_SCHEMA": "DVT", |
| 90 | + "STAGE_SCHEMA_ID": "371", |
| 91 | + "STAGE_TYPE": "Internal Named", |
| 92 | + "STAGE_URL": null, |
| 93 | + "STORAGE_INTEGRATION": null |
| 94 | +} |
| 95 | +``` |
| 96 | +</details> |
| 97 | + |
| 98 | +<details> |
| 99 | +<summary>Data Transfer History</summary> |
| 100 | + |
| 101 | +```json |
| 102 | +{ |
| 103 | + "BYTES_TRANSFERRED": 15562, |
| 104 | + "END_TIME": "2025-06-12T01:00:00-04:00", |
| 105 | + "SOURCE_CLOUD": "aws", |
| 106 | + "SOURCE_REGION": "us-east", |
| 107 | + "START_TIME": "2025-06-12T00:00:00-04:00", |
| 108 | + "TARGET_CLOUD": "aws", |
| 109 | + "TARGET_REGION": "us-west", |
| 110 | + "TRANSFER_TYPE": "COPY" |
| 111 | +} |
| 112 | +``` |
| 113 | +</details> |
| 114 | + |
| 115 | +<details> |
| 116 | +<summary>Grants to User</summary> |
| 117 | + |
| 118 | +```json |
| 119 | +{ |
| 120 | + "CREATED_ON": "2025-06-12T09:44:40.468-04:00", |
| 121 | + "DELETED_ON": null, |
| 122 | + "GRANTED_BY": "JOHN", |
| 123 | + "GRANTED_TO": "USER", |
| 124 | + "GRANTEE_NAME": "SUMO", |
| 125 | + "ROLE": "TESTER" |
| 126 | +} |
| 127 | +``` |
| 128 | +</details> |
| 129 | + |
| 130 | +### Sample queries |
| 131 | + |
| 132 | +```sql title="Users Login Over Time" |
| 133 | +_sourceCategory="Labs/SnowflakeLogs" |
| 134 | +| Json "REPORTED_CLIENT_TYPE", "USER_NAME", "FIRST_AUTHENTICATION_FACTOR", "SECOND_AUTHENTICATION_FACTOR", "AUTHENTICATION_METHOD", "SESSION_ID", "STAGE_ID", "STAGE_TYPE", "TRANSFER_TYPE", "CLIENT_IP", "CREATED_ON", "ROLE", "GRANTED_TO", "GRANTEE_NAME", "GRANTED_BY", "QUERY_TEXT", "QUERY_TYPE", "ROLE_NAME", "EXECUTION_STATUS", "EXECUTION_TIME" as client_type, user_name, first_authentication, second_authentication, authentication_method, session_id, stage_id, stage_type, data_transfer_type, ip_address, date, role, granted_to, grantee_name, granted_by, query_text, query_type, role_name, status, execution_time nodrop |
| 135 | + |
| 136 | +// global filters |
| 137 | +| where isNull(stage_type) or stage_type matches "{{stage_type}}" |
| 138 | +| where isNull(authentication_method) or authentication_method matches "{{authentication_method}}" |
| 139 | +| where isNull(data_transfer_type) or data_transfer_type matches "{{data_transfer_type}}" |
| 140 | +| where isNull(client_type) or client_type matches "{{client_type}}" |
| 141 | +| where isNull(second_authentication) or second_authentication matches "{{2FA}}" |
| 142 | + |
| 143 | +// panel specific |
| 144 | +| where !isNull(client_type) |
| 145 | +| timeslice 1d |
| 146 | +| count by user_name, _timeslice |
| 147 | +| count as frequency by _timeslice |
| 148 | +| fillmissing timeslice |
| 149 | +``` |
| 150 | + |
| 151 | +```sql title="Breakdown by Session Closed Reason" |
| 152 | +_sourceCategory="Labs/SnowflakeLogs" |
| 153 | +| Json "AUTHENTICATION_METHOD", "SESSION_ID", "CLOSED_REASON", "TARGET_CLOUD", "SOURCE_CLOUD", "REPORTED_CLIENT_TYPE", "CLIENT_IP", "IS_SUCCESS", "USER_NAME", "ERROR_CODE", "ERROR_MESSAGE", "TRANSFER_TYPE", "SOURCE_REGION", "TARGET_REGION", "BYTES_TRANSFERRED" as authentication_method, session_id, session_closed_reason, target_cloud, source_cloud, client_type, ip_address, is_success, user_name, error_code, error_message, data_transfer_type, source_region, target_region, bytes_transferred nodrop |
| 154 | + |
| 155 | +// global filters |
| 156 | +| where isNull(session_closed_reason) or session_closed_reason matches "{{session_closed_reason}}" |
| 157 | +| where isNull(source_cloud) or source_cloud matches "{{source_cloud}}" |
| 158 | +| where isNull(target_cloud) or target_cloud matches "{{target_cloud}}" |
| 159 | +| where isNull(login_success) or login_success matches "{{login_success}}" |
| 160 | + |
| 161 | +// panel specific |
| 162 | +| where !isNull(authentication_method) |
| 163 | +| count by session_closed_reason, session_id |
| 164 | +| count as frequency by session_closed_reason |
| 165 | +| sort by frequency, session_closed_reason |
| 166 | +``` |
| 167 | + |
| 168 | +## Collection configuration and app installation |
| 169 | + |
| 170 | +import CollectionConfiguration from '../../reuse/apps/collection-configuration.md'; |
| 171 | + |
| 172 | +<CollectionConfiguration/> |
| 173 | + |
| 174 | +:::important |
| 175 | +Use the [Cloud-to-Cloud Integration for Snowflake Logs](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/snowflake-logs-source/) to create the source and use the same source category while installing the app. By following these steps, you can ensure that your Snowflake Logs app is properly integrated and configured to collect and analyze your Snowflake Logs data. |
| 176 | +::: |
| 177 | + |
| 178 | +### Create a new collector and install the app |
| 179 | + |
| 180 | +import AppCollectionOPtion1 from '../../reuse/apps/app-collection-option-1.md'; |
| 181 | + |
| 182 | +<AppCollectionOPtion1/> |
| 183 | + |
| 184 | +### Use an existing collector and install the app |
| 185 | + |
| 186 | +import AppCollectionOPtion2 from '../../reuse/apps/app-collection-option-2.md'; |
| 187 | + |
| 188 | +<AppCollectionOPtion2/> |
| 189 | + |
| 190 | +### Use an existing source and install the app |
| 191 | + |
| 192 | +import AppCollectionOPtion3 from '../../reuse/apps/app-collection-option-3.md'; |
| 193 | + |
| 194 | +<AppCollectionOPtion3/> |
| 195 | + |
| 196 | +## Viewing Snowflake Logs dashboards |
| 197 | + |
| 198 | +import ViewDashboards from '../../reuse/apps/view-dashboards.md'; |
| 199 | + |
| 200 | +<ViewDashboards/> |
| 201 | + |
| 202 | +### Snowflake Logs - Overview |
| 203 | + |
| 204 | +The **Snowflake Logs - Overview** dashboard provides a comprehensive view of key metrics and operational insights within your Snowflake environment. It enables real-time monitoring of user activity, system performance, and data transfer trends, helping stakeholders better understand overall usage and behavior. |
| 205 | +Key panels include Total Users, 2FA Enabled Users, Total Sessions, User Geolocation, and more, allowing you to track login activity, system utilization, and authentication patterns over time. By analyzing data by authentication methods, transfer types, and other factors, you can proactively manage resources, optimize processes, and improve operational efficiency. |
| 206 | + |
| 207 | +<img src={useBaseUrl('https://sumologic-app-data-v2.s3.us-east-1.amazonaws.com/dashboards/Snowflake-Logs/Snowflake+Logs+-+Overview.png')} alt="Entries Overview dashboard" /> |
| 208 | + |
| 209 | +### Snowflake Logs - Security |
| 210 | + |
| 211 | +The **Snowflake Logs - Security** dashboard offers in-depth visibility into security-related activities and potential threats within your Snowflake environment. It highlights key events such as failed login attempts, data transfers, and geolocation-based login patterns. With metrics like Failed Login Summary, Data Transfer by Source Cloud Platform, and Transfers Over 1GB, helping security teams identify anomalies, investigate incidents, and take proactive steps to mitigate risks effectively. |
| 212 | + |
| 213 | +<img src={useBaseUrl('https://sumologic-app-data-v2.s3.us-east-1.amazonaws.com/dashboards/Snowflake-Logs/Snowflake+Logs+-+Security.png')} alt="Audits Overview dashboard" /> |
| 214 | + |
| 215 | +## Create monitors for Snowflake Logs app |
| 216 | + |
| 217 | +import CreateMonitors from '../../reuse/apps/create-monitors.md'; |
| 218 | + |
| 219 | +<CreateMonitors/> |
| 220 | + |
| 221 | +### Snowflake Logs monitors |
| 222 | + |
| 223 | +| Name | Description | Trigger Type (Critical / Warning / MissingData) | Alert Condition | |
| 224 | +|:--|:--|:--|:--| |
| 225 | +| `Snowflake Logs - Data Transfer Limitation` | This alert is triggered when more than 1GB data transfer occurs in single session. | Critical | Count > 0 | |
| 226 | +| `Snowflake Logs - Logins from Embargoed Geo Locations` | This alert is triggered when logins are detected from sanctioned or embargoed regions, helping you to maintain adherence to legal and regulatory standards. | Critical | Count > 0| |
| 227 | + |
| 228 | +## Upgrade/Downgrade the Snowflake Logs app (Optional) |
| 229 | + |
| 230 | +import AppUpdate from '../../reuse/apps/app-update.md'; |
| 231 | + |
| 232 | +<AppUpdate/> |
| 233 | + |
| 234 | +## Uninstalling the Snowflake Logs app (Optional) |
| 235 | + |
| 236 | +import AppUninstall from '../../reuse/apps/app-uninstall.md'; |
| 237 | + |
| 238 | +<AppUninstall/> |
0 commit comments