This topic describes how to enable the new audit log feature for an ApsaraDB for Redis instance. The new audit log feature is integrated with Log Service and allows you to query, analyze, and export log data. You can use this feature to gain insights into the security and performance of the instance.

Prerequisites

  • The instance is an instance of ApsaraDB for Redis Community Edition or a performance-enhanced instance of ApsaraDB for Redis Enhanced Edition (Tair).
  • The database version of the ApsaraDB for Redis instance is Redis 4.0 or later, and the instance runs the latest minor version. For more information about how to update the minor version and upgrade the major version of an instance, see Upgrade the major version and Update the minor version.
  • If you enable the new audit log feature with the credentials of a RAM user, the AliyunLogFullAccess policy is attached to that RAM user. For more information, see Grant permissions to a RAM user.

Typical scenarios

ApsaraDB for Redis integrates with Log Service to provide an audit log feature that is stable, flexible, simple, and efficient. This feature can be used in the following scenarios:

  • Operation audit: Helps security auditors identify the operator and the time of a data modification, and detect internal risks such as abuse of permissions and the execution of prohibited commands.
  • Security compliance: Helps business systems meet the audit requirements of security compliance standards.

Precautions

  • After you enable the audit log feature for an instance, ApsaraDB for Redis audits and logs the write operations that are performed on the instance. The instance may encounter a performance decrease of 5% to 15% and some latency jitter. The size of the decrease and the jitter depend on the volume of writes that are audited.
    Notice
    • If your application is write-heavy, for example if it frequently runs the INCR command as a counter, the performance decrease is sustained. In such a scenario, we recommend that you enable the audit log feature only while you troubleshoot issues or audit the security of the instance.
    • Read operations are usually far more numerous than write operations. Auditing them would deteriorate instance performance, so ApsaraDB for Redis records audit information only for write operations.
  • The log retention period is a region-level setting: the period that you specify for one instance is applied to all the other instances that reside in the same region. Other settings that you specify for an instance are applied only to that instance. For example, if you enable the audit log feature for an instance, the feature is enabled only for that instance.

Pricing

You are charged for the audit log feature based on the storage usage and retention period of audit logs. The price varies with the region that you select. For more information, see Billable items and prices.

Note The free trial version of the audit log feature was phased out on June 11, 2021. For more information, see [Notice] Official version of the audit log feature for ApsaraDB for Redis released.

Procedure

  1. Log on to the ApsaraDB for Redis console.
  2. In the top navigation bar of the page, select the region in which the instance is deployed.
  3. On the Instances page, click the ID of the instance.
  4. In the left-side navigation pane, choose Logs > Audit Log.
  5. Specify a log retention period.
    Figure 1. Specify a log retention period
    Note You are charged for the audit log feature based on the storage usage and retention period of audit logs. The log retention period that you specify can range from 1 to 365 days. After you specify a log retention period for an instance, the log retention period is applied to the instance and all the other instances that reside in the same region.
  6. Click Enable Audit Logs.
  7. In the message that appears, read the content and click OK.
    Note The audit log feature depends on Log Service. If Log Service is not activated for your Alibaba Cloud account, you must activate Log Service. For more information, see What is Log Service?

FAQ

  • How do I disable the audit log feature for an instance?

    Log on to the ApsaraDB for Redis console and go to the Audit Log page of the instance. In the upper-right corner of the page, click Service Settings. Then, you can disable the audit log feature.

  • How do I download all audit logs?
    For more information, see Download logs. To download all audit logs, take note of the following items:
    Note
    • To download all audit logs, you must specify the redis_audit_log_standard Logstore and specify the project name in the following format: nosql-{ID of your Alibaba Cloud account}-{Region}. Example: nosql-17649847257****-cn-hangzhou.
    • To download all audit logs, you must select Download All Logs with Cloud Shell or Download All Logs Using Command Line Tool. If you select Download Log in Current Page, you can download only the audit logs that are displayed on the current page.
  • Why does the audit log feature support only write operations but not read operations?

    In most workloads, read operations far outnumber write operations. Auditing reads would cause a serious performance decrease and generate a large volume of audit logs that must be stored. Under that load, ApsaraDB for Redis might have to discard some audit logs to keep the service stable. For these reasons, the audit log feature does not cover read operations.

  • If I specify different log retention periods for two instances in the same region that have the new audit log feature enabled, which log retention period is applied to all the instances in the region?

    The last log retention period that you specify is applied.

  • Why do I find audit logs whose client IP addresses are not the IP address of the client on which my application runs?

    The audit logs also contain write operations issued by the management (control) plane of ApsaraDB for Redis, not only those issued by your application. These operations appear with client IP addresses that do not belong to your application. You can filter the logs, for example by client IP address, to keep only the operations that are relevant to you.
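The following script is an added example, not code from the ApsaraDB for Redis documentation or the service itself. It shows how a practitioner might triage an exported batch of audit logs for the operation-audit scenario described above and for the client IP question in this FAQ: it separates write operations issued from the application's own client networks from those issued from elsewhere, counts writes per client, and flags destructive commands that did not come from the application. The record field names (time, client_ip, account, command), the sample records, the application CIDR and the list of destructive commands are all assumptions of this example; check the field names against the schema of your redis_audit_log_standard Logstore before using it on real exports.

```python
"""Triage helper for an ApsaraDB for Redis audit-log export (added example).

Assumptions (not stated on the documentation page): the export is
line-delimited JSON, and each record carries the keys "time", "client_ip",
"account" and "command". Only write operations appear, as on the page.
"""
import ipaddress
import json
from collections import Counter

# Constructed sample export; the field names and values are illustrative only.
SAMPLE_EXPORT = """\
{"time": "2021-06-12 10:00:01", "client_ip": "10.0.1.15", "account": "app_user", "command": "SET session:abc 1 EX 3600"}
{"time": "2021-06-12 10:00:02", "client_ip": "10.0.1.15", "account": "app_user", "command": "INCR page:views"}
{"time": "2021-06-12 10:00:03", "client_ip": "10.0.1.22", "account": "app_user", "command": "HSET user:42 email a@example.com"}
{"time": "2021-06-12 10:00:04", "client_ip": "100.104.5.9", "account": "default", "command": "SET probe:health 1"}
{"time": "2021-06-12 10:00:05", "client_ip": "192.168.9.77", "account": "ops_tmp", "command": "FLUSHDB"}
{"time": "2021-06-12 10:00:06", "client_ip": "10.0.1.15", "account": "app_user", "command": "DEL session:abc"}
"""

# Example policy: commands that wipe or swap whole keyspaces. This list belongs
# to the example, not to the service; tune it to your environment.
DESTRUCTIVE_COMMANDS = {"FLUSHALL", "FLUSHDB", "SWAPDB"}


def parse_export(text):
    """Parse a line-delimited JSON export into a list of dict records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def command_name(record):
    """Return the Redis command verb of a record, upper-cased (e.g. 'SET')."""
    return record["command"].split(None, 1)[0].upper()


def split_by_origin(records, app_cidrs):
    """Separate records issued from the application's client networks from
    all other records, such as management-plane writes, which show up with
    client IP addresses that are not your application's."""
    nets = [ipaddress.ip_network(cidr) for cidr in app_cidrs]
    from_app, from_other = [], []
    for rec in records:
        ip = ipaddress.ip_address(rec["client_ip"])
        (from_app if any(ip in net for net in nets) else from_other).append(rec)
    return from_app, from_other


def find_destructive(records):
    """Return the records whose command verb is in DESTRUCTIVE_COMMANDS."""
    return [r for r in records if command_name(r) in DESTRUCTIVE_COMMANDS]


def writes_per_client(records):
    """Count write operations per client IP address to spot unexpected writers."""
    return Counter(r["client_ip"] for r in records)


def triage(text, app_cidrs):
    """Summarize an export: how many writes came from the application, which
    other IP addresses wrote, and any destructive commands from outside."""
    records = parse_export(text)
    from_app, from_other = split_by_origin(records, app_cidrs)
    return {
        "total": len(records),
        "from_app": len(from_app),
        "from_other": sorted({r["client_ip"] for r in from_other}),
        "destructive_outside_app": [
            (r["client_ip"], r["account"], command_name(r))
            for r in find_destructive(from_other)
        ],
        "writes_per_client": dict(writes_per_client(records)),
    }


if __name__ == "__main__":
    # The application's client subnet is an assumption of this example.
    print(json.dumps(triage(SAMPLE_EXPORT, ["10.0.1.0/24"]), indent=2))
```

On the constructed sample, four of the six writes come from the 10.0.1.0/24 application subnet, two other addresses wrote to the instance, and one of them issued FLUSHDB, which is the kind of record an operation audit is meant to surface. Writes from addresses you do not recognize are not necessarily a problem, since management-plane operations are logged too, but a destructive command from an unexpected address and account is worth following up on.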