This topic describes how to enable the new version of the audit log feature for an ApsaraDB for Redis instance. The new version is integrated with Log Service and allows you to query, analyze, and export log data. You can use this feature to gain insights into the security and performance of the instance.

Prerequisites

  • The instance is an instance of ApsaraDB for Redis Community Edition or a performance-enhanced instance of ApsaraDB for Redis Enhanced Edition (Tair). For more information about performance-enhanced instances, see Performance-enhanced instances.
  • The instance runs the latest minor version in Redis 4.0 or later. For more information about how to upgrade the minor and major versions of an instance, see Upgrade to a major version and Upgrade the minor version.
  • The AliyunLogFullAccess policy is attached to a Resource Access Management (RAM) user if you want to enable the audit log feature by using the credentials of the RAM user. For more information, see Grant permissions to a RAM user.

Background information

Log Service is an all-in-one logging service that is developed by Alibaba Cloud based on a large number of big data scenarios. For more information, see What is Log Service? You can use Log Service to collect, consume, push, query, and analyze log data without the need to write code. Log Service helps you improve O&M efficiency. Some features of Log Service are integrated into ApsaraDB for Redis. This allows ApsaraDB for Redis to provide the audit log feature, which is stable, flexible, efficient, and easy to use.

Precautions

  • After you enable the audit log feature for an instance, ApsaraDB for Redis audits and logs the write operations that are performed on the instance. The instance may experience a performance decrease of 5% to 15% and some latency jitter. The performance decrease and the latency jitter vary based on the amount of data that is written or the amount of data that is audited.
    Notice: If your application writes a large amount of data to an instance, we recommend that you enable the audit log feature only when you troubleshoot issues or audit the security of the instance. This helps you prevent a performance decrease. For example, if you frequently run the INCR command to count numbers, enable the audit log feature only for these purposes.
  • The log retention period that you specify for an instance is applied to the instance and all the other instances that reside in the same region. The other settings that you specify for an instance are applied only to the instance. For example, if you enable the audit log feature for an instance, the audit log feature is enabled only for the instance.
  • The previous version of the audit log feature is being phased out. If the previous version of the audit log feature is enabled for an instance, you must enable the new version of the audit log feature by following the instructions that are provided in this topic. For more information about the previous version of the audit log feature, see Enable an earlier version of the audit log feature.

Billing

You are charged for the audit log feature based on the storage usage and retention period of audit logs. The fees that you must pay vary based on the region that you select. For more information, see Billing items and pricing.

Note: The free trial version of the audit log feature was deprecated on June 11, 2021. For more information, see [Notice] Official version of the audit log feature for ApsaraDB for Redis released.

Procedure

  1. Log on to the ApsaraDB for Redis console.
  2. In the top navigation bar of the page, select the region where the instance is deployed.
  3. On the Instances page, click the ID of the instance.
  4. In the left-side navigation pane, choose Logs > Audit Log.
  5. Specify a log retention period.
    Figure 1. Specify a log retention period
    Note: You are charged for the audit log feature based on the storage usage and retention period of audit logs. The log retention period that you specify must range from 7 days to 365 days. After you specify a log retention period for an instance, the log retention period is applied to the instance and all the other instances that reside in the same region.
  6. Click Enable Audit Logs.
  7. Read the message that appears and click OK.
    Note: The audit log feature depends on Log Service. If Log Service is not activated for your Alibaba Cloud account, you must activate Log Service as prompted. For more information, see What is Log Service?

FAQ

  • How do I disable the audit log feature for an instance?

    Log on to the ApsaraDB for Redis console and go to the Audit Log page of the instance. In the upper-right corner of the page, click Service Settings. Then, you can disable the audit log feature.

  • How do I download all audit logs?
    For more information about how to download all audit logs, see Download logs.
    Note:
    • To download all audit logs, you must specify the redis_audit_log_standard Logstore and specify the project name in the following format: nosql-{User ID}-{Region}. Example: nosql-17649847257****-cn-hangzhou.
    • To download all audit logs, you must select Download All Logs with Cloud Shell or Download All Logs Using Command Line Tool. If you select Download Log in Current Page, you can download only the audit logs that are displayed on the current page.
  • Why does the audit log feature support only write operations but not read operations?

    In most scenarios, the number of read operations is larger than the number of write operations. If the audit log feature supported read operations, auditing them could cause a serious performance decrease, and a large number of audit logs would be generated and stored for read operations. In this case, ApsaraDB for Redis might discard some audit logs to ensure service stability. Due to these issues, the audit log feature does not support read operations.

  • If I specify different log retention periods for two different instances that have the official version of the audit log feature enabled in the same region, which log retention period is applied to all the instances in the region?

    The last log retention period that you specify is applied.

  • Why do I find audit logs whose client IP addresses are not the IP address of the client on which my application runs?

    The audit log feature provides audit logs for the write operations on administration systems. The client IP addresses of these audit logs are not the IP address of the client on which your application runs. These audit logs will be filtered out in the future.
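
    The following added example (not code from Alibaba Cloud) shows one way to review downloaded audit logs for the situation in the last question: it groups write commands by client IP address and reports those that come from outside your application's networks, so that entries from administration systems can be reviewed separately. The export layout (one JSON record per line) and the field names client_ip and command are assumptions, because this topic does not document the log schema. The sample records and the 10.0.1.0/24 application network are constructed.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample export, one JSON record per line. The field names
# client_ip and command are assumptions; map them to your real export.
SAMPLE_EXPORT = """\
{"time": "2021-07-01T02:00:01Z", "client_ip": "10.0.1.15", "command": "INCR page:views"}
{"time": "2021-07-01T02:00:02Z", "client_ip": "10.0.1.16", "command": "SET session:1 x"}
{"time": "2021-07-01T02:00:05Z", "client_ip": "100.64.3.9", "command": "DEL tmp:lock"}
{"time": "2021-07-01T02:00:09Z", "client_ip": "100.64.3.9", "command": "SET cfg:probe 1"}
{"time": "2021-07-01T02:00:11Z", "client_ip": "not-an-ip", "command": "SET a b"}
"""

def audit_project_name(user_id, region):
    """Project name format given in this topic: nosql-{User ID}-{Region}."""
    return f"nosql-{user_id}-{region}"

def unexpected_writers(export_text, app_networks):
    """Count write commands per client IP that falls outside app_networks.

    Returns (counts, unparsed): counts maps (ip, command_name) -> hits,
    unparsed lists the line numbers that could not be evaluated.
    """
    nets = [ipaddress.ip_network(n) for n in app_networks]
    counts, unparsed = Counter(), []
    for lineno, line in enumerate(export_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            ip = ipaddress.ip_address(rec["client_ip"])
            verb = rec["command"].split()[0].upper()
        except (ValueError, KeyError, IndexError, AttributeError, TypeError):
            unparsed.append(lineno)  # keep a trace instead of dropping records
            continue
        if not any(ip in net for net in nets):
            counts[(str(ip), verb)] += 1
    return counts, unparsed

if __name__ == "__main__":
    # <user-id> is a placeholder for your own account ID.
    print(audit_project_name("<user-id>", "cn-hangzhou"))
    counts, unparsed = unexpected_writers(SAMPLE_EXPORT, ["10.0.1.0/24"])
    for (ip, verb), n in sorted(counts.items()):
        print(f"{ip}\t{verb}\t{n}")
    print("unparsed lines:", unparsed)
```

    Records that cannot be parsed are returned by line number rather than skipped, so a malformed or truncated export is visible during review.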