Log Service allows you to import data from other cloud resources. After you enable the SQL Explorer feature in the ApsaraDB RDS console, you can import SQL audit logs to Log Service. Then, you can query, ship, and transform the logs in real time in the Log Service console. You can also analyze log data, visualize analysis results, and configure alert rules for logs. This topic describes the assets, billing method, and limits that are related to RDS SQL audit logs.

Supported log types

RDS SQL audit logs record all the operations that are performed on the ApsaraDB RDS database. Log Service collects SQL audit logs based on network listening, which consumes only a few CPU resources of the system and does not affect the execution of SQL statements. RDS SQL audit logs include the following types of operation data:
  • Database logon and logoff.
  • Data definition language (DDL) operations: SQL statements that define the database structure, such as CREATE, ALTER DROP, TRUNCATE, and COMMENT.
  • Data manipulation language (DML) operations: SQL statements that perform operations, such as SELECT, INSERT, UPDATE, and DELETE.
  • Other operations that are performed by executing SQL statements, such as rollback and control.
  • SQL execution latency, execution results, and the number of affected rows.

Assets

  • Custom projects and Logstores
    Notice Do not delete the projects or Logstores that are associated with RDS SQL audit logs. Otherwise, the logs cannot be pushed to Log Service.
  • Dedicated dashboards
    By default, Log Service generates three dashboards after you enable the SQL Explorer feature.
    Note Changes to dedicated dashboards may affect the usability of the dashboards. We recommend that you do not make changes to dedicated dashboards. You can create a custom dashboard to visualize log analysis results. For more information, see Create a dashboard.
    Dashboard Description
    RDS Operation Center Displays the access statistics about active databases. The statistics include the number of databases, number of tables, and number of execution errors. The statistics also include the total number of inserted rows, total number of updated rows, total number of deleted rows, and total number of queried rows.
    RDS Audit Performance Center Displays the performance metrics that are related to operations and maintenance (O&M) reliability. These metrics include the SQL statements that are most frequently executed, peak query bandwidth, peak insertion bandwidth, peak update bandwidth, peak deletion bandwidth, average execution time of all SQL statements, average execution time of SQL statements for data queries, average execution time of SQL statements for data updates, and average execution time of SQL statements for data deletion.
    RDS Audit Security Center Displays the security metrics of the ApsaraDB RDS databases. These metrics include the number of errors, number of logon failures, number of major deletion events, number of major modification events, and number of times risky SQL statements are executed. The metrics also include the distribution of execution errors by type, the distribution of external clients that have errors, and the clients that have the largest number of errors.

Billing

  • After you enable the SQL Explorer feature for ApsaraDB RDS for MySQL instances, you are charged for the instances that you use on an hourly basis. The hourly fee is calculated by using the following formula: Hourly fee = Amount of consumed audit logs × Unit price.
    Note If you purchase an ApsaraDB RDS instance of Enterprise Edition, you can use the SQL Explorer feature free of charge.
  • After logs are shipped to Log Service, you are charged for the storage space that the log data occupies and the number of read and write operations. You are also charged when you read, transform, and ship the data. For more information, see Pay-as-you-go.

Limits

  • You can import SQL audit logs only from the following types of ApsaraDB RDS instances to Log Service:

    ApsaraDB RDS for MySQL instances: All editions except Basic Edition are supported.

  • You can import SQL audit logs from Apsara RDS instances to Log Service only after you enable the SQL Explorer feature for the ApsaraDB RDS instances.
  • The Log Service project that stores RDS SQL audit logs must reside in the same region as the ApsaraDB RDS instance.
  • All regions except on-premises clouds are supported.