RDS Audit Center is jointly launched by the Alibaba Cloud Log Service team and the ApsaraDB RDS team. You can use RDS Audit Center to view the status of SQL audit log collection from ApsaraDB RDS instances in real time, manage collection configurations in a centralized manner, and perform various operations on collected logs. For example, you can audit and analyze the logs, and configure alerts for the logs.

Introduction

RDS Audit Center supports the following features:

  • Collection management
    • Allows you to manage the collection status of SQL audit logs in a centralized manner.
    • Automatically collects SQL audit logs from existing ApsaraDB RDS instances and the instances that will be created in the future.
    • Allows you to manage projects and Logstores in a centralized manner.
  • Log auditing
    • Provides real-time storage, query, and analysis of SQL audit logs.
    • Provides various reports. You can subscribe to these reports and receive them through emails or DingTalk group messages.
    • Provides a wide range of built-in alert rules, supports flexible configurations of alert policies, and sends alert messages in a timely and accurate manner.

Supported log types

RDS SQL audit logs record all the operations that are performed on the ApsaraDB RDS database. Log Service collects SQL audit logs based on network listening, which consumes only a small amount of CPU resources and does not affect the execution of SQL statements. RDS SQL audit logs include the following types of operation data:
  • Database logon and logoff.
  • Data definition language (DDL) operations: SQL statements that define the database structure, such as CREATE, ALTER, DROP, TRUNCATE, and COMMENT.
  • Data manipulation language (DML) operations: SQL statements that perform operations, such as SELECT, INSERT, UPDATE, and DELETE.
  • Other operations that are performed by executing SQL statements, such as rollback and control.
  • SQL execution latency, execution results, and the number of affected rows.
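The operation types listed above can be used to triage audit records. The following is an added example, not code from Log Service or ApsaraDB RDS: it classifies each statement by the categories above and counts failures per client. The record keys `client`, `sql`, `ok` and `rows` and the `LOGIN`/`LOGOUT` markers are assumptions made for this sketch, not the Log Service log schema.

```python
import re
from collections import Counter

# Keywords taken from the list above; anything else is "other".
DDL = {"CREATE", "ALTER", "DROP", "TRUNCATE", "COMMENT"}
DML = {"SELECT", "INSERT", "UPDATE", "DELETE"}
# Assumption: constructed markers for session events, not a real schema.
SESSION = {"LOGIN": "logon", "LOGOUT": "logoff"}
COMMENTS = re.compile(r"/\*.*?\*/|--[^\n]*|#[^\n]*", re.S)

def classify(sql):
    """Return logon, logoff, ddl, dml or other for one audited statement."""
    # Strip comments first so a leading /* hint */ cannot hide the verb.
    text = COMMENTS.sub(" ", sql)
    m = re.match(r"[\s(]*([A-Za-z]+)", text)
    verb = m.group(1).upper() if m else ""
    if verb in SESSION:
        return SESSION[verb]
    if verb in DDL:
        return "ddl"
    return "dml" if verb in DML else "other"

def summarize(records):
    """Count records per category, failures per client and failed logons."""
    by_type, errors = Counter(), Counter()
    logon_failures = rows = 0
    for rec in records:
        kind = classify(rec["sql"])
        by_type[kind] += 1
        rows += rec["rows"]
        if not rec["ok"]:
            errors[rec["client"]] += 1
            logon_failures += int(kind == "logon")
    return {"by_type": dict(by_type), "errors_by_client": dict(errors),
            "logon_failures": logon_failures, "rows_affected": rows}

# Constructed sample records (hypothetical field names and values).
SAMPLE = [
    {"client": "10.0.0.5", "sql": "LOGIN", "ok": False, "rows": 0},
    {"client": "10.0.0.5", "sql": "LOGIN", "ok": True, "rows": 0},
    {"client": "10.0.0.5", "sql": "/* app */ select id from orders", "ok": True, "rows": 3},
    {"client": "10.0.0.9", "sql": "-- cleanup\nTRUNCATE TABLE tmp_import;", "ok": True, "rows": 0},
    {"client": "10.0.0.9", "sql": "delete from orders where id = 7", "ok": False, "rows": 0},
    {"client": "10.0.0.9", "sql": "ROLLBACK", "ok": True, "rows": 0},
    {"client": "10.0.0.5", "sql": "LOGOUT", "ok": True, "rows": 0},
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```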

Assets

  • Custom projects and Logstores
    Notice: Do not delete the projects or Logstores that are associated with RDS SQL audit logs. Otherwise, the logs cannot be pushed to Log Service.
  • Dedicated dashboards
    By default, Log Service generates three dashboards after you enable the SQL Explorer feature.
    Note: Changes to dedicated dashboards may affect the usability of the dashboards. We recommend that you do not make changes to dedicated dashboards. You can create a custom dashboard to visualize log analysis results. For more information, see Create a dashboard.

    | Dashboard | Description |
    | --- | --- |
    | RDS Operation Center | Displays the access statistics about active databases. The statistics include the number of databases, number of tables, and number of execution errors. The statistics also include the total number of inserted rows, total number of updated rows, total number of deleted rows, and total number of queried rows. |
    | RDS Audit Performance Center | Displays the performance metrics that are related to operations and maintenance (O&M) reliability. These metrics include the SQL statements that are most frequently executed, peak query bandwidth, peak insertion bandwidth, peak update bandwidth, peak deletion bandwidth, average execution time of all SQL statements, average execution time of SQL statements for data queries, average execution time of SQL statements for data updates, and average execution time of SQL statements for data deletion. |
    | RDS Audit Security Center | Displays the security metrics of the ApsaraDB RDS databases. These metrics include the number of errors, number of logon failures, number of major deletion events, number of major modification events, and number of times risky SQL statements are executed. The metrics also include the distribution of execution errors by type, the distribution of external clients that have errors, and the clients that have the largest number of errors. |

Billing

  • The log collection feature of RDS Audit Center is dependent on the SQL Explorer feature of ApsaraDB RDS for MySQL. You are charged for the SQL Explorer feature, and the fees are billed to the Alibaba Cloud account of your ApsaraDB RDS for MySQL instance. For more information, see Pricing, billable items, and billing methods.
    Note: If your ApsaraDB RDS for MySQL instance runs the RDS Enterprise Edition, you can use the SQL Explorer feature free of charge.
  • After SQL audit logs are collected to Log Service, you are charged for different items, such as the storage space of the logs, number of requests, read traffic, data transformation, and data shipping. For more information, see Pay-as-you-go.

Limits

  • Log Service can collect SQL audit logs only from the following types of ApsaraDB RDS instances:

    ApsaraDB RDS for MySQL instances: All available RDS editions are supported, except the RDS Basic Edition.

  • The log collection feature of RDS Audit Center is dependent on the SQL Explorer feature of ApsaraDB RDS for MySQL.

    When you enable the collection of SQL audit logs in RDS Audit Center, the system automatically enables the SQL Explorer feature of ApsaraDB RDS for MySQL.

  • The Log Service project that is used to store SQL audit logs collected from an ApsaraDB RDS instance must reside in the same region as the instance.
  • All regions are supported, except Local Regions.

Log collection methods

Log Service can collect SQL audit logs from ApsaraDB RDS instances by using one of the following methods:
Note: If SQL audit logs are collected by using Method 1 or Method 3, you can apply the collection configurations that you create for one method to another method. If SQL audit logs are collected by using Method 2, you cannot use the collection configurations that you create for Method 1 or Method 3. You must separately create collection configurations.
  • Method 1: RDS Audit Center
    • To collect SQL audit logs by using Method 1, log on to the Log Service console. In the Log Application section, click RDS Audit Center.
    • If you want to collect SQL audit logs from ApsaraDB RDS instances that are created within the same Alibaba Cloud account as Log Service, we recommend that you use this method.
  • Method 2: Log Audit Service
    • To collect SQL audit logs by using Method 2, log on to the Log Service console. In the Log Application section, click Log Audit Service.
    • If you want to collect SQL audit logs from ApsaraDB RDS instances that are created within a different Alibaba Cloud account than Log Service or from ApsaraDB RDS instances that are deployed in different regions, we recommend that you use this method.
  • Method 3: Import Data - RDS SQL Audit
    • To collect SQL audit logs by using Method 3, log on to the Log Service console. In the Import Data section, click RDS SQL Audit.
    • This method is an alternative to Method 1.

| Operation | Import Data - RDS SQL Audit | RDS Audit Center | Log Audit Service |
| --- | --- | --- | --- |
| Specify an ApsaraDB RDS instance to collect logs | Supported | Supported | Supported |
| Specify a Logstore to store logs | Supported | Supported | Not supported |
| Collect SQL audit logs from ApsaraDB RDS instances that are deployed in different regions | Not supported | Not supported | Supported |
| Collect SQL audit logs from ApsaraDB RDS instances that are created within a different Alibaba Cloud account than Log Service | Not supported | Not supported | Supported |
| Automatic collection | Not supported | Supported | Supported |
| Manual collection | Supported | Supported | Not supported |
| View collection status in dashboards | Not supported | Supported | Not supported |