You can manually enable the log collection feature or configure the automatic collection feature in the RDS Audit Center application. You can manually enable the log collection feature for only one RDS instance at a time. You can configure the automatic collection feature for multiple RDS instances. After you configure the automatic collection feature, Log Service automatically collects the audit logs of the existing and new RDS instances that meet the specified conditions. This topic describes how to enable the log collection feature in the RDS Audit Center application.

Prerequisites

  • If you want to manually enable the log collection feature for an RDS instance, you must create a Log Service project and a Logstore in the region where the RDS instance resides. For more information, see Create a project and a Logstore.
  • If you use a RAM user, you must grant the RAM user the permissions to manage the RDS Audit Center application. For more information, see Grant operation permissions to a RAM user.

Initial configurations

Notice
  • The Alibaba Cloud account that you use to complete authorization must have the AliyunRamFullAccess permission. This broad permission is needed only to create the two roles below; RAM users that operate the RDS Audit Center afterwards need only the permissions described in Prerequisites.
  • You need to perform this operation only once.
  1. Log on to the Log Service console.
  2. In the Log Application section, click RDS Audit Center.
  3. Grant permissions to the AliyunLogArchiveRole role as prompted.
    After you perform this operation, Alibaba Cloud automatically creates a system role named AliyunLogArchiveRole that the RDS Audit Center application assumes to access the resources of other Alibaba Cloud services on your behalf.
  4. Grant permissions to the AliyunServiceRoleForSLSAudit role as prompted.
    After you perform this operation, Alibaba Cloud automatically creates a service-linked role named AliyunServiceRoleForSLSAudit that the RDS Audit Center application assumes to collect RDS audit logs. For more information, see Manage the AliyunServiceRoleForSLSAudit service-linked role.
    Notice Both the RDS Audit Center application and the Log Audit Service application assume the AliyunServiceRoleForSLSAudit service-linked role to collect logs from cloud services. If you have already completed authorization in the Log Audit Service application, you do not need to perform authorization again.

Manually enable the log collection feature for an RDS instance

  1. Log on to the Log Service console.
  2. In the Log Application section, click RDS Audit Center.
  3. On the Data Import tab, find the RDS instance that you want to manage. Then, click Enable in the Actions column.
  4. In the Select Destination dialog box, select a destination project and a destination Logstore. Then, click OK.

    After the log collection feature is enabled, Log Service collects the audit logs of the RDS instance.


Configure automatic collection

  1. Log on to the Log Service console.
  2. In the Log Application section, click RDS Audit Center.
  3. On the Data Import tab, click Configure Automatic Collection.
  4. Click the Condition icon.
  5. Specify conditions for log collection.
    You can select Alibaba Cloud account ID, Region, Instance ID, Instance Name, Database Type, Database Version, or Tag from the Object drop-down list and then specify a condition.

    In standard mode, multiple conditions are associated by the AND operator. In advanced mode, you can combine and nest conditions based on your business requirements.

  6. Set parameters to configure automatic collection.
    Parameter Description
    Automatic Collection Type Select an automatic collection type. Valid values:
    • Custom Logstore: Log Service automatically collects the audit logs of the RDS instances that meet the specified conditions and saves the collected logs to the related destination Logstores.

      If a destination project or destination Logstore does not exist, Log Service automatically creates a project or Logstore.

    • Collection Remains Unchanged: If you select Collection Remains Unchanged, you do not need to set the Region, Project, Logstore, or Conflict Policy parameter.
      • If you have not enabled the log collection feature, the automatic collection feature is not automatically enabled for the RDS instances even if the RDS instances meet the specified conditions.
      • If you have enabled the log collection feature, the related destination Logstores remain unchanged even if the RDS instances meet the specified conditions.
    Region Log Service automatically selects regions based on the regions where the RDS instances that meet the specified conditions reside. You cannot modify this parameter.
    Project A project named rds-xxx-${Alibaba Cloud account ID}-${region} is automatically created in the regions where the RDS instances that meet the specified conditions reside. Example: rds-test-12345674523-cn-hangzhou.
    Logstore In the rds-xxx-${Alibaba Cloud account ID}-${region} project, a Logstore named rds_log is automatically created.
    Conflict Policy If the destination Logstore computed by the rule differs from the destination Logstore that is already in use for an instance, this parameter decides which one Log Service uses:
    • Ignore: Audit logs continue to be sent to the destination Logstore that is in use.
    • Overwrite: Audit logs are sent to the new destination Logstore instead.

    The following configuration is an example of how to configure automatic collection:

    • The audit logs of the ApsaraDB RDS for MySQL instances that have the env==prod tag are sent to the rds_log Logstore of the rds-prod-${Alibaba Cloud account ID}-${region} project.
    • The audit logs of the ApsaraDB RDS for MySQL instances that have the env==test tag are sent to the rds_log Logstore of the rds-test-${Alibaba Cloud account ID}-${region} project.
    • The audit logs of other RDS instances are sent to the destination Logstores that are in use.
  7. Click the End icon.
  8. In the upper-right corner of the page, click Save.
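The table and example above define a small decision procedure: which rule an instance matches, whether the rule assigns a Custom Logstore or leaves collection unchanged, the auto-generated project name rds-xxx-${Alibaba Cloud account ID}-${region} with its rds_log Logstore, and how Ignore and Overwrite resolve a conflict with a Logstore already in use. The following Python script is an added example, not code from Alibaba Cloud or the Log Service console; it reproduces those rules so that you can dry-run a planned configuration against an inventory of instances before you click Save. It assumes that rules are evaluated in order with the first match winning, and every instance, tag and existing Logstore in it is constructed sample data.

```python
"""Dry-run of the RDS Audit Center automatic-collection rules (added example).

Assumptions (not stated on the page): rules are evaluated in order and the
first matching rule wins. All instances and existing Logstores are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

ACCOUNT_ID = "12345674523"  # sample account ID reused from the project-name example


@dataclass
class RdsInstance:
    instance_id: str
    region: str
    db_type: str
    db_version: str
    tags: Dict[str, str] = field(default_factory=dict)
    # Destination in use as "project/logstore"; None means collection is not enabled.
    current_destination: Optional[str] = None


@dataclass
class AutoCollectionRule:
    name: str
    condition: Callable[[RdsInstance], bool]
    collection_type: str             # "custom_logstore" or "remain_unchanged"
    project_prefix: str = ""         # the "xxx" in rds-xxx-${account}-${region}
    conflict_policy: str = "ignore"  # "ignore" or "overwrite"


def auto_destination(rule: AutoCollectionRule, inst: RdsInstance) -> str:
    """Project rds-<prefix>-<account>-<region> and the auto-created Logstore rds_log."""
    return f"rds-{rule.project_prefix}-{ACCOUNT_ID}-{inst.region}/rds_log"


def route(rule: AutoCollectionRule, inst: RdsInstance) -> Tuple[Optional[str], str]:
    """Return (destination, action) for one instance under the rule it matched."""
    if rule.collection_type == "remain_unchanged":
        # Not enabled stays not enabled; an existing destination is kept as is.
        return inst.current_destination, "unchanged"
    new_dest = auto_destination(rule, inst)
    if inst.current_destination is None:
        return new_dest, "enabled"
    if inst.current_destination == new_dest:
        return new_dest, "unchanged"
    if rule.conflict_policy == "overwrite":
        return new_dest, "overwritten"
    return inst.current_destination, "ignored"  # Ignore keeps the Logstore in use


def apply_rules(rules: List[AutoCollectionRule], instances: List[RdsInstance]):
    """Map instance_id -> (destination, action, rule_name); first matching rule wins."""
    result = {}
    for inst in instances:
        for rule in rules:
            if rule.condition(inst):
                dest, action = route(rule, inst)
                result[inst.instance_id] = (dest, action, rule.name)
                break
        else:
            result[inst.instance_id] = (inst.current_destination, "no_match", None)
    return result


def projects_to_create(result, existing_projects) -> List[str]:
    """Projects Log Service would create automatically because they do not exist yet."""
    needed = {dest.split("/")[0] for dest, action, _ in result.values()
              if dest and action in ("enabled", "overwritten")}
    return sorted(needed - set(existing_projects))


def mysql_with_tag(key: str, value: str) -> Callable[[RdsInstance], bool]:
    return lambda i: i.db_type == "MySQL" and i.tags.get(key) == value


# Rules mirroring the example configuration on this page.
RULES = [
    AutoCollectionRule("prod", mysql_with_tag("env", "prod"), "custom_logstore", "prod", "ignore"),
    AutoCollectionRule("test", mysql_with_tag("env", "test"), "custom_logstore", "test", "overwrite"),
    AutoCollectionRule("others", lambda i: True, "remain_unchanged"),
]

# Constructed sample inventory.
INSTANCES = [
    RdsInstance("rm-prod-01", "cn-hangzhou", "MySQL", "8.0", {"env": "prod"}),
    RdsInstance("rm-prod-02", "cn-hangzhou", "MySQL", "5.7", {"env": "prod"}, "legacy-proj/legacy-ls"),
    RdsInstance("rm-test-01", "cn-shanghai", "MySQL", "8.0", {"env": "test"}, "legacy-proj/legacy-ls"),
    RdsInstance("pg-prod-01", "cn-hangzhou", "PostgreSQL", "14", {"env": "prod"}, "pg-proj/pg-ls"),
    RdsInstance("rm-untagged", "cn-beijing", "MySQL", "8.0"),
]

if __name__ == "__main__":
    plan = apply_rules(RULES, INSTANCES)
    for iid, (dest, action, rule) in plan.items():
        print(f"{iid:12} {action:12} {dest} (rule={rule})")
    print("projects to create:", projects_to_create(plan, ["legacy-proj", "pg-proj"]))
```

Running the script shows the two behaviours that are easy to get wrong in the console: rm-prod-02 keeps its legacy Logstore because the prod rule uses Ignore, while rm-test-01 is redirected because the test rule uses Overwrite, and rm-untagged stays uncollected because Collection Remains Unchanged never enables collection on its own.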

Related operations

Operation Description
Manage RDS instances In the RDS Instances section of the Data Import tab, you can view all RDS instances that belong to your Alibaba Cloud account. You can also view the regions where the RDS instances reside and the collection statuses of the RDS instances.
Disable the log collection feature In the RDS Instances section of the Data Import tab, find the RDS instance for which you want to disable the log collection feature. Then, click Disable in the Actions column.
Modify destination projects and destination Logstores In the RDS Instances section of the Data Import tab, find the RDS instance for which you want to modify the destination project and destination Logstore. Then, click Change in the Actions column.
Manage destination projects and destination Logstores In the Destination Logstores section of the Data Import tab, you can view the Logstores that are used to store RDS audit logs and modify the retention period of log data in destination Logstores.

What to do next

After RDS audit logs are collected and sent to a destination Logstore, you can perform the following operations:
  • On the Search tab, select the destination Logstore to query and analyze logs. For more information, see Query logs.
  • On the Audit Operations Center tab, Audit Security Center tab, or Audit Performance Center tab, select the destination Logstore and view the related dashboard.