All Products
Search
Document Center

ApsaraDB RDS:Use the SQL Audit feature

Last Updated:Sep 18, 2023

This topic describes how to use the SQL Audit feature on an ApsaraDB RDS for SQL Server instance. You can use the SQL Audit feature to view the details of the SQL statements that are executed on your RDS instance and audit the SQL statements on a regular basis. After you enable the SQL Audit feature, the performance of your RDS instance is not affected.

Usage notes

  • You cannot view the SQL audit logs that are generated before you enable the SQL Audit feature.

  • After you enable the SQL Audit feature, the performance of your RDS instance is not affected.

  • The retention period of SQL audit logs is 30 days.

  • The retention period of SQL audit log files is two days. The system automatically deletes the SQL audit log files that are stored for longer than two days.

  • The maximum length that the SQL Audit feature allows for each SQL statement is 2,000 bytes. The part that exceeds 2,000 bytes cannot be recorded.

  • The SQL Audit feature on an ApsaraDB RDS for SQL Server instance is provided by the minor engine of SQL Server and the maximum number of SQL audit logs that can be cached in memory is 4 MB. If a large number of SQL statements are executed, a small amount of SQL audit logs may be lost.

Billing rules

The SQL Audit feature is disabled by default. The SQL Audit feature is charged per hour.

You are charged an hourly fee for the SQL Audit feature based on the size of the log files and log file retention period. The fee varies based on the region in which your RDS instance resides.

  • USD 0.15 per GB-hour: China (Hong Kong), US (Silicon Valley), and US (Virginia).

  • USD 0.18 per GB-hour: Singapore, Japan (Tokyo), Germany (Frankfurt), UAE (Dubai), Australia (Sydney), Malaysia (Kuala Lumpur), India (Mumbai), Indonesia (Jakarta), and UK (London).

  • USD 0.12 per GB-hour: all regions except the preceding regions.

Enable the SQL Audit feature

Note

If you enable the audit log collection feature for your RDS instance in the CloudLens for RDS application of Log Service, the SQL Audit feature is automatically enabled for the RDS instance. For more information, see CloudLens for RDS.

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
  2. In the left-side navigation pane, click Data Security.

  3. On the SQL Audit tab, click Enable SQL Audit.

  4. In the message that appears, click OK.

    After you enable the SQL Audit feature, you can query SQL statements based on filter criteria such as the time, database, user, and keyword.

Disable the SQL Audit feature

If you no longer require the SQL Audit feature, you can disable the feature to reduce costs.

Warning

After the SQL Audit feature is disabled, all SQL audit logs including historical SQL audit logs are deleted. Before you disable the SQL Audit feature, we recommend that you export the SQL audit logs to your computer. If you enable the SQL Audit feature again, SQL audit logs are recorded from the time when the SQL Audit feature is enabled again.

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
  2. In the left-side navigation pane, click Data Security.

  3. On the page that appears, click the SQL Audit tab. Then, click Export File to export the SQL audit content.

    You can view and download the exported SQL audit data in Files. Then, save the exported SQL audit data to your computer.

    Note

    If a message indicating that the file cannot be downloaded in a secure manner is displayed, you must configure the security settings of your browser to allow downloads from the ApsaraDB RDS console.

  4. After you export the SQL audit logs to your computer, click Disable SQL Audit.

  5. In the message that appears, click OK.

    Note

    If you enable the audit log collection feature for your RDS instance in the CloudLens for RDS application of Log Service, the SQL Audit feature is automatically enabled for the RDS instance. Therefore, you must also disable the audit log collection feature for the RDS instance. For more information, see CloudLens for RDS.