All Products
Search
Document Center

ApsaraDB RDS:Use the SQL Audit feature

Last Updated:Jan 05, 2024

If you want to monitor and manage SQL statements that are executed on an ApsaraDB RDS for PostgreSQL instance, you can use the SQL Audit feature to record and track the execution of SQL statements. This feature records SQL statements from database kernels, the execution time, the number of executions, and the execution results of the SQL statements. Instance performance is not affected.

Precautions

  • You cannot view the SQL statements that are executed before the SQL Audit feature is enabled.

  • After you enable the SQL Audit feature, the performance of your RDS instance is not affected.

  • The retention period of SQL audit logs is 30 days.

  • The maximum size per SQL statement is 8,000 bytes. If the size of an SQL statement exceeds 8,000 bytes, the excess bytes cannot be logged.

  • The SQL statements that fail to be executed are not recorded in audit logs. Instead, they are recorded in error logs. For more information, see View the logs of an ApsaraDB RDS for PostgreSQL instance.

Billing

  • The SQL Audit feature is disabled by default. After you enable the SQL Audit feature, you are charged per hour for using this feature on the RDS instance.

    The fee that is charged per hour for the SQL Audit feature varies based on the region where your RDS instance resides:

    • USD 0.15 per GB per hour: China (Hong Kong), US (Silicon Valley), and US (Virginia).

    • USD 0.18 per GB per hour: Singapore, Japan (Tokyo), Germany (Frankfurt), UAE (Dubai), Australia (Sydney), Malaysia (Kuala Lumpur), India (Mumbai), Indonesia (Jakarta), and UK (London).

    • USD 0.12 per GB per hour: all regions except the preceding regions.

  • After the SQL Explorer and Audit feature is enabled, the system stops billing for the SQL Audit feature. You are charged for the SQL Explorer and Audit feature based on Database Autonomy Service (DAS) Professional Edition. For more information, see Billing rules of the previous version.

    Note

    Click the SQL Audit tab. In the dialog box that appears, click One click upgrade. The SQL Explorer feature is upgraded to the SQL Explorer and Audit feature.

Enable the SQL Explorer and Audit feature

The SQL Explorer and Audit feature is supported for ApsaraDB RDS for PostgreSQL instances. The search capability is enhanced to support data export. The full SQL analysis, SQL insight-comparison view, and SQL insight-source analysis capabilities are supported. You can view the items and billing differences between the SQL Audit feature and the SQL Explorer and Audit feature in the dialog box that appears when you click the SQL Audit tab.

Important

The SQL Explorer and Audit feature is supported for ApsaraDB RDS for PostgreSQL instances that run RDS High-availability Edition and reside in the following regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Shenzhen), China (Zhangjiakou), Singapore, Malaysia (Kuala Lumpur), and Indonesia (Jakarta).

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
  2. In the left-side navigation pane, click Data Security.

  3. Click the SQL Audit tab. In the SQL insight and audit dialog box that appears, click One click upgrade.

    Note

    When you enable this feature, auto-renewal is enabled for this feature by default to ensure the availability and security of your database service.

Enable the SQL Audit feature

If you do not want to enable the SQL Explorer and Audit feature and want to use the SQL Audit feature, perform the following operations:

Note

If you enable the audit log collection feature for your RDS instance in the CloudLens for RDS application of Log Service, the SQL Audit feature is automatically enabled for the RDS instance. For more information, see CloudLens for RDS.

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
  2. In the left-side navigation pane, click Data Security.

  3. Click the SQL Audit tab. In the SQL insight and audit dialog box, click Cancel.

  4. Click Enable now.

    Note

    If you are using the original ApsaraDB RDS console, click Enable SQL Audit.

    开启SQL审计新

  5. In the message that appears, click OK.

After you enable the SQL Audit feature, you can query SQL statements based on filter criteria such as the time, database, user, and keyword.

Note

The system collects SQL audit logs from databases and saves the SQL audit logs as CSV files to a log server. You can use the rds_max_log_files parameter to specify the maximum number of SQL audit log files that can be retained.

Disable the SQL Audit feature

If you no longer require the SQL Audit feature, you can disable the feature to reduce costs.

Warning

After the SQL Audit feature is disabled, all SQL audit logs including historical SQL audit logs are deleted, and you cannot export the SQL audit logs. If you enable the SQL Audit feature again, SQL audit logs are recorded from the time when the SQL Audit feature is enabled.

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
  2. In the left-side navigation pane, click Data Security.

  3. Click the SQL Audit tab. In the SQL insight and audit dialog box, click Cancel.

  4. Click Disable SQL Audit.

    关闭SQL审计

  5. In the message that appears, click OK.

    Note

    If you enable the audit log collection feature for your RDS instance in the CloudLens for RDS application of Log Service, the SQL Audit feature is automatically enabled for the RDS instance. Therefore, you must also disable the audit log collection feature for the RDS instance. For more information, see CloudLens for RDS.

References

If you use Database Management (DMS) to log on to an RDS instance, you can use the operation audit feature in the DMS console to view the records of operations that are performed on the RDS instance. For more information, see Audit operations.