This topic describes how to use the SQL Audit feature on an ApsaraDB RDS for PostgreSQL instance. This feature allows you to audit the executed SQL statements on a regular basis and view the details about the executed SQL statements. After you enable the SQL Audit feature, the performance of the RDS instance is not affected.

Precautions

  • You cannot view the SQL statements that are executed before the SQL Audit feature is enabled.
  • After you enable the SQL Audit feature, the performance of the RDS instance is not affected.
  • The retention period of SQL audit logs is 30 days.
  • The exported SQL audit log files can be retained for two days. After the retention period elapses, the system deletes the SQL audit log files.
  • The maximum size per SQL statement is 8,000 bytes. If the size of an SQL statement exceeds 8,000 bytes, the excessive bytes cannot be logged.

Billing

  • The SQL Audit feature is disabled by default. After you enable the SQL Audit feature, you are charged per hour for using this feature on the RDS instance.
    The fee charged per hour varies in different Alibaba Cloud regions:
    • USD 0.15/GB-hour: China (Hong Kong), US (Silicon Valley), and US (Virginia).
    • USD 0.18/GB-hour: Singapore (Singapore), Japan (Tokyo), Germany (Frankfurt), UAE (Dubai), Australia (Sydney), Malaysia (Kuala Lumpur), India (Mumbai), Indonesia (Jakarta), and UK (London).
    • USD 0.12/GB-hour: all regions except the preceding regions.
  • After the SQL Explorer and Audit feature is enabled, ApsaraDB RDS stops billing the Use the SQL Explorer and Audit feature on an ApsaraDB RDS for PostgreSQL instance feature. The pricing of the SQL Explorer and Audit feature is based on the pricing of Database Autonomy Service (DAS) Professional Edition. For more information, see Pricing of DAS Professional Edition.

Enable the SQL Explorer and Audit feature

The SQL Explorer and Audit feature is supported for ApsaraDB RDS for PostgreSQL instances. The SQL detail search item is enhanced, and items such as Full SQL analysis, SQL insight-comparison view, and SQL insight-source analysis are added. You can view the item and billing differences between the SQL Audit feature and the SQL Explorer and Audit feature in the dialog box that appears when you click the SQL Audit tab. For more information, see Use the SQL Explorer and Audit feature on an ApsaraDB RDS for PostgreSQL instance.

  1. Visit the RDS instance list, select a region above, and click the target instance ID.
  2. In the left-side navigation pane, click Data Security.
  3. Click the SQL Audit tab. In the SQL insight and audit dialog box, click One click upgrade.
    Note When you enable this feature, auto-renewal is enabled for this feature by default to ensure the availability and security of your database service.

Enable the SQL Audit feature

If you do not want to enable the SQL Explorer and Audit feature and want to use the SQL Audit feature, perform the following operations:

  1. Visit the RDS instance list, select a region above, and click the target instance ID.
  2. In the left-side navigation pane, click Data Security.
  3. Click the SQL Audit tab. In the SQL insight and audit dialog box, click Cancel.
  4. Click Enable now.
    Note If you are using the original ApsaraDB RDS console, click Enable SQL Audit.
    Enable the SQL Audit feature in the new ApsaraDB RDS console
  5. In the message that appears, click OK.

After the SQL Audit feature is enabled, you can query SQL statements based on the specified search criteria, such as the time range, databases, users, and keywords.

Note The system collects SQL audit logs from databases and saves the SQL audit logs as CSV files to a log server. You can use the rds_max_log_files parameter to specify the maximum number of SQL audit log files that can be retained.

Disable SQL Audit

If you no longer use the SQL Audit feature, you can disable the feature to reduce costs.

Note After the SQL Audit feature is disabled, all SQL audit logs including historical SQL audit logs are deleted. If the RDS instance runs RDS High-availability Edition, we recommend that you export SQL audit logs as files to your computer before you disable the SQL Audit feature. If the RDS instance runs RDS Basic Edition, you cannot export SQL audit logs as files.
  1. Visit the RDS instance list, select a region above, and click the target instance ID.
  2. In the left-side navigation pane, click Data Security.
  3. Click the SQL Audit tab. In the SQL insight and audit dialog box, click Cancel.
  4. Click Export File to export and store the SQL audit logs as a file to your computer.
  5. After the SQL audit logs are exported as a file to your computer, click Disable SQL Audit.
    Disable SQL Audit
  6. In the message that appears, click OK.