SQL Explorer and Audit records every SQL statement executed on your ApsaraDB RDS for PostgreSQL instance directly from the database kernel, capturing the execution account, source IP address, and execution details with no impact on instance performance.
Use SQL Explorer and Audit to:
Query and export a complete history of SQL activity for compliance audits.
Diagnose SQL health, identify slow queries, and analyze traffic patterns.
Track who executed what, when, and from where.
The feature has two components:
| Component | Purpose | Typical use |
|---|---|---|
| Audit | Query and export SQL execution history, including database, status, and duration | Compliance auditing, activity tracking |
| SQL Explorer | Diagnose SQL health, troubleshoot performance, and analyze service traffic | Performance tuning, capacity planning |
Prerequisites
Before you begin, ensure that you have:
A DAS Enterprise Edition subscription. Only the latest version available in your region can be enabled
(For RAM users) The AliyunRDSReadOnlyWithSQLLogArchiveAccess permission to use the Audit feature. See Use RAM to manage ApsaraDB RDS permissions
To grant a RAM user permissions for search and export only, create a custom policy. See Grant a RAM user permissions to use the search feature of SQL Explorer and Audit.
Billing
SQL Explorer and Audit is billed as part of DAS Enterprise Edition. After you enable this feature, billing for the legacy SQL Audit (Database Audit) feature stops.
For pricing details, see Billing details.
PgBouncer limitation
If PgBouncer connection pooling is enabled on your RDS instance, SQL statements routed through PgBouncer are not recorded by SQL Explorer and Audit.
Audit log kernel parameter behavior
Enabling or disabling audit logs changes the log_statement kernel parameter:
| Action | log_statement value |
|---|---|
| Enable audit logs | all |
| Disable audit logs | ddl |
You can also toggle audit logs through the ModifySqlLogConfig API operation.
Enable SQL Explorer and Audit
Only the latest version of SQL Explorer and Audit supported by your instance can be enabled.
Go to the Instances page. In the top navigation bar, select the region of your RDS instance, then click the instance ID.
In the left-side navigation pane, choose Autonomy Services > SQL Explorer and Audit.
Click Enable Audit Logs, select the features to enable, and click Submit.
Verify
After enabling, the SQL Explorer and Audit page displays the Audit and SQL Explorer tabs. Run a test query on your instance and confirm that it appears in the audit log within a few minutes.
Use SQL Explorer and Audit
Go to the Instances page. In the top navigation bar, select the region of your RDS instance, then click the instance ID.
In the left-side navigation pane, choose Autonomy Services > SQL Explorer and Audit.
Choose a tab based on your goal:
Audit -- Search, filter, and export SQL execution history. See Audit.
SQL Explorer -- Analyze SQL performance, diagnose issues, and review traffic. See SQL Explorer.
Change the data storage duration
Reducing the storage duration causes DAS to immediately delete all audit logs that exceed the new duration. Export your logs before reducing the storage duration.
Go to the Instances page. In the top navigation bar, select the region of your RDS instance, then click the instance ID.
In the left-side navigation pane, choose Autonomy Services > SQL Explorer and Audit.
Click Service Settings.
Change the storage duration and click Submit.
SQL Explorer and Audit data is stored by DAS and does not occupy the storage space of your RDS instance.
Disable SQL Explorer and Audit
Disabling this feature deletes all associated audit logs. Export and save your logs before proceeding. If you re-enable the feature later, logs are recorded only from that point forward.
Go to the Instances page. In the top navigation bar, select the region of your RDS instance, then click the instance ID.
In the left-side navigation pane, choose Autonomy Services > SQL Explorer and Audit.
Click Export. Select the fields and time range for the export. If your service uses hot and cold tiered storage, also select a CSV Separator.
After the export completes, click Task list and download the exported file.
Click Service Settings, clear all feature checkboxes, and click Submit.
About 1 hour after disabling, the system releases the storage space previously used by SQL Explorer and Audit data.
If audit log collection is enabled for your RDS instance through CloudLens for RDS in Simple Log Service, SQL Explorer and Audit is re-enabled automatically. Disable audit log collection in CloudLens for RDS as well.
FAQ
Why don't failed SQL statements appear in the audit log?
For ApsaraDB RDS for PostgreSQL, failed SQL statements are recorded in the instance error log, not the audit log. To view failed statements, see View logs.
Why does the database name in the log list differ from the one in my SQL statement?
The log list shows the database name from the active session, while the SQL statement contains the database name you specified explicitly. In cross-database queries or dynamic SQL, these two values can differ.
Where is the SQL Audit entry in the console?
The former SQL Audit entry has been renamed to SQL Explorer and Audit.
Can I enable an older version of SQL Audit?
No. Only the latest version of SQL Explorer and Audit supported by your instance can be enabled. See Product series and supported features.