Use the SQL Audit feature on an ApsaraDB RDS for PostgreSQL instance - ApsaraDB RDS

This topic describes how to use the SQL Audit feature on an ApsaraDB RDS for PostgreSQL instance. This feature allows you to audit the executed SQL statements on a regular basis and view the details of the executed SQL statements. After you enable the SQL Audit feature, the performance of your RDS instance is not affected.

Precautions

You cannot view the SQL statements that are executed before the SQL Audit feature is enabled.
After you enable the SQL Audit feature, the performance of your RDS instance is not affected.
The retention period of SQL audit logs is 30 days.
The maximum size per SQL statement is 8,000 bytes. If the size of an SQL statement exceeds 8,000 bytes, the excess bytes cannot be logged.

Billing

The SQL Audit feature is disabled by default. After you enable the SQL Audit feature, you are charged per hour for using this feature on the RDS instance.
The fee that is charged per hour for the SQL Audit feature varies based on the region where your RDS instance resides:
- USD 0.15 per GB per hour: China (Hong Kong), US (Silicon Valley), and US (Virginia).
- USD 0.18 per GB per hour: Singapore (Singapore), Japan (Tokyo), Germany (Frankfurt), UAE (Dubai), Australia (Sydney), Malaysia (Kuala Lumpur), India (Mumbai), Indonesia (Jakarta), and UK (London).
- USD 0.12 per GB per hour: all regions except the preceding regions.
After the SQL Explorer and Audit feature is enabled, ApsaraDB RDS stops billing for the SQL Audit feature. The fees that you must pay for the SQL Explorer and Audit feature are billed to Database Autonomy Service (DAS) Professional Edition. For more information, see Billing overview.

Enable the SQL Explorer and Audit feature

The SQL Explorer and Audit feature is supported for ApsaraDB RDS for PostgreSQL instances. The Search item is enhanced, and items such as Export, Full SQL analysis, SQL insight-comparison view, and SQL insight-source analysis are added. You can view the items and billing differences between the SQL Audit feature and the SQL Explorer and Audit feature in the dialog box that appears when you click the SQL Audit tab. For more information, see Use the SQL Explorer and Audit feature on an ApsaraDB RDS for PostgreSQL instance.

Important The SQL Explorer and Audit feature is supported for RDS instances that run RDS High-availability Edition and reside in the following regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Shenzhen), China (Zhangjiakou), Singapore, Malaysia (Kuala Lumpur), and Indonesia (Jakarta). For more information, see Use the SQL Explorer and Audit feature on an ApsaraDB RDS for PostgreSQL instance.

Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
In the left-side navigation pane, click Data Security.
Click the SQL Audit tab. In the SQL insight and audit dialog box, click One click upgrade.
Note When you enable this feature, auto-renewal is enabled for this feature by default to ensure the availability and security of your database service.
- If you want to disable auto-renewal, you can choose Expenses > Renewal Management in the top navigation bar. For more information, see the "Disable auto-renewal" section in Enable auto-renewal for an ApsaraDB RDS for PostgreSQL instance.
- If you want to configure billable items, you must enable DAS Professional Edition and connect DAS to your RDS instance. For more information, see Overview and Connect an Alibaba Cloud database instance to DAS.

Enable the SQL Audit feature

If you do not want to enable the SQL Explorer and Audit feature and want to use the SQL Audit feature, perform the following operations:

Note If you enable the audit log collection feature for your RDS instance in the CloudLens for RDS application of Log Service, the SQL Audit feature is automatically enabled for the RDS instance. For more information, see CloudLens for RDS.

Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
In the left-side navigation pane, click Data Security.
Click the SQL Audit tab. In the SQL Explorer and Audit dialog box, click Cancel.
Click Enable now.
Note If you are using the original ApsaraDB RDS console, click Enable SQL Audit.
In the message that appears, click OK.

After you enable the SQL Audit feature, you can query SQL statements based on filter criteria such as the time, database, user, and keyword.

Note The system collects SQL audit logs from databases and saves the SQL audit logs as CSV files to a log server. You can use the rds_max_log_files parameter to specify the maximum number of SQL audit log files that can be retained.

Disable the SQL Audit feature

If you no longer require the SQL Audit feature, you can disable the feature to reduce costs.

Warning After the SQL Audit feature is disabled, all SQL audit logs including historical SQL audit logs are deleted, and you cannot export the SQL audit logs. If you enable the SQL Audit feature again, SQL audit logs are recorded from the time when the SQL Audit feature is enabled.

Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
In the left-side navigation pane, click Data Security.
Click the SQL Audit tab. In the SQL Explorer and Audit dialog box, click Cancel.
Click Disable SQL Audit.
In the message that appears, click OK.
Note If you enable the audit log collection feature for your RDS instance in the CloudLens for RDS application of Log Service, the SQL Audit feature is automatically enabled for the RDS instance. Therefore, you must also disable the audit log collection feature for the RDS instance. For more information, see CloudLens for RDS.