This topic describes how to use the SQL Audit feature on an ApsaraDB RDS for SQL Server instance. You can use the SQL Audit feature to view the details of the SQL statements that are executed on your RDS instance and audit the SQL statements on a regular basis. After you enable the SQL Audit feature, the performance of your RDS instance is not affected.

Precautions

  • You cannot view the SQL audit logs that are generated before you enable the SQL Audit feature.
  • After you enable the SQL Audit feature, the performance of your RDS instance is not affected.
  • The retention period of SQL audit logs is 30 days.
  • The retention period of SQL audit log files that are exported is two days. ApsaraDB RDS automatically deletes the SQL audit log files that are stored for longer than two days.
  • The maximum length that the SQL Audit feature allows for each SQL statement is 2,000 bytes. The part that exceeds 2,000 bytes cannot be logged.
  • The SQL Audit feature is disabled by default. The SQL Audit feature is charged per hour.
    The fee that is charged per hour for the SQL Audit feature varies based on the region where your RDS instance resides:
    • USD 0.15 per GB per hour: China (Hong Kong), US (Silicon Valley), and US (Virginia).
    • USD 0.18 per GB per hour: Singapore (Singapore), Japan (Tokyo), Germany (Frankfurt), UAE (Dubai), Australia (Sydney), Malaysia (Kuala Lumpur), India (Mumbai), Indonesia (Jakarta), and UK (London).
    • USD 0.12 per GB per hour: all regions except the preceding regions.
  • The SQL Audit feature on an ApsaraDB RDS for SQL Server instance is provided by the minor engine of SQL Server and the maximum number of SQL audit logs that can be buffered in memory is 4 MB. If a large number of SQL statements are executed to query data, a small amount of SQL audit logs may be lost. As a result, the data query process may slow down due to the larger memory buffer.

Enable the SQL Audit feature

Note If you enable the audit log collection feature for your RDS instance in the CloudLens for RDS application of Log Service, the SQL Audit feature is automatically enabled for the RDS instance. For more information, see CloudLens for RDS.
  1. Access RDS Instances, select a region at the top, and then click the ID of the target RDS instance.
  2. In the left-side navigation pane, click Data Security.
  3. On the SQL Audit tab, click Enable SQL Audit.
  4. In the message that appears, click OK.

After you enable the SQL Audit feature, you can query SQL statements based on filter criteria such as the time, database, user, and keyword.

Disable the SQL Audit feature

If you no longer require the SQL Audit feature, you can disable the feature to reduce costs.

Warning After the SQL Audit feature is disabled, all SQL audit logs including historical SQL audit logs are deleted. Before you disable the SQL Audit feature, we recommend that you export the SQL audit logs to your computer. If you enable the SQL Audit feature again, SQL audit logs are recorded from the time when the SQL Audit feature is enabled.
  1. Access RDS Instances, select a region at the top, and then click the ID of the target RDS instance.
  2. In the left-side navigation pane, click Data Security.
  3. On the SQL Audit tab, click Export File to export the SQL audit logs to your computer.
  4. After you export the SQL audit logs to your computer, click Disable SQL Audit.
  5. In the message that appears, click OK.
    Note If you enable the audit log collection feature for your RDS instance in the CloudLens for RDS application of Log Service, the SQL Audit feature is automatically enabled for the RDS instance. Therefore, you must also disable the audit log collection feature for the RDS instance. For more information, see CloudLens for RDS.