This topic describes how to use the SQL Audit feature on an ApsaraDB RDS for SQL Server instance. You can use the SQL Audit feature to view the details about the SQL statements that are executed on your RDS instance and audit the SQL statements on a regular basis. After you enable the SQL Audit feature, the performance of your RDS instance is not affected.

Precautions

  • You cannot view the SQL audit logs that are generated before you enable the SQL Audit feature.
  • After you enable the SQL Audit feature, the performance of your RDS instance is not affected.
  • The retention period of SQL audit logs is 30 days.
  • The retention period of SQL audit log files that are exported is two days. ApsaraDB RDS automatically deletes the SQL audit log files that are stored for longer than two days.
  • The maximum length that the SQL Audit feature allows for each SQL statement is 2,000 bytes. The part that exceeds 2,000 bytes cannot be logged.
  • The SQL Audit feature is disabled by default. The SQL Audit feature is charged per hour.
    The fee that is charged per hour for the SQL Audit feature varies based on the region where your RDS instance resides:
    • USD 0.15 per GB-hour: China (Hong Kong), US (Silicon Valley), and US (Virginia).
    • USD 0.18 per GB-hour: Singapore (Singapore), Japan (Tokyo), Germany (Frankfurt), UAE (Dubai), Australia (Sydney), Malaysia (Kuala Lumpur), India (Mumbai), Indonesia (Jakarta), and UK (London).
    • USD 0.12 per GB-hour: all regions except the preceding regions.
  • The SQL Audit feature on an ApsaraDB RDS for SQL Server instance is provided by the minor engine of SQL Server and the maximum number of SQL audit logs that can be buffered in memory is 4 MB. If a large number of SQL statements are executed to query data, a small amount of SQL audit logs may be lost. If you want to allow SQL audit logs to be buffered in the storage of your RDS instance to keep all the SQL audit logs, you must submit a ticket to modify the default configuration.

Enable the SQL Audit feature

  1. Access RDS Instances, select a region at the top, and then click the ID of the target RDS instance.
  2. In the left-side navigation pane, click Data Security.
  3. On the SQL Audit tab, click Enable SQL Audit.
  4. In the message that appears, click OK.

After you enable the SQL Audit feature, you can query SQL statements based on filter criteria such as the time, database, user, and keyword.

Disable the SQL Audit feature

If you no longer require the SQL Audit feature, you can disable the feature to reduce costs.

Note After the SQL Audit feature is disabled, all SQL audit logs including historical SQL audit logs are deleted. Before you disable the SQL Audit feature, we recommend that you export the SQL audit logs to your computer.
  1. Access RDS Instances, select a region at the top, and then click the ID of the target RDS instance.
  2. In the left-side navigation pane, click Data Security.
  3. On the SQL Audit tab, click Export File to export the SQL audit logs to your computer.
  4. After you export the SQL audit logs to your computer, click Disable SQL Audit.
  5. In the message that appears, click OK.