ApsaraDB for Redis provides a new version of the audit log feature. The new version is integrated with Log Service and allows you to query, analyze, and export log data online. This helps you gain insight into the security and performance of ApsaraDB for Redis instances.

Prerequisites

  • The instance is an ApsaraDB for Redis Community Edition instance or a performance-enhanced instance of the ApsaraDB for Redis Enhanced Edition (Tair). For more information about performance-enhanced instances, see Performance-enhanced instances.
  • The engine version of the instance is Redis 4.0 or later, and the latest minor version is used. For more information about how to update the minor version and upgrade the engine version of an instance, see Upgrade the major version and Update the minor version.
  • The AliyunLogFullAccess permission is granted to the Resource Access Management (RAM) user that is used to enable the new audit log feature. This requirement must be met if you want to enable the feature by using the credentials of a RAM user. For more information, see Grant permissions to a RAM user.
  • The AliyunLogFullAccess or AliyunLogReadOnlyAccess permission is granted to a RAM user. This requirement must be met if you want to use the RAM user to access audit logs. For more information, see Grant permissions to a RAM user.
    All permissions or read-only permissions on Log Service are granted to the RAM user. This requirement must be met if you want to create Logstore-level custom policies. For more information, see Create a custom policy. The following policy documents show the content of each policy:
    • All permissions:
      {
        "Version": "1",
        "Statement": [
          {
            "Action": "log:*",
            "Resource": "acs:log:*:*:project/nosql-*",
            "Effect": "Allow"
          }
        ]
      }
    • Read-only permissions:
      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "log:Get*",
              "log:List*"
            ],
            "Resource": "acs:log:*:*:project/nosql-*",
            "Effect": "Allow"
          }
        ]
      }
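The two policies above differ only in the Action patterns, and both are scoped to projects whose names start with nosql-. The following script is an added example, not code from the page or from Alibaba Cloud: it loads the two policy documents as given and runs a simplified RAM-style evaluation (explicit Deny wins, any matching Allow grants, otherwise implicit deny; wildcards are matched with fnmatch, which is an assumption about RAM semantics) against a project resource built with the nosql-{account ID}-{region} name format from the FAQ. The account ID is constructed, and the action names (log:GetLogs, log:ListLogStores, log:DeleteLogStore) are used as illustrative Log Service actions.

```python
"""Check which Log Service actions the two RAM policies from the prerequisites
grant on the audit log project. Added example: the policy documents are the
ones shown on the page; the evaluation logic is a simplified model written
here and is not the RAM service's own engine."""
import fnmatch
import json

# Policy documents copied from the page.
FULL_ACCESS_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Action": "log:*", "Resource": "acs:log:*:*:project/nosql-*", "Effect": "Allow"}
  ]
}""")

READ_ONLY_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Action": ["log:Get*", "log:List*"],
     "Resource": "acs:log:*:*:project/nosql-*",
     "Effect": "Allow"}
  ]
}""")


def _as_list(value):
    """RAM accepts either a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(value, patterns):
    # Assumption: '*' in a policy matches any run of characters, as in fnmatch.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policy, action, resource):
    """Simplified evaluation: an explicit Deny wins, any matching Allow grants,
    and a request that matches no statement is denied (implicit deny)."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(action, stmt["Action"]) and _matches(resource, stmt["Resource"]):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def audit_log_project_resource(account_id, region):
    """Resource string for the project that holds the audit logs. The project
    name format nosql-{account ID}-{region} is the one stated in the FAQ; the
    acs:log:{region}:{account}:project/{name} layout follows the policies'
    Resource pattern."""
    return f"acs:log:{region}:{account_id}:project/nosql-{account_id}-{region}"


def compare_policies(actions, resource):
    """Return {action: (allowed by full access, allowed by read-only)}."""
    return {a: (is_allowed(FULL_ACCESS_POLICY, a, resource),
                is_allowed(READ_ONLY_POLICY, a, resource)) for a in actions}


if __name__ == "__main__":
    # Constructed account ID and a real region ID as sample input.
    resource = audit_log_project_resource("1234567890123456", "cn-hangzhou")
    # Action names are illustrative Log Service actions (assumption).
    actions = ["log:GetLogs", "log:ListLogStores", "log:DeleteLogStore"]
    for action, (full, read_only) in compare_policies(actions, resource).items():
        print(f"{action:22} full={full!s:5} read-only={read_only}")
    # Neither policy reaches a project outside the nosql-* scope.
    print(is_allowed(FULL_ACCESS_POLICY, "log:GetLogs",
                     "acs:log:cn-hangzhou:1234567890123456:project/my-app-logs"))
```

The read-only policy matches only actions under log:Get* and log:List*, so a delete action is refused by it while the full-access policy grants it; a project that does not start with nosql- is refused by both. This is the check to run when deciding which of the two policies a RAM user that only needs to read audit logs should receive.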

Scenarios

ApsaraDB for Redis integrates the features of Log Service to provide an audit log feature that is stable, flexible, simple, and efficient. This feature can be used in the scenarios described in the table. For more information about Log Service, see What is Log Service?

Scenario             Description
Operation audit      Helps security auditors check information such as the operator identity or the data modification time to identify internal risks such as permission abuse and the execution of invalid commands.
Security compliance  Assists business systems in meeting the audit requirements of security compliance.

Precautions

  • After you enable the audit log feature for an instance, ApsaraDB for Redis audits the write operations that are performed on the instance and logs the audit information. During this process, the instance may encounter a performance degradation of 5% to 15% and a specific amount of latency jitter. The performance degradation and the latency jitter vary based on the amount of data that is written or audited.
    Notice
    • Your application may write a large amount of data to an instance. For example, your application may frequently run the INCR command for counting. To prevent a performance degradation in such a scenario, we recommend that you enable the audit log feature only when you troubleshoot issues or audit instance security.
    • The number of read operations is often large. If the audit information of a large number of read operations were recorded, the instance performance may deteriorate. To prevent this issue, ApsaraDB for Redis records audit information only for write operations.
  • The log retention period that you specify for an instance applies to the instance and to all other instances that reside in the same region. Other settings of the instance apply only to the instance. For example, if you enable the audit log feature for an instance, the feature takes effect only on that instance.

Billing

You are charged for the audit log feature based on storage usage and log retention period. The price varies based on regions that you select. For more information, see Billable items and prices.

Note The free trial version of the audit log feature was phased out on June 11, 2021. For more information, see [Notice] Official version of the audit log feature for ApsaraDB for Redis released.

Procedure

  1. Log on to the ApsaraDB for Redis console and go to the Instances page. In the top navigation bar, select the region in which the instance is deployed. Then, find the instance and click the instance ID.
  2. In the left-side navigation pane, choose Logs > Audit Log.
  3. Specify a log retention period.
    Note This configuration is applicable to the instance and all instances that reside in the same region as the instance. Audit logs are billed based on storage usage and log retention period. Valid values for the log retention period are 1 to 365. Unit: days.
  4. Click Estimate Fees and Enable Audit Logs.
  5. In the dialog box that appears, estimate log fees, read the prompt, and then click Enable.
    Note The audit log feature depends on Log Service. If Log Service is not activated for your Alibaba Cloud account, you are prompted to activate it. For more information, see What is Log Service?

Related API operations

Operation                Description
ModifyAuditLogConfig     Enables or disables the audit log feature and specifies a retention period for audit logs.
DescribeAuditLogConfig   Queries the audit log configurations of an ApsaraDB for Redis instance. The configurations include whether the audit log feature is enabled and the retention period of audit logs.
DescribeAuditRecords     Queries the audit logs of an ApsaraDB for Redis instance.

FAQ

  • How do I disable the audit log feature for an instance?

    Log on to the ApsaraDB for Redis console and go to the Audit Log page of the instance. In the upper-right corner of the page, click Service Settings. Then, you can disable the audit log feature.

  • How do I download all audit logs?
    For more information, see Download logs. To download all audit logs, take note of the following items:
    • To download all audit logs, you must specify the redis_audit_log_standard Logstore and specify the project name in the following format: nosql-{ID of your Alibaba Cloud account}-{Region}. Example: nosql-17649847257****-cn-hangzhou.
    • To download all audit logs, you must select Download All Logs with Cloud Shell or Download All Logs Using Command Line Tool. If you select Download Log in Current Page, you can download only the audit logs that are displayed on the current page.
  • Why does the audit log feature support write operations but not read operations?

    In most scenarios, the number of read operations is larger than the number of write operations. Auditing read operations can cause a serious performance degradation. In addition, a large number of audit logs would need to be generated and stored for read operations, and ApsaraDB for Redis may discard specific audit logs to ensure service stability. Due to these issues, the audit log feature does not support read operations.

  • If I specify different log retention periods for two instances in the same region that have the new audit log feature enabled, which log retention period is applied to all the instances in the region?

    The last log retention period that you specify is applied.

  • Why do I find audit logs whose client IP addresses are not the IP address of the client on which my application runs?

    These audit logs record write operations of the control class, which are not issued by your application. You can filter out this type of entry.
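The operation audit scenario and the last FAQ item both come down to the same review step: separate the write operations that your own application hosts issued from the rest, then look at who wrote what. The following script is an added example and not code from the page or from Alibaba Cloud; the record layout (client_ip, command and key fields) and the sample records are constructed assumptions, not the Log Service schema, so map the field names to the exported audit log before using it.

```python
"""Separate audit log entries issued from known application hosts from the rest,
so that entries from other clients (such as the control-class write operations
the FAQ mentions) can be set aside and the remaining writes reviewed per client.
Added example: the record layout is an assumption, not the Log Service schema."""
import ipaddress
from collections import Counter

# Constructed sample records with assumed field names.
SAMPLE_RECORDS = [
    {"client_ip": "10.0.1.15", "command": "SET", "key": "session:42"},
    {"client_ip": "10.0.1.16", "command": "INCR", "key": "counter:page"},
    {"client_ip": "10.0.1.15", "command": "DEL", "key": "session:41"},
    {"client_ip": "100.64.9.8", "command": "SET", "key": "maintenance:flag"},
]

# Networks the application servers live in (constructed for the example).
APP_NETWORKS = [ipaddress.ip_network("10.0.1.0/24")]


def split_by_origin(records, app_networks):
    """Return (records from application hosts, records from any other client)."""
    from_app, from_other = [], []
    for record in records:
        ip = ipaddress.ip_address(record["client_ip"])
        bucket = from_app if any(ip in net for net in app_networks) else from_other
        bucket.append(record)
    return from_app, from_other


def writes_per_client(records):
    """Count write commands per client IP: the operator-identity view an audit asks for."""
    return dict(Counter(record["client_ip"] for record in records))


def unexpected_commands(records, expected):
    """Write commands outside the set the application is expected to use."""
    return [record for record in records if record["command"] not in expected]


if __name__ == "__main__":
    app, other = split_by_origin(SAMPLE_RECORDS, APP_NETWORKS)
    print("writes per application client:", writes_per_client(app))
    print("entries from other clients:", other)
    # Constructed expectation: the application only uses SET and INCR.
    print("unexpected commands from application hosts:",
          unexpected_commands(app, {"SET", "INCR"}))
```

Keeping the application networks and the expected command set as explicit inputs makes the review repeatable: the same two lists can be run against each export of the audit logs, and any new client network or new command shows up as a difference rather than disappearing into the volume of routine writes.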