Data Management (DMS) provides the operation audit feature to help you retain, report on, and analyze database activity across your DMS environment. Use it to:
Retain a full audit trail of SQL statements, tickets, and logon events
Report on operations at the database, instance, or global level
Analyze activity to troubleshoot security incidents and meet compliance requirements
Modules and log retention
Modules
The operation audit feature consists of two modules.
| Module | Scope | Includes |
|---|---|---|
| Operation Logs | All operations performed in DMS | Management operations (instance management, user management, database account management), configuration operations (global DMS configuration, database ticket configuration), SQL Console statements, tickets, logon information |
| Operation Audit | Operations performed on databases in DMS | SQL Console statements, tickets, instance information |
In the Operation Audit module, only DMS administrators, database administrators (DBAs), ticket submitters, and stakeholders involved in the ticket approval process can view ticket details.
Log retention period
Log retention depends on the control mode and sensitive data protection status of each database instance.
| Condition | Retention period |
|---|---|
| Instance managed in Stable Change or Security Collaboration mode, OR sensitive data protection is enabled | 3 years |
| Instance managed in Flexible Management mode AND sensitive data protection is disabled | 1 day |
To extend the retention period, change the control mode or enable sensitive data protection. See Change the control mode of an instance and Enable the sensitive data protection feature.
Changing the control mode affects which historical logs remain visible:
Flexible Management to another mode: The retention period changes from 1 day to 3 years, effective from the day of the change. Logs generated while the instance was in Flexible Management mode cannot be viewed.
Stable Change or Security Collaboration to Flexible Management: Only logs from the previous day remain visible. Logs from earlier dates may be deleted and cannot be viewed.
Access the operation audit feature
The entry point and scope of audit data depend on your role and where you navigate in the DMS console.
| Auditing scope | What you see | How to navigate | Supported roles |
|---|---|---|---|
| Database | Operations on the current database only | On the SQL Console tab, move the pointer over the  icon in the upper-right corner and select Operation Audit. Alternatively, right-click the database in the instance list and choose Audit > Operation Audit. | DMS administrator, security administrator, DBA, instance owner, regular user (regular users see only their own operations) |
| Instance | Operations on the current instance only | In the instance list, right-click the database and choose Audit > Operation Audit. | DMS administrator, security administrator, DBA, instance owner, regular user (regular users see only their own operations) |
| Global | All operations across DMS | In the top navigation bar, move the pointer over Security and Specifications and click Operation Audit. | DMS administrator, security administrator, DBA |
Download operation records
The following steps download all SQL statements executed in the SQL Console over the previous 30 days.
Prerequisites
Before you begin, make sure you have:
Access to DMS console V5.0
A role with global audit access (DMS administrator, security administrator, or DBA)
Steps
Log on to the DMS console V5.0.
Move the pointer over the
icon in the upper-left corner and choose All functions > Security and Specifications > Operation Audit.NoteIn normal mode, choose Security and Specifications > Operation Audit in the top navigation bar.
Click SQL window list.
Set Time to Last One Month and click Search.
Click the
icon to download the results as an XLSX file.NoteTo preview and export more results, set Items Per Page to 100 before downloading.
Export operation logs
DMS provides two ways to export operation logs depending on your workflow.
| Method | How |
|---|---|
| API | Call the GetOpLog operation |
| Simple Log Service | See Export operation logs of DMS to Simple Log Service |
What's next
You can download operation logs only by calling the GetOpLog operation.
Set up continuous log export to Simple Log Service for long-term retention and SIEM integration.