This topic describes how to use the SQL Audit feature on an ApsaraDB RDS for PostgreSQL instance. This feature allows you to audit the executed SQL statements on a regular basis and view the details about the executed SQL statements. After you enable the SQL Audit feature, the performance of the RDS instance is not affected.

Precautions

  • You cannot view the SQL statements that are executed before the SQL Audit feature is enabled.
  • After you enable the SQL Audit feature, the performance of the RDS instance is not affected.
  • The retention period of SQL audit logs is 30 days.
  • The exported SQL audit log files can be retained for two days. After the retention period elapses, the system deletes the SQL audit log files.
  • The maximum size per SQL statement is 8,000 bytes. If the size of an SQL statement exceeds 8,000 bytes, the excessive bytes cannot be logged.
  • The SQL Audit feature is disabled by default. After you enable the SQL Audit feature, you are charged per hour for using this feature on the RDS instance.
    The fee charged per hour varies in different Alibaba Cloud regions:
    • USD 0.15/GB: China (Hong Kong), US (Silicon Valley), and US (Virginia).
    • USD 0.18/GB: Singapore (Singapore), Japan (Tokyo), Germany (Frankfurt), UAE (Dubai), Australia (Sydney), Malaysia (Kuala Lumpur), India (Mumbai), Indonesia (Jakarta), and UK (London).
    • USD 0.12/GB: all regions except the preceding regions.
  • The SQL Audit feature has been upgraded to the SQL Explorer and Audit feature. If the Performance Insight feature of Database Autonomy Service (DAS) is enabled for the RDS instance, the fees for the SQL Explorer and Audit feature are billed to DAS Professional Edition rather than the RDS instance. For more information, see Performance insight and Pricing of DAS Professional Edition.

Enable the SQL Audit feature

  1. Visit the RDS instance list, select a region above, and click the target instance ID.
  2. In the left-side navigation pane, click Data Security.
  3. On the SQL Audit tab, click Enable now.
    Enable the SQL Audit feature in the new ApsaraDB RDS console
  4. In the message that appears, click OK.

After the SQL Audit feature is enabled, you can query SQL statements based on the specified search criteria, such as the time range, databases, users, and keywords.

Note The system collects SQL audit logs from databases and saves the SQL audit logs as CSV files to a log server. You can use the rds_max_log_files parameter to specify the maximum number of SQL audit log files that can be retained.

Disable the SQL Audit feature

If you no longer use the SQL Audit feature, you can disable the feature to reduce costs.

Note After the SQL Audit feature is disabled, all SQL audit logs including historical SQL audit logs are deleted. If the RDS instance runs the RDS High-availability Edition, we recommend that you export SQL audit logs as files to your computer before you disable the SQL Audit feature. If the RDS instance runs the RDS Basic Edition, you cannot export SQL audit logs as files.
  1. Visit the RDS instance list, select a region above, and click the target instance ID.
  2. In the left-side navigation pane, click Data Security.
  3. On the SQL Audit tab, click Export File to export the SQL audit logs as a file to your computer.
  4. After the SQL audit logs are exported as a file to your computer, click Disable SQL Audit.
    Disable the SQL Audit feature
  5. In the message that appears, click OK.