Data Security Center: Configure and enable audit mode

Last Updated: Nov 18, 2025

The data audit feature of Data Security Center (DSC) lets you analyze database activities by viewing audit logs. This helps you track potentially malicious activities or unauthorized access and investigate the causes of security incidents. Before you can use the data audit feature, you must configure an audit mode. DSC then collects audit logs from the relevant databases based on your configured mode. This topic describes how to configure auditing.

Prerequisites

  • You have activated the Free Edition of Data Security Center or purchased an Enterprise instance of Data Security Center. For more information, see Free Edition of Data Security Center or Purchase DSC.

  • You have authorized data assets. For more information, see Asset authorization.

  • To enable the data audit feature for an ApsaraDB for OceanBase instance, you must first enable SQL Audit for the target tenant of the OceanBase instance. For more information, see SQL Audit.

    Important

    After you enable SQL Audit for the target tenant of a target OceanBase instance, you can enable the audit mode for the instance as described in this topic. After the audit mode is enabled, all databases under tenants for which SQL Audit is enabled can use the data audit service.

Background information

The audit mode for a newly authorized instance is disabled by default. You must enable and configure an audit mode for your data assets. DSC can then collect operation logs for the corresponding data assets and store them as audit logs. Based on these audit logs and audit alert rules, DSC detects threats such as data breaches, vulnerabilities, and SQL injections, and then reports alert information.

Audit modes

Native log collection mode

DSC supports the native log collection audit mode:

  • Supported data asset types: OSS and Alibaba Cloud native databases. This mode does not support self-managed databases or Redis.

  • How it works: DSC automatically establishes a data collection link with the corresponding product to collect logs. The logs record all Data Query Language (DQL), Data Manipulation Language (DML), and Data Definition Language (DDL) operations. This information is output by the database kernel and consumes very little CPU. For more information, see the FAQ section in this topic.

    Warning

    In this audit mode, the priority policy for cloud products is business first. This policy may cause a small number of logs to be lost when the business load is high.

  • Billing: Additional collection fees apply. For more information about billing, see Additional fees for cloud products connected to DSC.

Enable native log collection

Step 1: Grant SLS permissions to access data assets

Native log collection requires you to grant Simple Log Service (SLS) permissions to access cloud resources.

  1. Log on to the Data Security Center console.

  2. In the navigation pane on the left, choose Data Auditing > Native Data Auditing.

  3. On the Asset Management > Asset Configurations tab, click Authorize Now.

  4. On the RAM Quick Authorization page, click Authorize.

Step 2: Enable an audit mode

  1. On the Asset Configurations tab, select a cloud product type, such as RDS.

  2. In the asset list, find the target asset and select Cloud-native Audit Log Collection in the Audit Mode column.

Configure audit alerts

  • By default, DSC provides built-in audit policies for data assets, including database audit policies, OSS audit policies, and MaxCompute audit policies. DSC also supports custom audit policies. After you enable audit alert rules, you can detect risks such as abnormal operations, data breaches, vulnerability attacks, and SQL injections based on audit logs. For more information, see Configure and enable audit alert rules.

  • After you enable audit alert rules, DSC reports behaviors that match the rule conditions as audit alerts. You can analyze and handle related risks based on the alert information and audit logs. For more information, see View and handle audit alerts.

FAQ

Q: Does enabling native log collection affect database performance? If so, what is the impact?

A: Yes, it does, but the impact is minimal and almost unnoticeable.

The specific resource consumption is as follows:

  • CPU and memory: The consumption is extremely low and can be ignored.

  • Storage space: This is mainly used to store audit information. However, the data audit feature of DSC uses storage space provided by DSC and does not use the storage space of your database instance.

  • Network: There is no impact on network performance.

  • Disk performance: There is no impact on disk performance because audit data is stored in DSC, not on the disk of the database instance.

Q: How do I set a whitelist for audit alerts?

A: You can add the IP addresses and accounts that are used to log on to data assets to a whitelist. DSC does not generate audit alerts for data assets that are accessed from whitelisted accounts or IP addresses. This can effectively reduce invalid alerts. For more information, see Manage a whitelist.

References

  • After you configure the audit mode for a data asset, you can view the audit logs for that asset on the Log Analysis page. For more information, see View audit logs.

  • Audit logs for online queries are saved in the storage space provided by Data Security Center. You can view the current storage capacity usage and manage storage rules for online and archived logs. For more information, see Manage log storage.