
Data Security Center: Enable and configure the data auditing mode

Last Updated: Mar 25, 2025

Data Security Center (DSC) provides the data auditing feature, which allows you to view audit logs to analyze database activities. This helps you identify database security events, such as unauthorized access to databases or malicious database activities, and locate their causes. DSC can collect the audit logs of a database only after you configure the data auditing mode, and it collects them in the mode that you specify. This topic describes how to configure data auditing.

Prerequisites

  • The free edition of DSC is activated or DSC Enterprise Edition is purchased. For more information, see Activate the free edition of DSC or Purchase DSC.

  • Asset authorization is complete. For more information, see Asset authorization.

  • If you want to enable the data audit feature for an ApsaraDB for OceanBase instance, the SQL audit feature for the target tenant of the OceanBase instance is enabled. For more information, see SQL audit.

    Important

    After you enable the SQL audit feature for the target tenant of the OceanBase instance, you can follow the instructions in this topic to enable the data audit feature for the OceanBase instance. After you enable the data audit feature, all databases under the tenant for which the SQL audit feature is enabled can use the data audit feature.

Background information

By default, the data auditing mode is disabled for newly authorized instances. You must enable and configure the data auditing mode for a database before DSC can record the activities of that database in audit logs. The audit logs are then analyzed based on audit alert rules to identify data leaks, vulnerabilities, and SQL injections in assets and to generate alerts.

Introduction to the data auditing modes

Cloud-native audit log collection mode

DSC supports the cloud-native audit log collection mode.

  • Supported asset types: Object Storage Service (OSS) and Alibaba Cloud databases. Self-managed databases and Redis databases are not supported.

  • Working principle: DSC automatically connects to the destination service to collect logs. The collected logs include information about all DQL, DML, and DDL operations that are executed. The system obtains this information from database kernels, which consumes only a small amount of CPU resources. For more information, see the FAQ.

    Warning

    This data auditing mode prioritizes workloads over data auditing. A small amount of log data may be lost when your workloads are under high load.

  • Billing rules: Log collection fees are charged. For more information, see Additional fees for data assets connected to DSC.

Enable cloud-native audit log collection

Step 1: Authorize Simple Log Service to access assets

To use the cloud-native audit log collection mode, you must authorize Simple Log Service to access cloud resources.

  1. Log on to the DSC console.

  2. In the left-side navigation pane, choose Data Detection and Response > Data Auditing.

  3. On the Asset Configurations tab of the Asset Management tab, click Authorize Now.

  4. On the RAM Quick Authorization page, click Authorize.


Step 2: Enable the data auditing mode

  1. On the Asset Configurations tab, select the cloud service type of the asset that you want to manage from the Current Data Type drop-down list. For example, you can select RDS.

  2. Find the asset and select Cloud-native Audit Log Collection in the Audit Mode column.

    You can also select multiple assets, click the Batch Modify Audit Mode drop-down list below the asset list, and then select the required audit mode.

Configure audit alert rules

  • DSC provides default audit alert rules for assets, including database audit alert rules, OSS audit alert rules, and MaxCompute audit alert rules. You can also create custom audit alert rules. After audit alert rules are enabled, DSC can identify abnormal activities, data leaks, vulnerabilities, and SQL injections in data assets based on audit logs. For more information, see Configure and enable audit alert rules.

  • After you enable an audit alert rule, DSC generates alerts for operations that match the audit alert rule. You can view the alerts on the Audit Alerts page of DSC. You can handle risks based on the alerts and log analysis results. For more information, see View and handle audit alerts.

FAQ

Does the cloud-native audit log collection mode have an impact on database performance? If so, how significant is the impact?

Yes, the cloud-native audit log collection mode has an impact on database performance, but the impact is extremely minimal and almost imperceptible.

Impact on the following resources:

  • CPU and memory: The resource consumption is extremely low and almost negligible.

  • Storage space: The storage space of database instances is not affected because the audit data is stored in the storage space provided by DSC, not in database instances.

  • Network: Network performance is not affected.

  • Disk performance: Disk performance is not affected because the audit data is stored on the DSC side rather than on the disks of database instances.

How do I configure an audit alert whitelist?

You can add the IP addresses and accounts of the assets that you want to manage to the whitelist. DSC does not generate audit alerts for data assets whose accounts or IP addresses are added to the whitelist. This helps reduce invalid alerts. For more information, see Manage a whitelist.

References

  • After you set the data auditing mode for an asset, the Log Analysis page displays the audit log of the asset. For more information, see View audit logs.

  • Audit logs that can be queried online are stored in the DSC Logstore. You can view the storage usage of the Logstore and manage the storage rules for online logs and archived logs. For more information, see Log storage management.