Log Service provides the CloudLens for RDS application. You can use the application to check the collection status of SQL audit logs for ApsaraDB RDS instances in real time and manage collection configurations in a centralized manner. You can also audit and analyze collected logs and configure alerts for the logs.

Features

CloudLens for RDS provides the following features:

  • Collection management
    • Allows you to manage the collection status of SQL audit logs for ApsaraDB RDS instances in a centralized manner.
    • Automatically collects SQL audit logs from existing ApsaraDB RDS instances and new instances.
    • Allows you to manage projects and Logstores in a centralized manner.
  • Log audit
    • Allows you to store, query, and analyze SQL audit logs of ApsaraDB RDS instances in real time.
    • Provides various reports. You can subscribe to these reports and configure settings to receive the reports by using emails or DingTalk group messages.
    • Provides various built-in alert rules, supports flexible configurations for alert policies, and sends alert messages in a timely and accurate manner.

Supported log types

The SQL audit logs of an ApsaraDB RDS database record all operations that are performed on the database. The logs are obtained by the system based on network protocol analysis, which consumes only a small amount of CPU resources and does not affect the execution of SQL statements. The SQL audit logs record the following operations and related information:
  • Database logons and logoffs.
  • DDL operations: SQL statements that define a database structure. Examples: CREATE, ALTER, DROP, TRUNCATE, and COMMENT.
  • DML operations: SQL statements that perform specific operations. Examples: SELECT, INSERT, UPDATE, and DELETE.
  • Other operations that are performed by executing SQL statements. Examples: rollback and control.
  • The execution latency, execution results, and number of affected rows of SQL statements.

Assets

  • Custom projects and Logstores
    Notice: Do not delete the projects or Logstores that are used for the SQL audit logs shipped from ApsaraDB RDS. Otherwise, subsequent logs cannot be shipped to Log Service.
  • Dedicated dashboards
    By default, Log Service generates three dashboards for the feature.
    Note: We recommend that you do not make changes to the dedicated dashboards because the dashboards may be upgraded or updated at any time. You can create a custom dashboard to visualize query results. For more information, see Create a dashboard.
    | Dashboard | Description |
    | --- | --- |
    | RDS Operation Center | Displays statistics about access to databases and active databases. The statistics include the number of databases on which the operations are performed, number of tables on which the operations are performed, and number of execution errors. The statistics also include the total number of inserted rows, total number of updated rows, total number of deleted rows, and total number of obtained rows. |
    | RDS Performance Center | Displays the metrics that are related to O&M reliability. The metrics include the peak bandwidth for all SQL statements that are executed, peak bandwidth for SQL statements that query data, peak bandwidth for SQL statements that insert data, peak bandwidth for SQL statements that update data, and peak bandwidth for SQL statements that delete data. The metrics also include the average execution time of all SQL statements, average execution time of SQL statements that query data, average execution time of SQL statements that update data, and average execution time of SQL statements that delete data. |
    | RDS Security Center | Displays the metrics that are related to database security. The metrics include the number of errors, number of logon failures, number of bulk deletion events, number of bulk modification events, and number of times that risky SQL statements are executed. The metrics also include the distribution of error operations by type, distribution of clients that have errors on the Internet, and clients that have the largest number of errors. |
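
The following sketch is an added example, not Alibaba Cloud code and not the queries behind the built-in dashboards. It derives counters of the kind that RDS Security Center displays from SQL audit records. The record fields (user, client_ip, fail, sql, update_rows), the logon text, the 100-row bulk threshold, and the definition of risky SQL are assumptions, and the sample records are constructed.

```python
import re
from collections import Counter

# Constructed sample records; field names and values are assumptions.
SAMPLE_LOGS = [
    {"user": "app", "client_ip": "10.0.0.5", "fail": "0", "sql": "SELECT id FROM orders WHERE id = 7", "update_rows": "0"},
    {"user": "root", "client_ip": "203.0.113.9", "fail": "1045", "sql": "login failed!", "update_rows": "0"},
    {"user": "root", "client_ip": "203.0.113.9", "fail": "1045", "sql": "login failed!", "update_rows": "0"},
    {"user": "batch", "client_ip": "10.0.0.8", "fail": "0", "sql": "DELETE FROM sessions WHERE expired = 1", "update_rows": "5000"},
    {"user": "admin", "client_ip": "10.0.0.9", "fail": "0", "sql": "UPDATE users SET active = 0", "update_rows": "1200"},
    {"user": "admin", "client_ip": "10.0.0.9", "fail": "0", "sql": "TRUNCATE TABLE audit_tmp", "update_rows": "0"},
    {"user": "app", "client_ip": "10.0.0.5", "fail": "1146", "sql": "SELECT * FROM missing_table", "update_rows": "0"},
]

BULK_ROWS = 100  # assumed threshold for a "bulk" deletion or modification

# Assumed heuristic for risky SQL: DROP/TRUNCATE, or DELETE/UPDATE without WHERE.
# A WHERE that appears only inside a string literal would hide a statement.
RISKY = re.compile(
    r"^\s*(DROP|TRUNCATE)\b|^\s*(DELETE|UPDATE)\b(?!.*\bWHERE\b)",
    re.IGNORECASE | re.DOTALL,
)

def statement_type(sql):
    """Return the first keyword of the statement in upper case ('' if empty)."""
    parts = sql.split()
    return parts[0].upper() if parts else ""

def security_metrics(records, bulk_rows=BULK_ROWS):
    """Return (metric counters, top three clients by number of errors)."""
    metrics, failing_clients = Counter(), Counter()
    for rec in records:
        kind = statement_type(rec["sql"])
        rows = int(rec.get("update_rows") or 0)
        if rec["fail"] != "0":  # assumed: "0" means the statement succeeded
            metrics["errors"] += 1
            failing_clients[rec["client_ip"]] += 1
            if kind == "LOGIN":
                metrics["logon_failures"] += 1
        if kind == "DELETE" and rows >= bulk_rows:
            metrics["bulk_deletions"] += 1
        if kind == "UPDATE" and rows >= bulk_rows:
            metrics["bulk_modifications"] += 1
        if RISKY.search(rec["sql"]):
            metrics["risky_sql"] += 1
    return dict(metrics), failing_clients.most_common(3)

if __name__ == "__main__":
    print(security_metrics(SAMPLE_LOGS))
```

Check the field names and values against the records in your own Logstore before you reuse the logic, and tune the threshold to the normal batch sizes of your workloads.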

Billing

  • The log collection feature of CloudLens for RDS depends on the SQL Explorer feature of ApsaraDB RDS for MySQL. The charges that are incurred by the SQL Explorer feature are included into your ApsaraDB RDS bills. For more information, see Billable items, billing methods, and pricing.
    Note: If your ApsaraDB RDS for MySQL instance runs RDS Enterprise Edition, you are not charged for the SQL Explorer feature.
  • After you use Log Service to collect the SQL audit logs of ApsaraDB RDS instances, you are charged for data storage, read traffic, requests, data transformation, and data shipping. For more information, see Pay-as-you-go.

Limits

  • Log Service can collect SQL audit logs only from the following types of ApsaraDB RDS instances:

    ApsaraDB RDS for MySQL instances: All available RDS editions are supported, except RDS Basic Edition.

  • The log collection feature of CloudLens for RDS depends on the SQL Explorer feature of ApsaraDB RDS for MySQL.

    After you enable the log collection feature for ApsaraDB RDS for MySQL instances in CloudLens for RDS, the system automatically enables the SQL Explorer feature of the ApsaraDB RDS for MySQL instances.

  • The Log Service project that is used to store SQL audit logs collected from an ApsaraDB RDS instance must reside in the same region as the instance.
  • All regions are supported, except Local Regions.

Log collection methods

Log Service can collect SQL audit logs from ApsaraDB RDS instances by using one of the following methods:
Note: If SQL audit logs are collected by using Method 1 or Method 3, you can apply the collection configurations that you create for one method to the other method. If SQL audit logs are collected by using Method 2, you cannot use the collection configurations that you create for Method 1 or Method 3. You must separately create collection configurations.
  • Method 1: CloudLens for RDS
    • To collect SQL audit logs by using Method 1, log on to the Log Service console. In the Log Application section, click CloudLens for RDS.
    • If you want to collect SQL audit logs from ApsaraDB RDS instances that belong to the same Alibaba Cloud account, we recommend that you use this method.
  • Method 2: Log Audit Service
    • To collect SQL audit logs by using Method 2, log on to the Log Service console. In the Log Application section, click Log Audit Service.
    • If you want to collect SQL audit logs from ApsaraDB RDS instances across Alibaba Cloud accounts or regions, we recommend that you use this method.
  • Method 3: Import Data - RDS SQL Audit
    • To collect SQL audit logs by using Method 3, log on to the Log Service console. In the Import Data section, click RDS SQL Audit - Cloud Products.
    • This method is an alternative to Method 1.

| Attribute | Method 3: Import Data - RDS SQL Audit | Method 1: CloudLens for RDS | Method 2: Log Audit Service |
| --- | --- | --- | --- |
| Specify an ApsaraDB RDS instance to collect logs | Supported | Supported | Supported |
| Specify a Logstore to store logs | Supported | Supported | Not supported |
| Collect SQL audit logs from ApsaraDB RDS instances across regions | Not supported | Not supported | Supported |
| Collect SQL audit logs from ApsaraDB RDS instances across Alibaba Cloud accounts | Not supported | Not supported | Supported |
| Automatic collection | Not supported | Supported | Supported |
| Manual collection | Supported | Supported | Not supported |
| View collection status in dashboards | Not supported | Supported | Not supported |

Precautions

If you enable a CloudLens application, Log Service automatically checks whether a project whose name is in the aliyun-product-data-<Alibaba Cloud account ID>-cn-heyuan format exists within your Alibaba Cloud account. If the project does not exist, Log Service automatically creates the project.

If you want to delete the project, open Cloud Shell and run the following command. Replace <Alibaba Cloud account ID> with the ID of your Alibaba Cloud account.

    aliyunlog log delete_project --project_name=aliyun-product-data-<Alibaba Cloud account ID>-cn-heyuan --region-endpoint=cn-heyuan.log.aliyuncs.com

Notice: If you delete the project, all CloudLens applications become unavailable. Proceed with caution.