All Products
Search
Document Center

ApsaraDB RDS:SQL Explorer and Audit

Last Updated:Jun 04, 2026

For security compliance audits, performance analysis, and troubleshooting, SQL Explorer and Audit records and analyzes SQL statements executed on your RDS PostgreSQL instance. It automatically captures statements from the database kernel, including the execution account, source IP address, and execution details, with no impact on instance performance.

Prerequisites

  • You have purchased DAS Enterprise Edition.

    SQL Explorer and Audit requires DAS Enterprise Edition. You can only enable the highest version available in your region. Supported regions vary by version.

  • RAM users require the AliyunRDSReadOnlyWithSQLLogArchiveAccess permission for the audit feature. Grant this permission through Use RAM to manage ApsaraDB RDS permissions.

    Note

    You can also grant search and export permissions through a custom RAM policy.

Billing

Pricing is covered in Billing details.

Note

Enabling SQL Explorer and Audit stops billing for the legacy SQL Audit (Database Audit) feature. The new version is billed as part of DAS Enterprise Edition.

Features

  • Audit: Query and export SQL execution history, including database, status, and execution time.

    Note
    • Enabling or disabling the audit log modifies the log_statement kernel parameter.

      • Enabling the audit log sets log_statement = all.

      • Disabling the audit log sets log_statement = ddl.

    • You can also use the ModifySqlLogConfig API to enable or disable the audit log.

  • SQL Explorer: Diagnose SQL health, troubleshoot performance issues, and analyze SQL traffic.

Limitations

If PgBouncer connection pooling is enabled, SQL statements routed through PgBouncer are not recorded.

Enable SQL Explorer and Audit

Note

You can only enable the latest version that your instance supports.

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.

  2. In the left-side navigation pane, choose Autonomy Services > SQL Explorer and Audit.

  3. Click Enable Audit Logs, select the features you want to enable, and click Submit.

    The enablement page has two sections: Audit Scenario offers SQL Log (cold storage) and Log Index (hot storage), each with a configurable retention period. Insight Scenario offers SQL Explorer (global SQL workload analysis, abnormal SQL detection, traffic replay) and Security Audit (audit alerts and rule management).

Use SQL Explorer and Audit

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.

  2. In the left-side navigation pane, choose Autonomy Services > SQL Explorer and Audit. Use the Audit and SQL Explorer features as needed.

Change data retention period

Warning

Reducing the retention period immediately deletes SQL audit logs beyond the new limit. Export and save your logs before reducing the retention period.

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.

  2. In the left-side navigation pane, choose Autonomy Services > SQL Explorer and Audit.

  3. Click Service Settings.

  4. On the Service Settings page, modify the retention period and click Submit.

    Note

    SQL Explorer and Audit data is stored by DAS and does not occupy your instance's storage space.

Disable SQL Explorer and Audit

Warning

Disabling SQL Explorer and Audit deletes all logs. Export and save your logs before disabling. Re-enabling records logs only from the re-enablement time.

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.

  2. In the left-side navigation pane, choose Autonomy Services > SQL Explorer and Audit.

  3. In the Logs area, click Export.

    Select the fields and time range to export. If your service uses both hot and cold storage, you must select a CSV Separator.

  4. Configure the export task. After completion, click Task list to download and save the file.

  5. Click Service Settings to disable SQL Explorer and Audit.

    If DAS Enterprise Edition is enabled, clear all SQL Explorer and Audit feature checkboxes, then click Submit.

    Important
    • About one hour after disabling, the system releases the storage space for its data.

    • If audit log collection is enabled through CloudLens for RDS (Simple Log Service), SQL Explorer and Audit is automatically enabled. You must also disable audit log collection in CloudLens for RDS.

FAQ

Q: Why can't I find failed SQL statements for my RDS PostgreSQL instance?

A: Failed SQL statements are recorded in the error log, not the audit log. Check the error log through View logs.

Q: Why does the database name in the log list differ from the one in the SQL statement?

A: This discrepancy can occur due to user input or query designs like cross-database queries or dynamic SQL.

Q: Why has the SQL Audit entry disappeared from the instance console?

A: Due to a feature update, the entry for the latest version has been renamed to SQL Explorer and Audit.

Q: Can I still enable the old version of SQL Audit?

A: No. You can only enable the latest version supported by your instance. Product series and supported features.