For security compliance audits, performance analysis, and troubleshooting, SQL Explorer and Audit records and analyzes SQL statements executed on your RDS PostgreSQL instance. It automatically captures statements from the database kernel, including the execution account, source IP address, and execution details, with no impact on instance performance.
Prerequisites
-
You have purchased DAS Enterprise Edition.
SQL Explorer and Audit requires DAS Enterprise Edition. You can only enable the highest version available in your region. Supported regions vary by version.
-
RAM users require the AliyunRDSReadOnlyWithSQLLogArchiveAccess permission for the audit feature. Grant this permission through Use RAM to manage ApsaraDB RDS permissions.
NoteYou can also grant search and export permissions through a custom RAM policy.
Billing
Pricing is covered in Billing details.
Enabling SQL Explorer and Audit stops billing for the legacy SQL Audit (Database Audit) feature. The new version is billed as part of DAS Enterprise Edition.
Features
-
Audit: Query and export SQL execution history, including database, status, and execution time.
Note-
Enabling or disabling the audit log modifies the
log_statementkernel parameter.-
Enabling the audit log sets
log_statement = all. -
Disabling the audit log sets
log_statement = ddl.
-
-
You can also use the ModifySqlLogConfig API to enable or disable the audit log.
-
-
SQL Explorer: Diagnose SQL health, troubleshoot performance issues, and analyze SQL traffic.
Limitations
If PgBouncer connection pooling is enabled, SQL statements routed through PgBouncer are not recorded.
Enable SQL Explorer and Audit
You can only enable the latest version that your instance supports.
Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
-
In the left-side navigation pane, choose .
-
Click Enable Audit Logs, select the features you want to enable, and click Submit.
The enablement page has two sections: Audit Scenario offers SQL Log (cold storage) and Log Index (hot storage), each with a configurable retention period. Insight Scenario offers SQL Explorer (global SQL workload analysis, abnormal SQL detection, traffic replay) and Security Audit (audit alerts and rule management).
Use SQL Explorer and Audit
Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
-
In the left-side navigation pane, choose Autonomy Services > SQL Explorer and Audit. Use the Audit and SQL Explorer features as needed.
Change data retention period
Reducing the retention period immediately deletes SQL audit logs beyond the new limit. Export and save your logs before reducing the retention period.
Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
-
In the left-side navigation pane, choose .
-
Click Service Settings.
-
On the Service Settings page, modify the retention period and click Submit.
NoteSQL Explorer and Audit data is stored by DAS and does not occupy your instance's storage space.
Disable SQL Explorer and Audit
Disabling SQL Explorer and Audit deletes all logs. Export and save your logs before disabling. Re-enabling records logs only from the re-enablement time.
Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
-
In the left-side navigation pane, choose .
-
In the Logs area, click Export.
Select the fields and time range to export. If your service uses both hot and cold storage, you must select a CSV Separator.
-
Configure the export task. After completion, click Task list to download and save the file.
-
Click Service Settings to disable SQL Explorer and Audit.
If DAS Enterprise Edition is enabled, clear all SQL Explorer and Audit feature checkboxes, then click Submit.
Important-
About one hour after disabling, the system releases the storage space for its data.
-
If audit log collection is enabled through CloudLens for RDS (Simple Log Service), SQL Explorer and Audit is automatically enabled. You must also disable audit log collection in CloudLens for RDS.
-