When you need to investigate slow queries, trace unauthorized access, or meet compliance requirements, manually collecting SQL execution records is impractical. SQL Explorer and Audit automatically captures all SQL statements executed by the database kernel -- including the execution account, source IP address, and execution details -- with negligible impact on instance performance.
SQL Explorer and Audit provides two capabilities:
Audit: Query and export execution records of historical SQL statements, including database name, execution status, and running time.
SQL Explorer: SQL health diagnostics, performance issue troubleshooting, and service traffic analysis.
Supported instances
The RDS instance must use the subscription or pay-as-you-go billing method. Serverless ApsaraDB RDS for SQL Server instances are not supported.
To allow a Resource Access Management (RAM) user to use the Audit feature, grant the AliyunRDSReadOnlyWithSQLLogArchiveAccess permission to the user.
Custom policies can also grant a RAM user the permissions required for the audit feature, including the export function.
Billing
After you enable SQL Explorer and Audit, billing for the original SQL Audit (Database Audit) feature stops. SQL Explorer and Audit is billed as part of Database Autonomy Service (DAS) Enterprise Edition. For more information, see Billing.
Enable SQL Explorer and Audit
Go to the Instances page. In the top navigation bar, select the region of your RDS instance, then click the instance ID.
In the left-side navigation pane, choose Autonomy Services > SQL Explorer and Audit.
Click Enable Audit Logs, select the features to enable, and click Submit.
Click OK in the confirmation dialog box.
After SQL Explorer and Audit is enabled, use the Audit and SQL Explorer features on the SQL Explorer and Audit page as needed.
Change the data storage duration
Reducing the storage duration causes DAS to immediately delete audit logs that exceed the new duration. Export and save audit logs before you reduce the storage duration.
Go to the Instances page. In the top navigation bar, select the region of your RDS instance, then click the instance ID.
In the left-side navigation pane, choose Autonomy Services > SQL Explorer and Audit.
Click Service Settings.
In the Service Settings dialog, adjust the Audit Retention duration and click Submit.
SQL Explorer and Audit data is stored by DAS. It does not occupy the storage space of your database instance.
Disable SQL Explorer and Audit
Disabling SQL Explorer and Audit deletes all logs. Export and save logs before you disable the feature. If you re-enable the feature later, logs are recorded only from the time of re-enabling.
Step 1: Export logs
Go to the Instances page. In the top navigation bar, select the region of your RDS instance, then click the instance ID.
In the left-side navigation pane, choose Autonomy Services > SQL Explorer and Audit.
Click Export.
Select the fields and time range for the export. If you use a hybrid of hot and cold storage, select a CSV Separator.
After the export completes, click Tasks to download and save the exported file.
Step 2: Disable the feature
Click Service Settings.
Clear all SQL Explorer and Audit feature checkboxes and click Submit.
The system releases the storage space occupied by SQL Explorer and Audit data approximately one hour after you disable the feature.
FAQ
How do I view historical SQL execution records?
If SQL Explorer and Audit is enabled, use the Audit feature to view and export SQL execution records directly.
If the feature is not enabled, historical SQL records are not available. As an alternative, restore data to a specific point in time to compare SQL changes at different points and analyze modifications.
Enable SQL Explorer and Audit as early as possible to ensure continuous recording of SQL execution details for future analysis and audits.