In scenarios such as security compliance audits, performance analysis, and troubleshooting, we recommend you enable the SQL Explorer and Audit feature for your ApsaraDB RDS for SQL Server instance. After the feature is enabled, the RDS for SQL Server instance automatically records the SQL statements that are executed within the database engine and related information (such as the account, IP address, and execution details). The recorded information can be used to query SQL change history or perform data analysis and audit. Enabling and using this feature has negligible impact on the instance performance.
Overview
SQL Explorer and Audit provides the following sub-features:
Search (audit): queries and exports the SQL statements that are executed and the information about the SQL statements. The information includes the database, status, and execution duration of each SQL statement.
SQL Explorer: diagnoses the SQL statements, troubleshoots performance issues, and analyzes business traffic.
Prerequisites
The billing method of the RDS for SQL Server instance is subscription or pay-as-you-go. Serverless RDS for SQL Server instances do not support this feature.
Database Autonomy Service (DAS) Enterprise Edition is enabled by using your Alibaba Cloud account and the instance for which you want to enable SQL Explorer and Audit is located in a region supported by the DAS Enterprise Edtion.
NoteIf the Audit and SQL Explorer tabs are displayed when you click SQL Explorer and Audit in the left-side navigation pane on the instance details page, the SQL Explorer and Audit feature is enabled for the instance.
The AliyunRDSReadOnlyWithSQLLogArchiveAccess policy is attached to the RAM user whose credentials are used to use the search (audit) feature. For more information about how to grant permissions to a RAM user, see Use RAM to manage ApsaraDB RDS permissions.
Billing rules
After you enable the SQL Explorer and Audit feature, the system stops billing for the SQL Audit feature. The fees that you pay for the SQL Explorer and Audit feature are billed to DAS Enterprise Edition. For more information, see Billing details.
Enable SQL Explorer and Audit
Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
In the left-side navigation pane, choose Autonomy Services > SQL Explorer and Audit.
Click Enable DAS Enterprise Edition V3. Select the features that you want to enable and click Activate.
Click Use Now.
Use SQL Explorer and Audit
Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
In the left-side navigation pane, choose Autonomy Services > SQL Explorer and Audit. On the page that appears, use the Audit and SQL Explorer features based on your business requirements.
Modify the storage duration of data generated by the SQL Explorer and Audit feature
After you reduce the storage duration of the data that is generated by the SQL Explorer and Audit feature, DAS immediately deletes the SQL audit logs that are retained for a longer period of time than the storage duration. We recommend that you export and save SQL audit logs to your computer and then reduce the storage duration of the data that is generated by the SQL Explorer and Audit feature.
Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
In the left-side navigation pane, choose .
Click Service Settings.
In the Service Settings panel, modify the storage duration for different sub-features.
NoteThe storage that is occupied by the data generated by the SQL Explorer and Audit feature is provided by DAS and does not consume the storage of your database instance.
Disable the SQL Explorer and Audit feature
After you disable the SQL Explorer and Audit feature, all logs that are generated by the feature are deleted. We recommend that you export and save the logs that are generated by the SQL Explorer and Audit feature to your computer and then disable the SQL Explorer and Audit feature. If you enable the SQL Explorer and Audit feature again, logs that are generated by the feature are recorded from the point in time at which the SQL Explorer and Audit feature is enabled again.
Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
In the left-side navigation pane, choose
.In the Logs section, click Export.
In the dialog box that appears, configure the Exported Fields and Export Time Range parameters and click OK.
Configure the export task. After the task is complete, click Task list and download the file that you exported and save it to your computer.
Click Service Settings to disable the SQL Explorer and Audit feature.
If you activate DAS Enterprise Edition V3, you must deselect all sub-features of SQL Explorer and Audit and then click Submit.
ImportantThe storage used to store the data of the SQL Explorer and Audit feature is released about one hour after the feature is disabled.
FAQ
How do I view the execution history of SQL statements in my RDS for SQL Server instance?
If SQL Explorer and Audit is enabled for your instance, you can use the Audit feature to view and export the execution history of SQL statements. If SQL Explorer and Audit is not enabled for your instance, you cannot directly view the execution history of SQL statements. However, you can restore the data of your instance to different points in time and compare the data at the points in time to analyze the changes of SQL statements.
NoteWe recommend you enable SQL Explorer and Audit for your instance to record the execution details of SQL statements for further data analysis and audit.