The audit log feature is based on Alibaba Cloud Simple Log Service (SLS) and records all write operations for Tair (Redis OSS-compatible) instances. This feature lets you query, analyze, and export audit logs. It helps security auditors detect abnormal data operations, identify who modified the data and when, and ensure that your business systems meet security and compliance requirements. The feature also helps developers and O&M engineers locate performance issues.
Function overview
After you enable audit logs, the system records audit information for write operations. It does not record audit information for read operations.
In scenarios with high write payloads, such as the frequent use of the INCR command for counting, this feature may cause a 5% to 15% performance loss and some latency jitter. Enable this feature only for troubleshooting or security audits.
If a command has too many parameters, is too long, or exceeds the total length limit, the command is truncated in the audit log. The format is similar to the SLOWLOG command.
Typical scenarios
Tair (Redis OSS-compatible) integrates features from Simple Log Service to provide a more stable, easy-to-use, flexible, and efficient audit log service. Typical scenarios are as follows:
Typical scenario | Description |
Operation review | Helps security auditors identify the user or time of data modification. It also helps detect internal threats, such as permission abuse or execution of non-compliant commands. |
Security and compliance | Helps business systems meet the audit requirements of security standards. |
Billing details
You are charged on a pay-as-you-go basis for the storage space and retention period of audit logs. The billing standards vary by region. For more information, see Billing.
After you disable the audit log feature, logs are still stored for the previously set Log Retention Period until they expire. Therefore, you will continue to incur audit log fees after you disable the feature.
RAM user permissions
If you use an Alibaba Cloud account, you can ignore this section. If you use a Resource Access Management (RAM) user to enable audit logs, you must grant the RAM user management permissions for Simple Log Service.
You can grant the AliyunLogFullAccess system policy to the RAM user. After you grant this permission, the RAM user can manage all Logstores. For more information, see Grant permissions.
You can also create a custom policy to allow the RAM user to manage only the audit logs of Tair (Redis OSS-compatible) instances.
Procedure
Log on to the console and go to the Instances page. In the top navigation bar, select the region in which the instance is deployed. Then, find the instance and click its ID.
In the navigation pane on the left, choose .
Set the log retention period.
Note: This setting applies to all instances for which audit logs are enabled in the current region. You are charged for audit logs based on storage capacity and retention period. You can set the retention period from 1 to 365 days.
Click Estimate Cost And Enable.
In the dialog box that appears, review the estimated cost, read the prompts, and then click Enable.
Note: If Simple Log Service is not activated, follow the prompts in the dialog box to activate it.
FAQ
Q: How do I disable the audit feature for a specific instance?
A: On the Audit Logs page, click Service Settings in the upper-right corner, and turn off auditing for all nodes.
Q: How do I download complete audit logs?
A: For more information, see Download logs. When you download logs, note the following:
When you download logs, the target project name must be in the format nosql-{user_UID}-{Region}, for example, nosql-176498472******-cn-hangzhou. Then, select redis_audit_log_standard as the target Logstore.
To download all logs, set the download method to Download Via Cloud Shell or Download Via CLI. If you select Download Directly, only the logs displayed on the current page are downloaded.
Q: Why are only write operations audited, but not read operations?
A: In most scenarios, read operations are more frequent. Auditing read operations would cause significant performance loss. Additionally, the large volume of data could cause log loss, even with a stable policy. For these reasons, read operations are not audited.
Q: The audit log retention period is a region-level setting. If I set the period to 7 days for one instance and then 14 days for a second instance in the same region, which setting will be used?
A: The most recent setting is used.
Q: Why do some audit logs show a client IP address that does not belong to my business client?
A: This is because audit logs also record internal management operations. You can filter out these logs.
Q: Why can't I enable audit logs for my instance even though it is compatible with Redis 4.0 or later?
A: This may be because the minor version of the instance is too old. Update the minor version and proxy version and then try again.
Q: Why do some audit logs show the write IP address as 127.0.0.1?
A: Logs with the IP address 127.0.0.1 can have two sources:
For instances that run a major version of 7.0 and a minor version earlier than 7.0.1.17, the client IP address for LUA script operations is recorded only after you update the instance to the latest minor version.
Internal management operations of the instance. The following table describes common internal operation logs:
Log type | Description |
Primary node eviction | Data was evicted from the node. |
Primary node audit log drop event | The start of an audit log drop event. |
Primary node audit log drop event | The end of an audit log drop event. |
Primary node hot key log | Information about hot keys, based on queries per second (QPS) or traffic, that are being accessed on the node. |
Primary node large key log | Information about large keys, based on the number of sub-elements, that are stored on the node. |
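When reviewing exported audit logs, the two sources of 127.0.0.1 entries described above call for different handling. The following is an added example, not Alibaba Cloud code: it triages records so that loopback entries are set aside as internal only when the instance already records client IPs for Lua script operations. The record field names, the business subnet, and the list of commands sent to review are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample records. The field names (time, client_ip, account,
# command) are assumptions for this example, not the documented log schema.
SAMPLE_RECORDS = [
    {"time": "2024-05-01T10:00:01Z", "client_ip": "10.0.1.15", "account": "app_rw", "command": "SET session:1 v"},
    {"time": "2024-05-01T10:00:02Z", "client_ip": "127.0.0.1", "account": "", "command": "(internal eviction entry)"},
    {"time": "2024-05-01T10:00:05Z", "client_ip": "10.0.9.77", "account": "app_rw", "command": "DEL user:42"},
    {"time": "2024-05-01T10:00:09Z", "client_ip": "10.0.1.16", "account": "ops", "command": "FLUSHALL"},
    {"time": "2024-05-01T10:00:11Z", "client_ip": "not-an-ip", "account": "app_rw", "command": "INCR hits"},
]
BUSINESS_NETS = [ipaddress.ip_network("10.0.1.0/24")]  # assumed client subnet
REVIEW_COMMANDS = {"FLUSHALL", "FLUSHDB", "CONFIG"}     # assumed review policy

def classify(record, lua_ip_recorded=True):
    """Label one record 'internal', 'ambiguous', 'expected' or 'review'."""
    try:
        ip = ipaddress.ip_address(record["client_ip"])
    except ValueError:
        return "review"  # unparseable source: never drop it silently
    if ip.is_loopback:
        # On 7.0 minor versions earlier than 7.0.1.17, Lua script writes can
        # also appear as 127.0.0.1, so loopback is not proof of an internal op.
        return "internal" if lua_ip_recorded else "ambiguous"
    verb = record["command"].split(" ", 1)[0].upper()
    if verb in REVIEW_COMMANDS:
        return "review"  # sensitive command, even from a known client
    if any(ip in net for net in BUSINESS_NETS):
        return "expected"
    return "review"  # write from outside the known business subnet

def triage(records, lua_ip_recorded=True):
    """Return (label counts, list of records that need a human look)."""
    counts, review = Counter(), []
    for rec in records:
        label = classify(rec, lua_ip_recorded)
        counts[label] += 1
        if label in ("review", "ambiguous"):
            review.append((rec["time"], rec["client_ip"], rec["account"], rec["command"]))
    return counts, review

if __name__ == "__main__":
    counts, review = triage(SAMPLE_RECORDS)
    print(dict(counts))
    for row in review:
        print(*row, sep="  ")
```

Pass lua_ip_recorded=False for instances that have not yet been updated past the minor version named above, so loopback writes stay in the review list.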
Related API operations
API | Description |
Enables or disables audit logs for an instance and sets the log retention period. | |
Queries configuration information, such as whether audit logs are enabled for an instance and the log retention period. | |
Queries the audit logs of an instance. |