Audit logs record every data write, modification, and deletion operation on your Tair (Redis OSS-compatible) instance. Use them to investigate unexpected resource spikes, track data changes, or troubleshoot access issues.
The console displays a maximum of 2,000 log entries. To query larger result sets, use the Simple Log Service console.
Prerequisites
Before you begin, ensure that you have:
The audit log feature enabled on the instance
(RAM users only) Simple Log Service management permissions — see Grant RAM user permissions
Grant RAM user permissions
Skip this section if you log in with your Alibaba Cloud root account.
RAM users who access audit logs must have Simple Log Service management permissions. Grant one of the following:
AliyunLogFullAccess system policy — grants access to all Logstores. See Grant permissions.
A custom policy scoped to Tair (Redis OSS-compatible) audit logs only:
{ "Version": "1", "Statement": [ { "Action": "log:*", "Resource": "acs:log:*:*:project/nosql-*", "Effect": "Allow" } ] }
View audit logs
Log on to the Instances page. In the top navigation bar, select the region where the instance is deployed. Find the instance and click its ID.
In the left-side navigation pane, choose Logs > Audit Logs.
On the Audit Logs page, review the log entries for the instance.
Filter logs
Use filter conditions to narrow down log records.
Go to the Audit Logs page for your instance (see View audit logs).
In the filter section, set one or more of the following conditions:
| Filter condition | Description |
|---|---|
| Keyword | Filter by client IP address, command, account, or other extended fields. Enter the complete value — partial matches are not supported. For example, enter 192.168.*.1 (not 192.168), or AUTH (not au). If the keyword contains a colon (:), enclose it in double quotation marks, for example, "userId:1". |
| Type | redis_audit_log — logs from data shards. redis_proxy_audit_log — logs from proxy servers. Available only for instances using cluster architecture in proxy mode or read/write splitting architecture. For these instances, the default client address is the proxy IP. To retrieve the original client IP, set the ptod_enabled parameter to 1. See Set parameters. |
| Account | The account used to connect to the instance. The default account appears as null. |
| Client IP | The IP address of the client connecting to the instance. |
| DB | The database whose logs you want to query. |
Query logs by time range
Go to the Audit Logs page for your instance (see View audit logs).
Click Select Time Range and specify the time range.
API reference
| API | Description |
|---|---|
| ModifyAuditLogConfig | Enable or disable audit logs and set the log retention period. |
| DescribeAuditLogConfig | Query audit log configuration, including whether audit logs are enabled and the retention period. |
| DescribeAuditRecords | Query the audit logs of an instance. |
FAQ
How do I check the storage space used by audit logs?
Open the Instances page in the console and go to the Audit Logs page for the instance. The storage usage is displayed there.
Why do some logs show a client IP of 127.0.0.1?
Entries with the IP address 127.0.0.1 are generated by internal management operations, not by external clients. The following table lists common internal log types:
| Log type | Description |
|---|---|
| Primary node eviction | Eviction occurred on the node. |
| Primary node audit log drop event | An audit log drop event started (drop start). |
| Primary node audit log drop event | An audit log drop event ended (drop end). |
| Primary node hot key log | Hot keys detected on the node, identified by QPS (queries per second) or traffic. |
| Primary node large key log | Large keys detected on the node, identified by number of elements. |