How do I monitor and record operations on databases? - Data Management

Data Management (DMS) provides the operation audit feature based on the basic features of operation log management. You can use this feature to quickly troubleshoot database security issues with ease and audit operations that are performed on databases. You can also use this feature to view and manage the SQL statements that are used in the SQL Console, tickets, logon information, and operation logs.

Features

The following table describes the two modules of the operation audit feature in DMS: Operation Logs and Operation Audit.

Module	Description	Item
Operation Logs	Displays the logs of all the operations that are performed in DMS.	Includes the logs of management and configuration operations, SQL statements that are used in the SQL Console, tickets, and logon information.
Operation Audit	Displays all the operations that are performed on databases in DMS. Note This module provides a user interface (UI) for you to audit operations in a centralized manner. This also helps you troubleshoot database issues with ease.	Includes SQL statements that are used in the SQL Console, tickets, and logon information. Note Only DMS administrators, database administrators (DBAs), ticket submitters, and stakeholders involved in the ticket approval process can view the ticket details.

Log retention period

Three years: DMS retains logs for three years for database instances that are managed in Stable Change or Security Collaboration mode.
One day: DMS retains logs only for one day for database instances that are managed in Flexible Management mode.

Note

If you want to change the log retention period of an instance, you can change the control mode of the instance. For more information, see Change the control mode of an instance. Take note of the following items when you change the control mode of an instance:

If you change the control mode of an instance from Flexible Management to another mode, the log retention period of the instance is changed from one day to three years. The new log retention period takes effect from the day when the change occurs. Logs that are generated during the period when the instance is managed in Flexible Management mode cannot be viewed.
If you change the control mode of an instance from Stable Change or Security Collaboration to Flexible Management, you can view logs only for the previous day. Logs that were generated before the previous day might be deleted and cannot be viewed.

Procedure and supported roles

The following table describes the roles that you can assume to use the operation audit feature and how to go to the Operation Audit tab in the DMS console.

Auditing dimension	Limit	Entry to operation audit	Supported roles
Database	You can view and audit only the operations that are performed on the current database.	On the SQLConsole tab of the database that you want to audit, move the pointer over the icon in the upper-right corner and select Operation Audit. In the database instance list, click the database instance in which the database that you want to audit resides, right-click the database, and then choose Audit > Operation Audit.	You can be a DMS administrator, a security administrator, a DBA, an instance owner, or a regular user. Note If you are a regular user, you can view and audit only the operations that you performed on the current database.
Instance	You can view and audit only the operations that are performed on the current instance.	In the database instance list, click the database instance in which the database that you want to audit resides, right-click the database, and then choose Audit > Operation Audit.	You can be a DMS administrator, a security administrator, a DBA, an instance owner, or a regular user. Note If you are a regular user, you can view and audit only the operations that you performed on the current instance.
Global	You can view and audit all the operations that are performed in DMS.	In the top navigation bar of the DMS console, move the pointer over Security and Specifications and click Operation Audit.	You can be a DMS administrator, a security administrator, or a DBA.

Download operation records

The following section describes how to download all the SQL statements that were used in the SQL Console in the previous 30 days.

Log on to the DMS console V5.0.
Move the pointer over the icon in the upper-left corner and choose All functions > Security and Specifications > Operation Audit.
Note
If you use the DMS console in normal mode, choose Security and Specifications > Operation Audit in the top navigation bar.
Click SQL window list.
Set the Time parameter to Last One Month and click Search.
Then, the results are displayed.
Click the icon to download the results.
The results displayed on the current page are saved as an XLSX file.
Note
To preview and export more results, you can set the Items Per Page parameter to 100.

What to do next

You can download operation logs only by calling the GetOpLog operation. For more information, see GetOpLog.
You can export the operation logs of DMS to Simple Log Service. For more information, see Export operation logs of DMS to Simple Log Service.