
Data Security Center: Enable and configure the data auditing mode

Last Updated:Sep 27, 2024

Data Security Center (DSC) provides the data auditing feature, which allows you to view audit logs to analyze database activities. This helps you identify database security events and locate their causes, such as unauthorized access to databases or malicious database activities. DSC collects the audit logs of a database only after you configure a data auditing mode for it. This topic describes how to configure data auditing.

Prerequisites

Background information

By default, the data auditing mode is disabled for newly authorized instances. You must enable and configure the data auditing mode for a database before DSC can record activities related to the database to audit logs. Then, audit logs are analyzed based on audit alert rules to identify data leaks, vulnerabilities, and SQL injections in assets and generate alerts.

Introduction to the data auditing modes

Cloud-native audit log collection mode

DSC supports two data auditing modes: cloud-native audit log collection and traffic collection (agent-based). This section describes the cloud-native audit log collection mode.

  • Supported asset types: Object Storage Service (OSS) and ApsaraDB for Redis (self-managed and Redis databases are not supported).

  • Working principle: DSC automatically connects to the destination service to collect logs.

    Warning

    This data auditing mode prioritizes your workloads over data auditing. A small amount of log data may be lost while your workloads are under heavy load.

Billing rules for the cloud-native audit log collection mode

After the cloud-native audit log collection mode is enabled for a database, DSC automatically enables SQL Explorer and Audit for the database and creates a Logstore in Simple Log Service to store log data. SQL Explorer and Audit fees are charged by the database service and Logstore fees are charged by Simple Log Service.

This topic uses an ApsaraDB RDS database as an example to describe how ApsaraDB RDS and Simple Log Service charge fees in cloud-native audit log collection mode. Other database services charge fees in cloud-native audit log collection mode based on similar billing rules.

  1. After the cloud-native audit log collection mode is enabled for an ApsaraDB RDS instance, DSC automatically enables SQL Explorer and Audit for the instance. Fees are charged by ApsaraDB RDS based on the billing rules of SQL Explorer and Audit. For more information, see Billable items.

  2. SQL Explorer and Audit also creates a Logstore in Simple Log Service to store the SQL logs of the ApsaraDB RDS instance. The default log retention period of this Logstore is 3 days. Storage fees are charged based on the billing rules of Simple Log Service. For more information, see Billing overview.

  3. DSC delivers the SQL logs from that Logstore to a separate Logstore created by DSC. The default log retention period of the DSC Logstore is 90 days. The fee for this Logstore is included in the DSC fee. For more information, see Purchase DSC.

Enable cloud-native audit log collection

Step 1: Authorize Simple Log Service to access assets

To use the cloud-native audit log collection mode, you must authorize Simple Log Service to access cloud resources.

  1. Log on to the DSC console.

  2. In the left-side navigation pane, choose Data Auditing > Config.

  3. On the Asset Configurations tab of the Config page, click Authorize Now.

  4. On the Cloud Resource Access Authorization page, click Confirm Authorization Policy.


Step 2: Enable the data auditing mode

  1. On the Asset Configurations tab, select the cloud service type of the asset that you want to manage from the Current Data Type drop-down list. For example, you can select RDS.

  2. Find the asset and select Cloud-native Audit Log Collection in the Audit Mode column.

  3. In the Enable Cloud-native Audit Log Collection message, click OK.


Configure audit alert rules

  • DSC provides default audit alert rules for assets, including database audit alert rules, OSS audit alert rules, and MaxCompute audit alert rules. You can also create custom audit alert rules. After audit alert rules are enabled, DSC can identify abnormal activities, data leaks, vulnerabilities, and SQL injections in assets based on audit logs. For more information, see Configure and enable audit alert rules.

  • After audit alert rules are enabled, DSC reports activities that match the audit alert rules to the audit alerts module of DSC. You can handle the risks based on the alerts and audit logs. For more information, see View and handle audit alerts.

References

  • After you configure the data auditing mode for an asset, you can view the audit logs of the asset on the Logs > Log Analysis page. For more information, see View audit logs.

  • Audit logs that can be queried online are stored in the DSC Logstore. You can view the storage usage of the Logstore and manage the storage rules for online logs and archived logs. For more information, see Log storage management.