Data Security Center (DSC) provides the data auditing feature, which allows you to view audit logs to analyze database activities. This helps you identify database security events, such as unauthorized access to databases or malicious database activities, and locate their causes. DSC collects the audit logs of a database only after you configure the data auditing mode for it. This topic describes how to configure data auditing.
Prerequisites
The free edition of DSC is activated or DSC Enterprise Edition is purchased. For more information, see Activate the free edition of DSC or Purchase DSC.
Asset authorization is complete. For more information, see Asset authorization.
Background information
By default, the data auditing mode is disabled for newly authorized instances. You must enable and configure the data auditing mode for a database before DSC can record activities related to the database to audit logs. Then, audit logs are analyzed based on audit alert rules to identify data leaks, vulnerabilities, and SQL injections in assets and generate alerts.
Introduction to the data auditing modes
Cloud-native audit log collection mode
DSC supports the cloud-native audit log collection mode.
Supported asset types: Object Storage Service (OSS) and Alibaba Cloud databases. Self-managed databases and Redis databases are not supported.
Working principle: DSC automatically connects to the destination service to collect logs.
Warning: This data auditing mode prioritizes workloads over data auditing. A small amount of log data may be lost when your workloads are under high load.
Billing rules: Log collection fees are charged. For more information, see Additional fees for data assets connected to DSC.
Enable cloud-native audit log collection
Step 1: Authorize Simple Log Service to access assets
To use the cloud-native audit log collection mode, you must authorize Simple Log Service to access cloud resources.
Log on to the DSC console.
In the left-side navigation pane, choose
On the Asset Configurations tab of the Config tab, click Authorize Now.
On the Cloud Resource Access Authorization page, click Confirm Authorization Policy.
Step 2: Enable the data auditing mode
On the Asset Configurations tab, select the cloud service type of the asset that you want to manage from the Current Data Type drop-down list. For example, you can select RDS.
Find the asset and select Cloud-native Audit Log Collection in the Audit Mode column.
In the Enable Cloud-native Audit Log Collection message, click OK.
Configure audit alert rules
DSC provides default audit alert rules for assets, including database audit alert rules, OSS audit alert rules, and MaxCompute audit alert rules. You can also create custom audit alert rules. After audit alert rules are enabled, DSC can identify abnormal activities, data leaks, vulnerabilities, and SQL injections in data assets based on audit logs. For more information, see Configure and enable audit alert rules.
After you enable an audit alert rule, DSC generates alerts for operations that match the rule. You can view the alerts on the Audit Alerts page of DSC and handle risks based on the alerts and log analysis results. For more information, see View and handle audit alerts.
References
After you set the data auditing mode for an asset, the Log Analysis page displays the audit log of the asset. For more information, see View audit logs.
Audit logs that can be queried online are stored in the DSC Logstore. You can view the storage usage of the Logstore and manage the storage rules for online logs and archived logs. For more information, see Log storage management.