Audit logs record detailed information about database activities. You can analyze audit logs to trace potential malicious activities or unauthorized access to a database and identify the causes of security events. Audit logs can help you meet compliance requirements. This topic describes how to view audit logs.
Prerequisites
The data auditing mode is enabled for the data assets whose audit logs you want to view, and your account is authorized to view those logs. For more information, see Enable and configure the data auditing mode.
Log overview
Log storage location
After you enable the data auditing mode, Data Security Center (DSC) collects audit logs and stores them in Simple Log Service (SLS) Logstores. The SLS project is derived from your account and region, and the Logstore depends on the type of database service being audited.
Project: sddp-${uid}-${regionId}. Replace ${uid} with your Alibaba Cloud account ID and ${regionId} with the ID of the region where the database resides.
Logstore: one Logstore per database service, as listed in the following table.
Database type | Database service | Logstore |
Relational database | RDS | rds_log |
Relational database | PolarDB | dsc_polardb_log |
Relational database | PolarDB-X | dsc_drds_log |
Relational database | OceanBase | dsc_oceanbase_log |
Non-relational database | Redis | dsc_redis_log |
Non-relational database | MongoDB | dsc_mongodb_log |
Unstructured database | OSS | dsc_oss_log |
Big data | TableStore | dsc_ots_log |
Big data | MaxCompute | dsc_odps_tunnel_log |
Big data | AnalyticDB for MySQL | dsc_ads_log |
Big data | AnalyticDB for PostgreSQL | dsc_gpdb_log |
Self-managed database | MySQL, SQL Server, PostgreSQL, Oracle | dsc_self_built_db_log |
Common log fields
Field | Description |
client_ip | The IP address of the client. |
clusterId | The cluster ID. |
collector_type | The type of log collection. |
db | The database name. |
db_type | The type of the database engine. |
effect_row | The number of affected rows. |
execute_time | The execution time. |
fail | The execution result. |
hash | The hash value. |
instance_id | The instance ID. |
latency | The execution duration. Unit: microseconds. |
node_name | The node name. |
operate_type | The type of the operation. |
origin_time | The original time when the SQL statement was executed. |
region_id | The region ID. |
return_rows | The number of rows returned in the result set. |
sql | The SQL statement. |
thread_id | The thread ID. |
uid | The user ID. |
update_rows | The number of updated data rows. |
user | The logon username. |
View audit logs (new version)
Log on to the DSC console.
In the left-side navigation pane, click Log Analysis.
In the upper-right corner of the Log Analysis page, click New Version. If Old Version is displayed in the upper-right corner instead, the new version is already active and you can skip this step.
In the left-side navigation pane of the Log Analysis page, click the name of the service that you want to manage. The log storage location (project and Logstore) of that service is displayed.
In the right-side log section, search for and view the operation logs of a specific database or bucket by configuring parameters such as Region, Instance Name, Account, and Action Type.
You can also enter a query statement in the search box to analyze logs of a specific data asset. For more information, see Log search overview, Log analysis overview, and Query and analyze logs.
Query and analysis examples
Query the access details of a table in a database of an ApsaraDB RDS instance, including the access user, operation type, and operation result.
* and instance_id: rm-bp1******5u5w and db: s****p and table_name : sys_d*****it
Query the distribution of IP addresses that are used to access a table of an ApsaraDB RDS instance.
* and instance_id: rm-bp1*****5u5w and db: s****p and table_name : sys_d*****it | select user,client_ip,count(*) group by user,client_ip
Query outbound traffic over the Internet of all objects in a directory in an OSS bucket.
* and __topic__ : oss_access_log and bucket: examplebucket and host : "examplebucket.oss-cn-hangzhou.aliyuncs.com" not sync_request : cdn | select SUM(content_length_out) AS total_traffic_out_byte WHERE url_decode(object) LIKE 'exampledir/%'
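The SLS queries above run inside the DSC console against the live Logstore. The following Python script is an added example, not code from the Alibaba Cloud documentation or from DSC, that applies the same kind of analysis to a handful of constructed records written with the common log field names documented above (instance_id, db, user, client_ip, operate_type, fail, effect_row, sql). It reproduces the second query example (access count per user and client IP for one database) and adds three checks a reviewer typically runs next: users with repeated failed statements, DELETE/UPDATE statements that touched an unusually large number of rows, and access from outside an allowed network range. The instance IDs, database names, users, IP addresses and SQL text are made up; the encoding of `fail` (non-zero means the statement failed) and the allowed CIDR list are assumptions and must be confirmed against your own Logstore and environment.

```python
import ipaddress
from collections import Counter

# Constructed sample audit records. Field names follow the "Common log fields"
# table above; the values (instance ID, database, users, IPs, SQL text) are
# made up for this example and do not come from a real Logstore.
SAMPLE_LOGS = [
    {"instance_id": "rm-example01", "db": "shop", "user": "app_rw", "client_ip": "10.0.1.5",
     "operate_type": "SELECT", "fail": 0, "effect_row": 0, "return_rows": 25,
     "sql": "SELECT id, name FROM customers WHERE id = 42"},
    {"instance_id": "rm-example01", "db": "shop", "user": "app_rw", "client_ip": "10.0.1.5",
     "operate_type": "SELECT", "fail": 0, "effect_row": 0, "return_rows": 1,
     "sql": "SELECT balance FROM accounts WHERE id = 7"},
    {"instance_id": "rm-example01", "db": "shop", "user": "app_rw", "client_ip": "203.0.113.77",
     "operate_type": "SELECT", "fail": 1, "effect_row": 0, "return_rows": 0,
     "sql": "SELECT * FROM customers WHERE id = '1' OR '1'='1"},
    {"instance_id": "rm-example01", "db": "shop", "user": "app_rw", "client_ip": "203.0.113.77",
     "operate_type": "SELECT", "fail": 1, "effect_row": 0, "return_rows": 0,
     "sql": "SELECT * FROM customers WHERE id = '1' UNION SELECT 1,2,3--"},
    {"instance_id": "rm-example01", "db": "shop", "user": "app_rw", "client_ip": "203.0.113.77",
     "operate_type": "SELECT", "fail": 1, "effect_row": 0, "return_rows": 0,
     "sql": "SELECT * FROM information_schema.tables"},
    {"instance_id": "rm-example01", "db": "shop", "user": "dba", "client_ip": "10.0.2.9",
     "operate_type": "DELETE", "fail": 0, "effect_row": 12000, "return_rows": 0,
     "sql": "DELETE FROM audit_trail WHERE created_at < '2023-01-01'"},
    {"instance_id": "rm-example01", "db": "shop", "user": "dba", "client_ip": "10.0.2.9",
     "operate_type": "UPDATE", "fail": 0, "effect_row": 3, "return_rows": 0,
     "sql": "UPDATE customers SET status = 'active' WHERE id IN (1, 2, 3)"},
    {"instance_id": "rm-example02", "db": "crm", "user": "app_rw", "client_ip": "10.0.3.4",
     "operate_type": "SELECT", "fail": 0, "effect_row": 0, "return_rows": 10,
     "sql": "SELECT id FROM leads"},
]


def ip_distribution(logs, instance_id, db):
    """Count accesses per (user, client_ip) for one database. This is the
    offline equivalent of `select user, client_ip, count(*) group by user, client_ip`
    restricted to one instance_id and db."""
    return Counter(
        (r["user"], r["client_ip"])
        for r in logs
        if r["instance_id"] == instance_id and r["db"] == db
    )


def failed_ops_by_user(logs, threshold):
    """Users with at least `threshold` failed statements.
    Assumption: a non-zero `fail` value marks a failed execution. Confirm the
    encoding in your own Logstore before alerting on it."""
    failures = Counter(r["user"] for r in logs if r.get("fail"))
    return {user: n for user, n in failures.items() if n >= threshold}


def bulk_changes(logs, min_rows):
    """DELETE/UPDATE statements whose effect_row is at least `min_rows`."""
    return [
        r for r in logs
        if r["operate_type"] in ("DELETE", "UPDATE") and r["effect_row"] >= min_rows
    ]


def off_network_access(logs, allowed_networks):
    """(user, client_ip) pairs whose client_ip lies outside every allowed CIDR.
    The allow list describes your environment; it is not a DSC setting."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    return {
        (r["user"], r["client_ip"])
        for r in logs
        if not any(ipaddress.ip_address(r["client_ip"]) in net for net in nets)
    }


if __name__ == "__main__":
    dist = ip_distribution(SAMPLE_LOGS, "rm-example01", "shop")
    for (user, ip), n in sorted(dist.items()):
        print(f"{user:8} {ip:15} {n}")
    print("failing users:", failed_ops_by_user(SAMPLE_LOGS, threshold=3))
    print("bulk changes:", [r["sql"] for r in bulk_changes(SAMPLE_LOGS, min_rows=1000)])
    print("off-network:", off_network_access(SAMPLE_LOGS, ["10.0.0.0/8"]))
```

Run against the constructed records, the script reports three accesses by app_rw from 203.0.113.77, all failed, an address outside 10.0.0.0/8, and one DELETE that removed 12000 rows. The same conditions map directly onto SLS queries (for example `fail: 1 | select user, count(*) group by user`), so once a check proves useful offline it can be turned into a saved query or a custom audit alert rule.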
View audit logs (old version)
References
Audit logs that can be queried online are stored in the storage provided by DSC. You can check the current storage usage and manage the retention rules for online and archived logs. For more information, see Manage log storage.
By default, DSC provides audit rules for data assets, including database audit rules, OSS audit rules, and MaxCompute audit rules. You can also create custom audit rules. After you enable audit alert rules, DSC can identify abnormal activities, data leaks, vulnerabilities, and SQL injections in data assets based on audit logs. For more information, see Configure and enable audit alert rules.
After you enable audit alert rules, DSC reports activities that match the audit alert rules to the audit alerts module of DSC. You can handle risks based on the alerts and audit logs. For more information, see View and handle audit alerts.