All Products
Search
Document Center

Data Security Center:View audit logs

Last Updated:Dec 13, 2024

Audit logs record detailed information about database activities. You can analyze audit logs to trace potential malicious activities or unauthorized access to a database and identify the causes of security events. Audit logs can help you meet compliance requirements. This topic describes how to view audit logs.

Prerequisites

The data auditing mode is enabled for data assets whose audit logs you want to and are authorized to view. For more information, see Enable and configure the data auditing mode.

Log overview

Log storage location

After you enable the data audit mode, Data Security Center (DSC) collects logs and stores the collected logs in Simple Log Service Logstores.

  • Project

    Format: sddp-${uid}-${regionId}. Replace ${uid} with your Alibaba Cloud account ID. Replace ${regionId} with the ID of the region where a database resides.

  • logstore

    Database type

    Database service

    logstore

    Relational database

    RDS

    rds_log

    PolarDB

    dsc_polardb_log

    PolarDB-X

    dsc_drds_log

    OceanBase

    dsc_oceanbase_log

    Non-relational database

    Redis

    dsc_redis_log

    MongoDB

    dsc_mongodb_log

    Unstructured database

    OSS

    dsc_oss_log

    Big data

    TableStore

    dsc_ots_log

    MaxCompute

    dsc_odps_tunnel_log

    AnalyticDB for MySQL

    dsc_ads_log

    AnalyticDB for PostgreSQL

    dsc_gpdb_log

    Self-managed database

    MySQL

    dsc_self_built_db_log

    SQL Server

    PostgreSQL

    Oracle

Common log fields

Field

Description

client_ip

The IP address of the client.

clusterId

The cluster ID.

collector_type

The type of log collection.

db

The database name.

db_type

The type of the database engine.

effect_row

The number of affected rows.

execute_time

The execution time.

fail

The execution result.

hash

The hash value.

instance_id

The instance ID

latency

The execution duration. Unit: microseconds.

node_name

The node name.

operate_type

The type of the operation.

origin_time

The original time when the SQL statement was executed.

region_id

The region ID.

return_rows

The number of rows returned in the result set.

sql

The SQL statement.

thread_id

The thread ID.

uid

The user ID.

update_rows

The number of updated data rows.

user

The logon username.

View audit logs (new version)

  1. Log on to the DSC console.

  2. In the left-side navigation pane, click Log Analysis.

  3. In the upper-right corner of the Log Analysis page, click New Version.

    If Old Version is displayed in the upper-right corner of the page, skip this step.

  4. In the left-side navigation pane of the Log Analysis page, click the name of the service that you want to manage. You can view the log storage location of the specified service.

    image

  5. In the right-side log section, search for and view the operation logs of a specific database or bucket by configuring parameters such as Region, Instance Name, Account, and Action Type.

    You can also enter a query statement in the search box to analyze logs of a specific data asset. For more information, see Log search overview, Log analysis overview, and Query and analyze logs.

    image

    Query and analysis examples

    • Query the access details of a table in a database of an ApsaraDB RDS instance, including the access user, operation type, and operation result.

      * and instance_id: rm-bp1******5u5w and db: s****p and table_name : sys_d*****it

      image

    • Query the distribution of IP addresses that are used to access a table of an ApsaraDB RDS instance.

      * and instance_id: rm-bp1*****5u5w and db: s****p and table_name : sys_d*****it | select user,client_ip,count(*) group by user,client_ip

      image

    • Query outbound traffic over the Internet of all objects in a directory in an OSS bucket.

      * and __topic__ : oss_access_log and bucket: examplebucket and host : "examplebucket.oss-cn-hangzhou.aliyuncs.com" not sync_request : cdn | select
        SUM(content_length_out) AS total_traffic_out_byte
      WHERE
        url_decode(object) LIKE 'exampledir/%'

      image

View audit logs (old version)

Log audit mode

  • Analysis mode: You can view the audit logs of a service within a specific time period. The audit logs record the time and details of actions, including the instance name, account, execution duration, and client IP address.

    Only ApsaraDB RDS, PolarDB, PolarDB for Xscale, ApsaraDB for MongoDB, ApsaraDB for OceanBase, self-managed databases, AnalyticDB for MySQL, and AnalyticDB for PostgreSQL support the analysis mode.

  • List mode: You can view the audit logs of a service by instance. The audit logs record the instance name, database name, account, client IP address, operation type, and number of affected rows.

    • You can view the audit logs of Tablestore, MaxCompute, and ApsaraDB for Redis only by instance. The Analysis mode and List mode tabs are unavailable in the DSC console. By default, the log list displays the logs of an instance.

    • You can view the audit logs of OSS only by bucket. The Analysis mode and List mode tabs are unavailable in the DSC console. By default, the log list displays the logs of an OSS bucket.

View the SQL statement statistics of a database

  1. Log on to the DSC console.

  2. In the left-side navigation pane, click Log Analysis.

  3. In the upper-right corner of the Log Analysis page, click Old Version.

    If New Version is displayed in the upper-right corner of the page, skip this step.

  4. On the Log Analysis page, view the trends and charts of the following SQL statements executed within the previous 12 hours, 1 day, 7 days, or 30 days: Select, Insert, Delete, Update, and Others.

    image

View audit logs within a specific time period

  1. Log on to the DSC console.

  2. In the left-side navigation pane, click Log Analysis.

  3. In the upper-right corner of the Log Analysis page, click Old Version.

    If New Version is displayed in the upper-right corner of the page, skip this step.

  4. On the Log Analysis page, click the name of the service that you want to manage in the left-side navigation pane.

  5. On the Analysis mode tab, view the audit logs of a specific cloud service.

    After you select a time period, DSC displays database activities in reverse chronological order. You can search for and view audit logs that meet specific conditions by configuring the parameters displayed in the console.

    image

  6. Find a log and click Details in the Actions column to view the details, including the client information, server information, and action information.

View logs of an instance

  1. Log on to the DSC console.

  2. In the left-side navigation pane, click Log Analysis.

  3. In the upper-right corner of the Log Analysis page, click Old Version.

    If New Version is displayed in the upper-right corner of the page, skip this step.

  4. On the Log Analysis page, click the name of the service that you want to manage in the left-side navigation pane.

  5. Click the List mode tab above the log list.

    You can view the audit logs of ApsaraDB for Redis, OSS, Tablestore, and MaxCompute only by instance. By default, the List mode tab is not displayed in the DSC console.

  6. View audit logs in list mode.

    You can search for and view audit logs that meet specific conditions by configuring the parameters displayed in the console.

    image

  7. Find a log and click Details in the Actions column to view the details, including the client information, server information, and action information.

Export audit logs

  1. Log on to the DSC console.

  2. In the left-side navigation pane, click Log Analysis.

  3. In the upper-right corner of the Log Analysis page, click Old Version.

    If New Version is displayed in the upper-right corner of the page, skip this step.

  4. In the left-side navigation pane of the Log Analysis page, click the name of the service that you want to manage.

  5. Select the required time period, configure other conditions, and then click Search.

  6. Click Export.

    After the operation is complete, you can export all logs displayed on the current page.

References

  • Audit logs that can be queried online are stored in the storage provided by DSC. You can check the current storage usage and manage the retention rules for online and archived logs. For more information, see Manage log storage.

  • By default, DSC provides audit rules for data assets, including database audit rules, OSS audit rules, and MaxCompute audit rules. You can also create custom audit rules. After you enable audit alert rules, DSC can identify abnormal activities, data leaks, vulnerabilities, and SQL injections in data assets based on audit logs. For more information, see Configure and enable audit alert rules.

  • After you enable audit alert rules, DSC reports activities that match the audit alert rules to the audit alerts module of DSC. You can handle risks based on the alerts and audit logs. For more information, see View and handle audit alerts.