Data Security Center: View audit logs

Last Updated: Sep 05, 2024

Audit logs record detailed information about database activities. You can analyze audit logs to trace potential malicious activities or unauthorized access to a database and identify the causes of security events. Audit logs can help you meet compliance requirements. This topic describes how to view audit logs.

Prerequisites

The data audit mode is enabled for the data assets whose audit logs you want to view and are authorized to view. For more information, see Set and enable the data audit mode.

Log overview

Log storage location

After you enable the data audit mode, Data Security Center (DSC) collects logs and stores the collected logs in Simple Log Service Logstores.

  • Project

    Format: sddp-${uid}-${regionId}. Replace ${uid} with your Alibaba Cloud account ID. Replace ${regionId} with the ID of the region where a database resides.

  • Logstore

    | Database type | Database service | Logstore |
    | --- | --- | --- |
    | Relational database | ApsaraDB RDS | rds_log |
    | Relational database | PolarDB | dsc_polardb_log |
    | Relational database | PolarDB for Xscale | dsc_drds_log |
    | Relational database | ApsaraDB for OceanBase | dsc_oceanbase_log |
    | Non-relational database | ApsaraDB for Redis | dsc_redis_log |
    | Non-relational database | ApsaraDB for MongoDB | dsc_mongodb_log |
    | Unstructured database | Object Storage Service (OSS) | dsc_oss_log |
    | Big data | Tablestore | dsc_ots_log |
    | Big data | MaxCompute | dsc_odps_tunnel_log |
    | Big data | AnalyticDB for MySQL | dsc_ads_log |
    | Big data | AnalyticDB for PostgreSQL | dsc_gpdb_log |
    | Self-managed database | MySQL, SQL Server, PostgreSQL, Oracle | dsc_self_built_db_log |

Common log fields

| Field | Description |
| --- | --- |
| client_ip | The IP address of the client. |
| clusterId | The ID of the cluster. |
| collector_type | The type of log collection. |
| db | The name of the database. |
| db_type | The type of the database engine. |
| effect_row | The number of affected rows. |
| execute_time | The execution time. |
| fail | The execution result. |
| hash | The hash value. |
| instance_id | The instance ID. |
| latency | The execution duration. Unit: microseconds. |
| node_name | The name of the node. |
| operate_type | The type of the operation. |
| origin_time | The original time when the SQL statement was executed. |
| region_id | The region ID. |
| return_rows | The number of rows returned in the result set. |
| sql | The SQL statement. |
| thread_id | The thread ID. |
| uid | The user ID. |
| update_rows | The number of updated data rows. |
| user | The logon username. |

View the SQL statement statistics of a database

  1. Log on to the DSC console.

  2. In the left-side navigation pane, choose Data Auditing > Log Analysis.

  3. On the Log Analysis page, view the trends and charts of the following SQL statements executed within the previous 12 hours, 1 day, 7 days, or 30 days: Select, Insert, Delete, Update, and Others.


View audit logs (new version)

  1. Log on to the DSC console.

  2. In the left-side navigation pane, choose Data Auditing > Log Analysis.

  3. In the upper-right corner of the Log Analysis page, click New Version.

    If Old Version is displayed in the upper-right corner of the page, skip this step.

  4. In the left-side navigation pane of the Log Analysis page, click the name of the service that you want to manage. You can view the log storage location of the specified service.


  5. In the right-side log section, search for and view the operation logs of a specific database or bucket by configuring parameters such as Region, Instance Name, Account, and Action Type.

    You can also enter a query statement in the search box to analyze logs of a specific data asset. For more information, see Log search overview, Log analysis overview, and Query and analyze logs.


    Query and analysis examples

    • Query the access details of a table in a database of an ApsaraDB RDS instance, including the access user, operation type, and operation result.

      * and instance_id: rm-bp1******5u5w and db: s****p and table_name : sys_d*****it


    • Query the distribution of IP addresses that are used to access a table of an ApsaraDB RDS instance.

      * and instance_id: rm-bp1*****5u5w and db: s****p and table_name : sys_d*****it | select user,client_ip,count(*) group by user,client_ip


    • Query outbound traffic over the Internet of all objects in a directory in an OSS bucket.

      * and __topic__ : oss_access_log and bucket: examplebucket and host : "examplebucket.oss-cn-hangzhou.aliyuncs.com" not sync_request : cdn | select
        SUM(content_length_out) AS total_traffic_out_byte
      WHERE
        url_decode(object) LIKE 'exampledir/%'
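
The grouping from the second query example, reproduced offline over exported records and extended with a baseline check and a return_rows total. This is an added example, not code from the original page or from DSC; the CSV layout, the sample values, the BASELINE set and the row_limit threshold are assumptions.

```python
import csv
import io

# Constructed sample records. Column names are the common log fields from this
# page plus table_name from the query examples; the CSV layout is an assumption.
SAMPLE_CSV = """\
user,client_ip,db,table_name,operate_type,return_rows
app_rw,10.0.1.15,shop,sys_audit,Select,12
app_rw,10.0.1.15,shop,sys_audit,Select,8
app_rw,10.0.1.15,shop,sys_audit,Update,0
report,10.0.2.40,shop,sys_audit,Select,150
report,203.0.113.77,shop,sys_audit,Select,98000
app_rw,10.0.1.15,shop,orders,Select,3
"""

# Hypothetical baseline of (user, client_ip) pairs already known to be legitimate.
BASELINE = {("app_rw", "10.0.1.15"), ("report", "10.0.2.40")}

def load_records(text):
    """Parse exported audit records into a list of dicts keyed by field name."""
    return list(csv.DictReader(io.StringIO(text)))

def access_distribution(records, db, table):
    """Per (user, client_ip) for one table: [access_count, total_return_rows]."""
    stats = {}
    for rec in records:
        if rec["db"] != db or rec["table_name"] != table:
            continue
        entry = stats.setdefault((rec["user"], rec["client_ip"]), [0, 0])
        entry[0] += 1
        entry[1] += int(rec["return_rows"] or 0)  # empty when no result set
    return stats

def review_queue(stats, baseline, row_limit):
    """Pairs to review: source not in the baseline, or rows read above row_limit."""
    findings = []
    for pair, (count, rows) in sorted(stats.items()):
        reasons = []
        if pair not in baseline:
            reasons.append("new source")
        if rows > row_limit:
            reasons.append("bulk read")
        if reasons:
            findings.append((pair, count, rows, reasons))
    return findings

if __name__ == "__main__":
    stats = access_distribution(load_records(SAMPLE_CSV), "shop", "sys_audit")
    for finding in review_queue(stats, BASELINE, row_limit=10000):
        print(finding)
```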


View audit logs (old version)

Log audit mode

  • Analysis mode: You can view the audit logs of a service within a specific time period. The audit logs record the time and details of actions, including the instance name, account, execution duration, and client IP address.

    Only ApsaraDB RDS, PolarDB, PolarDB for Xscale, ApsaraDB for MongoDB, ApsaraDB for OceanBase, self-managed databases, AnalyticDB for MySQL, and AnalyticDB for PostgreSQL support the analysis mode.

  • List mode: You can view the audit logs of a service by instance. The audit logs record the instance name, database name, account, client IP address, operation type, and number of affected rows.

    • You can view the audit logs of Tablestore, MaxCompute, and ApsaraDB for Redis only by instance. The Analysis mode and List mode tabs are unavailable in the DSC console. By default, the log list displays the logs of an instance.

    • You can view the audit logs of OSS only by bucket. The Analysis mode and List mode tabs are unavailable in the DSC console. By default, the log list displays the logs of an OSS bucket.

View audit logs within a specific time period

  1. Log on to the DSC console.

  2. In the left-side navigation pane, choose Data Auditing > Log Analysis.

  3. In the upper-right corner of the Log Analysis page, click Old Version.

    If New Version is displayed in the upper-right corner of the page, skip this step.

  4. In the left-side navigation pane of the Log Analysis page, click the name of the service that you want to manage.

  5. On the Analysis mode tab, view the audit logs of a specific cloud service.

    After you select a time period, DSC displays database activities in reverse chronological order. You can search for and view audit logs that meet specific conditions by configuring the parameters displayed in the console.


  6. Find a log and click Details in the Actions column to view the details, including the client information, server information, and action information.

View logs of an instance

  1. Log on to the DSC console.

  2. In the left-side navigation pane, choose Data Auditing > Log Analysis.

  3. In the upper-right corner of the Log Analysis page, click Old Version.

    If New Version is displayed in the upper-right corner of the page, skip this step.

  4. On the Log Analysis page, click the name of the service that you want to manage in the left-side navigation pane.

  5. Click the List mode tab above the log list.

    You can view the audit logs of ApsaraDB for Redis, OSS, Tablestore, and MaxCompute only by instance. By default, the List mode tab is not displayed in the DSC console.

  6. View audit logs in list mode.

    You can search for and view audit logs that meet specific conditions by configuring the parameters displayed in the console.


  7. Find a log and click Details in the Actions column to view the details, including the client information, server information, and action information.

Export audit logs

  1. Log on to the DSC console.

  2. In the left-side navigation pane, choose Data Auditing > Log Analysis.

  3. In the upper-right corner of the Log Analysis page, click Old Version.

    If New Version is displayed in the upper-right corner of the page, skip this step.

  4. In the left-side navigation pane of the Log Analysis page, click the name of the service that you want to manage.

  5. Select the required time period, configure other conditions, and then click Search.

  6. Click Export.

    After the operation is complete, you can export all logs displayed on the current page.

References

  • Audit logs that can be queried online are stored in the storage provided by DSC. You can check the current storage usage and manage the retention rules for online and archived logs. For more information, see Manage log storage.

  • By default, DSC provides audit rules for data assets, including database audit rules, OSS audit rules, and MaxCompute audit rules. You can also create custom audit rules. After you enable audit alert rules, DSC can identify abnormal activities, data leaks, vulnerabilities, and SQL injections in data assets based on audit logs. For more information, see Configure and enable audit alert rules.

  • After you enable audit alert rules, DSC reports activities that match the audit alert rules to the audit alerts module of DSC. You can handle the risks based on the alerts and audit logs. For more information, see View and handle audit alerts.