Use the SQL Explorer and Audit feature

If you want to monitor and manage SQL statements that are executed on an ApsaraDB RDS for SQL Server instance in scenarios such as security compliance audit, performance analysis, and troubleshooting, you can use the SQL Explorer and Audit feature. The feature enables you to record and perform aggregate analysis on the execution statuses of SQL statements. After this feature is enabled, SQL statements from database kernels, the accounts that are used to execute the SQL statements, IP addresses, and execution details are automatically recorded. This does not affect the instance performance.

Prerequisites

Database Autonomy Service (DAS) Enterprise Edition is purchased by using your Alibaba Cloud account. For more information, see Enable and manage DAS Cost-efficient Edition and DAS Enterprise Edition.
After you enable DAS Enterprise Edition, you can use the SQL Explorer and Audit feature. In the ApsaraDB RDS console, you can enable only the most recent version of DAS Enterprise Edition that is supported in the current region. Different versions of DAS Enterprise Edition are supported in different regions. For more information, see Supported databases and regions.
The AliyunRDSReadOnlyWithSQLLogArchiveAccess policy is attached to the RAM user whose credentials are used to use the search feature. For more information about how to grant permissions to a RAM user, see Use RAM to manage ApsaraDB RDS permissions.
Note
You can also create a custom policy to grant the RAM user the permissions to use the search feature, including the log export feature. For more information, see Use custom policies to grant a RAM user the permissions to use the search and export features in the SQL Explorer and Audit module.

Billing rules

For more information, see Billing details.

Note

After you enable the SQL Explorer and Audit feature, the system stops billing for the SQL Audit feature. The fees that you must pay for the SQL Explorer and Audit feature are billed to DAS Professional Edition. For more information, see Use the SQL Audit feature.

Feature description

Search: queries and exports the SQL statements that are executed and the information about the SQL statements. The information includes the database, status, and execution duration of each SQL statement.
SQL Explorer: diagnoses the SQL statements, troubleshoots performance issues, and analyzes business traffic.

Enable the SQL Explorer and Audit feature

Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
In the left-side navigation pane, choose Autonomy Services > SQL Explorer and Audit.
If the SQL Explorer and Audit feature is disabled, click Enable. In the dialog box that appears, click Enable Professional Edition.
If you do not purchase DAS Professional Edition by using your Alibaba Cloud account, follow the instructions to purchase DAS Professional Edition. For more information, see Enable and manage DAS Cost-efficient Edition and DAS Enterprise Edition.
Note
- If the page that appears contains the Search and SQL Explorer tabs, the SQL Explorer and Audit feature is enabled.
- In the ApsaraDB RDS console, you can only enable the most recent version of DAS Enterprise Edition that is supported in the current region. The update to DAS Enterprise Edition introduces more flexible billing methods and reduces costs.

Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
In the left-side navigation pane, choose Autonomy Services > SQL Explorer and Audit to use the feature based on your business requirements.
- Search: queries and exports SQL statements and the related information, such as the database, status, and execution time. For more information, see Search (Audit).
- SQL Explorer: This feature is used to diagnose the health status of SQL statements, troubleshoot performance issues, and analyze business traffic. For more information, see SQL Explorer.

Modify the storage duration of data generated by the SQL Explorer and Audit feature

Warning

After you reduce the storage duration of the data that is generated by the SQL Explorer and Audit feature, DAS immediately deletes the SQL audit logs that are retained for a longer period of time than the storage duration. We recommend that you export and save SQL audit logs to your computer and then reduce the storage duration of the data that is generated by the SQL Explorer and Audit feature.

Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
In the left-side navigation pane, choose Autonomy Services > SQL Explorer and Audit.
Click Service Settings.
In the Service Settings dialog box, modify the storage duration and click OK.
If you have enabled DAS Enterprise Edition V3, you can modify the storage duration for different sub-features.
Note
The storage that is occupied by the data generated by the SQL Explorer and Audit feature is provided by DAS and does not consume the storage of your database instance.

Disable the SQL Explorer and Audit feature

Warning

After you disable the SQL Explorer and Audit feature, all logs that are generated by the feature are deleted. We recommend that you export and save the logs that are generated by the SQL Explorer and Audit feature to your computer and then disable the SQL Explorer and Audit feature. If you enable the SQL Explorer and Audit feature again, logs that are generated by the feature are recorded from the point in time at which the SQL Explorer and Audit feature is enabled again.

Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
In the left-side navigation pane, choose Autonomy Services > SQL Explorer and Audit.
In the Logs section of the Search tab, click Export.
In the dialog box that appears, configure the Exported Fields and Export Time Range parameters and click OK.
Download the log file that you exported and save it to your computer.
The methods for downloading SQL audit logs vary based on the versions of DAS Enterprise Edition. You can download the SQL audit logs based on the actual situation in the ApsaraDB RDS console.
- On the Search tab, click View Exported Logs to download the exported file.
- Download the exported log file on the Task list tab.
Click Service Settings. In the dialog box that appears, disable the SQL Explorer and Audit feature.
If you have enabled DAS Enterprise Edition V3, clear all sub-features of the SQL Explorer and Audit feature.
Note
If you enable the audit log collection feature for your RDS instance in the CloudLens for RDS application of Simple Log Service, the SQL Explorer and Audit feature is automatically enabled for the RDS instance. Therefore, you must also disable the audit log collection feature for the RDS instance. For more information, see CloudLens for RDS.