Query the audit logs of an instance by filter condition - Tair (Redis® OSS-Compatible)

After you enable the audit log feature for a Tair (Redis OSS-compatible) instance, you can query the audit logs for records of data write, modification, and deletion operations. You can also use audit logs to troubleshoot issues or analyze performance, for example, to investigate a sudden increase in instance resource consumption.

RAM user permissions

If you use an Alibaba Cloud account, you can ignore this section. If you use a Resource Access Management (RAM) user to enable audit logs, you must grant the RAM user management permissions for Simple Log Service.

You can grant the AliyunLogFullAccess system policy to the RAM user. After you grant this permission, the RAM user can manage all Logstores. For more information, see Grant permissions.
You can also create a custom policy to allow the RAM user to manage only the audit logs of Tair (Redis OSS-compatible) instances.
Example of a custom policy
```
{
 "Version": "1",
 "Statement": [
  {
   "Action": "log:*",
   "Resource": "acs:log:*:*:project/nosql-*",
   "Effect": "Allow"
  }
 ]
}
```

Background information

Audit logs provide detailed information that can help you view database request records, find the cause of a sudden increase in resource consumption for a Tair (Redis OSS-compatible) instance, or find records of data modifications or deletions.

View audit logs

Log on to the console and go to the Instances page. In the top navigation bar, select the region in which the instance is deployed. Then, find the instance and click its ID.
In the navigation pane on the left, choose Log Management > Audit Logs.
On the Audit Logs page, you can view the audit log details of the Redis instance.

Filter logs

You can use different filter conditions to find specific log records.

Log on to the console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.
In the navigation pane on the left, choose Logs > Audit Logs.

In the filter section of the Audit Logs page, set the filter conditions.

Table 1. Filter conditions

Filter condition	Description
Keyword	Filter logs by keyword. A keyword can be a client IP address, a command, an account, or other extended information. Note You must enter the complete information for the keyword. Examples: If you use an IPv4 address as the keyword, you must enter the complete address in dotted decimal notation, such as 192.168.*.1, not 192.168 or 1.1. If you use a command as the keyword, you must enter the full command, such as AUTH or auth, not au. If a keyword contains a colon (:), enclose the keyword in double quotation marks (""). Example: `"userId:1"`.
Type	The type of log: redis_audit_log: the audit logs of data shards. redis_proxy_audit_log: the audit logs of proxy servers. Note This parameter is available only if the instance uses the cluster architecture in proxy mode or the read/write splitting architecture. For these instances, the host address used to connect to the database is a proxy IP address by default. If you want to obtain the specific client IP address, set the ptod_enabled parameter to 1 in the parameter settings. For more information, see Set parameters.
Account	The account used to connect to the instance. The default account is displayed as null.
Client IP	The IP address of the client that connects to the instance.
DB	The database whose logs you want to query.

Query logs within a time range

You can use the time picker to find logs generated within a specific time range.

Log on to the console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.
In the left-side navigation pane, choose Logs > Audit Logs.
On the Audit Logs page, click Select Time Range.
Specify a time range to query audit logs.

Related API operations

API	Description
ModifyAuditLogConfig - Modify audit log settings	Enables or disables audit logs for an instance and sets the log retention period.
DescribeAuditLogConfig - Query audit log configurations	Queries configuration information, such as whether audit logs are enabled for an instance and the log retention period.
DescribeAuditRecords - Query audit logs of an instance	Queries the audit logs of an instance.

FAQ

Can I view more than 2,000 audit log entries?

The Audit Log page in the console displays a maximum of 2,000 audit log entries. To view more audit log entries, log on to the Simple Log Service console. For more information, see Query and Analysis Quick Guide.

How do I view the storage space used by audit logs?

You can view the amount of storage space used by audit logs on the Audit Log page in the console.

Why do some audit logs have a write IP of `127.0.0.1`?

Logs with the IP address 127.0.0.1 are generated by internal management operations on the instance.

The following table describes common internal operation logs.

Log type	Description
Primary node eviction	Indicates that data eviction occurred on the node.
Primary node audit log drop event	Indicates that an audit log drop event started (drop start).
Primary node audit log drop event	Indicates that an audit log drop event ended (drop end).
Primary node hot key log	Contains information about hot keys that are being accessed on the node. Hot keys are identified based on queries per second (QPS) or traffic.
Primary node large key log	Contains information about large keys stored on the node. Large keys are identified based on the number of elements.