You can use the CloudLens for RDS application to collect audit logs, error logs, and slow query logs for ApsaraDB RDS instances. Based on the collected logs, you can perform further operations such as auditing, analysis, and alerting. You can enable log collection in two ways: manually, for a specific ApsaraDB RDS instance, or automatically, for existing and new ApsaraDB RDS instances that meet the conditions that you specify. This topic describes how to enable the log collection feature of CloudLens for RDS and the related operations.
Prerequisites
- If you want to manually enable the log collection feature for an ApsaraDB RDS instance, you must create a Simple Log Service project and a Logstore in the region where the instance resides. For more information, see the Step 1: Create a project and a Logstore section of the Getting Started topic.
- If you use a RAM user, you must grant the RAM user the required permissions to manage CloudLens for RDS. For more information, see Grant permissions on CloudLens for RDS to a RAM user.
Manually enable the log collection feature for an ApsaraDB RDS instance
You can use CloudLens for RDS to collect audit logs, error logs, and slow query logs for ApsaraDB RDS instances. The operations that are required to enable the log collection feature for these logs are similar. In this example, the log collection feature is enabled for audit logs.
- Log on to the Log Service console.
- In the Log Application section, click the Cloud Service Lens tab and click CloudLens for RDS.
  If you enable CloudLens for RDS for the first time, you must complete authorization as prompted.
  - A system role named AliyunLogArchiveRole is automatically created. CloudLens for RDS assumes this role to write logs.
  - A service-linked role named AliyunServiceRoleForSLSAudit is automatically created. CloudLens for RDS assumes this role to collect audit logs for ApsaraDB RDS instances. For more information, see Manage the AliyunServiceRoleForSLSAudit service-linked role.
- On the RDS Cluster Access tab of the Access Management page, find the desired ApsaraDB RDS instance and click Enable in the Audit Logs column.
- In the Enable Audit Logs Collect dialog box, select a destination project and Logstore. Then, click Confirm.
  After the log collection feature is enabled, Simple Log Service starts to collect audit logs for the ApsaraDB RDS instance.
Configure automatic log collection
You can use CloudLens for RDS to collect audit logs, error logs, and slow query logs for ApsaraDB RDS instances. The operations that are required to enable the log collection feature for these logs are similar. In this example, the log collection feature is enabled for audit logs.
- Log on to the Log Service console.
- On the Cloud Service Lens tab in the Log Application section, click CloudLens for RDS.
- On the Access Management page, click the Automatic Collection tab.
- Turn on Automatic Collection Configuration.
- Click the Condition, Automatic Collection Configurations, and End icons to complete settings in sequence. Then, click Save in the upper-right corner. Condition is optional. Automatic Collection Configurations and End are required.
Condition
You can select Alibaba Cloud Account ID, Region, Instance ID, Instance Name, Database Type, Database Version, or Tag from the Object drop-down list and then specify a condition.
In the lower-left corner of the Condition dialog box, you can switch between Advanced Mode and Standard Mode. In standard mode, multiple conditions are associated by the AND operator. In advanced mode, you can combine and nest conditions based on your business requirements. For more information about the rules that are configured for conditional nodes, see Match modes of a conditional node.
Automatic Collection Configurations
Parameter | Description |
Automatic Collection Type | Select an automatic collection type. Valid values: Custom Logstore and Collection Remains Unchanged. Custom Logstore: Simple Log Service automatically collects audit logs for ApsaraDB RDS instances that meet the specified conditions to the destination Logstore. If the destination project or Logstore does not exist, Simple Log Service automatically creates a project or Logstore. Collection Remains Unchanged: If you select Collection Remains Unchanged, you do not need to set the Region, Project, Logstore, and Conflict Policy parameters. If you do not enable the log collection feature for the ApsaraDB RDS instances that meet the specified conditions, the automatic log collection feature is not automatically enabled for the instances. If you have enabled the log collection feature for the ApsaraDB RDS instances that meet the specified conditions, the destination Logstore remains unchanged. |
Region | The region where the ApsaraDB RDS instances reside is displayed by default. You cannot change the setting. |
Project | A project named in the rds-xxx-${Alibaba Cloud account ID}-${Region} format is automatically created for the region where the ApsaraDB RDS instances reside. Example: rds-test-117918634953****-cn-hangzhou. |
Logstore | A Logstore named rds_log is automatically created in the project named in the rds-xxx-${Alibaba Cloud account ID}-${Region} format. |
Conflict Policy | If the specified Logstore is inconsistent with the existing Logstore, Simple Log Service performs either of the following operations. Ignore: uses the existing Logstore. Overwrite: uses the specified Logstore. |
Examples:
- The audit logs of the ApsaraDB RDS for MySQL instances that have the env==prod tag are sent to the rds_log Logstore in the project named in the rds-prod-${Alibaba Cloud account ID}-${Region} format.
- The audit logs of the ApsaraDB RDS for MySQL instances that have the env==test tag are sent to the rds_log Logstore in the project named in the rds-test-${Alibaba Cloud account ID}-${Region} format.
- The audit logs of other ApsaraDB RDS instances are sent to the existing Logstore.
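The routing described in this section, modelled offline as an added example (not Simple Log Service code and not an API client): it takes a constructed inventory and rule set and reports where each instance's audit logs land, so instances left without audit log collection stand out. The first-match rule ordering, the field names, the account ID, and the Conflict Policy chosen for each rule are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Instance:  # constructed inventory record, not an API response
    instance_id: str
    db_type: str
    tags: dict
    region: str
    existing: Optional[str] = None  # "project/logstore" if collection is already enabled

@dataclass
class Rule:
    conditions: dict          # standard mode: all conditions must match (AND)
    collection_type: str      # "custom" (Custom Logstore) or "unchanged"
    prefix: str = ""          # the xxx part of rds-xxx-${account ID}-${Region}
    conflict: str = "ignore"  # Conflict Policy: "ignore" or "overwrite"

def matches(inst, conditions):
    have = {**inst.tags, "db_type": inst.db_type}
    return all(have.get(k) == v for k, v in conditions.items())

def destination(inst, rules, account_id):
    """Where the instance's audit logs land, or None if nothing collects them."""
    for rule in rules:  # assumption: the first matching rule applies
        if not matches(inst, rule.conditions):
            continue
        if rule.collection_type == "unchanged":
            return inst.existing  # not auto-enabled; an existing destination is kept
        target = f"rds-{rule.prefix}-{account_id}-{inst.region}/rds_log"
        if inst.existing and inst.existing != target and rule.conflict == "ignore":
            return inst.existing  # Ignore: keep the existing Logstore
        return target             # nothing to conflict with, or Overwrite
    return inst.existing

ACCOUNT = "100000000000"  # constructed placeholder account ID
RULES = [  # mirrors the three examples above; conflict policies are assumed
    Rule({"db_type": "MySQL", "env": "prod"}, "custom", "prod", "overwrite"),
    Rule({"db_type": "MySQL", "env": "test"}, "custom", "test", "ignore"),
    Rule({}, "unchanged"),
]
INVENTORY = [  # constructed sample instances
    Instance("rm-a", "MySQL", {"env": "prod"}, "cn-hangzhou", "legacy/audit"),
    Instance("rm-b", "MySQL", {"env": "test"}, "cn-hangzhou", "legacy/audit"),
    Instance("rm-c", "PostgreSQL", {"env": "prod"}, "cn-hangzhou"),
]

def coverage(inventory=INVENTORY, rules=RULES, account_id=ACCOUNT):
    return {i.instance_id: destination(i, rules, account_id) for i in inventory}
```

An instance that maps to None, such as rm-c here, matched only the Collection Remains Unchanged branch and had no collection enabled beforehand, so its audit logs are not collected until collection is enabled manually or a Custom Logstore rule covers it.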
Related operations
Operation | Description |
Manage ApsaraDB RDS instances | On the RDS Cluster Access tab of the Access Management page, you can view all ApsaraDB RDS instances that belong to your Alibaba Cloud account. You can also view other information such as the regions where the instances reside and the collection status of the instances. |
Disable the log collection feature | On the RDS Cluster Access tab of the Access Management page, you can find the ApsaraDB RDS instance that you want to manage and click Disable in the column of related logs to disable the log collection feature of the logs. |
Search and analyze logs | You can find the ApsaraDB RDS instance that you want to manage, click Log Query in the Actions column, and then select the logs that you want to query and analyze. Then, you are navigated to the Logstore where the logs are stored. You can view the raw logs and query and analyze the logs. For more information, see Query and analyze logs. |
Manage destination projects and Logstores | On the Destination Logstore tab of the Access Management page, you can view the project and Logstore of the ApsaraDB RDS logs and modify the data retention period for the Logstore. |
Configure alerts | On the Anomaly Detection page, you can enable the alerting feature. For more information, see Create alert rules. |
View reports | On the Report Center page, you can select a Logstore to view reports on the Audit Operations Center, Audit Security Center, and Audit Performance Center tabs. |