All Products
Search

This Product

    :Enable the audit log feature

    Document Center

    :Enable the audit log feature

    Last Updated:May 27, 2024

    Tair provides the audit log feature based on Simple Log Service. This feature allows you to query, analyze, and export log data. Security auditors can use the feature to promptly detect unusual or unauthorized data manipulation activities, and rapidly pinpoint the identity of the user who altered the data and the exact time of alteration. Developers and O&M personnel can use the feature to identify performance-related issues. This feature also empowers business systems to meet security and compliance requirements.

    Prerequisites

    To enable the audit log feature, a Resource Access Management (RAM) user must have the permissions to manage Simple Log Service.

    • You can attach the AliyunLogFullAccess system policy to a RAM user. After the RAM user is granted the permissions defined in the system policy, the RAM user can manage all Logstores. For more information, see Grant permissions to a RAM user.

    • You can also customize a policy to restrict the RAM user to only manage the audit logs of Tair .

      Examples of custom policies

      {
 "Version": "1",
 "Statement": [
  {
   "Action": "log:*",
   "Resource": "acs:log:*:*:project/nosql-*",
   "Effect": "Allow"
  }
 ]
}

    Precautions

    • After you enable the audit log feature for your Tair instance, the system audits and logs the write operations that are performed on the instance. The instance may experience a performance decrease of 5% to 15% and some degree of latency and jitter. The performance decrease and the level of latency and jitter vary based on the amount of data that is written or audited.

      Important

      Your application may write large amounts of data to your Tair instance. For example, your application frequently runs the INCR command to increment values. To prevent a performance decrease in such a scenario, we recommend that you enable the audit log feature only for troubleshooting issues or auditing instance security.

    • Typically, a large number of read operations are performed. If audit information is recorded for a large number of read operations, the instance performance may deteriorate. To prevent this issue, Tair records audit information only for write operations.

    • When a command has a large number of parameters, the individual parameters are overly lengthy, or the total length of the command is excessively long, the command is not displayed in its entirety within the audit logs. The display format of the command is similar to that of the SLOWLOG command of Redis.

    Billing

    You are charged for the audit log feature based on the storage usage and log retention period. The price varies based on the region that you select. For more information, see Billable items.

    Procedure

    1. Log on to the Tair console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.

    2. In the left-side navigation pane, choose Logs > Audit Logs.

    3. Specify a log retention period.

      Important

      • The audit log retention period applies to all instances in the current region that have the audit log feature enabled.

      • The retention period of audit logs can range from 1 day to 365 days.

    4. Click Estimate Fees and Enable Audit Logs.

    5. In the dialog box that appears, estimate log fees, read the prompt, and then click Enable.

      Note

      The audit log feature depends on Log Service. If Simple Log Service is not activated for your Alibaba Cloud account, you are prompted to activate Simple Log Service.

    Related API operations

    API operation

    Description

    ModifyAuditLogConfig

    Enables or disables the audit log feature for a Tair instance and specifies a retention period for audit logs.

    DescribeAuditLogConfig

    Queries the audit log settings of a Tair instance. These settings include whether the audit log feature is enabled and the retention period of audit logs.

    DescribeAuditRecords

    Queries the audit logs of a Tair instance.

    FAQ

    How do I disable the audit log feature for an instance?

    On the Audit Logs page, click Service Settings in the upper-right corner to turn off the Audit Logs switch for all nodes.

    How do I download all audit logs?

    You can use multiple methods to download audit logs. For more information, see Download logs. When you download all audit logs, take note of the following items:

    • You must select the redis_audit_log_standard Logstore and specify the project name in the following format: nosql-{ID of your Alibaba Cloud account}-{Region}. Example: nosql-1764984********-cn-hangzhou.

    • You must select Download with Cloud Shell or Download with CLI. If you select Download, you can download only the audit logs that are displayed on the current page.

    Why does the audit log feature support only write operations but not read operations?

    In most scenarios, read operations constitute a high proportion of all operations. Auditing read operations can lead to significant performance degradation. In addition, a large number of audit logs need to be generated and stored for read operations. Therefore, the audit log feature does not support read operations.

    If I specify different log retention periods for two instances in the same region that have the audit log feature enabled, which log retention period is applied to all the instances in the region?

    The last log retention period that you specify is applied.

    Why do I find that the client IP addresses recorded in specific audit logs are not the same as the IP address of the client on which my application runs?

    The audit logs record write operations on the database system. You can filter out this type of information.