All Products
Search
Document Center

:Query audit logs

Last Updated:Feb 06, 2024

After you enable the audit log feature of Tair, you can query the records of data writes, updates, and deletions in audit logs. You can also troubleshoot issues such as sudden increases in resource consumption by Tair instances and optimize performance.

Prerequisites

  • The audit log feature is enabled. For more information, see Enable the audit log feature.

  • The RAM user that you use to access audit logs has the permissions to access Simple Log Service.

    • You can attach the AliyunLogReadOnlyAccess or AliyunLogFullAccess system policy to a RAM user. After the policy is attached, the RAM user can view all Logstores. For more information, see Grant permissions to a RAM user.

    • You can also customize a policy to allow a RAM user to view only the audit logs of Tair.

      Custom policy example

      {
       "Version": "1",
       "Statement": [
        {
              "Action": [
                "log:Get*",
                "log:List*"
              ],
         "Resource": "acs:log:*:*:project/nosql-*",
         "Effect": "Allow"
        }
       ]
      }

View audit logs

  1. Log on to the Tair console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.

  2. In the left-side navigation pane, choose Logs > Audit Log.

  3. On the Audit Log page, view the audit logs of the Tair instance.

Filter the audit logs of an instance

Tair allows you to view the audit logs that meet specified filter conditions.

  1. Log on to the Tair console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.

  2. In the left-side navigation pane, choose Logs > Audit Log.

  3. On the Audit Log page, specify conditions to filter audit logs.

    Table 1. Filter conditions

    Filter condition

    Description

    Keyword

    The keyword that is included in the audit logs you want to view. A keyword can be a client IP address, a command, a username, or other extended information.

    Note
    • The Keyword field supports exact match. You must enter complete information in the Keyword field. Examples:

      • If you want to specify an IPv4 address as a keyword, you must enter a complete IP address such as 192.168.1.1, not a partial IP address such as 192.168 or 1.1.

      • If you want to specify a command as a keyword, you must enter a complete command such as AUTH or auth, not a partial command such as au.

    • If a keyword contains a colon (:), you must enclose the keyword in a pair of double quotation marks (""). Example: "userId:1".

    Type

    The type of audit logs. Valid values:

    • redis_audit_log: the audit logs of data shards.

    • redis_proxy_audit_log: the audit logs of proxy nodes.

      Note

      This parameter is available only if the instance uses the read/write splitting architecture or the cluster architecture in proxy mode. By default, the Tair console displays the IP addresses of proxy nodes for cluster and read/write splitting instances. To obtain the IP address of your cluster or read/write splitting instance, set ptod_enabled to 1. For more information, see Modify the values of parameters for an instance.

    Account

    The account used to connect to the Tair instance. This field is empty by default. For more information about accounts, see Create and manage database accounts.

    Client ip

    The client IP address used to connect to the Tair instance.

    DB

    The database whose audit logs you want to query.

View the audit logs of an instance over a specified time range

You can use the time picker to specify a time range to query.

  1. Log on to the Tair console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.

  2. In the left-side navigation pane, choose Logs > Audit Log.

  3. On the Audit Log page, click Time Range.

  4. Specify a time range to query audit logs.

FAQ

Can I view more than 2,000 audit log entries?

The Audit Log page in the Tair console displays a maximum of 2,000 audit log entries. To view more audit log entries, log on to the Simple Log Service console. For more information, see Query and analyze logs.

Related operations

Operation

Description

ModifyAuditLogConfig

Enables or disables the audit log feature for a Tair instance and specifies a retention period for audit logs.

DescribeAuditLogConfig

Queries the audit log settings of a Tair instance. These settings include whether the audit log feature is enabled and the retention period of audit logs.

DescribeAuditRecords

Queries the audit logs of a Tair instance.

References