View audit logs

Audit logs record detailed information about database activities. By viewing audit logs, you can track potential malicious activities or unauthorized access to a database, investigate the causes of security events, and meet compliance requirements.

Prerequisites

Enable data audit for the supported data assets that you want to audit. For more information, see Enable data audit.

Logs

Log storage location

After you enable data audit, Data Security Center (DSC) collects and stores logs in a Simple Log Service (SLS) Logstore:

  • Project

    The project name is in the sddp-${uid}-${regionId} format. In this format, ${uid} is the ID of your Alibaba Cloud account and ${regionId} is the ID of the region where the database is located.

  • Logstore

    Category                   Database type                            Logstore
    Relational database        RDS                                      rds_log
    Relational database        PolarDB                                  dsc_polardb_log
    Relational database        PolarDB-X                                dsc_drds_log
    Relational database        OceanBase                                dsc_oceanbase_log
    Non-relational database    Redis                                    dsc_redis_log
    Non-relational database    MongoDB                                  dsc_mongodb_log
    Unstructured database      OSS                                      dsc_oss_log
    Big data                   Tablestore                               dsc_ots_log
    Big data                   MaxCompute                               dsc_odps_tunnel_log
    Big data                   ADB-MYSQL                                dsc_ads_log
    Big data                   ADB-PG                                   dsc_gpdb_log
    Self-managed database      MySQL, SQL Server, PostgreSQL, Oracle    dsc_self_built_db_log

Common fields

Field             Description
client_ip         The IP address of the client.
clusterId         The cluster ID.
collector_type    The log collection type.
db                The database name.
db_type           The database engine type.
effect_row        The number of affected rows.
execute_time      The execution time.
fail              The execution result.
hash              The hash value.
instance_id       The instance ID.
latency           The execution duration in microseconds.
node_name         The node name.
operate_type      The operation type.
origin_time       The original execution time of the SQL statement.
region_id         The region ID.
return_rows       The number of rows returned in the result set.
sql               The SQL statement.
thread_id         The thread ID.
uid               The user ID.
update_rows       The number of updated rows.
user              The logon username.

View data audit logs (new version)

  1. Log on to the Data Security Center console.

  2. In the navigation pane on the left, select Log Analysis.

  3. On the Log Analysis page, click New Version in the upper-right corner.

    If Switch to Old Version is displayed in the upper-right corner, skip this step.

  4. In the left-side navigation bar of the Log Analysis page, click a product type to view its log storage location.

    The available product types include RDS, PolarDB, PolarDB-X, Redis, MongoDB, OceanBase, and self-managed database. The number of connected instances for each type is displayed in parentheses.

  5. In the log area on the right, you can search for and view the operation logs of the target database or bucket by using parameters such as region, instance, account, and operation type.

    You can also enter query and analysis statements to analyze the logs of the target data asset based on the query syntax and analysis syntax. For more information, see Quick start for query and analysis.

    Query and analysis examples

    • View the access details for a table in a database of an RDS instance. The details include the access user, operation type, and operation result.

      * and instance_id: rm-bp1******5u5w and db: s****p and table_name : sys_d*****it

      The query result displays the details of an audit log entry. Key fields include db_type (MySQL), operate_type (Select), sql (SELECT * FROM sys_data_limit LIMIT 20), latency (428), fail (0), and ret_code (0), along with other fields such as user, table_name, and thread_id. You can use these fields to identify the access user, operation type, and operation result.

    • View the distribution of IP addresses accessing a data table in an RDS instance.

      * and instance_id: rm-bp1*****5u5w and db: s****p and table_name : sys_d*****it | select user,client_ip,count(*) group by user,client_ip

      After you enter the query statement, click Query/Analyze, and then click the Graph tab to view the aggregated results, including user, client_ip, and the corresponding number of accesses.

    • Calculate statistics on the outbound traffic over the internet for all files in a directory of a specified bucket.

      * and __topic__ : oss_access_log and bucket: examplebucket and host : "examplebucket.oss-cn-hangzhou.aliyuncs.com" not sync_request : cdn | select
        SUM(content_length_out) AS total_traffic_out_byte
      WHERE
        url_decode(object) LIKE 'exampledir/%'

      Click the Graph tab to view the query result. The returned field total_traffic_out_byte has a value of 11749, which indicates that the outbound traffic from the specified directory is 11,749 bytes.

Download logs

DSC collects and stores logs in Simple Log Service (SLS). The DSC console integrates the log download feature of the SLS console. This allows you to download logs or query and analysis results to your local computer. The download procedure in the DSC console is similar to that in the SLS console. For more information, see Download logs by using the SLS console.
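Once records are downloaded, the per-user, per-client_ip aggregation from the query examples can be repeated offline and extended into a review list. The following is an added example, not part of the DSC documentation or tooling. It assumes the download is one JSON object per line, that fail = 0 means the statement succeeded (as in the sample entry above), and that the trusted network range and thresholds are placeholders you replace with your own.

```python
import json
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: three lines shaped like a downloaded DSC audit log,
# using only field names from the "Common fields" table. Values are invented.
SAMPLE = """\
{"user": "app_rw", "client_ip": "10.0.3.15", "operate_type": "Select", "fail": "0", "return_rows": "20", "sql": "SELECT * FROM sys_data_limit LIMIT 20"}
{"user": "app_rw", "client_ip": "203.0.113.7", "operate_type": "Select", "fail": "0", "return_rows": "48000", "sql": "SELECT * FROM sys_data_limit"}
{"user": "report", "client_ip": "10.0.3.22", "operate_type": "Update", "fail": "1", "return_rows": "0", "sql": "UPDATE sys_data_limit SET v = 1"}
"""

def to_int(value):
    """Values may arrive as strings; treat missing or malformed ones as 0."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return 0

def triage(lines, trusted_nets, max_rows=10000, max_fail=0):
    """Aggregate per (user, client_ip) and return {pair: [reasons]} for review."""
    nets = [ip_network(n) for n in trusted_nets]
    stats = defaultdict(lambda: {"count": 0, "failed": 0, "rows": 0})
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        s = stats[(rec.get("user", ""), rec.get("client_ip", ""))]
        s["count"] += 1
        s["failed"] += 1 if to_int(rec.get("fail")) != 0 else 0  # assumption: 0 = success
        s["rows"] += to_int(rec.get("return_rows"))
    findings = {}
    for (user, ip), s in stats.items():
        reasons = []
        try:
            if not any(ip_address(ip) in n for n in nets):
                reasons.append("client_ip outside trusted networks")
        except ValueError:
            reasons.append("unparseable client_ip")
        if s["rows"] > max_rows:
            reasons.append(f"returned {s['rows']} rows")
        if s["failed"] > max_fail:
            reasons.append(f"{s['failed']} failed statements")
        if reasons:
            findings[(user, ip)] = reasons
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE.splitlines(), ["10.0.0.0/8"]))
```
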

Data audit logs (old version)

Log modes

  • Analysis mode: View audit logs for a product from a time-based dimension. The audit logs record behavior details, such as the instance name, account, execution duration, and client IP address.

    This feature is supported only for ApsaraDB RDS, PolarDB, PolarDB-X, MongoDB, OceanBase, self-managed databases, AnalyticDB, and AnalyticDB.

  • List mode: View audit logs for a product from an instance-based dimension. The audit logs record the instance name, database, account, client IP address, operation type, and the number of affected rows.

    • For Tablestore, MaxCompute, and Redis, you can view audit logs only from an instance-based dimension. The Analysis mode and List mode tabs are not available in the console. By default, the log list for an instance is displayed.

    • For OSS, you can view audit logs only from a bucket-based dimension. The Analysis mode and List mode tabs are not available in the console. By default, the log list for a bucket is displayed.

Database SQL operation statistics

  1. Log on to the Data Security Center console.

  2. In the navigation pane on the left, select Log Analysis.

  3. On the Log Analysis page, click Switch to Old Version in the upper-right corner.

    If New Version is displayed in the upper-right corner, skip this step.

  4. On the Log Analysis page, view the trend charts for the number of SQL statements (Select, Insert, Delete, Update, and Others) that were executed in the last 12 hours, 1 day, 7 days, or 30 days.

View by time

  1. Log on to the Data Security Center console.

  2. In the navigation pane on the left, select Log Analysis.

  3. On the Log Analysis page, click Switch to Old Version in the upper-right corner.

    If New Version is displayed in the upper-right corner, skip this step.

  4. On the Log Analysis page, in the product type navigation bar on the left, click the target product type.

  5. On the Analysis mode tab, view the log records for the corresponding cloud product.

    After you select a time range, DSC displays the audit logs in reverse chronological order. You can filter the logs by using various criteria.

    Available filters include Time (Last 15 minutes, Last 30 minutes, Last 1 hour, Last 12 hours, Last 1 day, or Last 7 days), Region, Instance, Account, Client IP, Database Name, Operation Type, SQL Command, Execution Duration (in milliseconds), and Number of affected rows. The results list shows key information for each audit record. To view the complete information, click Details.

  6. In the Actions column of a log record, click Details to view its details, including information about the client, server, and behavior.

View by instance

  1. Log on to the Data Security Center console.

  2. In the navigation pane on the left, select Log Analysis.

  3. On the Log Analysis page, click Switch to Old Version in the upper-right corner.

    If New Version is displayed in the upper-right corner, skip this step.

  4. On the Log Analysis page, click the target product name in the navigation bar on the left.

  5. Above the log list, click the List mode tab.

    For Redis, OSS, Tablestore, and MaxCompute, you can view logs only by instance. By default, the List mode button is not displayed.

  6. In list mode, view the log records.

    You can search for and view audit logs that meet specific conditions based on the parameters displayed in the console.

    In list mode, the left-side navigation bar categorizes data assets. You can switch between Analysis mode and List mode, and filter by a Time range. Use filters such as Region, Instance, Account, Client IP, Database Name, Operation Type, SQL Command, Execution Duration, and Number of affected rows, and then click Search. The results table displays key details for each log, including Instance, Instance Alias, Database, Account, Client IP, Operation Type, Number of affected rows, and Actions. To view a specific log, click Details.

  7. In the Actions column of a log record, click Details to view its details, including information about the client, server, and behavior.

Export logs

  1. Log on to the Data Security Center console.

  2. In the navigation pane on the left, select Log Analysis.

  3. On the Log Analysis page, click Switch to Old Version in the upper-right corner.

    If New Version is displayed in the upper-right corner, skip this step.

  4. In the product name navigation bar on the left side of the Log Analysis page, click the target product name.

  5. Select a time range and specify other information. Then, click Search.

  6. Click Export.

    This action exports all log records from the current page.

Related documents

  • DSC stores the audit logs that you can query online. You can view the current storage usage and manage the storage rules for online and archived logs. For more information, see Manage log storage.

  • By default, DSC provides built-in audit rules for data assets. These include database audit rules, OSS audit rules, and MaxCompute audit rules. You can also create custom audit rules. After you enable audit alert rules, you can use audit logs to detect risks to data assets, such as abnormal operations, data leaks, vulnerabilities, and SQL injection attacks. For more information, see Configure and enable audit alert rules.

  • After you enable an audit alert rule, DSC reports behaviors that trigger the rule as audit alerts in DSC. You can analyze and handle the related risks based on the alert information and audit logs. For more information, see View and handle audit alerts.