Before auditing a database, you must add it to Database Audit. This topic describes how to add, modify, and delete database assets in Database Audit.
Background information
For a list of database types supported by Database Audit, see Supported Database Types.
Database Audit can audit database access traffic on an internal network only, not on a public network.
Add a database
Log on to Database Audit. For instructions, see Log on to the Database Audit system.
In the navigation pane on the left, choose .
On the Assets page, click Add.
In the Add Asset panel, configure the database parameters and click Save.
Add an RDS instance
Database Audit automatically discovers RDS instances within your configured VPC. To audit these instances, you only need to enable the audit feature. These automatically discovered instances are classified as the RDS asset type. You can also add an RDS database instance manually. A manually added RDS instance is classified as a user-created database asset.
Parameter
Description
Type
Select RDS, and then select the type and version of the RDS instance that you want to audit.
RDS database instance
From the drop-down list, select the ID of the RDS instance that you want to audit.
Name
Enter a name for the database asset. By default, the name of the selected RDS instance is used, but you can change it.
Address and port
After you select an RDS instance, the system automatically populates the IP address and port. You cannot modify this information during creation.
You can modify the IP address and port after the database asset is added. For instructions, see Modify a database asset.
NoteRDS instances do not support encrypted audit. You do not need to enable the Use SSL switch.
Add a PolarDB, PolarDB-X, AnalyticDB, OceanBase, or general-purpose database
Parameter
Description
Type
Select a database type and version under PolarDB, PolarDB-X, AnalyticDB, OceanBase, or General.
Name
Enter a name for the database asset.
Address and port
Enter the IP address and port of the database. You can click the
icon to add multiple entries. NoteIn scenarios such as Oracle Real Application Clusters (RAC) or MySQL read/write splitting, you can add multiple IP addresses and ports to audit the entire cluster.
Use SSL
The Use SSL switch is available only when you select MySQL as the database type. To use encrypted audit, the database must meet the following conditions:
The database type is user-created MySQL 5.6.
The encryption algorithm is AES256-SHA or AES128-SHA (one-way authentication).
If your MySQL database meets these conditions and is configured with an SSL certificate, you must enable the Use SSL switch and upload the certificate in the SSL key section. Otherwise, Database Audit cannot audit the encrypted traffic. If the database does not meet these conditions or is not configured with a certificate, you can leave this parameter unconfigured and leave the Use SSL switch disabled.
SSL key
After you enable the Use SSL switch, upload the certificate file for the target database. Click Upload Certificate File to select and upload the file.
You can import only certificates in PEM format. If your certificate is in a different format, you must first convert it to PEM format. For instructions on how to convert certificate formats, see How do I convert the format of a certificate?.
ImportantYou can obtain the certificate file from your database provider.
A successful parse of your uploaded certificate indicates that its RSA algorithm is supported. If an error occurs when parsing the certificate file, join the DingTalk group (ID: 44519396) to contact product and technical experts for assistance.
To apply Database Audit's built-in rules to the target database, select Associate built-in general rules upon saving.
The database is successfully added. The added database is displayed on the Assets page. You can also view the added database in the Assets area on the Overview page. After you add the database, you must also deploy the Database Audit agent on the database server to start collecting audit data. For more information, see Install Agent.
After you add the database asset, perform the following steps:
Deploy the Database Audit agent on the database's server. This allows Database Audit to collect access traffic from the target database. For instructions, see Install an agent.
Configure security rules for the database asset. This allows Database Audit to trigger alerts for audit records that match the rules.
Modify a database
If a database asset's configuration changes, you must update its information in Database Audit.
Log on to Database Audit. For instructions, see Log on to the Database Audit system.
In the navigation pane on the left, choose .
Find the database asset that you want to modify and click Modify.
In the Modify Asset panel, change the database configuration and click Save.
For a description of the database configuration parameters, see Step 4 in the Add a database section.
Delete a database
If you no longer need to audit a database, you can delete the user-created database asset from Database Audit. You cannot delete assets that are classified as RDS.
Log on to Database Audit. For instructions, see Log on to the Database Audit system.
In the navigation pane on the left, choose .
Find the database asset that you want to delete and click Delete.
In the confirmation message that appears, click OK to delete the database asset.