View audit logs

The audit log feature lets you query all audit data. This topic describes how to query audit logs in Database Audit and the Log Service console.

View audit logs in Database Audit

Step 1: Log on to Database Audit

  1. Log on to the Database Audit system. For more information, see Log on to the Database Audit system.

  2. In the left-side navigation pane, choose Query and Analysis > Audit Logs.

Step 2: Set query conditions

Set query conditions on the Audit Logs tab of the Audit Logs page.

  1. Select a time range.

  2. Specify keywords for the packet.

    To use multiple keywords, separate them with commas (,) or spaces. Commas act as an OR operator, and spaces act as an AND operator.

  3. Set more search criteria.

    The Audit Logs page displays common filter conditions by default. To use more filter conditions, click More, and then select and configure the conditions that you need. The following table describes the supported filter conditions.

    Note

    Filter conditions are combined with an AND operator.

    Filter conditions

    Audit ID: A unique ID for an audit record. Each SQL packet has a unique audit ID. To enter multiple values, separate them with commas (,).

    Session ID: A unique ID for a session record.

    SQL template ID: The ID of the SQL template to query.

    Asset: The asset or asset group to query.

    Database account: The name of the account used to log on to the database.

    Client IP address: The IP address of the client that connects to the database. IPv4 and IPv6 addresses are supported.

    Client port: The port number of the client that connects to the database.

    Client MAC address: The MAC address of the client.

    Server IP address: The IP address of the database server. IPv4 and IPv6 addresses are supported.

    Server port: The port number of the database server.

    Server MAC address: The MAC address of the server.

    Database name/instance name: The database name or instance name.

    Object: A database object, such as a database, table, column, view, stored procedure, function, trigger, index, user, role, or permission.

    Client tool: The client tool used to log on to the database.

    Hostname: The hostname of the database server.

    OS user: The username of the operating system.

    Affected rows: The number of affected rows.

    Execution duration (μs): The execution duration of the SQL statement.

    Execution result description: The description of the result after the SQL statement is executed, for example, ORA-00942: table or view does not exist.

    Result set: The result set returned by a statement such as SELECT. By default, five rows of data are saved, up to a maximum size of 64 KB. You can go to the Asset Management page and click Edit Asset to modify the number of rows and the maximum size to be saved.

    Associated IP: The associated IP address identified by the C/S application user identification feature.

    Associated account: The associated account identified by the C/S application user identification feature.

    Operation type: The operation type of the SQL statement, such as Select, Insert, or Update.

    Database type: The type of the database.

    Execution status: The execution status of the SQL statement. Valid values:

    • All (default)

    • Unknown

    • Succeeded

    • Failed

  4. (Optional) Save the query conditions.

    To save the query conditions, click Save.

    Saved conditions can be selected from the drop-down list for future queries.

  5. Click the Set Displayed Columns icon. In the Set Displayed Columns dialog box, select the columns you want to display in the results, and then click OK.

  6. Click Search to run the query.

    Note

    You can query up to 10,000 records at a time.

    After the query completes, you can view the results in the Log List.
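The keyword rules above (commas act as OR, spaces act as AND, and filter conditions are ANDed together) are easy to get wrong when you re-run a console query against records you have downloaded from Log Service. The following is an added example, not code from Database Audit or its documentation: a small Python matcher that reproduces those rules over constructed sample records. The record field names (audit_id, account, client_ip, packet) are our own, and the precedence (commas are split first, so spaces bind tighter) is an assumption that the page does not state.

```python
"""Offline equivalent of the Audit Logs keyword and filter semantics.

Hypothetical helper, not part of Database Audit: it reproduces the documented
rules (commas = OR, spaces = AND, filter conditions ANDed together) so that
records exported from Log Service can be filtered the same way locally.
"""


def parse_keywords(expr):
    """Split a keyword string into OR groups of AND terms.

    Assumption: commas are split first, so 'drop,truncate users' means
    drop OR (truncate AND users). Matching is case-insensitive.
    """
    groups = []
    for group in expr.split(","):
        terms = [term.lower() for term in group.split() if term]
        if terms:
            groups.append(terms)
    return groups


def packet_matches(packet, groups):
    """True when any OR group has all of its AND terms in the packet text."""
    if not groups:
        return True  # no keywords given: every packet matches
    text = packet.lower()
    return any(all(term in text for term in group) for group in groups)


def query(records, keywords="", **filters):
    """Return records matching the keywords and every filter condition (AND)."""
    groups = parse_keywords(keywords)
    return [
        rec for rec in records
        if packet_matches(rec["packet"], groups)
        and all(rec.get(field) == value for field, value in filters.items())
    ]


def audit_ids(records):
    """Audit IDs of a result list, in order, for quick inspection."""
    return [rec["audit_id"] for rec in records]


# Constructed sample records (not real audit data); the field names are our own.
SAMPLE_RECORDS = [
    {"audit_id": "1", "account": "app_user", "client_ip": "10.0.0.5",
     "packet": "SELECT id FROM orders WHERE id = 7"},
    {"audit_id": "2", "account": "dba", "client_ip": "10.0.0.9",
     "packet": "DROP TABLE orders"},
    {"audit_id": "3", "account": "app_user", "client_ip": "10.0.0.5",
     "packet": "TRUNCATE TABLE users"},
    {"audit_id": "4", "account": "dba", "client_ip": "10.0.0.9",
     "packet": "GRANT ALL ON users TO reporting"},
]

if __name__ == "__main__":
    # Destructive statements by anyone, then grants limited to the dba account.
    print(audit_ids(query(SAMPLE_RECORDS, "drop,truncate users")))
    print(audit_ids(query(SAMPLE_RECORDS, "grant", account="dba")))
```

The keyword argument form of `query` mirrors the console's filter conditions: every filter you pass must hold, while the keyword expression alone decides which packets are candidates.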

Step 3: View audit log details

  • View details

    In the Log List, click Details in the Actions column. On the Audit Log Details page, you can view information such as Basic information, Client, Server, Request, Response, and Association information.

  • Set an alias

    Set client IP alias

    1. Click Set Alias next to Client IP address.

    2. On the Add IP Alias page, enter a Name, IP/Network, and Note, and then click Save.

    3. On the Auxiliary Function page, you can view the list of IP aliases on the IP Alias tab.

    Set database account alias

    1. Click Set Alias next to Database account.

    2. On the Add Account Alias page, enter a Name, Asset, Database account, and Note, and then click Save.

    3. On the Auxiliary Function page, you can view the list of account aliases on the Account Alias tab.

  • SQL template filtering

    On the SQL template tab in the Request section, view the SQL template for the packet. Click Filter This Template to add the SQL template to the filter conditions. Click Do Not Filter This Template to remove it from the filter conditions. For more information, see SQL template filtering.

  • C/S application user identification

    1. At the bottom of the Audit Log Details page, click Extract C/S app username.

    2. In the Add C/S application identification configuration dialog box, select an SQL template and Parameter Position, and then click OK.

      After you configure C/S application user identification, the system adds the configuration to the C/S application user identification list. For more information, see C/S application user identification.

  • Forensics

    1. At the bottom of the Audit Log Details page, click Forensics.

    2. In the Download dialog box, click Download to download the complete details page for this audit log entry.

  • Click Previous or Next to navigate to the adjacent audit log entry.

View audit logs in the Log Service console

Database Audit stores audited database operation logs in Log Service. The logs you query in Database Audit originate from Log Service, but you can also view and download them directly from the Projects and Logstores that are created by Database Audit in the Log Service console.

Procedure

  1. Log on to the Log Service console.

  2. In the Project list, find the Project related to Database Audit and click its name.

    Projects created by Database Audit have the following comment: Created by Database Audit. Do not delete. You can use this comment to locate the relevant Project.

  3. On the Logstores page, click the name of the target Logstore.

    Logstores whose names start with dbaudit-audit store audit logs.

  4. On the details page of the target Logstore, select a time range and view the log details.

    For detailed descriptions of the log fields, see Log field reference.

Log fields

a: The audit log ID.

alarmLevel: Indicates whether an alert was triggered. Valid values:

  • 0: No

  • 1: Yes

alarmName: The alert severity level. Valid values:

  • 1: Low

  • 2: Medium

  • 3: High

b: The session ID.

c: The SQL template ID.

c1: An internal field. You can ignore this field.

c2: The packet structure.

c3: The operation object type. Valid values:

  • 1000: select

  • 2000: insert

  • 3000: update

  • 4000: delete

  • 5000: truncate

  • 6001: create_database

  • 6005: create_user

  • 7001: alter_database

  • 7005: alter_user

  • 8001: drop_database

  • 8005: drop_user

  • 12000: grant

  • 13000: revoke

c4: An internal field. You can ignore this field.

c5: An internal field. You can ignore this field.

d: The raw packet content.

dmac: The server MAC address.

e: The number of affected rows.

f: The database name or the system identifier (SID) of the database instance.

g: The execution duration.

h: The length of the SQL statement.

i: The result set.

iid: The ID of the Database Audit instance.

j: The size of the result set.

k: Indicates whether an alert was triggered.

l: The time when the event occurred.

logType: The log type.

m: The execution result description. This field contains an error message if the execution fails.

n: The execution status.

o: An internal field. You can ignore this field.

opObj: An internal field. You can ignore this field.

p: An internal field. You can ignore this field.

param: The SQL parameters.

pickIp: An internal field. You can ignore this field.

pickUser: An internal field. You can ignore this field.

q: The database type.

r: The client IP address.

relateInfo: An internal field. You can ignore this field.

s: The client port.

smac: The client MAC address.

sqlModule: The SQL template.

t: The server IP address.

tenant: The tenant.

u: The server port.

uid: The Alibaba Cloud account ID.

v: The logon account.

w: The client tool.

x: The client hostname.

y: The OS user.

z: The operation type. For more information about the valid values, see Operation type values.

Operation type values

0: UNKNOWN

1: Select

2: Insert

3: Update

4: Delete

5: Truncate

6: Create

7: Alter

8: Drop

9: Savepoint

10: Commit

11: Rollback

12: Grant

13: Revoke

14: Call

15: Desc

16: Describe

17: Comment

18: Rename

19: Load

20: Unload

21: Abort

22: Explain

23: Shutdown

24: Kill

25: Exec

26: Execute

27: Login

28: Logout

29: Begin

30: Set

31: Use

32: Disassociate

33: Audit

34: Associate

35: Analyze

36: Noaudit

37: Lock

38: Merge

39: User

40: Description

41: If

42: With

43: Declare

44: Flashback

45: Terminate

46: Show

47: Upsert

48: Ping

49: Replace

50: Database

51: Flush

52: Mysqladmin

53: Reset

54: Cancel

55: Find

56: Get

57: Ismaster

58: Runcommand

59: Admincommand

60: Do

61: Return

62: Copy

63: Repair
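Records pulled from the dbaudit-audit Logstore carry the single-letter field names and numeric enumerations listed in the log field reference and the operation type table above, which makes them awkward to review or to feed into detection rules as-is. The following is an added example, not Database Audit's own code: a Python decoder that renames the fields, decodes alarmLevel, alarmName, c3 and z using the documented values (the z and field-name maps cover only a subset of the tables), and then applies a simple review policy. The policy (surface alerts, privilege and schema changes, and failed executions) and the sample records are our own constructions.

```python
"""Decode Database Audit records from Log Service into reviewable events.

Hypothetical helper, not Database Audit's own code. The single-letter field
names and the enumerations come from the log field reference; the review
rules and the sample records are our own.
"""

# Readable names for the single-letter fields (subset of the reference table).
FIELD_NAMES = {
    "a": "audit_id", "b": "session_id", "c": "sql_template_id",
    "d": "raw_packet", "e": "affected_rows", "f": "database_name",
    "g": "execution_duration_us", "l": "event_time", "m": "execution_result",
    "n": "execution_status", "q": "database_type", "r": "client_ip",
    "s": "client_port", "t": "server_ip", "u": "server_port",
    "v": "logon_account", "w": "client_tool", "x": "client_hostname",
    "y": "os_user", "z": "operation_type",
}

# Field z: operation type (subset of the documented values).
OPERATION_TYPES = {
    0: "UNKNOWN", 1: "Select", 2: "Insert", 3: "Update", 4: "Delete",
    5: "Truncate", 6: "Create", 7: "Alter", 8: "Drop", 12: "Grant",
    13: "Revoke", 24: "Kill", 27: "Login", 28: "Logout", 30: "Set",
}

# Field c3: operation object type (all documented values).
OBJECT_TYPES = {
    1000: "select", 2000: "insert", 3000: "update", 4000: "delete",
    5000: "truncate", 6001: "create_database", 6005: "create_user",
    7001: "alter_database", 7005: "alter_user", 8001: "drop_database",
    8005: "drop_user", 12000: "grant", 13000: "revoke",
}

# Field alarmName: alert severity level.
ALERT_SEVERITY = {1: "Low", 2: "Medium", 3: "High"}

# Our own review policy: privilege and schema changes are surfaced even without an alert.
REVIEW_OPERATIONS = {"Grant", "Revoke", "Create", "Alter", "Drop", "Truncate"}


def decode_record(record):
    """Rename fields and decode the enumerations of one Log Service record."""
    event = {FIELD_NAMES.get(key, key): value for key, value in record.items()}
    z = int(record.get("z") or 0)
    event["operation_type"] = OPERATION_TYPES.get(z, f"unknown({z})")
    if record.get("c3"):
        c3 = int(record["c3"])
        event["object_type"] = OBJECT_TYPES.get(c3, f"unknown({c3})")
    event["alert_triggered"] = record.get("alarmLevel") == "1"
    severity = int(record.get("alarmName") or 0)
    event["alert_severity"] = ALERT_SEVERITY.get(severity) if event["alert_triggered"] else None
    return event


def triage(records):
    """Decoded events that need a reviewer's attention, each with its reasons."""
    findings = []
    for record in records:
        event = decode_record(record)
        reasons = []
        if event["alert_triggered"]:
            reasons.append(f"alert:{event['alert_severity']}")
        if event["operation_type"] in REVIEW_OPERATIONS:
            reasons.append(f"privileged-op:{event['operation_type']}")
        if event.get("execution_result"):  # field m carries an error message on failure
            reasons.append(f"failed:{event['execution_result']}")
        if reasons:
            event["reasons"] = reasons
            findings.append(event)
    return findings


# Constructed sample records (not real audit data), keyed by the documented field names.
SAMPLE_RECORDS = [
    {"a": "1001", "b": "77", "l": "2024-01-01 10:00:00", "r": "10.0.0.5", "t": "10.0.1.9",
     "v": "app_user", "q": "MySQL", "z": "1", "c3": "1000", "e": "5", "alarmLevel": "0", "m": ""},
    {"a": "1002", "b": "78", "l": "2024-01-01 10:01:00", "r": "10.0.0.9", "t": "10.0.1.9",
     "v": "dba", "q": "MySQL", "z": "12", "c3": "12000", "e": "0", "alarmLevel": "1",
     "alarmName": "3", "m": ""},
    {"a": "1003", "b": "77", "l": "2024-01-01 10:02:00", "r": "10.0.0.5", "t": "10.0.1.9",
     "v": "app_user", "q": "Oracle", "z": "1", "c3": "1000", "e": "0", "alarmLevel": "0",
     "m": "ORA-00942: table or view does not exist"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding["audit_id"], finding["logon_account"], finding["reasons"])
```

Decoding z and c3 before matching means a rule such as "GRANT outside a change window" is written against names rather than the numbers 12 and 12000, and the same decoder can be reused whether the records come from a Logstore export or from the console's download.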