Enable DAS Enterprise Edition (NoSQL Compatible) audit log


The DAS Enterprise Edition (NoSQL Compatible) audit log builds on Alibaba Cloud Log Service to enhance standard audit log capabilities such as querying, online analysis, and exporting. It also supports tiered hot and cold storage, configurable retention periods per instance, and instance-level bill splitting, helping you monitor the security and performance of your ApsaraDB for MongoDB instances.

Scenarios

ApsaraDB for MongoDB integrates Log Service to deliver a more stable, flexible, and efficient audit log service.

  • Operational auditing: Identify who modified data and when. This helps you detect internal risks, such as privilege abuse or the execution of non-compliant commands.

  • Security and compliance: Help your business systems meet security regulation auditing requirements.

Prerequisites

  • Your instance must be a replica set instance or a sharded cluster instance. This feature is not supported on single-node instances.

  • Log Service is activated. For more information, see Activate Log Service.

  • To enable the audit log as a RAM user, grant the user the following permissions:

    • AliyunLogFullAccess: This is a system policy. For more information about how to grant permissions, see Grant permissions to a RAM user.

    • dds:CheckServiceLinkedRole: This is a custom policy that you must create in the Access Control console before granting it to a RAM user. For instructions on how to create a custom policy by using the script editor, see Create a custom policy. For instructions on how to grant permissions, see Grant permissions to a RAM user.

      The following script is an example of the dds:CheckServiceLinkedRole policy.

      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "dds:CheckServiceLinkedRole",
            "Resource": "*"
          }
        ]
      }

  • To access the audit log as a RAM user, you must grant the RAM user the AliyunLogFullAccess or AliyunLogReadOnlyAccess permission. For more information about how to grant permissions, see Grant permissions to a RAM user.
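As an added example (not part of the Alibaba Cloud documentation), the following Python script parses a RAM policy document such as the one above and reports whether it grants dds:CheckServiceLinkedRole, whether a Deny statement would override that grant, and whether the grant is wider than the prerequisite needs. The first embedded policy is the page's own example; the second is a constructed over-broad variant used for comparison.

```python
import json
from fnmatch import fnmatchcase

REQUIRED_ACTION = "dds:CheckServiceLinkedRole"

# The custom policy shown on the page, embedded here as the reference input.
PAGE_POLICY = """
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "dds:CheckServiceLinkedRole",
      "Resource": "*"
    }
  ]
}
"""

# A constructed, deliberately over-broad variant: it also grants the action,
# but through a wildcard that covers every dds: API.
BROAD_POLICY = """
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": ["dds:*", "log:*"], "Resource": "*"}
  ]
}
"""


def _as_list(value):
    """RAM allows Action and Resource to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_policy(policy_json, required_action=REQUIRED_ACTION):
    """Report on whether a RAM policy document grants required_action.

    granted  - an Allow statement matches the action (exactly or via wildcard)
    denied   - a Deny statement also matches it (Deny wins in RAM evaluation)
    broad    - Allow patterns that match the action but are wider than it
    problems - structural issues a reviewer would flag before attaching the policy
    """
    doc = json.loads(policy_json)
    report = {"granted": False, "denied": False, "broad": [], "problems": []}
    if doc.get("Version") != "1":
        report["problems"].append('Version should be "1"')
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            report["problems"].append(f"statement {idx}: Effect must be Allow or Deny")
            continue
        for pattern in _as_list(stmt.get("Action")):
            # RAM action patterns use * as a wildcard, e.g. dds:* or *.
            if not fnmatchcase(required_action, pattern):
                continue
            if effect == "Deny":
                report["denied"] = True
            else:
                report["granted"] = True
                if pattern != required_action:
                    report["broad"].append(pattern)
    return report


if __name__ == "__main__":
    for name, policy in (("page policy", PAGE_POLICY), ("broad policy", BROAD_POLICY)):
        print(name, check_policy(policy))
```

A policy that reports granted=True with an empty broad list is the least-privilege form the prerequisite asks for; a non-empty broad list means the RAM user receives more dds: permissions than this feature needs.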

Usage notes

  • Enabling the audit log records write operations, which can degrade performance and cause latency jitter on your ApsaraDB for MongoDB instance. For instances that run MongoDB 6.0 or later, you may experience a 15% to 20% performance loss. For instances that run an earlier version, the performance loss may be greater. For more information, see Performance impact of enabling the audit log.

    Note

    If your ApsaraDB for MongoDB instance handles a high volume of write operations, we recommend enabling this feature only for troubleshooting or security audits to prevent performance degradation.

  • After you enable the audit log, the admin and slow operation types are audited by default. To change the audited operation types, see Modify the DAS Enterprise Edition (NoSQL Compatible) audit log.

  • If you use the standard audit log, you can upgrade to the DAS Enterprise Edition (NoSQL Compatible) audit log for tiered hot and cold storage, per-instance retention periods, and instance-level bill splitting.

Billing

All billable items below use the pay-as-you-go billing method.

  • Log traffic

    Daily unit price: CNY 0.24/GB

    Description: Default fee. This pay-as-you-go fee applies when logs are ingested into storage and covers basic processes such as collection, transmission, and writing.

  • Cold storage

    Daily unit price: CNY 0.00625/GB/hour

    Description: Default fee. Cold storage fees are based on log volume and storage duration.

      • If hot storage is disabled, all logs incur cold storage fees.

      • If you enable hot storage:

        • New logs are first stored in hot storage, incurring the hot storage fee for that period.

        • After the hot storage period expires, the system automatically moves the data to cold storage at no extra cost.

  • Log indexing

    Daily unit price: CNY 0.24/GB

    Description:

      • This fee applies only when you enable the log indexing feature.

      • Indexed log data is stored in hot storage. The system automatically creates optimized indexes to improve data read speed.

  • Hot storage

    Daily unit price: CNY 0.008/GB/hour

    Description:

      • Hot storage fees are based on log volume and storage duration.

      • After the hot storage period expires, the system automatically moves the data to cold storage at no extra cost.

      • Hot storage retains logs for a maximum of 7 days.

Important

The unit prices in this topic are for reference only. For actual pricing, refer to the purchase page and your bill. For more information, see ApsaraDB for MongoDB Pricing.
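The tiering rules above (an ingestion fee charged once, an indexing fee charged once if indexing is on, hot storage for at most 7 days, then a free move to cold storage for the rest of the retention period) can be turned into a steady-state cost estimator. The following Python script is an added example, not Alibaba Cloud's own calculator; it uses the reference unit prices from the table and assumes, because the page does not say, that the hot storage period is counted within the configured retention period and that hot storage is only configured together with log indexing.

```python
# Reference unit prices from the billing table on this page (CNY).
LOG_TRAFFIC_PER_GB = 0.24      # charged once, when a day's logs are ingested
LOG_INDEX_PER_GB = 0.24        # charged once, only if log indexing is enabled
HOT_PER_GB_HOUR = 0.008
COLD_PER_GB_HOUR = 0.00625
HOT_MAX_DAYS = 7               # hot storage keeps logs for at most 7 days
RETENTION_MIN_DAYS = 30        # cold storage retention range allowed in the console
RETENTION_MAX_DAYS = 1825
HOURS_PER_DAY = 24


def estimate_daily_cost(daily_gb, retention_days, indexing=False, hot_days=0):
    """Steady-state daily audit log cost (CNY) for one instance, by component.

    Assumptions (not stated on the page): retention_days is the total time a
    log record is kept, its first hot_days are spent in hot storage before the
    free move to cold storage, and hot storage requires log indexing.
    """
    if daily_gb < 0:
        raise ValueError("daily_gb must be non-negative")
    if not RETENTION_MIN_DAYS <= retention_days <= RETENTION_MAX_DAYS:
        raise ValueError(f"retention must be {RETENTION_MIN_DAYS}-{RETENTION_MAX_DAYS} days")
    if not 0 <= hot_days <= HOT_MAX_DAYS:
        raise ValueError(f"hot storage duration must be 0-{HOT_MAX_DAYS} days")
    if hot_days > 0 and not indexing:
        raise ValueError("hot storage is configured together with log indexing")

    # At steady state one day's ingest volume is on disk for every day of the
    # retention period, split into hot and cold by age.
    hot_gb_hours = daily_gb * hot_days * HOURS_PER_DAY
    cold_gb_hours = daily_gb * (retention_days - hot_days) * HOURS_PER_DAY

    cost = {
        "log_traffic": daily_gb * LOG_TRAFFIC_PER_GB,
        "log_indexing": daily_gb * LOG_INDEX_PER_GB if indexing else 0.0,
        "hot_storage": hot_gb_hours * HOT_PER_GB_HOUR,
        "cold_storage": cold_gb_hours * COLD_PER_GB_HOUR,
    }
    cost["total"] = sum(cost.values())
    return {name: round(value, 6) for name, value in cost.items()}


def retention_savings(daily_gb, from_days, to_days, indexing=False, hot_days=0):
    """Daily CNY saved by shortening the retention period from from_days to to_days."""
    before = estimate_daily_cost(daily_gb, from_days, indexing, hot_days)["total"]
    after = estimate_daily_cost(daily_gb, to_days, indexing, hot_days)["total"]
    return round(before - after, 6)


if __name__ == "__main__":
    # Constructed workload: 1 GB of audit log per day.
    print("30 days, cold only:        ", estimate_daily_cost(1.0, 30))
    print("30 days, indexed, 1 day hot:", estimate_daily_cost(1.0, 30, indexing=True, hot_days=1))
    print("saved/day by 90 -> 30 days:", retention_savings(1.0, 90, 30))
```

The cold storage term dominates as the retention period grows, which is why shortening the retention period is the first cost lever listed below; the indexing and hot storage terms are bounded because hot storage is capped at 7 days.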

You can use the following methods to reduce audit log costs.

  • Shorten the audit log retention period

    Risk: This reduces the historical time range available for auditing.

    Reference: Modify the DAS Enterprise Edition (NoSQL Compatible) audit log

  • Reduce the number of audited operation types

    Risk: If you deselect an operation type, the system stops uploading logs for that type.

    Note: After you deselect an operation type, existing audit logs for that type are retained only for the configured retention period. For example, your audit log retention period is 5 days, and you are auditing admin, slow, and query operations. If you deselect the query type at 00:00:00 on October 10, 2022, no new query logs are saved. The existing query logs from 00:00:00 on October 5, 2022 to 00:00:00 on October 10, 2022 are deleted as they expire.

    Reference: Modify the DAS Enterprise Edition (NoSQL Compatible) audit log

  • Disable the audit log

    Risk: After you disable the audit log, audit log uploads for the instance stop. You can no longer trace subsequent access operations.

    Note: After you disable the audit log, existing audit logs are retained only for the configured retention period. For example, your audit log retention period is 5 days. If you disable the audit log at 00:00:00 on October 10, 2022, no new audit logs are saved. The existing logs from 00:00:00 on October 5, 2022 to 00:00:00 on October 10, 2022 are deleted as they expire.

    Reference: Disable the DAS Enterprise Edition (NoSQL Compatible) audit log

Procedure

Note
  • Enabling the DAS Enterprise Edition (NoSQL Compatible) audit log does not require an instance restart.

  • Currently, the DAS Enterprise Edition (NoSQL Compatible) audit log is available only in the China (Shanghai), China (Ulanqab), China (Hong Kong), Germany (Frankfurt), and Singapore regions. Support for other regions is being rolled out.

  1. Log on to the ApsaraDB for MongoDB console.

  2. In the left-side navigation pane, click Replica Set Instances or Sharded Cluster Instances, based on your instance type.

  3. In the upper-left corner of the page, select the region and resource group for your instance.

  4. Click the ID of the desired instance, or click Manage in the Actions column for that instance.

  5. In the left-side navigation pane, choose Data Security > Audit Logs.

  6. Click Enable DAS Enterprise Edition (NoSQL Compatible) and configure the settings.

    • Set the SQL Log Retention Period (cold storage). The value must be between 30 and 1,825 days. The default is 30 days.

    • (Optional) To enable log indexing, select Enable log indexing and set the Hot storage duration. The value must be between 0 and 7 days. The default is 1 day.

  7. Click Submit.

    Note
    • When you enable the audit log, ApsaraDB for MongoDB automatically obtains the AliyunServiceRoleForMongoDB role to grant Log Service the required permissions.

    • In the Daily SQL Log Traffic Estimation section, you can estimate your daily audit log traffic and its corresponding cost. This estimate does not affect actual audit log usage.

API reference

  • DescribeAuditPolicy: Checks whether the audit log is enabled for an instance.

  • ModifyAuditPolicy: Enables or disables the audit log for an instance and sets its retention period.

  • ModifySqlLogConfig: Enables or configures the DAS Enterprise Edition (NoSQL Compatible) audit log.

Related documents