The audit log feature, powered by Alibaba Cloud Simple Log Service (SLS), records all write operations for your Tair (Redis OSS-compatible) instances. It allows you to query, analyze, and export audit logs. This helps security auditors detect unusual data operations and pinpoint who made changes and when. It also helps your business meet security and compliance requirements and enables developers and operations engineers to identify performance issues.
Overview
After you enable the audit log feature, the system records write operations. It does not record read operations.
In write-intensive scenarios, such as frequent use of the INCR command, this feature can cause a 5% to 15% performance decrease and occasional latency jitter. We recommend that you enable this feature only when troubleshooting issues or performing security audits.
If a command has too many parameters, is too long, or exceeds the total length limit, the command is truncated in the audit log. The format is similar to the SLOWLOG command.
Use cases
Tair (Redis OSS-compatible) integrates with Simple Log Service to provide a stable, user-friendly, flexible, and efficient audit log service. Common use cases include:
Typical scenario | Description |
--- | --- |
Operation review | Identifies who modified data and when, which helps detect internal risks such as permission abuse or the execution of non-compliant commands. |
Security and compliance | Helps your business systems meet the audit requirements specified in security standards. |
Billing
You are charged on a pay-as-you-go basis for the storage and retention of audit logs. Billing rates vary by region. For more information, see Billing.
After you disable the audit log feature, logs are still stored for the previously set Log Retention Period until they expire. Therefore, you continue to incur charges for audit logs after the feature is disabled.
RAM user permissions
If you use your Alibaba Cloud account, you can skip this section. If a RAM user needs to enable the audit log feature, the user must have administrative permissions for Simple Log Service.
You can attach the system AliyunLogFullAccess policy to the RAM user. This policy grants the RAM user permission to manage all Logstores. For more information, see Grant permissions to a RAM user.
Alternatively, you can create a custom policy that allows the RAM user to manage only the audit logs of specific Tair (Redis OSS-compatible) instances.
Procedure
Log on to the console and go to the Instances page. In the top navigation bar, select the region in which the instance is deployed. Then, find the instance and click its ID.
In the left-side navigation pane, choose .
Set the log retention period.
Note: This setting applies to all instances that have the audit log feature enabled in the current region. You are charged for audit logs based on storage usage and the retention period. The retention period can be set from 1 to 365 days.
Click Estimate Fees and Enable Audit Logs.
In the dialog box that appears, review the cost estimate and the on-screen messages, and then click Enable.
Note: If Simple Log Service is not yet enabled for your account, follow the on-screen instructions to enable it.
FAQ
Q: How do I disable the audit log feature for a specific instance?
A: On the Audit Logs page, click Service Settings in the upper-right corner to disable auditing for all nodes.
Q: How do I download the complete audit log?
A: For detailed instructions, see Download logs. Note the following:
When you download logs, the target Project name must be in the format nosql-{Your_Alibaba_Cloud_Account_ID}-{Region_ID}, such as nosql-176498472******-cn-hangzhou. Then, select redis_audit_log_standard as the target Logstore.
To download all logs, set the download method to Download Via Cloud Shell or Download Via CLI. If you select Download Directly, only the logs displayed on the current page are downloaded.
Q: Why does the audit log feature support only write operations and not read operations?
A: In most scenarios, read operations are far more frequent than write operations. Auditing read operations would cause a significant performance impact. Additionally, the large volume of data could lead to log loss. For these reasons, auditing read operations is not supported.
Q: The log retention period is set at the region level. If I set it to 7 days for one instance and then to 14 days for another instance in the same region, which setting will be used?
A: The most recent setting is applied.
Q: Why do some audit logs show a client IP address that does not belong to my application's client?
A: Audit logs also include records of internal management operations. You can filter out this information if needed.
Q: Why can't I enable the audit log feature for my instance even though it is compatible with Redis 4.0 or later?
A: This can happen if the minor version of your instance is too old. You can upgrade the minor and proxy versions and then try again.
Q: Why do some audit logs show the client IP address as 127.0.0.1?
A: Logs with the client IP address 127.0.0.1 have two possible sources:
For instances that run major version 7.0 with a minor version earlier than 7.0.1.17 and use Lua scripts, the client IP address is recorded as 127.0.0.1. After you upgrade to the latest minor version, the actual client IP address is recorded.
Internal management operations performed by the instance. The following table describes common internal operation logs.
Log type | Description |
--- | --- |
Primary node eviction | Data was evicted from the node. |
Primary node audit log drop event | The start of an audit log drop event (drop start). |
Primary node audit log drop event | The end of an audit log drop event (drop end). |
Primary node hot key log | Information about hot keys on the node, based on queries per second (QPS) or traffic. |
Primary node large key log | Information about large keys on the node, based on the number of sub-elements. |
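As an added example (not part of the Alibaba Cloud documentation and not Tair's own tooling), the following Python script shows one way to apply the two answers above when reviewing an exported audit log: drop the instance's internal management operations by their 127.0.0.1 client IP, then summarize the remaining write operations per account and client IP (who changed data, from where, and when) and flag writes from addresses outside the networks your own clients use. The sample records and their field names (ts, client_ip, account, db, command) are constructed assumptions; check the actual field names in the redis_audit_log_standard Logstore before running this on real exports.

```python
import ipaddress
import json

# Constructed sample audit records (newline-delimited JSON). These are NOT real
# Tair audit log output, and the field names are an assumption for illustration.
SAMPLE_RECORDS = """\
{"ts": "2024-05-01T08:00:01Z", "client_ip": "10.0.1.15", "account": "app_writer", "db": 0, "command": "SET session:ab12 <truncated>"}
{"ts": "2024-05-01T08:00:02Z", "client_ip": "127.0.0.1", "account": "", "db": 0, "command": "primary node eviction"}
{"ts": "2024-05-01T08:00:05Z", "client_ip": "10.0.1.16", "account": "app_writer", "db": 0, "command": "DEL session:cd34"}
{"ts": "2024-05-01T08:00:09Z", "client_ip": "203.0.113.9", "account": "ops_admin", "db": 0, "command": "FLUSHALL"}
this line is not JSON and must be skipped
{"ts": "2024-05-01T08:00:12Z", "client_ip": "127.0.0.1", "account": "", "db": 0, "command": "primary node hot key log"}
"""

# Client IPs that the instance itself uses for internal management operations.
INTERNAL_IPS = {"127.0.0.1"}


def parse_records(text):
    """Parse newline-delimited JSON records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # malformed export line: skip it rather than abort the review
    return records


def split_records(records):
    """Separate application writes from the instance's internal management operations."""
    app, internal = [], []
    for record in records:
        (internal if record.get("client_ip") in INTERNAL_IPS else app).append(record)
    return app, internal


def summarize_by_actor(records):
    """Per (account, client_ip): number of write commands plus first and last timestamp.

    This answers the operation-review question of who changed data, from where, and when.
    """
    summary = {}
    for record in sorted(records, key=lambda r: r["ts"]):
        key = (record.get("account", ""), record["client_ip"])
        entry = summary.setdefault(key, {"count": 0, "first": record["ts"], "last": record["ts"]})
        entry["count"] += 1
        entry["last"] = record["ts"]
    return summary


def flag_unexpected(records, allowed_networks):
    """Return records whose client IP lies outside the given CIDRs.

    allowed_networks lists the networks your own application clients connect from;
    anything else among the non-internal writes deserves a closer look.
    """
    networks = [ipaddress.ip_network(n) for n in allowed_networks]
    flagged = []
    for record in records:
        addr = ipaddress.ip_address(record["client_ip"])
        if not any(addr in net for net in networks):
            flagged.append(record)
    return flagged


if __name__ == "__main__":
    app, internal = split_records(parse_records(SAMPLE_RECORDS))
    print(f"{len(app)} application writes, {len(internal)} internal operations filtered out")
    for (account, ip), entry in summarize_by_actor(app).items():
        print(f"{account or '<none>'} from {ip}: {entry['count']} write(s), {entry['first']} .. {entry['last']}")
    for record in flag_unexpected(app, ["10.0.1.0/24"]):  # assumed client network
        print(f"REVIEW: {record['ts']} {record['account']} {record['client_ip']} {record['command']}")
```

Because audit logs truncate long commands (see the Overview), the summary keys on account and client IP rather than on command text, so a truncated command still counts correctly toward its actor.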
API reference
API | Description |
--- | --- |
 | Enables or disables the audit log feature for an instance and sets the log retention period. |
 | Queries the configuration of audit logs for an instance, such as whether the feature is enabled and the log retention period. |
 | Queries the audit logs of an instance. |