Updated on 2023-03-15 GMT+08:00

Audit Logs

An audit log records operations performed on your databases and collections. The generated log files are stored in OBS. Auditing logs can enhance your database security and help you analyze the cause of failed operations.

Precautions

  • Audit log is disabled by default. You can enable it based on your service requirements. Enabling it may have a slight impact on your system performance.
  • DDS checks generated audit logs. If the retention period of logs exceeds the period you set, DDS will delete the logs. It is recommended that audit logs be stored for more than 180 days for tracing and problem analysis.
  • After the audit policy is modified, DDS audits logs according to the new policy and the retention period of the original audit logs is subject to the modified retention period.
  • You are not advised to delete audit logs. To delete audit logs, ensure that this operation meets external and internal security compliance requirements, and download audit logs and back them up locally. Audit logs cannot be restored after being deleted. Exercise caution when performing this operation.
  • You can view, download, and delete DDS instance audit logs on the DDS console. For details, see Viewing Audit Logs on the DDS Console. By enabling log reporting in Log Reporting, you can also view details about audit logs of DDS DB instances on the LTS console, including searching for logs, monitoring logs, downloading logs, and viewing real-time logs.

Example Traces

The following is an example of querying the replica set status.

{
  "atype": "replSetGetStatus",
  "ts": {
    "$date": "2022-06-29T07:23:29.077+0000"
  },
  "local": {
    "ip": "127.0.0.1",
    "port": 8636
  },
  "remote": {
    "ip": "127.0.0.1",
    "port": 50860
  },
  "users": [
    {
      "user": "rwuser",
      "db": "admin"
    }
  ],
  "roles": [
    {
      "role": "root",
      "db": "admin"
    }
  ],
  "param": {
    "command": "replSetGetStatus",
    "ns": "admin",
    "args": {
      "replSetGetStatus": 1,
      "forShell": 1,
      "$clusterTime": {
        "clusterTime": {
          "$timestamp": {
            "t": 1656487409,
            "i": 117
          }
        },
        "signature": {
          "hash": {
            "$binary": "PTJhGQ6cr8RyzuqbevXfG0xWj/c=",
            "$type": "00"
          },
          "keyId": {
            "$numberLong": "7102437926763495425"
          }
        }
      },
      "$db": "admin"
    }
  },
  "result": 0
}

Configuring the Audit Policy

  1. Log in to the management console.
  2. Click in the upper left corner and select a region and a project.
  3. Click in the upper left corner of the page and choose Databases > Document Database Service.
  4. On the Instances page, click the instance name.
  5. In the navigation pane on the left, choose Audit Logs.
  6. On the Audit Logs page, click Set Audit Policy.
  7. On the displayed page, click .
  8. Configure required parameters and click OK to enable the audit policy.

    Figure 1 Enabling audit policy
    Table 1 Parameter description

    Parameter

    Description

    All

    Audit all collections in the instance.

    Custom

    Audit specified databases or collections in the instance.

    The database or collection name cannot contain spaces or the following special characters: /\' : "[]{}() The dollar sign ($) can be used only as an escape character.

    The database name can contain a maximum of 64 characters.

    If you enter a combined database and collection name, the total name length is 120 characters with the database name length of no more than 64 characters and the collection name cannot be blank, contain null, or use system. in prefix.

    Statement Type

    You can query audit logs of specified statements in a collection, including auth, insert, update, delete, command and query statements.

    Retention Days

    The number of days to retain audit logs. Range: 7 to 732

    • After the audit policy is enabled, you can modify it as required. After the modification, logs are generated according to the new policy and the retention period of the original logs is subject to the modified retention period.

      To modify the audit policy, click Set Audit Policy. In the dialog box that is displayed, modify the audit policy.

      Figure 2 Modifying the audit policy
    • Disable the audit policy.

      After the audit policy is disabled, no audit log is generated.

      To disable the audit policy, click . For details, see Figure 3.

      Figure 3 Disabling the audit policy

      You can determine whether to delete all automated backup files:

      • If you do not select Delete automated backups, all backup files within the retention period will be retained. You can manually delete them later.
      • If you select Delete automated backups, all backup files within the retention period will be deleted.

      Click OK.