Updated on 2024-07-18 GMT+08:00

Enabling or Disabling SQL Audit

After you enable SQL audit, all SQL operations will be recorded in log files. You can download audit logs to view log details.

By default, SQL audit is disabled because enabling this function may affect database performance. This section describes how to enable, modify, or disable SQL audit.

Notes

  • Both DB instances and read replicas support SQL audit logging.
  • After SQL audit is enabled, RDS records SQL operations in audit logs. The generated audit log files are temporarily stored in the instance and then uploaded to OBS and stored in the backup space. If there is not enough free backup space available for generated audit logs, the additional space required is billed.
  • Audit logs are cleared every hour. After you change the retention period of audit logs, expired audit logs will be deleted 1 hour later.
  • After SQL audit is enabled, a large number of audit logs may be generated during peak hours. As a result, there are many audit log files temporarily stored in the instance, and the storage may be full.

Precautions

  • Enabling SQL audit deteriorates instance performance by about 5%.
  • After SQL audit is disabled, all audit logs will be deleted immediately and cannot be recovered. Exercise caution when performing this operation.

Enabling SQL Audit

  1. Log in to the management console.
  2. Click in the upper left corner of the page and choose Databases > Relational Database Service.
  3. On the Instances page, click the target DB instance.
  4. In the navigation pane, choose SQL Audits. On the displayed page, click Set SQL Audit.

  5. In the displayed dialog box, toggle on the Audit Logging switch and set the log retention period.

    • To enable SQL audit, set to .
    • Audit logs are retained for 7 days by default but can be retained from 1 to 732 days if needed.

  6. Click OK.

Disabling SQL Audit

  1. Log in to the management console.
  2. Click in the upper left corner of the page and choose Databases > Relational Database Service.
  3. On the Instances page, click the target DB instance.
  4. In the navigation pane, choose SQL Audits. On the displayed page, click Set SQL Audit.
  5. In the displayed dialog box, toggle off the Audit Logging switch and select the check box "I acknowledge that after audit log is disabled, all audit logs are deleted."

    Deleted audit logs cannot be recovered. Exercise caution when performing this operation.

  6. Click OK.