Enabling SQL Audit
After you enable the SQL audit function, all SQL operations will be recorded in log files. You can download audit logs to view log details.
By default, SQL audit is disabled because enabling this function may affect database performance. This section describes how to enable, modify, or disable SQL audit.
Supported Database Versions
- RDS for MySQL 5.6 instances using cloud disks: 5.6.43 and later versions
- RDS for MySQL 5.7 instances using cloud disks: 5.7.23 and later versions
- RDS for MySQL 8.0
Constraints
- Both primary DB instances and read replicas support SQL audit logging.
- After SQL auditing is enabled, RDS records SQL operations in audit logs. The generated audit log files are temporarily stored in the instance and then uploaded to OBS and stored in the backup space. If there is not enough free backup space available for generated audit logs, the additional space required is billed.
- Audit logs are cleared every hour. After you change the retention period of audit logs, expired audit logs will be deleted 1 hour later.
- After SQL auditing is enabled, a large number of audit logs may be generated during peak hours. As a result, many audit log files may be temporarily stored in the instance, and the storage may become full.
- Log in to the management console.
- Click the icon in the upper left corner of the page and choose Databases > Relational Database Service.
- On the Instances page, click the target instance name.
- In the navigation pane on the left, choose Logs. On the displayed page, click the SQL Audit Logs tab.
- On the displayed tab page, click Set SQL Audit. In the displayed dialog box, specify parameters and click OK.
Enabling or setting SQL audit
- To enable SQL audit, toggle on the switch.
- Audit logs can be retained from 1 to 732 days and are retained for 7 days by default.
Disabling SQL audit
To disable SQL audit, toggle the switch from enabled to disabled.
- Log in to the management console.
- Click the icon in the upper left corner of the page and choose Databases > Relational Database Service.
- On the Instances page, click the target instance name.
- In the navigation pane on the left, choose Logs. On the displayed page, click the SQL Audit Logs tab.
- Click the icon next to the Report Audit Logs to LTS field.
- Select an LTS log group and log stream and click OK.
- After this function is enabled, audit logs record all requests sent to your DB instance and are stored in LTS.
- This function does not take effect immediately. There is a delay of about 10 minutes.
- After this function is enabled, all audit policies are reported by default.
- Keep the following points in mind before you enable audit logging or audit log reporting to LTS:
- Enabling audit logging or audit log reporting to LTS generates audit logs, and the sensitive information in the audit logs is not anonymized.
- If you enable audit logging first and then enable audit log reporting to LTS, LTS reuses the audit policy set for your instance and you will also be billed for reporting audit logs to LTS. Billing for audit logging stops only after you disable audit logging.
- If you enable audit logging first and then enable audit log reporting to LTS, you are not advised to disable audit logging before audit log reporting to LTS is running properly.
- Audit logs may be lost while being uploaded to LTS in certain situations. If audit logging is enabled, you can download all audit logs from OBS.
- There is a low probability that some logs are lost when the service traffic is heavy, audit logs are generated too fast, or the LTS service fails.
- Each audit log record uploaded to LTS cannot exceed 512 KB. Larger records will be truncated.
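
Because audit logs are not anonymized and records sent to LTS are truncated at 512 KB, the following added example (not part of the original page and not Huawei Cloud code) masks literal values in a SQL statement taken from an audit record before it is shared, including a string literal that truncation cut off before its closing quote. The function names and the reading of 512 KB as 512 * 1024 bytes are assumptions; the code works on statement text only and assumes nothing about the audit log file layout.

```python
import re

# Assumption: the page's "512 KB" limit is read as 512 * 1024 bytes.
LTS_RECORD_LIMIT = 512 * 1024


def _quoted(q: str) -> str:
    """Regex for a string literal in quote q: closed, or cut off at end of text."""
    body = rf"(?:[^{q}\\]|\\.|{q}{q})*"  # plain chars, backslash escapes, doubled quotes
    # The closed form is tried first; the unterminated form only matches when a
    # truncated record ends in the middle of a literal.
    return rf"{q}{body}{q}|{q}{body}\Z"


_LITERAL = re.compile(
    "|".join([
        _quoted("'"),
        _quoted('"'),
        r"\b0x[0-9A-Fa-f]+\b",         # hex literal
        r"(?<![\w.])\d+(?:\.\d+)?\b",  # number that is not part of an identifier
    ]),
    re.DOTALL,
)


def mask_sql(sql: str) -> str:
    """Replace every string, hex and numeric literal in a statement with '?'."""
    return _LITERAL.sub("?", sql)


def may_be_truncated(record: str) -> bool:
    """True if the record is at or above the LTS size limit, so its tail may be missing."""
    return len(record.encode("utf-8")) >= LTS_RECORD_LIMIT


if __name__ == "__main__":
    # Constructed sample statements, not taken from a real audit log.
    samples = [
        "SELECT * FROM users WHERE email='a@example.com' AND id=42",
        "UPDATE t1 SET note='it''s', pw=\"s3cret\" WHERE k=0x1F",
        "INSERT INTO cards VALUES (7, '4111 1111",  # literal cut off by truncation
    ]
    for stmt in samples:
        print(mask_sql(stmt))
```

Masking is deliberately conservative: an apostrophe inside a SQL comment is treated as the start of a string and everything after it is masked.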