Help Center/ Database Security Service/ User Guide/ Backing Up and Restoring Database Audit Logs
Updated on 2024-04-16 GMT+08:00

Backing Up and Restoring Database Audit Logs

Database audit logs can be backed up to OBS buckets to achieve high availability for disaster recovery. You can back up or restore database audit logs as required.

Prerequisites

  • You have purchased a database audit instance and the Status is Running.
  • Database audit has been enabled.

Precautions

  • Audit logs are backed up to OBS. Buckets are automatically created for you and billed per use.

OBS Fine-grained Authorization

DBSS backup and restoration require OBS permissions. Users without IAM authorization permissions must be manually authorized by a user having the Security Administrator permission.

  1. Log in to the management console.
  2. Select a region, click in the upper left corner, and choose Management & Governance > Identity and Access Management.
  3. In the navigation pane, choose Permissions > Authorization. Click Create Custom Policy.
  4. Configure policy parameters. Set Policy Name to DBSS OBS Agency Access. Set Policy View to JSON. The policy content is as follows:

    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "obs:object:PutObjectVersionAcl",
                    "obs:object:PutObjectAcl",
                    "obs:object:GetObjectVersion",
                    "obs:object:GetObject",
                    "obs:object:GetObjectVersionAcl",
                    "obs:bucket:HeadBucket",
                    "obs:object:GetObjectAcl",
                    "obs:bucket:CreateBucket",
                    "obs:bucket:ListBucket",
                    "obs:object:PutObject"
                ],
                "Resource": [
                    "OBS:*:*:object:*",
                    "OBS:*:*:bucket:OBS_Bucket_Name_1",
                    "OBS:*:*:bucket:OBS_bucket_2" //You can add multiple buckets.
                ]
            }
        ]
    }

    See Figure 1. Click OK.

    Figure 1 Creating a custom policy

  5. In the navigation pane, choose Agencies and then click Create Agency in the upper right corner.
  6. Configure agency parameters. Set Agency Name to dbss_depend_obs_trust. Set Agency Type to Cloud service. Set Cloud Service to DBSS. See Figure 2.

    Figure 2 Creating an agency

  7. Click Next. Select the custom policy created in 4, and add the permission DBSS OBS Agency Access to the agency dbss_depend_obs_trust, as shown in Figure 3. Click Next in the lower right corner.

    Figure 3 Selecting a policy

  8. Set Scope to All resources and click OK. If the message in Figure 4 is displayed, the authorization is successful. Click Finish. The authorization will take effect in about 15 minutes.

    Figure 4 Authorization completed

Automatically Backing Up Database Audit Logs

  1. Log in to the management console.
  2. Select a region, click , and choose Security & Compliance > Database Security Service. The Dashboard page is displayed.
  3. In the navigation tree on the left, choose Settings.
  4. In the Instance drop-down list, select the required instance and click the Backup and Restoration tab.
  5. Click Modify Automated Backup Settings. In the displayed dialog box, set the auto backup parameters. Table 1 describes the parameters.

    Figure 5 Configure Automatic Backup dialog box
    Table 1 Parameters

    Parameter

    Description

    Example Value

    Automatic Backup

    Status of automatic backup

    • : enabled
    • : disabled

    Backup Period

    Automatic backup period. Its options are as follows:

    • Daily
    • Hourly

    Daily

    Started

    Start time of the backup. Click to configure.

    2020/01/14 20:27:08

    Bucket Name

    Name of the OBS bucket used for backup. Its options are as follows:

    • Create Default Bucket
    • Select Bucket
    NOTE:
    • If you click Create Default Bucket, you will be prompted to authorize OBS for exporting audit log backups.
    • Audit logs can be exported only to the bucket created by DBSS.

    20f18-7a5a-4042

    Export Directory

    Directory for storing backup files in the OBS bucket.

    test

  6. Click OK.

    After the automatic backup function is configured, new data in the database will be backed up one hour later. Then you can view the backup information.

Restoring Database Audit Logs

After backing up database audit logs, you can restore the audit logs as required.

Restoring logs is risky. Therefore before restoring logs, ensure that the backup log data is correct or complete.

  1. Log in to the management console.
  2. Select a region, click , and choose Security & Compliance > Database Security Service. The Dashboard page is displayed.
  3. In the navigation tree on the left, choose Settings.
  4. In the Instance drop-down list, select the required instance and click the Backup and Restoration tab.
  5. In the Operation column of the backup log to be restored, click Restore Log.
  6. In the displayed dialog box, click OK.

Exporting Risk Data

You can export the logs that record high-risk operations to OBS. An OBS bucket will be automatically created to store these logs and will charge per use.

Before you enable risk export, perform operations in OBS Fine-grained Authorization.

  1. Log in to the management console.
  2. Select a region, click , and choose Security & Compliance > Database Security Service. The Dashboard page is displayed.
  3. In the navigation tree on the left, choose Settings.
  4. In the Instance drop-down list, select the required instance and click the Risk Export tab.
  5. Click in the row of a database to export risk data. An OBS bucket will be automatically created to store risk logs.

    • Bucket Name:Click Create Default Bucket or Select Bucket.
    • Export Directory: Create a directory for storing risk files in the OBS bucket.
      Figure 6 Automatically creating an OBS bucket