Updated on 2024-01-10 GMT+08:00

Audit Log Policy Management

An audit log records operations performed on your databases and collections. The generated log files are stored in OBS. Audit logs enhance your database security and help you analyze the cause of failed operations.

Precautions

  • The audit policy of a DDS DB instance is disabled by default. You can enable it based on your service requirements. After the function is enabled, the system records audit information about write operations, which may degrade performance by 15% to 20%.
  • You will be charged for enabling the SQL audit log. For details, see Service Pricing.
  • DDS checks generated audit logs. If logs have been retained longer than the retention period you set, DDS deletes them. It is recommended that audit logs be stored for more than 180 days for tracing and problem analysis.
  • After the audit policy is modified, DDS audits logs according to the new policy and the retention period of the original audit logs is subject to the modified retention period.
  • You are not advised to delete audit logs. To delete audit logs, ensure that this operation meets external and internal security compliance requirements, and download audit logs and back them up locally. Audit logs cannot be restored after being deleted. Exercise caution when performing this operation.
  • You can view, download, and delete DDS instance audit logs on the DDS console. For details, see Viewing Audit Logs on the DDS Console. By enabling log reporting in Log Reporting, you can also view details about audit logs of DDS DB instances on the LTS console, including searching for logs, monitoring logs, downloading logs, and viewing real-time logs. For details, see Viewing Audit Logs on the LTS Console.

Example Traces

The following is an example of querying the replica set status. For details about the fields, see Trace Structure.

{
  "atype": "replSetGetStatus",
  "ts": {
    "$date": "2022-06-29T07:23:29.077+0000"
  },
  "local": {
    "ip": "127.0.0.1",
    "port": 8636
  },
  "remote": {
    "ip": "127.0.0.1",
    "port": 50860
  },
  "users": [
    {
      "user": "rwuser",
      "db": "admin"
    }
  ],
  "roles": [
    {
      "role": "root",
      "db": "admin"
    }
  ],
  "param": {
    "command": "replSetGetStatus",
    "ns": "admin",
    "args": {
      "replSetGetStatus": 1,
      "forShell": 1,
      "$clusterTime": {
        "clusterTime": {
          "$timestamp": {
            "t": 1656487409,
            "i": 117
          }
        },
        "signature": {
          "hash": {
            "$binary": "PTJhGQ6cr8RyzuqbevXfG0xWj/c=",
            "$type": "00"
          },
          "keyId": {
            "$numberLong": "7102437926763495425"
          }
        }
      },
      "$db": "admin"
    }
  },
  "result": 0
}
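
The following added example (not part of the DDS documentation) shows how traces in this structure can be flattened and triaged for review. It assumes the traces have been exported one JSON object per line and that a result of 0 means success; the function names and the second and third sample records are constructed for illustration.

```python
import ipaddress
import json
from datetime import datetime

# Constructed sample, one trace per line. Line 1 is the trace shown above with
# "args" trimmed; lines 2-3 (addresses, namespaces, result 13) are made up.
SAMPLE_TRACES = """\
{"atype":"replSetGetStatus","ts":{"$date":"2022-06-29T07:23:29.077+0000"},"local":{"ip":"127.0.0.1","port":8636},"remote":{"ip":"127.0.0.1","port":50860},"users":[{"user":"rwuser","db":"admin"}],"roles":[{"role":"root","db":"admin"}],"param":{"command":"replSetGetStatus","ns":"admin","args":{}},"result":0}
{"atype":"insert","ts":{"$date":"2022-06-29T07:24:02.511+0000"},"local":{"ip":"192.0.2.10","port":8635},"remote":{"ip":"198.51.100.7","port":41022},"users":[{"user":"appuser","db":"orders"}],"roles":[{"role":"read","db":"orders"}],"param":{"command":"insert","ns":"orders.items","args":{}},"result":13}
{"atype":"delete","ts":{"$date":"2022-06-29T07:25:40.003+0000"},"local":{"ip":"192.0.2.10","port":8635},"remote":{"ip":"203.0.113.5","port":52311},"users":[{"user":"rwuser","db":"admin"}],"roles":[{"role":"root","db":"admin"}],"param":{"command":"delete","ns":"orders.items","args":{}},"result":0}
"""

def summarize(trace):
    """Flatten one trace into the fields an analyst pivots on."""
    return {
        "time": datetime.strptime(trace["ts"]["$date"], "%Y-%m-%dT%H:%M:%S.%f%z"),
        "action": trace["atype"],
        "ns": trace.get("param", {}).get("ns", ""),
        "users": [f'{u["user"]}@{u["db"]}' for u in trace.get("users", [])],
        "roles": [r["role"] for r in trace.get("roles", [])],
        "remote": trace["remote"]["ip"],
        "result": trace["result"],
    }

def review_reasons(s):
    """Return why a summarized trace deserves a second look (empty if none)."""
    reasons = []
    if s["result"] != 0:  # assumption: 0 is success, anything else an error code
        reasons.append("failed")
    if "root" in s["roles"] and not ipaddress.ip_address(s["remote"]).is_loopback:
        reasons.append("root-from-remote")
    return reasons

def triage(text):
    """Parse newline-delimited traces; return (findings, unparseable line count)."""
    findings, bad = [], 0
    for line in filter(str.strip, text.splitlines()):
        try:
            s = summarize(json.loads(line))
            reasons = review_reasons(s)
        except (ValueError, KeyError, TypeError):
            bad += 1  # keep going: one damaged line must not hide the rest
            continue
        if reasons:
            findings.append((s["action"], s["ns"], s["remote"], reasons))
    return findings, bad

if __name__ == "__main__":
    for finding in triage(SAMPLE_TRACES)[0]:
        print(finding)
```

The count of unparseable lines is returned alongside the findings so that gaps in the exported log are visible rather than silently skipped.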

Configuring the Audit Policy

  1. Log in to the management console.
  2. Click in the upper left corner and select a region and a project.
  3. Click in the upper left corner of the page and choose Databases > Document Database Service.
  4. On the Instances page, click the instance name.
  5. In the navigation pane on the left, choose Audit Logs.
  6. On the Audit Logs page, click Set Audit Policy.
  7. On the displayed page, click .
  8. Configure required parameters and click OK to enable the audit policy.

    Figure 1 Enabling audit policy
    Table 1 Parameter description

    | Parameter | Description |
    |---|---|
    | All | Audit all collections in the instance. |
    | Custom | Audit specified databases or collections in the instance. The database or collection name cannot contain spaces or the following special characters: /\' : "[]{}() The dollar sign ($) can be used only as an escape character. The database name can contain a maximum of 64 characters. If you enter a combined database and collection name, the total name length is limited to 120 characters, with the database name no longer than 64 characters. The collection name cannot be blank, contain null, or start with the system. prefix. |
    | Statement Type | You can query audit logs of specified statements in a collection, including auth, insert, update, delete, command and query statements. |
    | Retention Days | The number of days to retain audit logs. Range: 7 to 732 |

    • After the audit policy is enabled, you can modify it as required. After the modification, logs are generated according to the new policy and the retention period of the original logs is subject to the modified retention period.

      To modify the audit policy, click Set Audit Policy. In the dialog box that is displayed, modify the audit policy.

      Figure 2 Modifying the audit policy
    • Disable the audit policy.

      After the audit policy is disabled, no audit log is generated.

      To disable the audit policy, click . Figure 3 shows the dialog box for setting the backup policy.

      Figure 3 Disabling audit policy

      You can determine whether to delete all audit logs:

      • If you do not select Delete audit logs, all audit logs within the retention period will be retained. You can manually delete them later.
      • If you select Delete audit logs, all audit logs within the retention period will be deleted.

      Click OK.