Updated on 2026-06-15 GMT+08:00

Enabling SQL Audit

Scenarios

After SQL audit is enabled for RDS for PostgreSQL DB instances, the system records SQL operations and uploads logs every half an hour or when the size of a single record reaches 100 MB. The generated audit logs are stored in OBS. If there is not enough free backup space available for generated audit logs, the additional space required is billed.

Precautions

  • SQL audit is disabled for DB instances by default because enabling it increases database loads.
  • To ensure good performance, SQL audit uses the Coordinated Universal Time (UTC) format and is not affected by the time zone configuration.
  • When you enable SQL audit, the system automatically installs the pgAudit plug-in for a specific database. If you want to audit another database after SQL audit is enabled, manually install pgAudit for this database. For details, see pgAudit.
  • After SQL audit is enabled, READ, WRITE, and DDL SQL statements are logged by default. To adjust the audit scope, change the value of pgaudit.log on the Parameters page. For details, see Modifying Parameters of an RDS for PostgreSQL Instance.

Constraints

Only the following versions support SQL audit. If your DB engine version is too low, upgrade it to the latest version by referring to Upgrading a Minor Version or Upgrading the Major Version of a DB Instance on the Console.
  • Latest minor versions of RDS for PostgreSQL 12 and 13
  • All versions of RDS for PostgreSQL 14 and above

Performance

The pgAudit impact on database performance depends on how many audit logs there are and how often they are generated. More audit logs mean more impact on the database performance. pgAudit can decrease the database performance by about 20%. You need to configure parameters for pgAudit based on your workloads to achieve a balance between audit requirements and database performance.

Procedure

  1. Log in to the RDS console.
  2. Click in the upper left corner and select a region.
  3. On the Instances page, click the target instance name to go to the Summary page.
  4. In the navigation pane, choose Logs.
  5. Click the SQL Audit Logs tab and click Set SQL Audit.
  6. In the displayed dialog box, set the number of days for storing SQL audit logs, choose a database, and click OK.

    Audit logs can be retained from 1 to 3,660 days and are retained for 7 days by default.

    Figure 1 Setting SQL audit

  7. To disable SQL audit, toggle off the Audit Logging switch, select the confirmation check box, and click OK.

    After SQL audit is disabled, all audit logs will be deleted immediately and cannot be recovered. Exercise caution when performing this operation.

    Figure 2 Disabling SQL audit