Esta página ainda não está disponível no idioma selecionado. Estamos trabalhando para adicionar mais opções de idiomas. Agradecemos sua compreensão.
- What's New
- Function Overview
- Service Overview
- Billing
- Getting Started
-
User Guide
- Overview
- Enabling and Using Database Audit (by Installing Agents)
- Enabling and Using Database Audit (Without Installing Agents)
- Upgrading the Database Audit Instance Version
- Configuring Audit Rules
- Viewing Audit Results
- Notification Settings Management
- Viewing Monitoring Information
- Backing Up and Restoring Database Audit Logs
-
Other Operations
- Managing Database Audit Instances
- Viewing the Instance Overview
- Managing Databases and Agents
- Uninstalling an Agent
- Management an Audit Scope
- Viewing Information About SQL Injection Detection
- Managing Risky Operations
- Managing Privacy Data Protection Rules
- Managing Audit Reports
- Managing Backup Audit Logs
- Viewing Operation Logs
- Key Operations Recorded by CTS
- Monitoring
- Shared VPC
- Permission Control
-
Best Practices
- Auditing a User-built Database on ECS
- Auditing an RDS DB instance (with Agents)
- Auditing an RDS DB Instance (Without Agents)
- Deploying the Database Audit Agent in a Container
- Checking for Slow SQL Statements
- Checking for Data Reduction
- Checking for Dirty Tables
- Configuring Oracle RAC Cluster Audit
- Meeting Database Audit Compliance Requirements
- Configuring Database Audit Instance Rules
- Change History
-
API Reference
- Before You Start
- Calling APIs
-
API
- Querying on the Management Side
-
Audit Instance
- Deleting an Audit Instance
- Creating an Audit Instance in Yearly/Monthly Billing Mode
- Querying Information About an Instance Creation Task
- Querying the Audit Instance List
- Changing a Security Group
- Starting an Audit Instance
- Stopping an Audit Instance
- Restarting an Audit Instance
- Updating Audit Instance Information
- Auditing a Database
- Auditing Agent
- Data Analytics
- Audit Rules
- TMS Tags
- Adding an RDS Database (Deprecated)
- Appendix
-
FAQs
-
Product Consulting
- What Is Database Audit?
- What Are the Differences Between DBSS Database Audit and RDS SQL Audit?
- What Editions Does DBSS Provide?
- What Databases on Huawei Cloud Does DBSS Protect?
- What Databases Does DBSS Support?
- Why Can't I See the Instance that Is Being Created After I Purchased It?
- Will My Services Be Affected If I Do Not Renew DBSS After It Expires?
- Does Database Audit Support On-premises or Non-Huawei Cloud Databases?
- What Are Regions and AZs?
- Does DBSS Support Real-Time Data Masking?
- Can DBSS Audit Databases Across Subnets?
- Is There Any Restriction on the Gateway IP Address of DBSS Audit Instances?
-
Purchase
- Which Subnet Should I Choose When Purchasing an Instance?
- Why Do I Need to Select a VPC When Buying an Instance?
- How Many Database Audit Instances Can I Purchase in the Same Region?
- What Do I Do If a Message Indicating Insufficient Quota Is Displayed During Instance Purchase?
- How Do I Renew Database Audit?
- How Do I Unsubscribe from DBSS?
-
Functions
- Can Database Audit Be Used Across AZs?
- Does Database Audit (in Bypass Mode) Affect My Services?
- Is the Database Audit Function Available to Users Other Than the Buyer?
- What Are the Functions of Database Audit?
- Supported Database Types
- What OSs Can I Install the Database Audit Agent On?
- Does Database Audit Support Bidirectional Audit?
- Can I Audit Databases Across Different VPCs?
- Can Applications Using TLS Connections Be Audited?
- How Long Is the Database Audit Data Stored by Default?
- How Soon Can I Receive an Alarm Notification If an Exception Occurs in Database Audit?
- Is the Total Number Of Alarms Every Day the Same as that of Emails?
- Why I Cannot Preview the Database Security Audit Report Online?
- If I Use Middleware at the Service Side, Will It Affect Database Audit?
- Can DBSS Capture SQL Statements Executed by Third-Party Tools?
- Can DBSS Be Deployed Off the Cloud?
- Can I Change the VPC of a DBSS Instance?
- How Do I Interconnect with DBSS Audit Data Storage?
- What Should I Do If an Alarm of Insufficient DBSS Capacity Is Displayed?
-
Agent
- Which Functions Do the Database Audit Agent Provide?
- On What Windows Versions Can I Install the Agent?
- On What Linux OSs Can I Install the Agent?
- What Is the Process Name of the Database Audit Agent?
- (Linux OS) What Should I Do If I Lack the Permission to Run the Agent Installation Script?
- (Linux OS) Where Are the Logs of the Database Audit Agent Saved?
- When Should I Select an Existing Agent?
- What Do I Do If the Database Audit Agent Is Hibernating?
- How Do I Deploy the Agent If I Have an RDS Database That Connects to Multiple ECSs?
- How Do I Determine Where to Install an Agent?
- How Do I Run a Database Audit Agent?
- How Do I Check the Status of the Database Audit Agent?
- How Do I Download a Database Audit Agent?
- How Do I Uninstall a Database Audit Agent?
- Can I Modify the CPU and Memory Thresholds of the Agent?
- How Do I Install the Agent (in Linux OS)?
- How Do I Install the Agent (in Windows OS)?
- What Do I Do If the Communication Between the Agent and Database Audit Instance Is Abnormal?
- How Many Resources Are Consumed by an Agent When It Runs on a Node?
- What Do I Do If Agent Installation Fails?
- What Do I Do If the Error Message "unsupport this Linux version, please check your Linux version with install document!" Is Displayed During Agent Installation?
-
Operations
- How Do I Configure Database Audit?
- How Do I Disable SSL for a Database?
- How Do I Set the INSERT Audit Policy for Database Audit?
- How Do I Verify My Database Audit Configuration?
- How Do I Set Database Audit Rules for All Databases?
- How Do I Check the Version of Database Audit?
- How Do I View All Alarms in Database Audit?
- How Do I Audit an RDS Database Accessed through Intranet (by Applications Off the Cloud)?
- How Do I Add an HBase Database and Perform Audit?
-
Troubleshooting
- Database Audit Is Running Properly But Generates No Audit Records
- Database Audit Is Unavailable
- Alarm Notifications Are Abnormal
- Why I Failed to Access the DBSS Purchase Page?
- What Do I Do If I Audit RDS Psostgres Database but No Audit Result Is Displayed?
- DBSS Automatic Backup Failed and The Failure Code is "Export backup file failed"
-
Logs
- Can the Operation Logs of Database Audit Be Migrated?
- How Long Are the Operation Logs of Database Audit Saved by Default?
- How Do I Check the Operation Logs of Database Audit?
- How Does Database Audit Process Logs?
- How Do I Back Up the Database Audit Logs?
- Can Database Audit Logs Be Directly Saved to OBS?
- Backup Gets Stuck at the Backup File Uploading Phase
- Change History
-
Product Consulting
- Videos
-
More Documents
-
User Guide (ME-Abu Dhabi Region)
- Overview
- Process Overview
- Applying for a Database Audit Instance
- Step 1: Add a Database
- Step 2: Add an Agent
- Step 3: Download and Install the Agent
- Step 4: Add a Security Group Rule
- Step 5: Enable Database Audit
- Adding Audit Scope
- Enabling or Disabling SQL Injection Detection
- Adding Risky Operations
- Configuring Privacy Data Protection Rules
- Viewing SQL Statement Details
- Viewing Session Distribution
- Viewing the Audit Dashboard
- Viewing Audit Reports
- Configuring Alarm Notifications
- Viewing the System Monitoring
- Viewing the Alarms
- Managing Database Audit Instances
- Viewing the Instance Overview
- Managing Databases and Agents
- Uninstalling an Agent
- Management an Audit Scope
- Viewing Information About SQL Injection Detection
- Managing Risky Operations
- Managing Privacy Data Protection Rules
- Managing Audit Reports
- Managing Backup Audit Logs
- Viewing Operation Logs
- Viewing Tracing Logs
- Auditable Operations
-
FAQs
- Product Consulting
-
Functions
- Does Database Audit (in Bypass Mode) Affect My Services?
- What Are the Functions of Database Audit?
- Supported Database Types
- What OSs Can I Install the Database Audit Agent On?
- Does Database Audit Support Bidirectional Audit?
- Can I Audit Databases Across Different VPCs?
- Can Applications Using TLS Connections Be Audited?
- How Long Is the Database Audit Data Stored by Default?
- How Soon Can I Receive an Alarm Notification If an Exception Occurs in Database Audit?
- Is the Total Number Of Alarms Every Day the Same as that of Emails?
- Why I Cannot Preview the Database Security Audit Report Online?
- If I Use Middleware at the Service Side, Will It Affect Database Audit?
- What Should I Do If an Alarm of Insufficient DBSS Capacity Is Displayed?
-
Agent
- Which Functions Do the Database Audit Agent Provide?
- On What Windows Versions Can I Install the Agent?
- On What Linux OSs Can I Install the Agent?
- What Is the Process Name of the Database Audit Agent?
- (Linux OS) What Should I Do If I Lack the Permission to Run the Agent Installation Script?
- (Linux OS) Where Are the Logs of the Database Audit Agent Saved?
- When Should I Select an Existing Agent?
- What Do I Do If the Database Audit Agent Is Hibernating?
- How Do I Determine Where to Install an Agent?
- How Do I Download a Database Audit Agent?
- How Do I Uninstall a Database Audit Agent?
- How Do I Install the Agent (in Windows OS)?
- What Do I Do If the Communication Between the Agent and Database Audit Instance Is Abnormal?
- How Many Resources Are Consumed by an Agent When It Runs on a Node?
- Operations
- Troubleshooting
-
Logs
- Can the Operation Logs of Database Audit Be Migrated?
- How Long Are the Operation Logs of Database Audit Saved by Default?
- How Do I Check the Operation Logs of Database Audit?
- How Does Database Audit Process Logs?
- How Do I Back Up the Database Audit Logs?
- Can Database Audit Logs Be Directly Saved to OBS?
- Change History
-
User Guide (Kuala Lumpur Region)
- Overview
- Applying for a Database Audit Instance
- Quick Start
- Step 1: Add a Database
- Step 2: Add an Agent
- Step 3: Add a Security Group Rule
- Step 4: Download and Install the Agent
- Step 5: Enable Database Audit
- Step 6: View Audit Results
- Configuring Audit Rules
- Viewing Monitoring Information
- Backing Up and Restoring Database Audit Logs
-
Other Operations
- Managing Database Audit Instances
- Viewing the Instance Overview
- Managing Databases and Agents
- Uninstalling an Agent
- Management an Audit Scope
- Viewing Information About SQL Injection Detection
- Managing Risky Operations
- Managing Privacy Data Protection Rules
- Managing Audit Reports
- Managing Backup Audit Logs
- Viewing Operation Logs
-
FAQs
- Product Consulting
-
Functions
- Does Database Audit (in Bypass Mode) Affect My Services?
- What Are the Functions of Database Audit?
- Supported Database Types
- What OSs Can I Install the Database Audit Agent On?
- Does Database Audit Support Bidirectional Audit?
- Can I Audit Databases Across Different VPCs?
- Can Applications Using TLS Connections Be Audited?
- How Long Is the Database Audit Data Stored by Default?
- How Soon Can I Receive an Alarm Notification If an Exception Occurs in Database Audit?
- Is the Total Number Of Alarms Every Day the Same as that of Emails?
- Why I Cannot Preview the Database Security Audit Report Online?
- If I Use Middleware at the Service Side, Will It Affect Database Audit?
- What Should I Do If an Alarm of Insufficient DBSS Capacity Is Displayed?
-
Agent
- Which Functions Do the Database Audit Agent Provide?
- On What Linux OSs Can I Install the Agent?
- What Is the Process Name of the Database Audit Agent?
- (Linux OS) What Should I Do If I Lack the Permission to Run the Agent Installation Script?
- (Linux OS) Where Are the Logs of the Database Audit Agent Saved?
- When Should I Select an Existing Agent?
- What Do I Do If the Database Audit Agent Is Hibernating?
- How Do I Determine Where to Install an Agent?
- How Do I Download a Database Audit Agent?
- How Do I Uninstall a Database Audit Agent?
- What Do I Do If the Communication Between the Agent and Database Audit Instance Is Abnormal?
- How Many Resources Are Consumed by an Agent When It Runs on a Node?
- What Do I Do If Agent Installation Fails?
- Operations
- Troubleshooting
-
Logs
- Can the Operation Logs of Database Audit Be Migrated?
- How Long Are the Operation Logs of Database Audit Saved by Default?
- How Do I Check the Operation Logs of Database Audit?
- How Does Database Audit Process Logs?
- How Do I Back Up the Database Audit Logs?
- Can Database Audit Logs Be Directly Saved to OBS?
- Backup Gets Stuck at the Backup File Uploading Phase
- Change History
-
User Guide (Paris and Amsterdam Regions)
- Overview
- Enabling and Using Database Audit (by Installing Agents)
- Enabling and Using Database Audit (Without Installing Agents)
- Adding Audit Scope
- Enabling or Disabling SQL Injection Detection
- Adding Risky Operations
- Configuring Privacy Data Protection Rules
- Viewing SQL Statement Details
- Viewing Session Distribution
- Viewing the Audit Dashboard
- Viewing Audit Reports
- Configuring Alarm Notifications
- Viewing the System Monitoring
- Viewing the Alarms
- Managing Database Audit Instances
- Viewing the Instance Overview
- Managing Databases and Agents
- Uninstalling an Agent
- Management an Audit Scope
- Viewing Information About SQL Injection Detection
- Managing Risky Operations
- Managing Privacy Data Protection Rules
- Managing Audit Reports
- Managing Backup Audit Logs
- Viewing Operation Logs
- Viewing Tracing Logs
- Auditable Operations
-
FAQs
-
Functions
- Does Database Audit (in Bypass Mode) Affect My Services?
- What Are the Functions of Database Audit?
- Supported Database Types
- What OSs Can I Install the Database Audit Agent On?
- Does Database Audit Support Bidirectional Audit?
- Can Applications Using TLS Connections Be Audited?
- How Long Is the Database Audit Data Stored by Default?
- How Soon Can I Receive an Alarm Notification If an Exception Occurs in Database Audit?
- Is the Total Number Of Alarms Every Day the Same as that of Emails?
- Why I Cannot Preview the Database Security Audit Report Online?
- If I Use Middleware at the Service Side, Will It Affect Database Audit?
-
Agent
- Which Functions Do the Database Audit Agent Provide?
- On What Linux OSs Can I Install the Agent?
- What Is the Process Name of the Database Audit Agent?
- (Linux OS) What Should I Do If I Lack the Permission to Run the Agent Installation Script?
- (Linux OS) Where Are the Logs of the Database Audit Agent Saved?
- When Should I Select an Existing Agent?
- What Do I Do If the Database Audit Agent Is Hibernating?
- How Do I Determine Where to Install an Agent?
- How Do I Download a Database Audit Agent?
- How Do I Uninstall a Database Audit Agent?
- What Do I Do If the Communication Between the Agent and Database Audit Instance Is Abnormal?
- Operations
- Troubleshooting
- Logs
-
Functions
- Change History
- API Reference (Paris and Amsterdam Regions)
-
User Guide (ME-Abu Dhabi Region)
- General Reference
Copied.
Step 2: Add an Agent
Add a new agent or choose an existing agent for the database to be audited, depending on your database type. The agent will obtain database access traffic, upload traffic statistics to the audit system, receive audit system configuration commands, and report database monitoring data.
After adding an agent, configure TCP (port 8000) and UDP (ports 7000 to 7100) in the security group inbound rule of the agent node to allow the agent to communicate with the audit instance.
Prerequisites
- You have applied for a database audit instance and the Status is Running.
- A database has been added.
Scenarios
Determine where to add the agent based on how your database is deployed. Common database deployment modes are as follows:
- Deploy DBSS for databases built on ECS/BMS. For details, see Figure 1 and Figure 2.
- Deploy DBSS for RDS databases. For details, see Figure 3 and Figure 4.
Table 1 provides more details.
NOTICE:
- If your applications and databases (databases built on ECS/BMS) are deployed on the same node, add the agent on the database side.
|
Scenario |
Where to Add the Agent |
Audit Scope |
Description |
|---|---|---|---|
|
Databases built on ECS/BMS |
Database |
All access records of applications that have accessed the database |
|
|
RDS database |
Application (if applications are deployed on the cloud) |
Access records of all the databases connected to the application |
|
|
Proxy side (if applications are deployed off the cloud) |
Only the access records between the proxy and database. Those between the applications and database cannot be audited. |
|
Adding an Agent (Self-built Databases on ECS/BMS)
- Log in to the management console.
- Select a region, click
, and choose Security > Database Security Service. The Dashboard page is displayed. - In the navigation tree on the left, choose Databases.
- In the Instance drop-down list, select the instance whose agent is to be added.
- In the Agent column of the desired database, click Add.
- In the dialog box displayed, select an add mode. For details about related parameters, see Table 2.
Table 2 Parameters for adding an agent (databases built on ECS/BMS) Parameter
Description
Example Value
Add Mode
Mode for adding an agent- Select an existing agent
If an agent has been installed on a database connected to the same application as the desired database, select Select an existing agent.
- Create an agent
If no agent is available, select Create an agent to create one.
Create an agent
Installing Node Type
This parameter is mandatory when Add Mode is set to Create an agent.
When auditing user-installed databases on ECS/BMS, select Database for Installing Node Type.
Database
OS
OS of the database to be audited. Its value can be LINUX64.
LINUX64
- Select an existing agent
- Click OK.
- Click
next to the database to view its details and information about the added agent.
NOTE:
After adding the agent, confirm that the agent information is correct. If the agent is incorrectly added, click Delete in the Operation column of the row to delete it, and add an agent again.
Adding an Agent (RDS Databases)
NOTE:
After you add a MySQL or GaussDB(for MySQL) database, you can start configuring security group rules. You do not need to install an agent on the database.
If an application connects to multiple RDS databases, be sure to:
- Add an agent to each of the RDS databases.
- Select Select an existing agent if one of the databases already has an agent. Add that agent for the rest of the databases.
- Log in to the management console.
- Select a region, click , and choose Security > Database Security Service. The Dashboard page is displayed.
- In the navigation tree on the left, choose Databases.
- In the Instance drop-down list, select the instance whose agent is to be added.
- In the Agent column of the desired database, click Add.
- In the displayed dialog box, select an add mode. For details about related parameters, see Table 3.
- Select Select an existing agent for Add Mode.
NOTE:
If an agent has been installed on the application, you can select it to audit the desired database.
- Set Add Mode to Create an agent.
If no agent is available, select Create an agent to create one.
Select Installing Node Type to Application, and set Installing Node IP Address to the intranet IP address of the application.
Table 3 Parameters for adding an agent (RDS databases) Parameter
Description
Example Value
Add Mode
Mode for adding an agent- Selecting an existing agent
If an agent has been installed on a database connected to the same application as the desired database, select Select an existing agent.
- Create an agent
If no agent is available, select Create an agent to create one.
Create an agent
Installing Node Type
This parameter is mandatory when Add Mode is set to Create an agent.
To audit the RDS databases, select Application.
Application
Installing Node IP Address
This parameter is mandatory if Installing Node Type is set to Application. You can enter only one installation node IP address. The IP address of an agent must be unique.
The IP address is the intranet IP address of the application.
The IP address must be an internal IP address in IPv4 or IPv6 format.
NOTICE:To audit an RDS database connected to an off-cloud application, set this parameter to the IP address of the proxy.
192.168.1.1
Audited NIC Name
Optional. This parameter is configurable if Installing Node Type is set to Application.
Name of the network interface card (NIC) of the application node to be audited
-
CPU Threshold (%)
Optional. This parameter is configurable if Installing Node Type is set to Application.
CPU threshold of the application node to be audited. The default value is 80.
NOTICE:If the CPU usage of a server exceeds the threshold, the agent on the server will stop running.
80
Memory Threshold (%)
Optional. This parameter is configurable if Installing Node Type is set to Application.
Memory threshold of the application node to be audited. The default value is 80.
NOTICE:If the memory usage of your server exceeds the threshold, the agent will stop running.
80
OS
OS of the application node to be audited. The value can be LINUX64. This parameter is configurable if Installing Node Type is set to Application.
LINUX64
- Select Select an existing agent for Add Mode.
- Click OK.
Follow-Up Procedure
Configure TCP (port 8000) and UDP (ports 7000 to 7100) in the security group inbound rule of the agent node to allow the agent to communicate with the audit instance. For details about how to add a security group rule, see Adding a Security Group Rule.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
