tencent cloud

PrevNext

Feedback

search by keyword

Recent Pages

Documentation
TDSQL-C for MySQL
    Documentation
    Download PDF

    Viewing Audit Logs

    Last updated: 2023-12-12 14:19:40
    Download PDF
      This document describes how to view database audit logs and their list field.
      Note:
      A new version of the audit log page was released on July 12, 2023. The new version added a new audit log search field "Scanned Rows". For existing audit logs before this release date, the data in this field will be displayed as "-", and the corresponding downloaded files and APIs will be displayed as "-1".
      The units of the audit log fields "Execution Time" and "CPU Time" in the console and downloaded audit log files are all adjusted to microseconds.
      When searching audit logs, the character used to separate multiple search items is changed from comma to line break.

      Prerequisite

      You have enabled audit service. For more information, see Enabling Audit Service.

      Viewing Audit Logs

      Note:
      The audit log display time is down to milliseconds, facilitating more precise sorting and problem analysis of SQL commands.
      1. Log in to the TDSQL-C for MySQL console.
      2. Click Database Audit on the left sidebar and select the region at the top.
      3. Click Enabled after Audit Status to filter instances for which the audit service is enabled.
      4. Find the target instance in the audit instance list, or search for it by resource attribute in the search box, and click View Audit Log in the Operation column to enter the Audit Log tab and view logs.
      

      Tool list

      In the audit instance filter box, you can choose to switch to other audit instances that have enabled the audit service.
      Click the time box and select a time period to view the audit logs in the selected time period.
      Note:
      You can select any time period with data for search. Up to the first 60,000 eligible records can be displayed.
      In the search box, you can view the audit results by selecting search items, such as SQL details, client IP, user account, database name, SQL type, error code, execution time (μs), lock wait time (μs), IO wait time (μs), transaction duration (μs), CPU time (μs), thread ID, scanned rows, affected rows, and returned rows. Multiple Keywords are separated by line breaks.
      Search Item
      Operator
      Description
      SQL Details
      Include-OR-Segment
      Rule Description
      Enter the details of the SQL command and separate multiple keywords by line break.
      The match items in the SQL command details search box are divided into three levels. The first level sets the forward and reverse matching modes (Include, Exclude); the second level sets the logical relationship between keywords (OR, AND); the third level sets each keyword matching mode (Segment, Wildcard).
      Note:
      The search of SQL command details is case-insensitive.
      Include and Exclude match modes are supported.
      Keywords support "OR" and "AND" logical match. "OR" means a "union" relationship between different keywords, and "AND" means an "intersection" relationship between different keywords.
      Each keyword supports two match modes: "segment" and "wildcard". "Segment" means that each keyword in the SQL command details needs to be accurately matched, and "wildcard" means that fuzzy match is supported for each keyword in the SQL command details.
      Example
      For example, if the SQL command details are SELECT * FROM test_db1 join test_db2 LIMIT 1;,
      In the "Include (segment)" search mode, you can search by segment keywords such as "SELECT", "select from", "", "SELECT * FROM test_db LIMIT 1;", "from Test_DB". However, you can't search by wildcard keywords such as "SEL", "sel", and "test".
      In the "Include (wildcard)" search mode, you can't search by wildcard keywords such as "SEL", "sel", "test", and "DB".
      In the "Include (AND)" search mode, multiple keywords are in an "AND" relationship, which means you can query all SQL commands containing "SELECT" and "test_db" by entering keywords such as "SELECT" and "test_db".
      In the "Include (OR)" search mode, multiple keywords are in an "OR" relationship, which means you can query all SQL commands containing "test_db1" and "test_db2" by entering keywords such as "test_db1" and "test_db2".
      Include-AND-Segment
      E‌xclude-AND-Segment
      ‌Include-OR-Wildcard
      ‌Include-AND-Wildcard
      ‌E‌xclude-AND-Wildcard
      Client IP
      Include Exclude Equal to Not equal to
      You can filter client IP addresses by using the wildcard "" and separate them by line break. For example, if you enter "client IP: 9.223.23.2", IP addresses that start with "9.223.23.2" will be searched.
      User Account
      Include Exclude Equal to Not equal to
      Enter a user account and separate multiple keywords by line break.
      Database Name
      Include Exclude Equal to Not equal to
      Enter a database name and separate multiple keywords by line break.
      Note:
      The search of database name is case-insensitive.
      
      SQL Type
      Equal to Not equal to
      Pull down the list to select a SQL type (ALTER, CHANGEUSER, CREATE, DELETE, DROP, EXECUTE, INSERT, LOGOUT, OTHER, REPLACE, SELECT, SET, UPDATE). You can select multiple types.
      Error Code
      Equal to Not equal to
      Enter an error code and separate multiple keywords by line break.
      Audit Rule
      Include Exclude
      Displays the template IDs and names of all the rule templates in a certain region. You can filter audit logs that match this rule template based on the rule template.
      Supports input as null, indicating the filtration of all the audit logs without audit rule tags in the historical inventory and the full audit logs that don't meet rules.
      Supports the search for audit rules according to rule template ID and name.
      Supports the selection of multiple rule templates at the same time.
      Execution Time (μs)
      Range format
      Enter an execution time in the format of M-N, such as 10-100 or 20-200.
      Lock Wait Time (μs)
      Range format
      Enter a lock wait time in the format of M-N, such as 10-100 or 20-200.
      IO Wait Time (μs)
      Range format
      Enter an IO wait time in the format of M-N, such as 10-100 or 20-200.
      Transaction Duration (μs)
      Range format
      Enter a transaction duration in the format of M-N, such as 10-100 or 20-200.
      CPU Time (μs)
      Range format
      Enter a CPU time in the format of M-N, such as 10-100 or 20-200.
      Thread ID
      Equal to
      Not equal to
      Enter a thread ID and separate multiple keywords by line break.
      Scanned Rows
      Range format
      Enter a range of scanned rows in the format of M-N, such as 10-100 or 20-200.
      Affected Rows
      Range format
      Enter a range of affected rows in the format of M-N, such as 10-100 or 20-200.
      Returned Rows
      Range format
      Enter a range of returned rows returned in the format of M-N, such as 10-100 or 20-200.
      Risk Level
      Include Exclude
      Select low risk, medium risk, or high risk to filter audit logs that meet the risk level settings of rule templates.
      Also supports input as null, indicating the filtration of audit logs without risk level tags in the historical inventory.

      Log list

      The Returned Rows field represents the specific number of rows returned by executing the SQL command, which is mainly used to determine the impact of SELECT commands.
      

      Audit Fields

      The following fields are supported in TDSQL-C for MySQL audit logs. On the Audit Log tab, click the download icon. After download, click the file list icon. On the page redirected to, copy the download address and access it to get the complete SQL audit logs.
      
      Note:
      Currently, you can download audit log files of a database instance only at the Tencent Cloud private network address by using a CVM instance in the same region. For example, to download the audit logs of database instances in Beijing region, download them with a CVM instance in Beijing.
      Log files are valid for 24 hours. Download them promptly.
      Up to 30 log files can be retained for one database instance. Delete files promptly after download.
      If the status is Failed, there may be too many logs. You can download them in batches by narrowing down the time range.
      No.
      Field
      Remarks
      1
      Time
      -
      2
      Risk Level
      It is classified into low risk, medium risk, and high risk. For Full Audit, the risk level will be displayed as "-" for logs that do not meet the audit rules.
      
      3
      Client IP
      -
      4
      Database Name
      -
      5
      User Account
      -
      6
      SQL Type
      -
      7
      SQL Details
      -
      8
      Error Code
      0 means success
      9
      Thread ID
      -
      10
      Scanned Rows
      -
      11
      Returned Rows
      -
      12
      Affected Rows
      -
      13
      Execution Time (μs)
      -
      14
      CPU Time (μs)
      -
      15
      Lock Wait Time (μs)
      -
      16
      IO Wait Time (μs)
      -
      17
      Transaction Duration (μs)
      -
      18
      Policy Name
      -
      19
      Audit Rule
      It displays the rule template that the audit log meets. Upon clicking the corresponding rule template, the details of the rule template will be displayed, including the basic information, the parameter settings, and the modification record.
      The value of the audit rule for the audit logs in the historical inventory is displayed as "-".
      The value of the audit rule for the audit logs that don't meet rules is displayed as "-".

      Relationship Between SQL Statement Type and SQL Statement Mapping Object

      No.
      SQL Statement Type
      SQL Statement Mapping Object
      0
      OTHER
      All other SQL statement types except the following
      1
      SELECT
      SQLCOM_SELECT
      2
      INSERT
      SQLCOM_INSERT, SQLCOM_INSERT_SELECT
      3
      UPDATE
      SQLCOM_UPDATE, SQLCOM_UPDATE_MULTI
      4
      DELETE
      SQLCOM_DELETE, SQLCOM_DELETE_MULTI, SQLCOM_TRUNCATE
      5
      CREATE
      SQLCOM_CREATE_TABLE, SQLCOM_CREATE_INDEX, SQLCOM_CREATE_DB, SQLCOM_CREATE_FUNCTION, SQLCOM_CREATE_USER, SQLCOM_CREATE_PROCEDURE, SQLCOM_CREATE_SPFUNCTION, SQLCOM_CREATE_VIEW, SQLCOM_CREATE_TRIGGER, SQLCOM_CREATE_SERVER, SQLCOM_CREATE_EVENT, SQLCOM_CREATE_ROLE, SQLCOM_CREATE_RESOURCE_GROUP, SQLCOM_CREATE_SRS
      6
      DROP
      SQLCOM_DROP_TABLE, SQLCOM_DROP_INDEX, SQLCOM_DROP_DB, SQLCOM_DROP_FUNCTION, SQLCOM_DROP_USER, SQLCOM_DROP_PROCEDURE, SQLCOM_DROP_VIEW, SQLCOM_DROP_TRIGGER, SQLCOM_DROP_SERVER, SQLCOM_DROP_EVENT, SQLCOM_DROP_ROLE, SQLCOM_DROP_RESOURCE_GROUP, SQLCOM_DROP_SRS
      7
      ALTER
      SQLCOM_ALTER_TABLE, SQLCOM_ALTER_DB, SQLCOM_ALTER_PROCEDURE, SQLCOM_ALTER_FUNCTION, SQLCOM_ALTER_TABLESPACE, SQLCOM_ALTER_SERVER, SQLCOM_ALTER_EVENT, SQLCOM_ALTER_USER, SQLCOM_ALTER_INSTANCE, SQLCOM_ALTER_USER_DEFAULT_ROLE, SQLCOM_ALTER_RESOURCE_GROUP
      8
      REPLACE
      SQLCOM_REPLACE, SQLCOM_REPLACE_SELECT
      9
      SET
      SQLCOM_SET_OPTION, SQLCOM_RESET, SQLCOM_SET_PASSWORD, SQLCOM_SET_ROLE, SQLCOM_SET_RESOURCE_GROUP
      10
      EXECUTE
      SQLCOM_EXECUTE
      11
      LOGIN
      Database login is not subject to audit rules.
      12
      LOGOUT
      Database logout is not subject to audit rules.
      13
      CHANGEUSER
      User change is not subject to audit rules.
      
      Contact Us

      Contact our sales team or business advisors to help your business.

      Contact Us
      Technical Support

      Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

      Submit a Ticket
      7x24 Phone Support
      Copyright © 2013-2024 Tencent Cloud. All Rights Reserved.
      Privacy PolicyLegalCookie Policy