• Data Warehouse Service

dws
  1. Help Center
  2. Data Warehouse Service
  3. User Guide
  4. Audit Logs
  5. Configuring the Database Audit Log

Configuring the Database Audit Log

Scenario

DWS allows you to record the audit log of specific operations, involving audit log retention policy, unauthorized access and DML, SELECT COPY, and DDL operations performed on the stored procedures and database objects.

After configuring the audit log, you can query the audit information to locate the fault cause or the historical operation record as needed when a data warehouse cluster is abnormal.

For details about how to view the audit log information, see section Viewing the Auditing Information in the Data Warehouse Service Database Developer Guide.

Prerequisites

You can change security settings only when Cluster Status is Available and Low performance and Task Information cannot be Creating snapshot, Scaling out, Configuring, or Restarting.

Procedure

  1. Log in to the DWS management console.
  2. Click Cluster Management.
  3. In the cluster list, click the name of a cluster. On the page that is displayed, click Security Settings.

    By default, Configuration Status is Synchronized, which indicates that the latest database result is displayed.

  4. In the Audit Settings area, set the audit log retention policy.

    Figure 1 Audit log retention policy

    Table 1 describes the detailed information.

    Table 1 Audit log retention policy

    Parameter

    Description

    Audit Log Retention Policy

    Specifies the audit log retention policy. Possible values are:

    • Space priority: Audit logs will be automatically deleted if the size of audit logs on a single node exceeds 1 GB.
    • Time priority: Audit logs will be retained within the minimum retention period. After this period expires, audit logs will be automatically deleted if the size of audit logs on a single node exceeds 1 GB.

    Space priority is preferred.

    NOTE:

    Clusters 1.0.0 and 1.1.0 do not support the audit log retention policy.

    Minimum Retention Period (Day)

    This parameter is valid when Audit Log Retention Policy is set to Time priority.

    The value ranges from 0 to 730 days. The default value is 90 days.

  5. Enable the audit function for the following operations if necessary.

    indicates that the audit function is enabled. indicates that the audit function is disabled.

    Figure 2 Audit items

    Table 2 describes the detailed information about the audit items.

    Table 2 Audit items

    Parameter

    Description

    Audit Unauthorized Access

    Specifies whether to record unauthorized operations. This parameter is disabled by default.

    Audit DML Execution

    Specifies whether to record INSERT, UPDATE, and DELETE operations on tables. This parameter is disabled by default.

    Audit SELECT Execution

    Specifies whether to record the SELECT operation. This parameter is disabled by default.

    Audit Stored Procedure Execution

    Specifies whether to record operations when executing the stored procedure or user-defined functions. This parameter is disabled by default.

    Audit COPY Execution

    Specifies whether to record the COPY operation. This parameter is disabled by default.

    Audit DDL Objects

    Specifies whether to record the CREATE, DROP, and ALTER operations of specified database objects. Database, Schema, and User are selected by default. Other objects are not selected by default.

    Except audit items listed in Table 2, key audit items in Table 3 are enabled by default in DWS.

    Table 3 Key audit items

    Parameter

    Description

    Key audit items

    Records successful and failed login and deregistration information.

    Records database startup, stop, recovery, and failover audit information.

    Records a user's lock and unlock information.

    Records the grants and reclaims of a user's permission.

    Records the audit function of the SET operation.

  6. Click Apply.

    On the Security Settings page, click . If Configuration Status is Applying, the system is saving the settings.

    Wait for a moment and then refresh Configuration Status. When Configuration Status is Synchronized, the configuration is saved and takes effect.