Event alarms related to the database audit function have been integrated into TCOP and EB. If you have configured Risk Level and select Send alarm notification in your rule template, audit logs matching the rule template will trigger an alarm notification to the bound users. On the Tencent Cloud Observability Platform (TCOP), users can also view the alarm history, manage alarm policies (alarm switch), and shield alarms. Configuring event alarms for database audit can assist users in promptly receiving risk warnings and swiftly pinpointing problematic audit logs.
This document describes how to configure event alarms for instances that have database audit enabled from TCOP and EB.
Prerequisites
Configuring Event Alarms through TCOP
Creating an Alarm Policy
1. Log in to the TCOP console and select Alarm Configuration > Alarm Policy > Policy Management on the left sidebar.
2. On the policy management page, click Create Policy.
3. On the policy creation page, finalize the setup for basic information, alarm rules, and alarm notifications.
Policy Type: Select CDB > MySQL > MASTER.
Alarm Object: The object instance to be associated can be found by selecting the region where the object is located or searching for the instance ID of the object.
Trigger Condition: Locate "Event Alarm", click Add Event, and add the alarm events AuditLowRisk, AuditMediumRisk, or AuditHighRisk according to the risk levels for which you need alarms.
Configure Alarm Notification: You can select a preset or custom notification template. Each alarm policy can be bound to at most three notification templates. For more information, see Creating Notification Template.
4. With everything correctly set, click Complete.
Associating Alarm Objects
After creating an alarm policy, you can associate it with other alarm objects (instances that match the policy). When an instance's audit logs match the rule content of a rule template that has a risk level configured and Send alarm notification selected, those audit logs trigger an alarm notification.
1. On the alarm policy list, click the Policy Name to enter the alarm policy management page.
2. On the alarm policy management page, click Add Object in the Alarm Object column.
3. In the pop-up dialog box, select the alarm objects to associate, and click OK.
Viewing Alarm Records, Managing Alarm Policies (Alarm On-Off), and Silencing Alarms
You can view event alarm histories, manage alarm policies, and silence alarms through TCOP. For relevant operations, see the following guidelines:
Configuring Event Alarms through EB
Step 1: Activating the EB Service
Tencent Cloud EB uses Cloud Access Management (CAM) for permission management. CAM is a Tencent Cloud service that helps users securely manage access permissions for the resources in their Tencent Cloud accounts. With CAM, users can create, manage, and delete users and user groups, and use identity and policy management to control other users' access to Tencent Cloud resources.
To use EB (EventBridge), you must first activate the service on the product page. For information on how to activate the service for your root account and grant access to sub-accounts, see Activating EB.
After activating the EB service, you need to select the types of event sources to connect to EB. Currently, you can select monitoring events generated by TencentDB for MySQL database audit as the event source to connect to EB.
Note:
All operational events generated by TencentDB for MySQL, such as alarm and audit events, are delivered to the Tencent Cloud service event bus by default. This behavior cannot be changed.
When the Tencent Cloud EB service is activated, a default Tencent Cloud service event bus is automatically created in the Guangzhou region. Alarm events (monitoring and audit events) generated by TencentDB for MySQL are then automatically delivered to it.
2. Select the Guangzhou region at the top.
3. Click on the default event bus under Tencent Cloud service event bus.
4. On the default event bus details page, click Manage Event Rules.
5. On the redirected page, click Create.
6. After you finish the following configurations on the Create Event Rule page, click Next.
| Configuration item | Description |
| --- | --- |
| Rule name | Enter the rule name. It must contain 2-60 characters consisting of letters, digits, underscores, and hyphens, start with a letter, and end with a letter or a digit. |
| Rule description | Enter a rule description of at most 200 characters using digits, English and Chinese characters, and common punctuation. |
| Tag | Decide whether to enable Tag. Once it is enabled, you can add tags to this event rule. |
| Data conversion | Event data conversion makes it easier to process event content. For example, you can extract, parse, and remap fields in events before they are delivered to the event target. |
| Event sample | A sample event structure is provided as a reference for setting up the event matching rule. Locate the target template under the event samples and use it as a reference. |
| Rule pattern | Both form template and custom event are supported; form template is recommended. |
| Tencent Cloud service | Select TencentDB for MySQL. |
| Event Type | Select the event types related to database audit alarms that you need (AuditLowRisk, AuditMediumRisk, AuditHighRisk). |
| Test match rule | Select the event type template chosen in the event sample, and then click Test match rule. If the test passes, proceed to the next step. |
Note:
To receive event alarms from specified instances, the rule configuration is as follows:
{
"source":"cdb.cloud.tencent",
"subject":"ins-xxxxxx"
}
This means that only events originating from TencentDB for MySQL with the instance ID ins-xxxxxx pass rule matching and are delivered. All other events are discarded and never reach the user.
An array can also be used to match multiple resources:
{
"source":"cdb.cloud.tencent",
"subject":["ins-xxxxxx","ins-xxxxxx"]
}
7. On the event target tab, complete the following configurations, select Enable event rules now, and click Complete.
| Configuration item | Description |
| --- | --- |
| Trigger method | Select message notification. |
| Message template | Select either a monitoring alarm template or a general notification template. |
| Alarm content | Select either Chinese or English. |
| Notification method | Select API callback, publishing channel, or both. The following settings use publishing channel as an example. |
| Recipients | Select a recipient user or user group. |
| Notification period | Customize the notification period. |
| Receive method | Select the receive channel. An SMS message is limited to 500 characters, and a phone message is limited to 350 characters. Events with excessively long descriptions (for example, because of overly long instance names) will not be pushed. You are advised to configure multiple channels at the same time. |
Note:
If you need to configure multiple event targets, click Add.
8. After the event rule is created, you can locate and manage it in the event rule list.
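The following added example (not part of this page or of Tencent Cloud EB's own code) illustrates the matching semantics described in the note under step 6: a scalar pattern value must equal the event field, an array matches any listed value, and events that fail either "source" or "subject" are dropped. The sample events and their "risk" field are constructed for this illustration; only "source" and "subject" are taken from the page's rule pattern.

```python
import json

# Rule patterns from the page, with constructed placeholder instance IDs.
SINGLE_INSTANCE_RULE = json.loads(
    '{"source":"cdb.cloud.tencent","subject":"ins-aaaaaa01"}'
)
MULTI_INSTANCE_RULE = json.loads(
    '{"source":"cdb.cloud.tencent","subject":["ins-aaaaaa01","ins-bbbbbb02"]}'
)

def field_matches(pattern_value, event_value):
    """Array mode: the event field must be one of the listed values.
    Scalar mode: the event field must equal the pattern value exactly."""
    if isinstance(pattern_value, list):
        return event_value in pattern_value
    return event_value == pattern_value

def rule_matches(rule, event):
    """Every key in the rule must be present in the event and match.
    Keys that the rule does not mention are not constrained."""
    return all(
        key in event and field_matches(value, event[key])
        for key, value in rule.items()
    )

def filter_events(rule, events):
    """Return only the events that pass rule matching; the rest are discarded."""
    return [event for event in events if rule_matches(rule, event)]

# Constructed sample events (not real EB payloads). The "risk" field is an
# assumed name used only to label each event's audit risk level here.
SAMPLE_EVENTS = [
    {"source": "cdb.cloud.tencent", "subject": "ins-aaaaaa01", "risk": "AuditHighRisk"},
    {"source": "cdb.cloud.tencent", "subject": "ins-bbbbbb02", "risk": "AuditMediumRisk"},
    {"source": "cdb.cloud.tencent", "subject": "ins-cccccc03", "risk": "AuditHighRisk"},
    # Same instance ID but a different source: must not match.
    {"source": "other.cloud.tencent", "subject": "ins-aaaaaa01", "risk": "AuditLowRisk"},
]

if __name__ == "__main__":
    for name, rule in (("single", SINGLE_INSTANCE_RULE), ("array", MULTI_INSTANCE_RULE)):
        delivered = filter_events(rule, SAMPLE_EVENTS)
        print(name, [e["subject"] for e in delivered])
```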