This topic describes the scenarios, benefits, supported cloud services, and limits of the Log Audit Service application in the Log Service console.
- Log audit is a strict legal requirement.
Log audit is becoming a necessity for enterprises around the world that must comply with the applicable rules and regulations. For example, the Cybersecurity Law of the People's Republic of China came into effect in mainland China in 2017, and the Baseline for Classified Protection of Cybersecurity 2.0 is scheduled to come into effect in December 2020.
- Log audit is the foundation for data security compliance of enterprises.
Many enterprises have mature workflows and regulations for data security, which require regular auditing of device operations, logs, and network behavior. You can use the Log Audit Service application in such scenarios to consume raw logs, audit logs, and generate compliance audit reports. If you have an SOC, you can consume logs in the Log Audit Service application or use Security Center to consume logs.
- Log audit is crucial for data security and protection.
According to the M-Trends 2018 report published by FireEye, most enterprises, especially those in Asia Pacific, are vulnerable to cybersecurity attacks. The global median dwell time was 101 days in 2017; in Asia Pacific, the median dwell time was 498 days. Furthermore, the global median time to detection was 57.5 days in 2017. To shorten these periods, enterprises require reliable log data, durable storage, and audit services.
- Log Service
Log Service is a real-time logging service that provides data collection, cleansing, visualized search and analysis, and alert features. Log Service is applicable to DevOps, operation, security, and audit scenarios.
- Typical log audit scenarios
The requirements for log audit can be divided into the following four levels:
- Basic requirements: Most small- and medium-sized enterprises require automatic log collection and storage. They must satisfy the minimum requirements specified in the Baseline for Classified Protection of Cybersecurity 2.0.
- Intermediate requirements: Multinational enterprises, large enterprises, and some medium-sized enterprises have multiple departments that use different Alibaba Cloud accounts and are billed separately. These enterprises need to automatically collect the logs of all accounts, send them to a centralized location, and then audit them. In addition to the basic requirements, they want to collect logs and manage accounts in a centralized manner. Typically, these enterprises already have log audit systems, which they can connect to the Log Audit Service application in real time to meet these requirements.
- Advanced requirements: Large enterprises that have dedicated audit compliance teams want to monitor, analyze, and configure alerts for logs. Some enterprises collect data to their audit systems for future operations. Other enterprises, especially those planning to build an audit system on the cloud, can use the search and analysis, alert, chart, and dashboard features provided by Log Service to audit log data.
- Top requirements: Most large enterprises that have professional audit compliance teams have security centers or audit systems. These enterprises need to integrate their systems with the Log Audit Service application and manage data in a centralized way.
The Log Audit Service application of Log Service can satisfy the preceding four levels of requirements.
- Centralized collection
- Log collection from multiple accounts: You can collect log data from multiple Alibaba Cloud accounts to the project of a single Alibaba Cloud account.
- Ease of use: You can use the Log Audit Service application to collect real-time logs from Alibaba Cloud services that belong to different accounts. You only need to create a configuration file and logs are automatically collected in real time when new resources (such as RDS instances, SLB instances, or OSS buckets) are detected.
- Centralized storage: Logs are collected and stored in a single project. This improves the efficiency when you perform operations such as data search and analysis, data visualization, alert configurations, and secondary development.
- Support for multiple Log Service features
- The Log Audit Service application supports all existing features of Log Service such as data search, analysis, and transformation, dashboards, alerts, and log exports. You can also audit logs that are collected from multiple accounts in a centralized manner.
- You can integrate the Log Audit Service application with Alibaba Cloud services, open-source software, and third-party SOC software to improve business growth.
Supported cloud services
| Alibaba Cloud service | Logs to be audited | Regions | Prerequisites | Logstore name | Dashboard name |
|---|---|---|---|---|---|
| ActionTrail | RAM logon logs, operations logs of Alibaba Cloud resources, and logs generated by using the API | All available regions | None | actiontrail_log | |
| Server Load Balancer | Layer 7 logs of HTTP or HTTPS listeners | All available regions | None | slb_log | |
| API Gateway | Access logs | All available regions | None | apigateway_log | API Gateway Audit Center |
| Web Application Firewall (WAF) | Access logs and attack logs | All available regions | | | |
| Security Center | 14 types of logs, which consist of 7 types of host logs, 4 types of network logs, and 3 types of security logs | All available regions | | | |
| Cloud Firewall | Network access logs | All available regions | | cloudfirewall_log | Cloud Firewall Audit Center |
| Bastionhost | Operations logs of O&M personnel | China (Hangzhou), China (Shanghai), China (Heyuan), and China (Chengdu) | Version 3.2 or later | baston_log | None |
| OSS | Resources or data operations logs, data access logs, metering logs, deletion logs of expired files, and CDN back-to-origin traffic logs | All available regions | None | oss_log | |
| RDS | Audit logs of ApsaraDB RDS for MySQL, ApsaraDB RDS for SQL Server, and ApsaraDB RDS for PostgreSQL databases | | | | |
| Distributed Relational Database Service (DRDS) | Audit logs | China (Qingdao), China (Shenzhen), China (Shanghai), China (Beijing), China (Hangzhou), China (Zhangjiakou), and China (Hong Kong) | Shared instances are not supported | drds_log | |
| Apsara File Storage NAS | Access logs | All available regions | None | nas_log | |
| Alibaba Cloud Mobile Push | Callback events | Mainland China | None | cps_log | |
- Storage methods and regions
- Centralized project storage
Log data collected from multiple Alibaba Cloud accounts across multiple regions is stored in a project that belongs to an Alibaba Cloud account. The project can reside in the following regions:
- China (Beijing), China (Hohhot), China (Hangzhou), China (Shanghai), and China (Shenzhen)
- Regional project storage
This feature is applicable only to SLB, OSS, and DRDS. The Log Audit Service application allows you to store access logs across multiple projects of an Alibaba Cloud account. These projects can reside in the same regions as the services from which logs are collected. For example, you can store the access logs of an OSS bucket that resides in the China (Hangzhou) region to a project that resides in the same region.
- Synchronize log data to one Logstore
You can synchronize the Logstores of regional projects to a central Logstore. This improves the efficiency when you perform operations such as data search and analysis, data visualization, alert configurations, and secondary development.
The synchronization mechanism relies on the data transformation feature of Log Service. All available regions support log data synchronization except for the China (Qingdao) and China (Heyuan) regions.
- Resource limits
- The name of the project that is used for centralized storage is in the format of slsaudit-center-<Alibaba Cloud account ID>-<Region>, for example, slsaudit-center-1234567890-cn-beijing. You cannot delete a project that is used for centralized storage by using the Log Service console. However, you can delete the project by using the command line tool or by using the API.
- The names of the projects that store the access logs of SLB instances, OSS buckets, and DRDS instances are in the format of slsaudit-region-<Alibaba Cloud account ID>-<Region>, for example, slsaudit-region-1234567890-cn-beijing. You cannot delete these projects in the console. You can delete them only by using the command line tool or by using the API.
- After you create Logtail configurations for log data collection from cloud services, the Log Audit Service application creates one or more dedicated Logstores for data storage. You can manage the Logstores as normal Logstores. However, the dedicated Logstores have the following limits:
- You cannot perform write operations on dedicated Logstores. This prevents data tampering.
- You can modify the retention period of log data and delete the dedicated Logstores only on the Audit Configurations page of the Log Audit Service application or by using the API.
- If you turn on the Synchronization to Central Project switch for services that support regional project storage, a data transformation task is generated in the projects. These tasks synchronize the logs of the services for which they are activated to the corresponding project.
- The task name is Internal Job: SLS Audit Service, Data Sync for OSS Access, or Internal Job: SLS Audit Service Data Sync for SLB.
- You can disable the task only on the Audit Configurations page of the Log Audit Service application or by using the API.
- If you turn on the Synchronization to Central Project switch for SLB, OSS, or DRDS, the dedicated Logstores that are used for log data storage become dedicated to data synchronization. You cannot perform operations on the Logstores. If you want to search and analyze log data, you can perform the operations on the Logstore that is used for centralized storage.
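The naming conventions and region constraints above are easy to check against a project inventory. The following Python script is an added example, not code from the Log Service documentation or SDK: it parses project names that follow the slsaudit-center-<account ID>-<region> and slsaudit-region-<account ID>-<region> formats, verifies that each central project resides in one of the regions listed under Centralized project storage, and flags audit projects whose embedded account ID differs from the account the inventory was listed for. The list of project names is constructed inline; the region IDs (cn-huhehaote for Hohhot, and so on) are my assumed mapping of the display names in the text, and the account-ID check assumes that projects listed for one account should embed that account's ID.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Regions the text lists as valid locations for the central project.
# Region IDs are an assumed mapping of the display names China (Beijing),
# China (Hohhot), China (Hangzhou), China (Shanghai) and China (Shenzhen).
CENTRAL_PROJECT_REGIONS = {
    "cn-beijing", "cn-huhehaote", "cn-hangzhou", "cn-shanghai", "cn-shenzhen",
}

# Name formats from the text: slsaudit-center-<account ID>-<region> and
# slsaudit-region-<account ID>-<region>.
AUDIT_PROJECT_RE = re.compile(
    r"^slsaudit-(?P<kind>center|region)-(?P<account>\d+)-(?P<region>[a-z]+(?:-[a-z0-9]+)+)$"
)


@dataclass(frozen=True)
class AuditProject:
    name: str
    kind: str        # "center" (centralized storage) or "region" (regional storage)
    account_id: str
    region: str


@dataclass(frozen=True)
class Finding:
    project: str
    issue: str


def parse_audit_project(name: str) -> Optional[AuditProject]:
    """Return the parsed project if the name follows the Log Audit convention, else None."""
    m = AUDIT_PROJECT_RE.match(name)
    if m is None:
        return None
    return AuditProject(name, m["kind"], m["account"], m["region"])


def check_projects(names: List[str], expected_account_id: str) -> List[Finding]:
    """Check an account's project list against the documented Log Audit constraints.

    Ordinary projects (outside the naming convention) are ignored. Findings are
    returned in input order; an empty list means everything looked consistent.
    """
    findings: List[Finding] = []
    central_seen = 0
    for name in names:
        p = parse_audit_project(name)
        if p is None:
            continue
        if p.account_id != expected_account_id:
            findings.append(Finding(
                name, f"name embeds account {p.account_id}, but the inventory was listed for {expected_account_id}"))
        if p.kind == "center":
            central_seen += 1
            if p.region not in CENTRAL_PROJECT_REGIONS:
                findings.append(Finding(name, f"central project in unsupported region {p.region}"))
    if central_seen == 0:
        findings.append(Finding("<none>", "no central project found; centralized collection is not configured"))
    return findings


# Constructed sample inventory (not real project names from any account).
SAMPLE_PROJECT_NAMES = [
    "slsaudit-center-1234567890-cn-beijing",    # valid central project
    "slsaudit-region-1234567890-cn-hangzhou",   # valid regional project
    "slsaudit-center-1234567890-cn-qingdao",    # central project outside the supported regions
    "slsaudit-region-9876543210-cn-shanghai",   # embeds a different account ID
    "my-app-logs",                              # ordinary project, ignored
]

if __name__ == "__main__":
    for f in check_projects(SAMPLE_PROJECT_NAMES, "1234567890"):
        print(f"{f.project}: {f.issue}")
```

Feed the function the names returned by a ListProject call for the audit account; because the dedicated Logstores cannot be written to and the audit projects cannot be deleted from the console, a mismatch reported here points at a configuration problem rather than tampering with the logs themselves.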
- Log Service
You must activate Log Service and the Log Audit Service application for the Alibaba Cloud account that is used for centralized storage of the log data collected from other Alibaba Cloud accounts. Except for accounts that use cloud services with modules on which the Log Audit Service application depends, you do not need to activate Log Service on the other Alibaba Cloud accounts, and you are not billed for Log Service on those accounts. The Log Audit Service application is provided free of charge. However, you are charged for data storage and read/write traffic on a pay-as-you-go basis.
You can use free resource quotas and resource plans to offset fees.
- Alibaba Cloud services
After you activate the Log Audit Service application and activate the corresponding log collection or analysis feature for the relevant Alibaba Cloud services, additional fees may be incurred for the Alibaba Cloud services. The following table describes the additional fees for Alibaba Cloud services.
| Alibaba Cloud service | Additional fee |
|---|---|
| WAF | For information about the additional fees that may be incurred after you activate the Access Log Service feature in the WAF console, see Billing method. |
| Security Center | For information about the additional fees that may be incurred after you activate the Log Analysis feature in the Security Center console, see Billing methods. |
| Cloud Firewall | For information about the additional fees incurred after you activate the Log Analysis feature in the Cloud Firewall console, see Log analysis billing method. |
| ApsaraDB for RDS | After you configure log audit for ApsaraDB for RDS, SQL Explorer is automatically enabled for the ApsaraDB for RDS instances that satisfy the requirements. For more information about pricing, see Pricing, billing items, and billing methods. |