This topic describes the scenarios and benefits of the Log Audit Service application in Log Service. This topic also describes the Alibaba Cloud services that are supported by the Log Audit Service application.
- Log audit is required by laws.
Log audit is a necessity for enterprises around the world to better comply with applicable rules and regulations. For example, the Cybersecurity Law of the People's Republic of China came into effect in mainland China in 2017. In addition, the Baseline for Classified Protection of Cybersecurity 2.0 came into effect in December 2019.
- Log audit is the foundation for data security compliance of enterprises.
A large number of enterprises have their own regulatory and compliance teams that audit device operations, network behavior, and logs. You can use the Log Audit Service application to consume raw logs, audit them, and generate compliance audit reports. If you have an SOC, you can consume logs from the Log Audit Service application or use Security Center to consume logs.
- Log audit is crucial for data security and protection.
According to the M-Trends 2018 report published by FireEye, most enterprises, especially those in Asia Pacific, are vulnerable to cybersecurity attacks. The global median dwell time was 101 days in 2017. In Asia Pacific, the median dwell time was 498 days. To shorten these time periods, enterprises need reliable log data, durable storage, and audit services.
- Log Service
Log Service is a real-time logging service that allows you to collect, cleanse, and analyze log data. You can visualize log data on charts and dashboards. You can also configure alerts for logs. Log Service is applicable to DevOps, operations, security, and audit scenarios.
- Typical log audit scenarios
Requirements for log audit can be classified into the following four levels:
- Basic requirements: Most small and medium-sized enterprises need automatic log collection and storage. These enterprises must meet the minimum requirements that are specified in the Baseline for Classified Protection of Cybersecurity 2.0.
- Intermediate requirements: Multinational enterprises, large enterprises, and some medium-sized enterprises have multiple departments that use different Alibaba Cloud accounts and are billed separately. Therefore, these enterprises need an automatic process that collects logs from all of the accounts, sends the logs to the same storage resource, and then audits them. In addition to the basic requirements, these enterprises also need to collect logs and manage accounts in a centralized manner. Most of them have an audit system and want to connect it to the Log Audit Service application in real time.
- Advanced requirements: Large enterprises that have dedicated audit compliance teams need to monitor logs, analyze logs, and configure alerts for logs. Some enterprises collect data into their own audit systems for further processing. Other enterprises, especially those that want to build an audit system on the cloud, can use the query, analysis, alert, chart, and dashboard features provided by Log Service to audit logs.
- Top requirements: Most large enterprises that have professional audit compliance teams have SOCs or audit systems. These enterprises need to integrate their systems with the Log Audit Service application and manage data in a centralized manner.
The Log Audit Service application of Log Service satisfies all four levels of requirements.
- Centralized log collection
- Log collection across accounts: You can collect logs from multiple Alibaba Cloud accounts to a project of one Alibaba Cloud account.
- Ease of use: You can use the Log Audit Service application to collect logs in real time from Alibaba Cloud services that belong to different accounts. You only need to turn on the relevant switches on the Audit-Related Logs tab. Logs are automatically collected in real time when new resources such as RDS instances, SLB instances, or OSS buckets are detected.
- Centralized storage: Logs are collected and stored in the central project that resides in one region. This improves efficiency when you query, analyze, and visualize the collected logs. You can also configure alerts for the logs and build custom processing on top of them.
- Multiple Log Service features
- The Log Audit Service application supports all features of Log Service. You can query, analyze, transform, and export logs. You can visualize log data on dashboards and configure alerts for logs. You can also audit logs in a centralized manner.
- You can integrate the Log Audit Service application with Alibaba Cloud services, open source software, and third-party SOC software to derive more value from the log data.
Supported Alibaba Cloud services
|Alibaba Cloud service|Audit-related log|Region|Prerequisites|Assets|
|---|---|---|---|---|
|ActionTrail|RAM logon logs, operations logs of Alibaba Cloud resources, and logs generated by using OpenAPI Explorer|All available regions|None||
|SLB|Layer-7 access logs of HTTP or HTTPS listeners|All available regions|None||
|API Gateway|Access logs|All available regions|None||
|WAF|Access logs and attack logs|All available regions|||
|Security Center|Seven types of host logs, four types of network logs, and three types of security logs|All available regions|||
|Cloud Firewall|Internet access logs||None||
|Bastionhost|Operations logs|All available regions|Version 3.2 or later||
|OSS|Resource operations logs, data operations logs, data access logs, metering logs, deletion logs of expired files, and CDN back-to-origin traffic logs|All available regions|None||
|ApsaraDB RDS|Audit logs of ApsaraDB RDS for MySQL, SQL Server, and PostgreSQL databases||||
|PolarDB-X|Audit logs|China (Qingdao), China (Shenzhen), China (Shanghai), China (Beijing), China (Hangzhou), China (Zhangjiakou), China (Chengdu), and China (Hong Kong)|None||
|PolarDB for MySQL|PolarDB audit logs|China (Qingdao), China (Beijing), China (Hangzhou), China (Shanghai), China (Shenzhen), and China (Hong Kong)|SQL Explorer of related databases is automatically enabled.||
|NAS|Access logs|All available regions|None||
|Alibaba Cloud Mobile Push|Callback events|Mainland China|None||
||Kubernetes logs|China (Shanghai), China (Beijing), China (Hangzhou), China (Shenzhen), China (Hohhot), China (Zhangjiakou), China (Chengdu), and China (Hong Kong)|You must manually enable the log collection feature for Kubernetes logs.||