All Products
Search
Document Center

Simple Log Service:Overview of Log Audit Service

Last Updated:Jan 23, 2024

This topic describes the features, background information, scenarios, and benefits of Log Audit Service. This topic also describes the Alibaba Cloud services that are supported by Log Audit Service.

Features

Log Audit Service supports all features of Simple Log Service. Log Audit Service also supports automated and centralized log collection from cloud services across Alibaba Cloud accounts in real time. This allows you to audit the collected logs. Log Audit Service also stores data that is required for auditing and allows you to query and aggregate the data. You can use Log Audit Service to audit the logs that are collected from the following Alibaba Cloud services: ActionTrail, Container Service for Kubernetes (ACK), Object Storage Service (OSS), Apsara File Storage NAS (NAS), Server Load Balancer (SLB), Application Load Balancer (ALB), API Gateway, Virtual Private Cloud (VPC), ApsaraDB RDS, PolarDB-X 1.0, PolarDB, Web Application Firewall (WAF), Anti-DDoS, Cloud Firewall, and Security Center. You can also use Log Audit Service to audit the logs that are collected from third-party cloud services and self-managed security operations centers (SOCs).

image

Background information

  • Log audit is required by law.

    Log audit is required by enterprises worldwide to meet regulatory requirements. The Cybersecurity Law of the People's Republic of China came into effect in the Chinese mainland in 2017. The Multi-Level Protection Scheme (MLPS) 2.0 came into effect in December 2019.日志审计-001

  • Log audit is the foundation for the data security compliance of enterprises.

    A large number of enterprises have compliance and audit teams that are capable of auditing device operations, network behavior, and logs. You can use Log Audit Service to consume raw logs, audit logs, and generate compliance audit reports. You can use your self-managed SOC or Alibaba Cloud Security Center to consume logs in Log Audit Service.

    image
  • Log audit is crucial for data security and protection.

    The M-Trends 2018 report published by FireEye stated that most enterprises, especially enterprises in Asia Pacific, are vulnerable to cybersecurity attacks. The global median dwell time is 101 days. In Asia Pacific, the median dwell time is 498 days. The dwell time indicates the period from the time when an attack occurs to the time when the attack is detected. To shorten the dwell time, enterprises need reliable log data, durable storage, and audit services.

Scenarios

  • Simple Log Service-based audit

    Simple Log Service allows you to collect, cleanse, analyze, and visualize logs from end to end. You can also configure alerts for logs. You can use Simple Log Service in DevOps, operations, security, and audit scenarios.

    image
  • Typical log audit

    The following requirements for log audit are classified into four levels.日志审计-004

    • Basic requirements: Most small and medium-sized enterprises require automatic log collection and storage. The enterprises need to meet the basic requirements that are specified in MLPS 2.0 and implement automatic maintenance.

    • Intermediate requirements: Multinational enterprises, large enterprises, and specific medium-sized enterprises have multiple departments that use different Alibaba Cloud accounts and pay separate bills. However, logs required for audit must be automatically collected in a centralized manner. In addition to basic requirements, these enterprises need to collect logs and manage accounts in a centralized manner. In most cases, these enterprises have audit systems and need to synchronize their audit systems with Log Audit Service in real time.

    • Advanced requirements: Large enterprises that have dedicated compliance and audit teams need to monitor logs, analyze logs, and configure alerts for logs. Specific enterprises collect logs and send the logs to their audit systems for further processing. Enterprises that want to build an audit system on the cloud can use the audit-related features provided by Simple Log Service. The features include query, analysis, alerting, and visualization.

    • Top requirements: Most large enterprises that have professional compliance and audit teams have self-managed SOCs or audit systems. The enterprises need to synchronize their SOCs or audit systems with Log Audit Service and manage data in a centralized manner.

    Log Audit Service of Simple Log Service meets all four levels of requirements.

Benefits

  • Centralized log collection

    • Log collection across accounts: You can collect logs from multiple Alibaba Cloud accounts to a project within one Alibaba Cloud account. You can configure multi-account collection in custom authentication mode or resource directory mode. The resource directory mode is recommended. For more information, see Configure multi-account collection.

    • Ease of use: You need to only configure collection policies once. Then, Log Audit Service collects logs in real time from Alibaba Cloud resources that belong to different accounts when new resources are detected. The new resources include newly created ApsaraDB RDS instances, SLB instances, and OSS buckets.

    • Centralized storage: Logs are collected and stored in the central project of a region. This way, you can query, analyze, and visualize the collected logs in a more efficient manner. You can also configure alerts for the logs and perform secondary development.

  • Comprehensive audit

    • Log Audit Service supports all features of Simple Log Service. For example, you can query, analyze, transform, visualize, and export logs, and configure alerts for logs. Log Audit Service also allows you to audit logs in a centralized manner.

    • You can use Log Audit Service together with Alibaba Cloud services, open source software, and third-party SOCs to create more value from data.

Supported Alibaba Cloud services

You can use Log Audit Service to audit the logs that are collected from the following Alibaba Cloud services: ActionTrail, ACK, OSS, NAS, SLB, ALB, API Gateway, VPC, ApsaraDB RDS, PolarDB-X 1.0, PolarDB, WAF, Cloud Firewall, Security Center, and Anti-DDoS. Logs that are collected from an Alibaba Cloud service are automatically stored in Logstores and Metricstores. Dashboards are automatically generated for the Logstores and Metricstores. The following table describes the details.

Alibaba Cloud service

Audited log

Supported region for the service

Prerequisites

Simple Log Service resource

ActionTrail

  • RAM logon logs

  • Resource operation logs of Alibaba Cloud services

  • Logs of operations in OpenAPI Explorer

China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Hong Kong), Singapore (Singapore), Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), Japan (Tokyo), US (Silicon Valley), US (Virginia), Germany (Frankfurt), UK (London), India (Mumbai), and UAE (Dubai)

None

  • Logstore

    actiontrail_log

  • Dashboard

    • ActionTrail Audit Center

    • ActionTrail Core Configuration Center

    • ActionTrail Login Center

Cloud Config

  • Configuration change logs

  • Resource non-compliance events

All regions supported by Cloud Config

If you want to collect, store, or query logs of Cloud Config in Log Audit Service, you must authorize Simple Log Service to extract the logs that are recorded in Cloud Config. After you complete the authorization, the logs of Cloud Config are automatically pushed to Simple Log Service.

  • Logstore

    cloudconfig_log

  • Dashboard

    None

Server Load Balancer (SLB)

Layer 7 network logs of HTTP or HTTPS listeners

China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Singapore (Singapore), Japan (Tokyo), Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), India (Mumbai), UK (London), UAE (Dubai), Australia (Sydney), US (Silicon Valley), US (Virginia), and Germany (Frankfurt)

None

  • Logstore

    slb_log

  • Dashboard

    • SLB Audit Center

    • SLB Access Center

    • SLB Overall Data View

Application Load Balancer (ALB)

Layer 7 network logs of HTTP or HTTPS listeners

China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Ulanqab), China (Shenzhen), China (Guangzhou), China (Chengdu), China (Hong Kong), Japan (Tokyo), Singapore (Singapore), Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), Germany (Frankfurt), US (Silicon Valley), US (Virginia), and India (Mumbai)

None

  • Logstore

    alb_log

  • Dashboard

    • ALB Operation Center

    • ALB Access Center

API Gateway

Access logs

All supported regions

None

  • Logstore

    apigateway_log

  • Dashboard

    API Gateway Audit Center

VPC

Flow logs

China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Singapore (Singapore), Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), Japan (Tokyo), US (Silicon Valley), US (Virginia), UAE (Dubai), Germany (Frankfurt), India (Mumbai), and UK (London)

  • After the flow log feature is enabled for a VPC or a vSwitch, the feature cannot capture information about ECS instances that belong to the following instance families in the VPC or vSwitch. The feature can capture information about ECS instances that meet the requirements.

  • The feature cannot be enabled for elastic network interfaces (ENIs) that are bound to ECS instances if the ECS instances belong to the following instance families.

ecs.c1, ecs.c2, ecs.c4, ecs.ce4, ecs.cm4, ecs.d1, ecs.e3, ecs.e4, ecs.ga1, ecs.gn4, ecs.gn5, ecs.i1, ecs.m1, ecs.m2, ecs.mn4, ecs.n1, ecs.n2, ecs.n4, ecs.s1, ecs.s2, ecs.s3, ecs.se1, ecs.sn1, ecs.sn2, ecs.t1, and ecs.xn4

  • Logstore

    vpc_log

  • Dashboard

    • VPC Flow Log Overview

    • VPC Flow Log Rejection Center

    • VPC Flow Log Traffic Center

DNS

Intranet DNS logs

China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Shenzhen), China (Guangzhou), and Singapore

Go to the Alibaba Cloud DNS console of the new version and activate Alibaba Cloud DNS PrivateZone.

  • Logstore

    dns_log

  • Dashboard

    None

Web Application Firewall (WAF)

  • Access logs

  • Attack logs

All supported regions

  • Your WAF instance must be of the Business or Enterprise edition.

  • The Simple Log Service for WAF feature must be enabled in the WAF console. For more information, see Enable the log analysis feature.

  • Logstore

    waf_log

  • Dashboard

    • WAF Audit Center

    • WAF Security Center

    • WAF Access Center

Security Center

  • Host logs (eight types)

  • Four types of network logs

  • Three types of security logs

China (Hangzhou) and Singapore (Singapore)

  • Your Security Center must be of the Enterprise edition.

  • The log analysis feature must be enabled in the Security Center console. For more information, see Enable the log analysis feature.

  • Logstore

    sas_log

  • Dashboard

    • SAS Alarm Center

    • SAS Connection Center

    • SAS DNS Access Center

    • SAS Baseline Center

    • SAS Login Center

    • SAS Process Center

    • SAS Network Session Center

    • SAS Vulnerability Center

    • SAS Web Access Center

Cloud Firewall (CFW)

Traffic logs of the Internet firewall and VPC firewalls

N/A

  • Your Cloud Firewall must be of the Premium Edition or higher.

  • The log analysis feature must be enabled in the Cloud Firewall console. For more information, see Enable the log analysis feature.

  • Logstore

    cloudfirewall_log

  • Dashboard

    Cloud Firewall Audit Center

Bastionhost

Operation logs

All supported regions

Your Bastionhost must be of V3.2 or later.

  • Logstore

    bastion_log

  • Dashboard

    None

OSS

  • Resource operation logs

  • Data operation logs

  • Data access logs and metering logs

  • Deletion logs of expired files

  • CDN back-to-origin traffic logs

China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Singapore (Singapore), Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Japan (Tokyo), South Korea (Seoul), Thailand (Bangkok), India (Mumbai), Germany (Frankfurt), UAE (Dubai), UK (London), US (Virginia), and US (Silicon Valley)

None

  • Logstore

    oss_log

  • Dashboard

    • OSS Audit Center

    • OSS Access Center

    • OSS Operation Center

    • OSS Performance Center

    • OSS Overall Data View

ApsaraDB RDS instances

  • Audit logs of ApsaraDB RDS for MySQL instances

  • Slow query logs of ApsaraDB RDS for MySQL instances

  • Performance logs of ApsaraDB RDS for MySQL instances

  • Error logs of ApsaraDB RDS for MySQL instances

  • Audit logs of ApsaraDB RDS for PostgreSQL instances

  • Slow query logs of ApsaraDB RDS for PostgreSQL instances

  • Error logs of ApsaraDB RDS for PostgreSQL instances

  • Audit logs of ApsaraDB RDS for MySQL instances: all supported regions except China (Nanjing - Local Region), China (Fuzhou-Local Region), China (Heyuan), and Philippines (Manila)

  • Slow query logs, performance logs, and error logs of ApsaraDB RDS for MySQL instances: all supported regions except China (Nanjing - Local Region), China (Fuzhou-Local Region), and Philippines (Manila)

  • Audit logs of ApsaraDB RDS for PostgreSQL instances: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Hong Kong), Singapore (Singapore), Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), Germany (Frankfurt), and United States (Virginia)

  • Slow query logs and error logs of ApsaraDB RDS for PostgreSQL instances: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Singapore (Singapore), Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Germany (Frankfurt), UK (London), and US (Virginia)

  • View audit logs

    • ApsaraDB RDS for MySQL instances are supported, except for ApsaraDB RDS for MySQL Basic Edition instances.

    • ApsaraDB RDS for PostgreSQL High-availability Edition instances are supported.

    • The SQL Explorer or SQL Audit feature must be enabled. The features are automatically enabled by Log Audit Service.

  • Slow query logs and error logs

    • ApsaraDB RDS for MySQL instances are supported, except for ApsaraDB RDS for MySQL Basic Edition instances.

    • ApsaraDB RDS for PostgreSQL High-availability Edition instances are supported.

  • Performance logs

    ApsaraDB RDS for MySQL instances are supported, except for ApsaraDB RDS for MySQL Basic Edition instances.

  • View audit logs

    • Logstore

      rds_log

    • Dashboard

      • RDS Audit Center

      • RDS Security Center

      • RDS Performance Center

      • RDS Overall Data View

  • Slow query logs and error logs

    • Logstore

      rds_log

    • Dashboard

      None

  • Performance logs

    • Metricstore

      rds_metrics

    • Dashboard

      RDS Performance Monitor

PolarDB for MySQL

  • Audit logs of PolarDB for MySQL clusters

  • Slow query logs of PolarDB for MySQL clusters

  • Performance logs of PolarDB for MySQL clusters

  • Error logs of PolarDB for MySQL clusters

All supported regions

  • View audit logs

    • PolarDB for MySQL clusters are supported.

    • The SQL Explorer or SQL Audit feature must be enabled. The features are automatically enabled by Log Audit Service.

  • Slow query logs, performance logs, and error logs

    Only PolarDB for MySQL clusters are supported.

  • Slow query logs, audit logs, and error logs

    • Logstore

      polardb_log

    • Dashboard

      None

  • Performance logs

    • Metricstore

      polardb_metrics

    • Dashboard

      PolarDB Performance Monitor

PolarDB-X 1.0

PolarDB-X 1.0 audit logs

China (Qingdao), China (Shenzhen), China (Shanghai), China (Beijing), China (Hangzhou), China (Zhangjiakou), China (Chengdu), and China (Hong Kong)

None

  • Logstore

    drds_log

  • Dashboard

    • DRDS Operation Center

    • DRDS Security Center

    • DRDS Performance Center

NAS

Access logs

All supported regions

None

  • Logstore

    nas_log

  • Dashboard

    • NAS Summary

    • NAS Audit Center

    • NAS Operation Center

ACK

  • Kubernetes audit logs

  • Kubernetes Event Center

  • Ingress access logs

China (Shanghai), China (Beijing), China (Hangzhou), China (Shenzhen), China (Hohhot), China (Zhangjiakou), China (Chengdu), and China (Hong Kong)

You must enable the log collection feature for Kubernetes logs.

Note
  • You must use projects that are automatically created and are named in the k8s-log-{ClusterID} format. Projects that are manually created are not supported.

  • The collection of Kubernetes logs is based on the data transformation feature. When you collect Kubernetes logs, you are charged for the data transformation feature. For more information, see Billable items of pay-by-feature.

  • You cannot collect Kubernetes logs across accounts.

  • Logstore

    • k8s_log

    • k8s_ingress_log

  • Dashboard

    • Kubernetes Audit Center Overview

    • Kubernetes Event Center

    • Kubernetes Resource Operation Overview

    • Ingress Overview

    • Ingress Access Center

Anti-DDoS

  • Anti-DDoS Pro access logs

  • Anti-DDoS Premium access logs

  • Anti-DDoS Origin access logs

N/A

  • Logstore

    ddos_log

  • Dashboard

    • Anti-DDoS Premium Access Center

    • Anti-DDoS Premium Operation Center

    • Anti-DDoS Pro Access Center

    • Anti-DDoS Pro Operation Center

    • Anti-DDoS Origin Events Report

    • Anti-DDoS Origin Mitigation Report

Cloud Service Bus (CSB) App Connect

Operation logs

N/A

None

  • Logstore

    appconnect_log

  • Dashboard

    None

Note

If an ApsaraDB RDS instance or a PolarDB for MySQL cluster is restarted, Log Audit Service may fail to collect specific logs that are generated within 5 minutes after the restart.