Unified Multi-Account Log Auditing & MLPS 2.0 Compliance - Simple Log Service - Alibaba Cloud - Simple Log Service

Log Audit Service automates centralized log collection from Alibaba Cloud services across multiple accounts for compliance auditing, threat detection, and security analysis.

Important

The entry to the old version of the Log Audit Service console is removed on January 21, 2025. However, existing users (those who started using the service before this date) still have access to the entry. New users who want to use the old version can visit the new version of the Log Audit Service and click Back to Old Version to return to the old version.

Features

Log Audit Service extends Simple Log Service with automated, cross-account log collection in real time. It collects, stores, queries, and aggregates audit data from ActionTrail, Container Service for Kubernetes (ACK), Object Storage Service (OSS), Apsara File Storage NAS (NAS), Server Load Balancer (SLB), Application Load Balancer (ALB), API Gateway, Virtual Private Cloud (VPC), ApsaraDB RDS, PolarDB-X 1.0, PolarDB, Web Application Firewall (WAF), Anti-DDoS, Cloud Firewall, Security Center, third-party cloud services, and self-managed SOCs.

Background information

Log audit is legally required.

Enterprises worldwide must meet regulatory requirements such as the Cybersecurity Law of the People's Republic of China (effective 2017) and MLPS 2.0 (effective December 2019).
Log audit underpins enterprise data security compliance.

Enterprise compliance teams audit device operations, network behavior, and logs. Log Audit Service consumes raw logs, generates compliance reports, and integrates with self-managed SOCs or Alibaba Cloud Security Center.
Log audit is critical for data security.

According to the FireEye M-Trends 2018 report, the global median dwell time (from breach to detection) was 101 days, and 498 days in Asia Pacific. Shortening dwell time requires reliable log data, durable storage, and audit capabilities.

Scenarios

SLS-based audit

SLS provides end-to-end log collection, cleansing, analysis, visualization, and alerting for DevOps, operations, security, and audit scenarios.
Typical log audit

Log audit requirements are classified into four levels.
- Basic: Small and medium enterprises need automatic log collection and storage to meet MLPS 2.0 requirements.
- Intermediate: Large or multinational enterprises with multiple Alibaba Cloud accounts need centralized log collection, account management, and real-time synchronization with existing audit systems.
- Advanced: Enterprises with dedicated compliance teams need log monitoring, analysis, alerting, and visualization — either forwarding logs to their own systems or using SLS built-in audit features.
- Top: Large enterprises with professional compliance teams need to synchronize self-managed SOCs or audit systems with Log Audit Service for centralized data management.
Log Audit Service meets all four levels of requirements.

Benefits

Centralized log collection
- Cross-account collection: Collect logs from multiple Alibaba Cloud accounts into one project. Configure multi-account collection in custom authentication mode or resource directory mode (recommended). Configure multi-account collection.
- Ease of use: Configure collection policies once. Log Audit Service automatically collects logs from new resources (RDS instances, SLB instances, OSS buckets) across accounts in real time.
- Centralized storage: Logs are stored in a central project of one region, enabling efficient querying, analysis, visualization, alerting, and secondary development.
Comprehensive audit
- Log Audit Service supports querying, analysis, transformation, visualization, alerting, and log export — all SLS features plus centralized audit.
- Integrates with Alibaba Cloud services, open-source software, and third-party SOCs.

Supported Alibaba Cloud services

Log Audit Service collects logs from ActionTrail, ACK, OSS, NAS, SLB, ALB, API Gateway, VPC, ApsaraDB RDS, PolarDB-X 1.0, PolarDB, WAF, Cloud Firewall, Security Center, and Anti-DDoS. Logs are automatically stored in dedicated Logstores and Metricstores with auto-generated dashboards.

Cloud service	Audited log	Supported region for collection	Prerequisite	Simple Log Service resource
ActionTrail	Resource Access Management (RAM) logon logs Resource operation logs of Alibaba Cloud services Logs of API operations	China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Japan (Tokyo), US (Silicon Valley), US (Virginia), Germany (Frankfurt), UK (London), and UAE (Dubai)	None	Logstore actiontrail_log Dashboard ActionTrail Audit Center ActionTrail Core Configuration Center ActionTrail Login Center
Cloud Config	Configuration change logs Resource non-compliance events	All regions supported by Cloud Config	To collect Cloud Config logs in Log Audit Service, authorize SLS to extract logs from Cloud Config. After authorization, logs are automatically pushed to SLS.	Logstore cloudconfig_log Dashboard None
SLB	Layer 7 network logs of HTTP or HTTPS listeners	China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Singapore, Japan (Tokyo), Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), UK (London), UAE (Dubai), US (Silicon Valley), US (Virginia), and Germany (Frankfurt)	None	Logstore slb_log Dashboard SLB Audit Center SLB Access Center SLB Overall Data View
ALB	Layer 7 network logs of HTTP or HTTPS listeners	China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Ulanqab), China (Shenzhen), China (Guangzhou), China (Chengdu), China (Hong Kong), Japan (Tokyo), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Germany (Frankfurt), US (Silicon Valley), and US (Virginia)	None	Logstore alb_log Dashboard ALB Operation Center ALB Access Center
API Gateway	Access logs	All supported regions	None	Logstore apigateway_log Dashboard API Gateway Audit Center
VPC	Flow logs	China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Japan (Tokyo), US (Silicon Valley), US (Virginia), UAE (Dubai), Germany (Frankfurt), and UK (London)	After the flow log feature is enabled for a VPC or a vSwitch, the feature cannot capture information about ECS instances that belong to the following instance families in the VPC or vSwitch. The feature can capture information about only other ECS instances that meet the requirements. The feature cannot be enabled for elastic network interfaces (ENIs) that are bound to ECS instances if the ECS instances belong to the following instance families. ecs.c1, ecs.c2, ecs.c4, ecs.ce4, ecs.cm4, ecs.d1, ecs.e3, ecs.e4, ecs.ga1, ecs.gn4, ecs.gn5, ecs.i1, ecs.m1, ecs.m2, ecs.mn4, ecs.n1, ecs.n2, ecs.n4, ecs.s1, ecs.s2, ecs.s3, ecs.se1, ecs.sn1, ecs.sn2, ecs.t1, and ecs.xn4	Logstore vpc_log Dashboard VPC Flow Log Overview VPC Flow Log Rejection Center VPC Flow Log Traffic Center
DNS	Intranet DNS logs	China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Shenzhen), China (Guangzhou), China (Hong Kong), China (Chengdu), Singapore, and US (Silicon Valley)	Go to the Alibaba Cloud DNS console of the new version to activate Alibaba Cloud DNS PrivateZone.	Logstore dns_log Dashboard None
	Public DNS resolution logs	N/A	Go to the Authoritative DNS Resolution page of the Alibaba Cloud DNS console to enable the DNS traffic analysis feature and enable the feature for the required domain names. Chinese domain name-related logs cannot be stored.	Logstore dns_log Dashboard None
	Global Traffic Manager logs	N/A	Go to the Global Traffic Manager 3.0 page of the Alibaba Cloud DNS console to activate Global Traffic Manager (GTM) and purchase a GTM instance. Chinese domain name-related logs cannot be stored. Global Traffic Manager is available only for users in the required whitelist. To add a user to the whitelist, you must submit a ticket to Alibaba Cloud DNS engineers.	Logstore dns_log Dashboard None
WAF	Access Logs Attack logs	All supported regions	Your WAF instance must be of the Enterprise or Business edition. Enable the Simple Log Service for WAF feature in the WAF console. Get started with the Simple Log Service for WAF feature.	Logstore waf_log Dashboard WAF Audit Center WAF Security Center WAF Access Center
Security Center	Nine types of host logs Seven types of security logs Four types of network logs Important Starting March 27, 2025, network log delivery is no longer supported, but previously delivered data will be preserved and available for queries. For more information, see [Notice] updates on log analysis and CTDR features.	China (Hangzhou) and Singapore	Your Security Center must be of the Enterprise edition. The log analysis feature must be enabled in the Security Center console. For more information, see Enable log analysis.	Logstore sas_log Dashboard SAS Alarm Center SAS Connection Center SAS DNS Access Center SAS Baseline Center SAS Login Center SAS Process Center SAS Network Session Center SAS Vulnerability Center SAS Web Access Center
Cloud Firewall	Traffic logs of the Internet firewall and VPC firewalls	N/A	Your Cloud Firewall must be of the Premium Edition or higher. The log analysis feature must be enabled in the Cloud Firewall console. For more information, see Enable the log analysis feature.	Logstore cloudfirewall_log Dashboard Cloud Firewall Audit Center
Bastionhost	Operation logs	All supported regions	Your Bastionhost must be of V3.2 or later.	Logstore bastion_log Dashboard None
OSS	Resource operation logs Data operation logs Data access logs and metering logs Deletion logs of expired files CDN back-to-origin traffic logs	China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Japan (Tokyo), South Korea (Seoul), Thailand (Bangkok), Germany (Frankfurt), UAE (Dubai), UK (London), US (Virginia), and US (Silicon Valley)	None	Logstore oss_log Dashboard OSS Audit Center OSS Access Center OSS Operation Center OSS Performance Center OSS Overall Data View
ApsaraDB RDS	Audit logs of ApsaraDB RDS for MySQL instances Slow query logs of ApsaraDB RDS for MySQL instances Performance logs of ApsaraDB RDS for MySQL instances Error logs of ApsaraDB RDS for MySQL instances Audit logs of ApsaraDB RDS for PostgreSQL instances Slow query logs of ApsaraDB RDS for PostgreSQL instances Error logs of ApsaraDB RDS for PostgreSQL instances	Audit logs of ApsaraDB RDS for MySQL instances: all supported regions except China (Heyuan), and Philippines (Manila) Slow query logs, performance logs, and error logs of ApsaraDB RDS for MySQL instances: all supported regions except Philippines (Manila) Audit logs of ApsaraDB RDS for PostgreSQL instances: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Germany (Frankfurt), and US (Virginia) Slow query logs and error logs of ApsaraDB RDS for PostgreSQL instances: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Germany (Frankfurt), UK (London), and US (Virginia)	Audit logs ApsaraDB RDS for MySQL instances are supported, except those running the RDS Basic Edition. ApsaraDB RDS for PostgreSQL instances that run the RDS High-availability Edition are supported. The SQL Explorer or SQL Audit feature must be enabled. The features are automatically enabled by Log Audit Service. Slow query logs and error logs ApsaraDB RDS for MySQL instances are supported, except those running the RDS Basic Edition. ApsaraDB RDS for PostgreSQL instances that run the RDS High-availability Edition are supported. Performance logs ApsaraDB RDS for MySQL instances are supported, except those running the RDS Basic Edition.	Audit logs Logstore rds_log Dashboard RDS Audit Center RDS Security Center RDS Performance Center RDS Overall Data View Slow query logs and error logs Logstore rds_log Dashboard None Performance logs Metricstore rds_metrics Dashboard RDS Performance Monitoring
PolarDB for MySQL	Audit logs of PolarDB for MySQL clusters Slow query logs of PolarDB for MySQL clusters Performance logs of PolarDB for MySQL clusters Error logs of PolarDB for MySQL clusters	All supported regions	Audit logs PolarDB for MySQL clusters are supported. The SQL Explorer or SQL Audit feature must be enabled. The features are automatically enabled by Log Audit Service. Slow query logs, performance logs, and error logs Only PolarDB for MySQL clusters are supported.	Slow query logs, audit logs, and error logs Logstore polardb_log Dashboard None Performance logs Metricstore polardb_metrics Dashboard PolarDB Performance Monitor
PolarDB-X 1.0	PolarDB-X 1.0 audit logs	China (Qingdao), China (Shenzhen), China (Shanghai), China (Beijing), China (Hangzhou), China (Zhangjiakou), China (Chengdu), and China (Hong Kong)	None	Logstore drds_log Dashboard DRDS Operation Center DRDS Security Center DRDS Performance Center
NAS	Access logs	All supported regions	None	Logstore nas_log Dashboard NAS Summary NAS Audit Center NAS Operation Center
ACK	Kubernetes audit logs Kubernetes event centers Ingress access logs	China (Shanghai), China (Beijing), China (Hangzhou), China (Shenzhen), China (Hohhot), China (Zhangjiakou), China (Chengdu), and China (Hong Kong)	Manually enable the log collection feature for Kubernetes logs. Note Use projects automatically created in the k8s-log-{ClusterID} format. Manually created projects are not supported. The collection of Kubernetes logs is based on the data transformation feature. When you collect Kubernetes logs, you are charged for the data transformation feature. For more information, see Billable items for pay-by-feature. Cross-account collection of Kubernetes logs is not supported. For more information about the prerequisites before you use Kubernetes audit logs, see Collect container logs from ACK clusters. For more information about the prerequisites before you use Kubernetes event centers, see Create and use the K8s Event Center. Ingress access logs prerequisites: Analyze and monitor the access logs of nginx-ingress-controller.	Logstore k8s_log k8s_ingress_log Dashboard Kubernetes Audit Center Overview Kubernetes Event Center Kubernetes Resource Operation Overview Ingress Overview Ingress Access Center
Anti-DDoS	Anti-DDoS Proxy (Chinese Mainland) access logs Anti-DDoS Proxy (Outside Chinese Mainland) access logs Anti-DDoS Origin access logs	N/A	Anti-DDoS Proxy (Chinese Mainland): The log analysis feature must be enabled in the Anti-DDoS Proxy (Chinese Mainland) console. For more information, see Use the log analysis feature. Anti-DDoS Proxy (Outside Chinese Mainland): The log analysis feature must be enabled in the Anti-DDoS Proxy (Outside Chinese Mainland) console. For more information, see Use the log analysis feature. Anti-DDoS Origin: The log analysis feature must be enabled in the Anti-DDoS Origin console. For more information, see Enable the log analysis feature.	Logstore ddos_log Dashboard Anti-DDoS Proxy (Outside Chinese Mainland) Access Center Anti-DDoS Proxy (Outside Chinese Mainland) Operation Center Anti-DDoS Proxy (Chinese Mainland) Access Center Anti-DDoS Proxy (Chinese Mainland) Operation Center Anti-DDoS Origin Events Report Anti-DDoS Origin Scrubbing Analysis Report

Note

If an ApsaraDB RDS instance or a PolarDB for MySQL cluster is restarted, Log Audit Service may fail to collect some logs that are generated within 5 minutes after the restart.