This topic describes the audit operations that you can perform in the Log Audit Service application after logs are collected.

Prerequisites

  • The Log Audit Service application is configured. For more information, see Configure log collection.
  • Relevant permissions are granted to the current logon account. For more information, see Configure permission assistant.
    • To query logs or view reports, you must grant read permissions on the Log Audit Service application and the resources of related projects to the current logon account.
    • To create reports, configure alerts, or make secondary access configurations, you must grant read/write permissions on the Log Audit Service application and the resources of related projects to the current logon account.

View audit reports

  1. Log on to the Log Service console.
  2. In the Log Application section, click Start in the Log Audit Service card.
  3. In the left-side navigation pane, click Audit Report.
  4. Click the target dashboard to view data reports.
    On the target dashboard, you can view the reports of various datasets. For information about how to manage a dashboard, see Overview.
    Note: If you do not turn on the Synchronization to Central Project switch on the Global Configurations page for OSS, SLB, or DRDS, you can only view the reports that reside in the corresponding regions under Regional. If you turn on the Synchronization to Central Project switch for OSS, SLB, and DRDS, you can view the reports that reside in all available regions except the China (Qingdao) and China (Heyuan) regions under Central. For more information about limits on regions, see Limits.

Query audit logs

  1. Log on to the Log Service console.
  2. In the Log Application section, click Start in the Log Audit Service card.
  3. In the left-side navigation pane, click Audit Query.
  4. Click the target service to open the search and analysis page.
    For information about how to search and analyze data, see Overview.
    Note: If you do not turn on the Synchronization to Central Project switch on the Global Configurations page for OSS, SLB, or DRDS, you can only search and analyze the data that resides in the corresponding regions under Regional. If you turn on the Synchronization to Central Project switch for OSS, SLB, and DRDS, you can search and analyze the data under Central that resides in all available regions except the China (Qingdao) and China (Heyuan) regions. For more information about limits on regions, see Limits.

Create an audit alert

  1. Log on to the Log Service console.
  2. In the Log Application section, click Start in the Log Audit Service card.
  3. Create an alert.
    • Create an alert based on logs.
      1. In the left-side navigation pane, click Audit Query.
      2. Click the target service to open the search and analysis page.
      3. Click Save as Alert. In the Create Alert wizard that appears, create an alert. For more information, see Overview.
    • Create an alert based on a report.
      1. In the left-side navigation pane, click Audit Report.
      2. Click the target dashboard.
      3. On the dashboard page that appears, select the target chart, click its icon, and choose Create Alert to create an alert. For more information, see Overview.

Manage a Logstore

  1. Log on to the Log Service console.
  2. In the Log Application section, click Start in the Log Audit Service card.
  3. Choose Audit Configurations > Access to Cloud Products > Global Configurations.
  4. Click the target project to open the Logstores page.

What to do next

After you complete the log audit, you can ship the data to other Alibaba Cloud services or third-party systems. You can also use those services or systems to consume the data.
  • Data shipping

    You can ship data to Alibaba Cloud services such as OSS, MaxCompute, AnalyticDB for MySQL, and Time Series Database (TSDB), or to third-party systems such as Splunk and other security information and event management (SIEM) solutions. For more information, see Overview.

  • Data consumption

    You can use Alibaba Cloud services such as CloudMonitor, ARMS, and StreamCompute, or third-party streaming systems such as Spark Streaming, Storm, Flume, and Logstash to consume log data. For more information, see Overview.