You can use the Log Audit Service application of Log Service to collect cloud service logs from a single Alibaba Cloud account or from multiple Alibaba Cloud accounts. Before you can use the application, you must authorize Log Service to collect logs from the relevant Alibaba Cloud services. If you want to collect logs across Alibaba Cloud accounts, you must also authorize the other Alibaba Cloud accounts. You can complete the authorization by using the AccessKey pair of a Resource Access Management (RAM) user that has the required permissions. Alternatively, you can follow the steps described in this topic to create the required RAM policies and roles yourself.

Background information

You can use the Log Audit Service application to collect cloud service logs of a single Alibaba Cloud account or across multiple Alibaba Cloud accounts.
To collect cloud service logs across Alibaba Cloud accounts, you must authorize the current Alibaba Cloud account and the other Alibaba Cloud accounts.
  • Authorize the current Alibaba Cloud account to receive logs from other Alibaba Cloud accounts. The logs are stored in the Logstore dedicated to log audit.
  • Authorize the other Alibaba Cloud accounts to synchronize logs to the current Alibaba Cloud account. The logs are stored in the Logstore dedicated to log audit.
The Log Audit Service application of Log Service involves multiple RAM roles and policies. The following sections describe them in detail.

Authorize Log Service to collect cloud service logs of the current Alibaba Cloud account

  1. Log on to the RAM console.
    We recommend that you use a RAM user to complete the authorization. The RAM user must be granted the read and write permissions on RAM. For this purpose, you can attach the AliyunRAMFullAccess policy to the RAM user. AliyunRAMFullAccess grants full control over RAM users, roles, and policies, so attach it only to the RAM user that performs this setup and detach it after the authorization is complete.
  2. Create a policy named AliyunLogAuditServiceDispatchPolicy.
    1. In the left-side navigation pane, choose Permissions > Policies. On the page that appears, click Create Policy.
    2. On the Create Custom Policy page, set the parameters, and then click OK. The following table describes the parameters.
      Parameter Description
      Policy Name Set the name to AliyunLogAuditServiceDispatchPolicy.
      Configuration Mode Select Script.
      Policy Document The content of the policy. Replace the content in the editor with the following script:
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "log:*",
                  "Resource": [
                      "acs:log:*:*:project/slsaudit-*"
                  ],
                  "Effect": "Allow"
              }
          ]
      }
  3. Follow Step 2 to create a policy named AliyunLogAuditServiceMonitorAccess.
    The following table describes the parameters.
    Parameter Description
    Policy Name Set the name to AliyunLogAuditServiceMonitorAccess.
    Configuration Mode Select Script.
    Policy Document The content of the policy. Replace the content in the editor with the following script:
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "log:*",
                "Resource": [
                    "acs:log:*:*:project/slsaudit-*",
                    "acs:log:*:*:app/audit"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "rds:ModifySQLCollectorPolicy",
                    "vpc:*FlowLog*",
                    "drds:*SqlAudit*",
                    "kvstore:ModifyAuditLogConfig"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
    Note To collect Kubernetes data, you must also create a policy named AliyunLogAuditServiceK8sAccess by using the following script in the editor. After the AliyunLogAuditServiceK8sAccess policy is created, attach it to the sls-audit-service-monitor role that you create in Step 5.
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "log:*",
                "Resource": [
                    "acs:log:*:*:project/k8s-log-*"
                ],
                "Effect": "Allow"
            }
        ]
    }
  4. Create a role named sls-audit-service-dispatch and attach the AliyunLogAuditServiceDispatchPolicy policy to the role.
    1. In the left-side navigation pane, click RAM Roles. On the page that appears, click Create RAM Role. The Create RAM Role wizard appears.
    2. In the Select Role Type step, select Alibaba Cloud Service and click Next.
    3. In the Configure Role step, set the parameters, and then click OK. The following table describes the parameters.
      Parameter Description
      Role Type The type of the RAM role. Select Normal Service Role.
      RAM Role Name The name of the RAM role. Set the value to sls-audit-service-dispatch.
      Select Trusted Service The Alibaba Cloud service to which you want to assign this role. Select Log Service from the drop-down list. The following script shows the content of the corresponding policy:
      {
          "Statement": [
              {
                  "Action": "sts:AssumeRole",
                  "Effect": "Allow",
                  "Principal": {
                      "Service": [
                          "log.aliyuncs.com"
                      ]
                  }
              }
          ],
          "Version": "1"
      }
    4. Click Add Permissions to RAM Role.
    5. In the Add Permissions dialog box, set the parameters to attach a policy to the role.
      In the Select Policy section, select Custom Policy and add the AliyunLogAuditServiceDispatchPolicy policy in the left section to the right section.
  5. Create a role named sls-audit-service-monitor and attach the AliyunLogAuditServiceMonitorAccess policy to the role.
    1. In the left-side navigation pane, click RAM Roles. On the page that appears, click Create RAM Role. The Create RAM Role wizard appears.
    2. In the Select Role Type step, select Alibaba Cloud Service and click Next.
    3. In the Configure Role step, set the parameters, and then click OK. The following table describes the parameters.
      Parameter Description
      Role Type The type of the RAM role. Select Normal Service Role.
      RAM Role Name The name of the RAM role. Set the value to sls-audit-service-monitor.
      Select Trusted Service The Alibaba Cloud service to which you want to assign this role. Select Log Service from the drop-down list. The following script shows the content of the corresponding policy:
      {
          "Statement": [
              {
                  "Action": "sts:AssumeRole",
                  "Effect": "Allow",
                  "Principal": {
                      "Service": [
                          "log.aliyuncs.com"
                      ]
                  }
              }
          ],
          "Version": "1"
      }
    4. Click Add Permissions to RAM Role.
    5. In the Add Permissions dialog box, set the parameters to attach a policy to the role.
      In the Select Policy section, select Custom Policy and add the AliyunLogAuditServiceMonitorAccess policy in the left section to the right section. If you created the AliyunLogAuditServiceK8sAccess policy in Step 3, add it as well. Then, select System Policy and add the ReadOnlyAccess policy to the right section.

Authorize Log Service to collect logs from the cloud services purchased by other Alibaba Cloud accounts

  1. Obtain the IDs of the Alibaba Cloud accounts.
    1. Log on to the Account Management console.
      Log on to the console by using each Alibaba Cloud account.
    2. Go to the Security Settings page and obtain the ID of the account.
  2. Authorize other Alibaba Cloud accounts. Perform this step in the current Alibaba Cloud account, in which the sls-audit-service-dispatch role was created.
    1. Log on to the RAM console by using the current Alibaba Cloud account.
      We recommend that you use a RAM user to authorize other Alibaba Cloud accounts. The RAM user must be granted the read and write permissions on RAM. For this purpose, you can attach the AliyunRAMFullAccess policy to the RAM user.
    2. In the left-side navigation pane, click RAM Roles.
    3. On the RAM Roles page, click the sls-audit-service-dispatch role to go to the details page of the role.
    4. Click the Trust Policy Management tab. On the tab, replace the content in the editor with the following script:
      {
          "Statement": [
              {
                  "Action": "sts:AssumeRole",
                  "Effect": "Allow",
                  "Principal": {
                      "Service": [
                          "log.aliyuncs.com"
                      ]
                  }
              }
          ],
          "Version": "1"
      }
  3. Authorize the current Alibaba Cloud account. Perform this step in each of the other Alibaba Cloud accounts whose logs you want to collect. It allows Log Service, acting on behalf of the current Alibaba Cloud account, to assume a role in the other account.
    1. Log on to the RAM console by using the other Alibaba Cloud account.
      We recommend that you use a RAM user to authorize the current Alibaba Cloud account. The RAM user must be granted the read and write permissions on RAM. For this purpose, you can attach the AliyunRAMFullAccess policy to the RAM user.
    2. In the left-side navigation pane, choose Permissions > Policies. On the page that appears, click Create Policy.
    3. On the Create Custom Policy page, set the parameters, and then click OK. The following table describes the parameters.
      Parameter Description
      Name The name of the policy. Set the value to AliyunLogAuditServiceMonitorAccess.
      Configuration Mode Select Script.
      Policy Document The content of the policy. Replace the content in the text box with the following script:
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "log:*",
                  "Resource": [
                      "acs:log:*:*:project/slsaudit-*",
                      "acs:log:*:*:app/audit"
                  ],
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "rds:ModifySQLCollectorPolicy",
                      "vpc:*FlowLog*",
                      "drds:*SqlAudit*",
                      "kvstore:ModifyAuditLogConfig"                      
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ]
      }
      Note To collect Kubernetes data, you must also create a policy named AliyunLogAuditServiceK8sAccess by using the following script in the editor. After the AliyunLogAuditServiceK8sAccess policy is created, attach it to the sls-audit-service-monitor role that you create in Step 3.4.
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "log:*",
                  "Resource": [
                      "acs:log:*:*:project/k8s-log-*"
                  ],
                  "Effect": "Allow"
              }
          ]
      }
    4. Create a role named sls-audit-service-monitor and attach the AliyunLogAuditServiceMonitorAccess policy to the role.
      1. In the left-side navigation pane, click RAM Roles. On the page that appears, click Create RAM Role. The Create RAM Role wizard appears.
      2. In the Select Role Type step, select Alibaba Cloud Service and click Next.
      3. In the Configure Role step, set the parameters, and then click OK. The following table describes the parameters.
        Parameter Description
        Role Type The type of the RAM role. Select Normal Service Role.
        Role Name The name of the RAM role. Set the value to sls-audit-service-monitor.
        Select Trusted Service The Alibaba Cloud service to which you want to assign this role. Select Log Service from the drop-down list.
      4. Click Add Permissions to RAM Role.
      5. In the Add Permissions dialog box, set the parameters to attach a policy to the role.
        In the Select Policy section, select Custom Policy and add the AliyunLogAuditServiceMonitorAccess policy in the left section to the right section. If you created the AliyunLogAuditServiceK8sAccess policy, add it as well. Then, select System Policy and add the ReadOnlyAccess policy to the right section.
      6. Go back to the RAM Roles page and click the sls-audit-service-monitor role to open the details page of the role.
      7. Click the Trust Policy Management tab. On the tab, replace the original script in the editor with the following content:
        Replace Alibaba Cloud account ID in the following script with the ID of the current Alibaba Cloud account, which you obtained in Step 1. The first principal allows Log Service that acts on behalf of the current Alibaba Cloud account to assume this role; the second allows Log Service in this account to assume it. The trust policy must list only these two principals.
        {
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": [
                            "Alibaba Cloud account ID@log.aliyuncs.com",
                            "log.aliyuncs.com"
                        ]
                    }
                }
            ],
            "Version": "1"
        }
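The two procedures above (single-account and cross-account authorization) create the same policy documents and roles in different accounts. The following Python script is an added example and is not part of the Alibaba Cloud documentation or of Log Service. It reproduces the policy bodies from the steps above, renders the single-account and cross-account trust policies for a given account ID, lists which role receives which policies in the current account and in each other account, and lints a policy document for the scope problems a reviewer would look for (Log Service rights outside the slsaudit-*, app/audit and k8s-log-* resources, a service-wide wildcard action on Resource "*", or a trust policy that admits principals other than Log Service). The lint rules, the role_plan() and check_trust() functions, the assumption that an Alibaba Cloud account ID is a 16-digit number, and the sample ID 1234567890123456 are this example's own and do not come from the page.

```python
"""Build and sanity-check the RAM policy documents used by the Log Audit Service
procedures above (single account and cross-account). Added example, not part of
the Alibaba Cloud documentation: policy bodies are copied from the steps above;
the lint rules, role_plan() and the 16-digit account ID format are assumptions."""
import json
import re

LOG_SERVICE = "log.aliyuncs.com"

# The only Log Service resources the audit roles should hold log:* over.
AUDIT_LOG_RESOURCE_PREFIXES = ("acs:log:*:*:project/slsaudit-",
                               "acs:log:*:*:app/audit",
                               "acs:log:*:*:project/k8s-log-")

# Permission policies exactly as given in the procedure above.
DISPATCH_POLICY = {"Version": "1", "Statement": [
    {"Action": "log:*", "Resource": ["acs:log:*:*:project/slsaudit-*"], "Effect": "Allow"}]}
MONITOR_ACCESS_POLICY = {"Version": "1", "Statement": [
    {"Action": "log:*", "Effect": "Allow",
     "Resource": ["acs:log:*:*:project/slsaudit-*", "acs:log:*:*:app/audit"]},
    {"Action": ["rds:ModifySQLCollectorPolicy", "vpc:*FlowLog*",
                "drds:*SqlAudit*", "kvstore:ModifyAuditLogConfig"],
     "Resource": "*", "Effect": "Allow"}]}
K8S_ACCESS_POLICY = {"Version": "1", "Statement": [
    {"Action": "log:*", "Resource": ["acs:log:*:*:project/k8s-log-*"], "Effect": "Allow"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return findings; empty means Log Service rights stay on the audit projects
    and app, and no service-wide wildcard action is granted on Resource "*"."""
    findings = []
    if policy.get("Version") != "1":
        findings.append('Version must be "1"')
    for i, st in enumerate(policy.get("Statement", [])):
        actions, resources = _as_list(st.get("Action", [])), _as_list(st.get("Resource", []))
        if st.get("Effect") != "Allow":
            findings.append(f"statement {i}: unexpected Effect {st.get('Effect')!r}")
        for action in actions:
            service = action.split(":", 1)[0]
            if action in ("*", f"{service}:*") and "*" in resources:
                findings.append(f"statement {i}: {action} on Resource * is unbounded")
            if service == "log":
                off_scope = [r for r in resources if not r.startswith(AUDIT_LOG_RESOURCE_PREFIXES)]
                if off_scope:
                    findings.append(f"statement {i}: {action} reaches {off_scope}")
    return findings


def trust_policy(central_account_id=None):
    """Trust policy for a role assumed by Log Service. Without an ID: the single-account
    form used by both roles. With one: the cross-account form set on sls-audit-service-monitor
    in another account, so Log Service acting for the central account may assume it."""
    services = [LOG_SERVICE]
    if central_account_id is not None:
        if not re.fullmatch(r"\d{16}", str(central_account_id)):  # assumption: 16-digit ID
            raise ValueError(f"not a 16-digit account ID: {central_account_id!r}")
        services.insert(0, f"{central_account_id}@{LOG_SERVICE}")
    return {"Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                           "Principal": {"Service": services}}], "Version": "1"}


def check_trust(policy, central_account_id=None):
    """True only if the trust policy admits Log Service (plus, cross-account, the central
    account's Log Service) and no other principal type, for example no RAM users."""
    expected = {LOG_SERVICE}
    if central_account_id is not None:
        expected.add(f"{central_account_id}@{LOG_SERVICE}")
    statements = policy.get("Statement", [])
    if len(statements) != 1 or statements[0].get("Action") != "sts:AssumeRole":
        return False
    principal = statements[0].get("Principal", {})
    return set(principal) == {"Service"} and set(_as_list(principal["Service"])) == expected


def role_plan(central_account_id=None, collect_k8s=False):
    """Roles to create and policies to attach: in the central account (no ID) or
    in another account that must let the central account's Log Service in."""
    monitor = ["AliyunLogAuditServiceMonitorAccess", "ReadOnlyAccess"]
    if collect_k8s:
        monitor.append("AliyunLogAuditServiceK8sAccess")
    plan = {"sls-audit-service-monitor": {"trust": trust_policy(central_account_id),
                                          "policies": monitor}}
    if central_account_id is None:  # the dispatch role exists only in the central account
        plan["sls-audit-service-dispatch"] = {"trust": trust_policy(),
                                              "policies": ["AliyunLogAuditServiceDispatchPolicy"]}
    return plan


if __name__ == "__main__":
    for name, policy in [("DispatchPolicy", DISPATCH_POLICY),
                         ("MonitorAccess", MONITOR_ACCESS_POLICY), ("K8sAccess", K8S_ACCESS_POLICY)]:
        print(name, lint_policy(policy) or "ok")
    # 1234567890123456 is a constructed sample ID, not a real account.
    print(json.dumps(role_plan("1234567890123456", collect_k8s=True), indent=2))
```

Run the script as-is to print the lint result for each of the three policies and the role layout for another account; call role_plan() with no argument for the current account. Paste the output of trust_policy("<current account ID>") into the Trust Policy Management tab of sls-audit-service-monitor in the other account, and run check_trust() on a trust policy copied back from the console to confirm that nothing beyond the two Log Service principals was added.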