You can use the Log Audit Service application of Log Service to collect cloud service logs of a single Alibaba Cloud account or of multiple Alibaba Cloud accounts. Before you can use the application, you must grant Log Service the permissions to collect logs from the relevant Alibaba Cloud services. If you want to collect logs across Alibaba Cloud accounts, you must also authorize the other Alibaba Cloud accounts. You can complete the authorization by using the AccessKey pair of a Resource Access Management (RAM) user who has the required permissions, or by following the steps described in this topic.

Background information

You can use the Log Audit Service application to collect cloud service logs of a single Alibaba Cloud account or across Alibaba Cloud accounts.
To collect cloud service logs across Alibaba Cloud accounts, you must authorize the current Alibaba Cloud account and the other Alibaba Cloud accounts as follows:
  • Authorize the current Alibaba Cloud account to receive logs from other Alibaba Cloud accounts. The logs are stored in the Logstore dedicated to log audit.
  • Authorize the other Alibaba Cloud accounts to synchronize logs to the current Alibaba Cloud account. The logs are stored in the Logstore dedicated to log audit.

Authorize Log Service to collect cloud service logs of the current Alibaba Cloud account

  1. Log on to the RAM console.
    We recommend that you use a RAM user to complete the authorization. The RAM user must be granted the read/write permissions on RAM. For this purpose, you can attach the AliyunRAMFullAccess policy to the RAM user. Note that AliyunRAMFullAccess allows the user to manage all RAM users, roles, and policies in the account, so attach it only to an administrative RAM user.
  2. Create a policy named AliyunLogAuditServiceDispatchPolicy.
    1. In the left-side navigation pane, choose Permissions > Policies. On the page that appears, click Create Policy.
    2. On the Create Custom Policy page, set the parameters, and then click OK. The following table describes the parameters.
      Parameter           Description
      Policy Name         Set the name to AliyunLogAuditServiceDispatchPolicy.
      Configuration Mode  Select Script.
      Policy Document     The content of the policy. Replace the content in the editor with the following script:
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": [
                      "log:*"
                  ],
                  "Resource": [
                      "acs:log:*:*:project/slsaudit-*"
                  ],
                  "Effect": "Allow"
              }
          ]
      }
  3. Follow step 2 to create a policy named AliyunLogAuditServiceMonitorAccess.
    The following table describes the parameters.
    Parameter           Description
    Policy Name         Set the name to AliyunLogAuditServiceMonitorAccess.
    Configuration Mode  Select Script.
    Policy Document     The content of the policy. Replace the content in the editor with the following script:
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "log:*",
                "Resource": [
                    "acs:log:*:*:project/slsaudit-*",
                    "acs:log:*:*:app/audit"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "rds:ModifySQLCollectorPolicy",
                    "vpc:*FlowLog*",
                    "drds:*SqlAudit*"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
  4. Create a role named sls-audit-service-dispatch and attach the AliyunLogAuditServiceDispatchPolicy policy to the role.
    1. In the left-side navigation pane, click RAM Roles. On the page that appears, click Create RAM Role. The Create RAM Role wizard appears.
    2. In the Select Role Type step, select Alibaba Cloud Service and click Next.
    3. In the Configure Role step, set the parameters, and then click OK. The following table describes the parameters.
      Parameter               Description
      Role Type               The type of the RAM role. Select Normal Service Role.
      RAM Role Name           The name of the RAM role. Set the value to sls-audit-service-dispatch.
      Select Trusted Service  The Alibaba Cloud service that is allowed to assume this role. Select Log Service from the drop-down list. The trust policy that is generated is as follows:
      {
          "Statement": [
              {
                  "Action": "sts:AssumeRole",
                  "Effect": "Allow",
                  "Principal": {
                      "Service": [
                          "log.aliyuncs.com"
                      ]
                  }
              }
          ],
          "Version": "1"
      }
    4. Click Add Permissions to RAM Role.
    5. In the Add Permissions dialog box, set the parameters to attach a policy to the role.
      In the Select Policy section, select Custom Policy and add the AliyunLogAuditServiceDispatchPolicy policy in the left section to the right section.
  5. Create a role named sls-audit-service-monitor and attach the AliyunLogAuditServiceMonitorAccess policy to the role.
    1. In the left-side navigation pane, click RAM Roles. On the page that appears, click Create RAM Role. The Create RAM Role wizard appears.
    2. In the Select Role Type step, select Alibaba Cloud Service and click Next.
    3. In the Configure Role step, set the parameters, and then click OK. The following table describes the parameters.
      Parameter               Description
      Role Type               The type of the RAM role. Select Normal Service Role.
      RAM Role Name           The name of the RAM role. Set the value to sls-audit-service-monitor.
      Select Trusted Service  The Alibaba Cloud service that is allowed to assume this role. Select Log Service from the drop-down list. The trust policy that is generated is as follows:
      {
          "Statement": [
              {
                  "Action": "sts:AssumeRole",
                  "Effect": "Allow",
                  "Principal": {
                      "Service": [
                          "log.aliyuncs.com"
                      ]
                  }
              }
          ],
          "Version": "1"
      }
    4. Click Add Permissions to RAM Role.
    5. In the Add Permissions dialog box, set the parameters to attach a policy to the role.
      In the Select Policy section, select Custom Policy and add the AliyunLogAuditServiceMonitorAccess policy in the left section to the right section. Select System Policy and add the ReadOnlyAccess policy to the right section.
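The two custom policies created in this procedure scope log:* to the slsaudit-* projects (and, for the monitor role, to the audit app), but the second statement of AliyunLogAuditServiceMonitorAccess grants three non-Log Service actions on Resource "*". The following Python script is an added example, not code from Alibaba Cloud's documentation or tooling: it embeds both policy documents unchanged and runs a simplified RAM evaluation (Action, Resource, and Effect only; Condition elements are not modelled, and "*" is treated as the only wildcard) so that you can confirm what each policy allows and denies before you attach it to a role. The account ID, region, project, and Logstore names in the sample checks are constructed placeholders.

```python
import json
import re

# The two custom policy documents from the procedure above, copied unchanged.
DISPATCH_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Action": ["log:*"],
            "Resource": ["acs:log:*:*:project/slsaudit-*"],
            "Effect": "Allow",
        }
    ],
}

MONITOR_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Action": "log:*",
            "Resource": ["acs:log:*:*:project/slsaudit-*", "acs:log:*:*:app/audit"],
            "Effect": "Allow",
        },
        {
            "Action": ["rds:ModifySQLCollectorPolicy", "vpc:*FlowLog*", "drds:*SqlAudit*"],
            "Resource": "*",
            "Effect": "Allow",
        },
    ],
}


def _as_list(value):
    """RAM accepts a string or a list for Action and Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _glob_match(pattern, value):
    """Case-sensitive match in which '*' is the only wildcard (assumption: the
    policies above use no other metacharacter)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def is_allowed(policy, action, resource):
    """Simplified RAM decision: an explicit Deny on a matching statement wins,
    otherwise any matching Allow grants. Condition elements are not evaluated."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_glob_match(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(_glob_match(r, resource) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def grants_outside_audit_scope(policy):
    """(action, resource) pairs in Allow statements whose resource is not confined
    to the slsaudit-* projects or the audit app: the part of the policy to review."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        for res in _as_list(stmt["Resource"]):
            in_scope = res.startswith("acs:log:") and (
                "project/slsaudit-" in res or res.endswith(":app/audit")
            )
            if not in_scope:
                findings.extend((act, res) for act in _as_list(stmt["Action"]))
    return findings


if __name__ == "__main__":
    # Constructed sample ARNs; the account ID, region, and names are placeholders.
    acct, region = "1234567890123456", "cn-hangzhou"
    checks = [
        (DISPATCH_POLICY, "log:PostLogStoreLogs",
         f"acs:log:{region}:{acct}:project/slsaudit-abc/logstore/audit-store"),
        (DISPATCH_POLICY, "log:GetLogs", f"acs:log:{region}:{acct}:project/prod-logs"),
        (MONITOR_POLICY, "vpc:CreateFlowLog", f"acs:vpc:{region}:{acct}:flowlog/*"),
        (MONITOR_POLICY, "rds:DeleteDBInstance", f"acs:rds:{region}:{acct}:dbinstance/rm-x"),
    ]
    for policy, act, res in checks:
        print(f"{act:24} {res:70} -> {is_allowed(policy, act, res)}")
    print("monitor policy grants outside the audit scope:")
    print(json.dumps(grants_outside_audit_scope(MONITOR_POLICY), indent=2))
```

Because the project pattern ends in "*", log:* on acs:log:*:*:project/slsaudit-* also covers every Logstore under those projects, which is what the dedicated audit Logstore needs; a project that is not named slsaudit-* is not reachable through either policy. The three rds, vpc, and drds actions on Resource "*" are what the checker reports as outside the audit scope; they are needed for the application to switch on SQL auditing and flow logs, but they are account-wide. The system policy ReadOnlyAccess that the procedure also attaches to sls-audit-service-monitor is not a custom policy and is not modelled here; it is read access to all services in the account and is the widest grant in the procedure.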

Authorize Log Service to collect logs from services of other Alibaba Cloud accounts

  1. Obtain the IDs of the Alibaba Cloud accounts.
    1. Log on to the Account Management console.
      Log on to the console by using each Alibaba Cloud account.
    2. Go to the Security Settings page and obtain the ID of the account.
  2. Authorize other Alibaba Cloud accounts.
    1. Log on to the RAM console by using the current Alibaba Cloud account, that is, the account that stores the collected logs.
      We recommend that you use a RAM user to authorize other Alibaba Cloud accounts. The RAM user must be granted read/write permissions on RAM. For this purpose, you can attach the AliyunRAMFullAccess policy to the RAM user.
    2. In the left-side navigation pane, click RAM Roles.
    3. On the RAM Roles page, click the sls-audit-service-dispatch role to go to the details page of the role.
    4. Click the Trust Policy Management tab. On the tab, replace the content in the editor with the following script.

      Replace The ID of another Alibaba Cloud account in the script with the ID of an Alibaba Cloud account from whose services you want to collect logs. For more information about how to obtain the account ID, see step 1. If you want to collect cloud service logs from multiple Alibaba Cloud accounts, add one principal of the form <account ID>@log.aliyuncs.com to the Service element for each Alibaba Cloud account except the current Alibaba Cloud account, and keep the log.aliyuncs.com entry. Only the accounts listed here can assume this role through Log Service.

      {
          "Statement": [
              {
                  "Action": "sts:AssumeRole",
                  "Effect": "Allow",
                  "Principal": {
                      "Service": [
                          "The ID of another Alibaba Cloud account@log.aliyuncs.com",
                          "log.aliyuncs.com"
                      ]
                  }
              }
          ],
          "Version": "1"
      }
  3. Authorize the current Alibaba Cloud account.
    1. Log on to the RAM console by using one of the other Alibaba Cloud accounts, that is, an account from whose services logs are collected. Repeat this step for each of these accounts.
      We recommend that you use a RAM user to authorize the current Alibaba Cloud account. The RAM user must be granted read/write permissions on RAM. For this purpose, you can attach the AliyunRAMFullAccess policy to the RAM user.
    2. In the left-side navigation pane, choose Permissions > Policies. On the page that appears, click Create Policy.
    3. On the Create Custom Policy page, set the parameters, and then click OK. The following table describes the parameters.
      Parameter           Description
      Policy Name         The name of the policy. Set the value to AliyunLogAuditServiceMonitorAccess.
      Configuration Mode  Select Script.
      Policy Document     The content of the policy. Replace the content in the editor with the following script:
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "log:*",
                  "Resource": [
                      "acs:log:*:*:project/slsaudit-*",
                      "acs:log:*:*:app/audit"
                  ],
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "rds:ModifySQLCollectorPolicy",
                      "vpc:*FlowLog*",
                      "drds:*SqlAudit*"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ]
      }
    4. Create a role named sls-audit-service-monitor and attach the AliyunLogAuditServiceMonitorAccess policy to the role.
      1. In the left-side navigation pane, click RAM Roles. On the page that appears, click Create RAM Role. The Create RAM Role wizard appears.
      2. In the Select Role Type step, select Alibaba Cloud Service and click Next.
      3. In the Configure Role step, set the parameters, and then click OK. The following table describes the parameters.
        Parameter               Description
        Role Type               The type of the RAM role. Select Normal Service Role.
        RAM Role Name           The name of the RAM role. Set the value to sls-audit-service-monitor.
        Select Trusted Service  The Alibaba Cloud service that is allowed to assume this role. Select Log Service from the drop-down list.
      4. Click Add Permissions to RAM Role.
      5. In the Add Permissions dialog box, set the parameters to attach a policy to the role.

        In the Select Policy section, select Custom Policy and add the AliyunLogAuditServiceMonitorAccess policy in the left section to the right section. Select System Policy and add the ReadOnlyAccess policy to the right section.

      6. Go back to the RAM Roles page and click the sls-audit-service-monitor role to go to the details page of the role.
      7. Click the Trust Policy Management tab. On the tab, replace the original script in the editor with the following content:
        Replace The ID of the Alibaba Cloud account in whose Logstore log data is stored in a centralized way in the following script with the ID of the current Alibaba Cloud account, that is, the account that stores the collected logs. For more information about how to obtain the account ID, see step 1. Keep the log.aliyuncs.com entry.
        {
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": [
                            "The ID of the Alibaba Cloud account in whose Logstore log data is stored in a centralized way@log.aliyuncs.com",
                            "log.aliyuncs.com"
                        ]
                    }
                }
            ],
            "Version": "1"
        }
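The cross-account procedure above edits two trust policies in opposite directions: the sls-audit-service-dispatch role in the current (central) account must trust every other account, and the sls-audit-service-monitor role in each other account must trust the central account, with each trusted account expressed as <account ID>@log.aliyuncs.com next to the log.aliyuncs.com entry. The following Python script is an added example and not code from Alibaba Cloud; it generates both trust policies from a list of account IDs, and it checks an existing trust policy for the mistake that the templates invite, which is saving them with the placeholder text still in the Service element. The account IDs are constructed, and the script only enforces that an ID is all digits (an assumption about the ID format; it is not verified against the account).

```python
import json

LOG_SERVICE_PRINCIPAL = "log.aliyuncs.com"
DISPATCH_ROLE = "sls-audit-service-dispatch"
MONITOR_ROLE = "sls-audit-service-monitor"

# The template from the procedure, exactly as it reads before the placeholder is
# replaced (constructed copy, used to show what the checker reports).
PLACEHOLDER_TEMPLATE = {
    "Statement": [{
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Principal": {"Service": [
            "The ID of another Alibaba Cloud account@log.aliyuncs.com",
            "log.aliyuncs.com",
        ]},
    }],
    "Version": "1",
}


def _check_account_id(account_id):
    # Alibaba Cloud account IDs are numeric; only "all digits" is enforced here (assumption).
    if not (isinstance(account_id, str) and account_id.isdigit()):
        raise ValueError(f"not an Alibaba Cloud account ID: {account_id!r}")
    return account_id


def build_trust_policy(trusted_account_ids):
    """Trust policy in the shape used above: Log Service itself, plus Log Service
    acting for each listed account as "<account ID>@log.aliyuncs.com"."""
    principals = [f"{_check_account_id(a)}@{LOG_SERVICE_PRINCIPAL}"
                  for a in dict.fromkeys(trusted_account_ids)]  # de-duplicated, order kept
    principals.append(LOG_SERVICE_PRINCIPAL)
    return {
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": principals},
        }],
        "Version": "1",
    }


def cross_account_trust_policies(central_account_id, member_account_ids):
    """Map (role name, account that hosts the role) -> trust policy, following the
    two halves of the procedure: the dispatch role in the central account trusts
    every member account; the monitor role in each member trusts the central account."""
    policies = {(DISPATCH_ROLE, central_account_id): build_trust_policy(member_account_ids)}
    for member in member_account_ids:
        policies[(MONITOR_ROLE, member)] = build_trust_policy([central_account_id])
    return policies


def trust_policy_problems(trust_policy):
    """Principals that are neither log.aliyuncs.com nor "<digits>@log.aliyuncs.com",
    which is how an unreplaced placeholder or a typo in the account ID shows up."""
    problems = []
    for stmt in trust_policy["Statement"]:
        for svc in stmt.get("Principal", {}).get("Service", []):
            acct, sep, domain = svc.partition("@")
            well_formed = sep == "@" and domain == LOG_SERVICE_PRINCIPAL and acct.isdigit()
            if svc != LOG_SERVICE_PRINCIPAL and not well_formed:
                problems.append(svc)
    return problems


def trusted_accounts(trust_policy):
    """Account IDs that the policy lets Log Service act for; raises on malformed principals."""
    problems = trust_policy_problems(trust_policy)
    if problems:
        raise ValueError(f"malformed principals in trust policy: {problems}")
    return {svc.split("@")[0]
            for stmt in trust_policy["Statement"]
            if stmt.get("Action") == "sts:AssumeRole" and stmt.get("Effect") == "Allow"
            for svc in stmt["Principal"]["Service"] if "@" in svc}


if __name__ == "__main__":
    # Constructed sample IDs: one central account, two accounts whose logs it collects.
    central, members = "1111111111111111", ["2222222222222222", "3333333333333333"]
    for (role, account), policy in cross_account_trust_policies(central, members).items():
        print(f"--- {role} in account {account} trusts {sorted(trusted_accounts(policy))}")
        print(json.dumps(policy, indent=4))
    print("placeholder check:", trust_policy_problems(PLACEHOLDER_TEMPLATE))
```

Paste the generated JSON into the Trust Policy Management tab of the corresponding role, or run trust_policy_problems on the JSON you already saved there; a non-empty result means a principal that Log Service cannot match, so the cross-account collection silently fails for that account. Keep the list of trusted accounts to the accounts you actually collect from, since every account listed in the dispatch role's trust policy can have Log Service assume that role in the central account.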