Log Audit enables one-click, cross-account collection and centralized storage of cloud product logs. It collects all qualifying cloud product logs by default. Collection policies let you narrow the scope by account, region, or instance for fine-grained control.
Supported products
Collection policies support RDS, PolarDB-X 1.0, PolarDB, SLB, ALB, DNS, Kubernetes.
|
Cloud product |
Collection object |
Parameter |
Description |
|
RDS |
RDS instance |
Account: account.id |
The ID of the Alibaba Cloud account that owns the RDS instance. |
|
Region: region |
The region where the RDS instance is located. For example, cn-shanghai. |
||
|
Instance ID: instance.id |
The ID of the RDS instance. |
||
|
Instance name: instance.name |
The name of the RDS instance. |
||
|
DB type: instance.db_type |
The database engine type. Valid values: mysql, pgsql, and mssql. |
||
|
DB version: instance.db_version |
The database engine version. For example, 8.0. |
||
|
Tag: tag.* |
The user-defined tag key. Replace the asterisk (*) in tag.* with your custom tag key. |
||
|
PolarDB |
PolarDB cluster |
Account: account.id |
The ID of the Alibaba Cloud account that owns the PolarDB cluster. |
|
Region: region |
The region where the PolarDB cluster is located. For example, cn-shanghai. |
||
|
Cluster ID: cluster.id |
The ID of the PolarDB cluster. |
||
|
Cluster name: cluster.name |
The name of the PolarDB cluster. |
||
|
Cluster compatible DB type: cluster.db_type |
The database engine type compatible with the PolarDB cluster. Currently, only MySQL is supported. |
||
|
Cluster compatible DB version: cluster.db_version |
The version of the database engine compatible with the cluster. Valid values: 8.0, 5.7, and 5.6. |
||
|
Tag: tag.* |
The user-defined tag key. Replace the asterisk (*) in tag.* with your custom tag key. |
||
|
PolarDB-X 1.0 |
PolarDB-X 1.0 instance |
Account: account.id |
The ID of the Alibaba Cloud account that owns the PolarDB-X 1.0 instance. |
|
Region: region |
The region where the PolarDB-X 1.0 instance is located. For example, cn-shanghai. |
||
|
Instance ID: instance.id |
The ID of the PolarDB-X 1.0 instance. |
||
|
Instance name: instance.name |
The name of the PolarDB-X 1.0 instance. |
||
|
SLB |
SLB instance |
Account: account.id |
The ID of the Alibaba Cloud account that owns the SLB instance. |
|
Region: region |
The region where the SLB instance is located. For example, cn-shanghai. |
||
|
Instance ID: instance.id |
The ID of the SLB instance. |
||
|
Instance name: instance.name |
The name of the SLB instance. |
||
|
Network type: instance.network_type |
The network type of the SLB instance. Valid values: Virtual Private Cloud (VPC) and classic network. |
||
|
VPC ID: instance.vpc_id |
The ID of the VPC that contains the SLB instance. |
||
|
Address type: instance.address_type |
The address type of the SLB instance. Valid values: intranet and internet. |
||
|
Tag: tag.* |
The user-defined tag key. Replace the asterisk (*) in tag.* with your custom tag key. |
||
|
ALB |
ALB instance |
Account: account.id |
The ID of the Alibaba Cloud account that owns the ALB instance. |
|
Region: region |
The region where the ALB instance is located. For example, cn-shanghai. |
||
|
Instance ID: instance.id |
The ID of the ALB instance. |
||
|
Instance name: instance.name |
The name of the ALB instance. |
||
|
VPC ID: instance.vpc_id |
The ID of the VPC that contains the ALB instance. |
||
|
Address type: instance.address_type |
The address type of the ALB instance. Valid values: intranet and internet. |
||
|
Tag: tag.* |
The user-defined tag key. Replace the asterisk (*) in tag.* with your custom tag key. |
||
|
Alibaba Cloud DNS PrivateZone |
VPC instance |
Account: account.id |
The ID of the Alibaba Cloud account that owns the VPC instance. |
|
Region: region |
The region where the VPC instance is located. |
||
|
Instance ID: instance.id |
The ID of the VPC instance. |
||
|
Instance name: instance.name |
The name of the VPC instance. |
||
|
Tag: tag.* |
The user-defined tag key. Replace the asterisk (*) in tag.* with your custom tag key. |
||
|
Alibaba Cloud DNS logs and Global Traffic Manager logs |
Domain |
Account: account.id |
The ID of the Alibaba Cloud account that owns the domain. |
|
Domain: domain |
The domain name. |
||
|
Kubernetes (Kubernetes audit logs) |
Kubernetes cluster |
Region: region |
The region where the Kubernetes cluster is located. For example, cn-shanghai. |
|
Cluster ID: cluster.id |
The ID of the Kubernetes cluster. |
||
|
Cluster name: cluster.name |
The name of the Kubernetes cluster. |
||
|
Cluster type: cluster.type |
The type of the Kubernetes cluster. Valid values: Dedicated Kubernetes, Managed Kubernetes, and Serverless Kubernetes. |
||
|
Network type: cluster.network_mode |
The network type of the Kubernetes cluster. Valid values: Virtual Private Cloud (VPC) and classic network. |
||
|
Tag: tag.* |
The user-defined tag key. Replace the asterisk (*) in tag.* with your custom tag key. |
||
|
Kubernetes (Kubernetes Event Center) |
Kubernetes cluster |
Region: region |
The region where the Kubernetes cluster is located. For example, cn-shanghai. |
|
Cluster ID: cluster.id |
The ID of the Kubernetes cluster. |
||
|
Cluster name: cluster.name |
The name of the Kubernetes cluster. |
||
|
Cluster type: cluster.type |
The type of the Kubernetes cluster. Valid values: Dedicated Kubernetes, Managed Kubernetes, and Serverless Kubernetes. |
||
|
Network type: cluster.network_mode |
The network type of the Kubernetes cluster. Valid values: Virtual Private Cloud and classic network. |
||
|
Tag: tag.* |
The user-defined tag key. Replace the asterisk (*) in tag.* with your custom tag key. |
||
|
Kubernetes (Ingress access logs) |
Kubernetes cluster |
Region: region |
The region where the Kubernetes cluster is located. For example, cn-shanghai. |
|
Cluster ID: cluster.id |
The ID of the Kubernetes cluster. |
||
|
Cluster name: cluster.name |
The name of the Kubernetes cluster. |
||
|
Cluster type: cluster.type |
The type of the Kubernetes cluster. Valid values: Dedicated Kubernetes, Managed Kubernetes, and Serverless Kubernetes. |
||
|
Network type: cluster.network_mode |
The network type of the Kubernetes cluster. Valid values: Virtual Private Cloud (VPC) and classic network. |
||
|
Tag: tag.* |
The user-defined tag key. Replace the asterisk (*) in tag.* with your custom tag key. |
||
|
Log content: log.* |
The log content. |
Configure a collection policy
Log on to the Simple Log Service console.
Go to the Log Audit Service page.
NoteAs of January 21, 2025, the console entry point for Log Audit Service has been removed. However, it is still visible to existing users who activated the service before January 21, 2025. New users who need to use the old version can access the Log Audit Service (New Version) and use the Back to Old Version feature.
In the Log Application area, on the Audit & Security tab, click Log Audit Service (New Version).
In the upper-right corner of the New Log Audit page, click Back to Old Version to continue using the features of Log Audit (Old Version).
-
Go to and click Modify.
-
Click Log Collection Policy to the right of the target cloud service.
-
Configure the collection policy.
Configure a collection policy in default mode or advanced editing mode. Use advanced editing mode for complex policies.
Note-
You can configure multiple collection policies.
-
In advanced editing mode, you can manually edit policy statements. After editing, you cannot switch back to default mode.
-
To restore default mode, clear all policy statements and save.
-
Default collection policy
-
In the Policies to Add section, configure the following parameters and click Add Policy.
NoteIf the Retain toggle for the default collection policy is on, the last line of the policy is
accept "*" (default policy--accept). If the Retain toggle is off, the last line of the policy isdrop "*" (default policy--drop).For example, select Keep for Action, region for Attribute, and Exact Match for Operator. Then, enter
cn-hangzhoufor Attribute Value.Parameter
Description
Action
The action to perform, as defined in Policy syntax.
Attribute
The collection object attribute. Available attributes are listed in Supported products.
Operator
The comparison operator. For example, Exact Match corresponds to ==. All operators are listed in Policy syntax.
Attribute Value
The attribute value. You can enter multiple values.
-
In the Added Policies section, verify the policy configuration.
You can modify policies and adjust their order.
-
Click Edit to the right of the target collection policy to modify it.
-
Click the up and down arrows to reorder the policy.
Click Delete to the right of the target collection policy to remove it.
-
-
Confirm the configuration and click OK.
-
-
Advanced editing mode
-
Turn on the Advanced Edit Mode toggle.
-
In the Rule text box, configure the collection policy, and then click OK.
Syntax reference: Policy syntax.
For example, with Advanced Editing Mode enabled and Default Collection Policy set to Retain, your rules might be:
keep region == "cn-shanghai",keep region == "cn-hangzhou", andaccept "*".
-
-
-
On the Global Configurations page, click OK.
Policy syntax
-
Action
-
keep: If the target matches, evaluation continues to the next policy. Otherwise, the log is dropped. -
drop: If the target matches, the log is dropped. Otherwise, evaluation continues to the next policy. -
accept: If the target matches, the log is collected. Otherwise, evaluation continues to the next policy.
-
-
Match mode
Match mode
Description
Exact match
Exact string match.
-
operator:
== -
Example: keep instance.db_type == "mysql" indicates that RDS instances of the MySQL type pass this check.
Wildcard match
Wildcard match. Asterisk (*) matches zero or more characters; question mark (?) matches one character.
-
operator:
== -
Examples:
-
keep instance.name == "backend*" indicates that instances whose names start with backend meet this condition.
-
keep instance.name == "active?" matches instances whose names start with active and are followed by any single character.
-
Regular expression match
Regular expression match.
-
operator:
~= -
Example: keep instance.name ~= "^\d+$" means that instance names that consist only of digits pass this check.
NotePartial match by default. Anchor with
^and$for a full match.Numeric comparison
Numeric comparison.
-
operators:
-
Direct comparison:
>,>=,=,<=,< -
Closed interval comparison: : [*, 100]. You can use an asterisk (*) to indicate an unbounded side.
-
-
Examples:
-
keep tag.level >= 2 indicates that instances whose tag.level is greater than or equal to 2 pass this check.
-
keep tag.level : [*, 10] indicates that instances with a tag.level less than or equal to 10 pass the current check.
-
keep tag.level : [1, 10] indicates that instances whose tag.level is in the range [1, 10] pass the current check.
-
Logical relationship
-
keywords:
-
AND: Uses the case-insensitive keywords and and &&.
-
OR: Uses the case-insensitive keyword or.
-
NOT: Uses the case-insensitive keywords not and !.
-
-
Examples:
-
keep (tag.level > 10) and (region == "cn-shanghai") keeps instances that have a tag.level greater than 10 and are in the Shanghai region.
-
keep (tag.level > 10) or (region == "cn-shanghai") indicates that instances whose tag.level is greater than 10 or that are located in Shanghai pass the current check.
-
keep not region == "cn-shanghai" is an example that specifies a region other than Shanghai and passes the current check.
-
Global match
A policy without a specified attribute name implies a global match.
-
keep "abc" indicates that all collection items that contain the string abc are allowed to pass the current check.
-
accept "*" accepts all collected items.
Note-
Global matches must be enclosed in double quotation marks (" ").
-
Global matching is supported only in the advanced edit mode.
-
-
Character escaping
In a collection policy, escape special characters such as the asterisk (*) and backslash (\). For example, keep instance.name == "abc\*" matches an instance whose name is abc*.
Use cases
-
Collect instance logs by region
To collect instance logs only from Chinese mainland regions, use the following policy:
# Collect logs only from instances in China regions keep region == "cn-*" # Accept by default accept "*" -
Collect instance logs by tag
To collect logs only from instances with tag key
typeand valueproduction(case-insensitive), use the following policy:# Collect logs from production instances keep tag.type ~= "(?i)^production$" # Accept by default accept "*" -
Advanced use case
To collect logs from RDS MySQL instances, and also from any instance tagged level: high regardless of database type (MySQL, SQL Server, or PostgreSQL), use the following policy:
# Accept any instance tagged as high-level accept tag.level == "high" # Filter for MySQL database type keep instance.db_type == "mysql" # Accept by default accept "*"