All Products
Search
Document Center

Simple Log Service:Configure collection policies

Last Updated:Jun 08, 2026

Log Audit enables one-click, cross-account collection and centralized storage of cloud product logs. It collects all qualifying cloud product logs by default. Collection policies let you narrow the scope by account, region, or instance for fine-grained control.

Supported products

Collection policies support RDS, PolarDB-X 1.0, PolarDB, SLB, ALB, DNS, Kubernetes.

Cloud product

Collection object

Parameter

Description

RDS

RDS instance

Account: account.id

The ID of the Alibaba Cloud account that owns the RDS instance.

Region: region

The region where the RDS instance is located. For example, cn-shanghai.

Instance ID: instance.id

The ID of the RDS instance.

Instance name: instance.name

The name of the RDS instance.

DB type: instance.db_type

The database engine type. Valid values: mysql, pgsql, and mssql.

DB version: instance.db_version

The database engine version. For example, 8.0.

Tag: tag.*

The user-defined tag key.

Replace the asterisk (*) in tag.* with your custom tag key.

PolarDB

PolarDB cluster

Account: account.id

The ID of the Alibaba Cloud account that owns the PolarDB cluster.

Region: region

The region where the PolarDB cluster is located. For example, cn-shanghai.

Cluster ID: cluster.id

The ID of the PolarDB cluster.

Cluster name: cluster.name

The name of the PolarDB cluster.

Cluster compatible DB type: cluster.db_type

The database engine type compatible with the PolarDB cluster. Currently, only MySQL is supported.

Cluster compatible DB version: cluster.db_version

The version of the database engine compatible with the cluster. Valid values: 8.0, 5.7, and 5.6.

Tag: tag.*

The user-defined tag key.

Replace the asterisk (*) in tag.* with your custom tag key.

PolarDB-X 1.0

PolarDB-X 1.0 instance

Account: account.id

The ID of the Alibaba Cloud account that owns the PolarDB-X 1.0 instance.

Region: region

The region where the PolarDB-X 1.0 instance is located. For example, cn-shanghai.

Instance ID: instance.id

The ID of the PolarDB-X 1.0 instance.

Instance name: instance.name

The name of the PolarDB-X 1.0 instance.

SLB

SLB instance

Account: account.id

The ID of the Alibaba Cloud account that owns the SLB instance.

Region: region

The region where the SLB instance is located. For example, cn-shanghai.

Instance ID: instance.id

The ID of the SLB instance.

Instance name: instance.name

The name of the SLB instance.

Network type: instance.network_type

The network type of the SLB instance. Valid values: Virtual Private Cloud (VPC) and classic network.

VPC ID: instance.vpc_id

The ID of the VPC that contains the SLB instance.

Address type: instance.address_type

The address type of the SLB instance. Valid values: intranet and internet.

Tag: tag.*

The user-defined tag key.

Replace the asterisk (*) in tag.* with your custom tag key.

ALB

ALB instance

Account: account.id

The ID of the Alibaba Cloud account that owns the ALB instance.

Region: region

The region where the ALB instance is located. For example, cn-shanghai.

Instance ID: instance.id

The ID of the ALB instance.

Instance name: instance.name

The name of the ALB instance.

VPC ID: instance.vpc_id

The ID of the VPC that contains the ALB instance.

Address type: instance.address_type

The address type of the ALB instance. Valid values: intranet and internet.

Tag: tag.*

The user-defined tag key.

Replace the asterisk (*) in tag.* with your custom tag key.

Alibaba Cloud DNS PrivateZone

VPC instance

Account: account.id

The ID of the Alibaba Cloud account that owns the VPC instance.

Region: region

The region where the VPC instance is located.

Instance ID: instance.id

The ID of the VPC instance.

Instance name: instance.name

The name of the VPC instance.

Tag: tag.*

The user-defined tag key.

Replace the asterisk (*) in tag.* with your custom tag key.

Alibaba Cloud DNS logs and Global Traffic Manager logs

Domain

Account: account.id

The ID of the Alibaba Cloud account that owns the domain.

Domain: domain

The domain name.

Kubernetes (Kubernetes audit logs)

Kubernetes cluster

Region: region

The region where the Kubernetes cluster is located. For example, cn-shanghai.

Cluster ID: cluster.id

The ID of the Kubernetes cluster.

Cluster name: cluster.name

The name of the Kubernetes cluster.

Cluster type: cluster.type

The type of the Kubernetes cluster. Valid values: Dedicated Kubernetes, Managed Kubernetes, and Serverless Kubernetes.

Network type: cluster.network_mode

The network type of the Kubernetes cluster. Valid values: Virtual Private Cloud (VPC) and classic network.

Tag: tag.*

The user-defined tag key.

Replace the asterisk (*) in tag.* with your custom tag key.

Kubernetes (Kubernetes Event Center)

Kubernetes cluster

Region: region

The region where the Kubernetes cluster is located. For example, cn-shanghai.

Cluster ID: cluster.id

The ID of the Kubernetes cluster.

Cluster name: cluster.name

The name of the Kubernetes cluster.

Cluster type: cluster.type

The type of the Kubernetes cluster. Valid values: Dedicated Kubernetes, Managed Kubernetes, and Serverless Kubernetes.

Network type: cluster.network_mode

The network type of the Kubernetes cluster. Valid values: Virtual Private Cloud and classic network.

Tag: tag.*

The user-defined tag key.

Replace the asterisk (*) in tag.* with your custom tag key.

Kubernetes (Ingress access logs)

Kubernetes cluster

Region: region

The region where the Kubernetes cluster is located. For example, cn-shanghai.

Cluster ID: cluster.id

The ID of the Kubernetes cluster.

Cluster name: cluster.name

The name of the Kubernetes cluster.

Cluster type: cluster.type

The type of the Kubernetes cluster. Valid values: Dedicated Kubernetes, Managed Kubernetes, and Serverless Kubernetes.

Network type: cluster.network_mode

The network type of the Kubernetes cluster. Valid values: Virtual Private Cloud (VPC) and classic network.

Tag: tag.*

The user-defined tag key.

Replace the asterisk (*) in tag.* with your custom tag key.

Log content: log.*

The log content.

Configure a collection policy

  1. Log on to the Simple Log Service console.

  2. Go to the Log Audit Service page.

    Note

    As of January 21, 2025, the console entry point for Log Audit Service has been removed. However, it is still visible to existing users who activated the service before January 21, 2025. New users who need to use the old version can access the Log Audit Service (New Version) and use the Back to Old Version feature.

    1. In the Log Application area, on the Audit & Security tab, click Log Audit Service (New Version).

    2. In the upper-right corner of the New Log Audit page, click Back to Old Version to continue using the features of Log Audit (Old Version).

  3. Go to Access to Cloud Services > Global Configurations and click Modify.

  4. Click Log Collection Policy to the right of the target cloud service.

  5. Configure the collection policy.

    Configure a collection policy in default mode or advanced editing mode. Use advanced editing mode for complex policies.

    Note
    • You can configure multiple collection policies.

    • In advanced editing mode, you can manually edit policy statements. After editing, you cannot switch back to default mode.

    • To restore default mode, clear all policy statements and save.

    • Default collection policy

      1. In the Policies to Add section, configure the following parameters and click Add Policy.

        Note

        If the Retain toggle for the default collection policy is on, the last line of the policy is accept "*" (default policy--accept). If the Retain toggle is off, the last line of the policy is drop "*" (default policy--drop).

        For example, select Keep for Action, region for Attribute, and Exact Match for Operator. Then, enter cn-hangzhou for Attribute Value.

        Parameter

        Description

        Action

        The action to perform, as defined in Policy syntax.

        Attribute

        The collection object attribute. Available attributes are listed in Supported products.

        Operator

        The comparison operator. For example, Exact Match corresponds to ==. All operators are listed in Policy syntax.

        Attribute Value

        The attribute value. You can enter multiple values.

      2. In the Added Policies section, verify the policy configuration.

        You can modify policies and adjust their order.

        • Click Edit to the right of the target collection policy to modify it.

        • Click the up and down arrows to reorder the policy.

        Click Delete to the right of the target collection policy to remove it.

      3. Confirm the configuration and click OK.

    • Advanced editing mode

      1. Turn on the Advanced Edit Mode toggle.

      2. In the Rule text box, configure the collection policy, and then click OK.

        Syntax reference: Policy syntax.

        For example, with Advanced Editing Mode enabled and Default Collection Policy set to Retain, your rules might be: keep region == "cn-shanghai", keep region == "cn-hangzhou", and accept "*".

  6. On the Global Configurations page, click OK.

Policy syntax

  • Action

    • keep: If the target matches, evaluation continues to the next policy. Otherwise, the log is dropped.

    • drop: If the target matches, the log is dropped. Otherwise, evaluation continues to the next policy.

    • accept: If the target matches, the log is collected. Otherwise, evaluation continues to the next policy.

  • Match mode

    Match mode

    Description

    Exact match

    Exact string match.

    • operator: ==

    • Example: keep instance.db_type == "mysql" indicates that RDS instances of the MySQL type pass this check.

    Wildcard match

    Wildcard match. Asterisk (*) matches zero or more characters; question mark (?) matches one character.

    • operator: ==

    • Examples:

      • keep instance.name == "backend*" indicates that instances whose names start with backend meet this condition.

      • keep instance.name == "active?" matches instances whose names start with active and are followed by any single character.

    Regular expression match

    Regular expression match.

    • operator: ~=

    • Example: keep instance.name ~= "^\d+$" means that instance names that consist only of digits pass this check.

    Note

    Partial match by default. Anchor with ^ and $ for a full match.

    Numeric comparison

    Numeric comparison.

    • operators:

      • Direct comparison: >, >=, =, <=, <

      • Closed interval comparison: : [*, 100]. You can use an asterisk (*) to indicate an unbounded side.

    • Examples:

      • keep tag.level >= 2 indicates that instances whose tag.level is greater than or equal to 2 pass this check.

      • keep tag.level : [*, 10] indicates that instances with a tag.level less than or equal to 10 pass the current check.

      • keep tag.level : [1, 10] indicates that instances whose tag.level is in the range [1, 10] pass the current check.

    Logical relationship

    • keywords:

      • AND: Uses the case-insensitive keywords and and &&.

      • OR: Uses the case-insensitive keyword or.

      • NOT: Uses the case-insensitive keywords not and !.

    • Examples:

      • keep (tag.level > 10) and (region == "cn-shanghai") keeps instances that have a tag.level greater than 10 and are in the Shanghai region.

      • keep (tag.level > 10) or (region == "cn-shanghai") indicates that instances whose tag.level is greater than 10 or that are located in Shanghai pass the current check.

      • keep not region == "cn-shanghai" is an example that specifies a region other than Shanghai and passes the current check.

    Global match

    A policy without a specified attribute name implies a global match.

    • keep "abc" indicates that all collection items that contain the string abc are allowed to pass the current check.

    • accept "*" accepts all collected items.

    Note
    • Global matches must be enclosed in double quotation marks (" ").

    • Global matching is supported only in the advanced edit mode.

  • Character escaping

    In a collection policy, escape special characters such as the asterisk (*) and backslash (\). For example, keep instance.name == "abc\*" matches an instance whose name is abc*.

Use cases

  • Collect instance logs by region

    To collect instance logs only from Chinese mainland regions, use the following policy:

    # Collect logs only from instances in China regions
    keep region == "cn-*"
    # Accept by default
    accept "*"
  • Collect instance logs by tag

    To collect logs only from instances with tag key type and value production (case-insensitive), use the following policy:

    # Collect logs from production instances
    keep tag.type ~= "(?i)^production$"
    # Accept by default
    accept "*"
  • Advanced use case

    To collect logs from RDS MySQL instances, and also from any instance tagged level: high regardless of database type (MySQL, SQL Server, or PostgreSQL), use the following policy:

    # Accept any instance tagged as high-level
    accept tag.level == "high"
    # Filter for MySQL database type
    keep instance.db_type == "mysql"
    # Accept by default
    accept "*"