The Log Audit Service application allows you to collect logs of Alibaba Cloud services across multiple accounts and store the logs in a centralized manner. If the log audit feature is enabled for an Alibaba Cloud service, Log Service automatically collects service logs that meet specified policy conditions. You can also configure policy conditions for the accounts, regions, and instances from which logs are collected. In this way, you can collect logs at a fine granularity. This topic describes how to configure a log collection policy.

Supported services

You can configure log collection policies for Relational Database Service (RDS), Distributed Relational Database Service (DRDS), Server Load Balancer (SLB), and Alibaba Cloud Container Service for Kubernetes (ACK). The following list describes, for each service and log source, the attributes that you can use in policy conditions.

  • RDS (log source: RDS instance)
    • account.id: The ID of the Alibaba Cloud account to which an RDS instance belongs.
    • region: The ID of the region where an RDS instance resides, for example, cn-shanghai.
    • instance.id: The ID of an RDS instance.
    • instance.name: The name of an RDS instance.
    • instance.db_type: The type of an RDS instance. Valid values: mysql, pgsql, and mssql.
    • instance.db_version: The version of an RDS instance, for example, 8.0.
    • tag.*: The tag of an RDS instance. You can replace the asterisk (*) in tag.* with a custom tag name.
  • DRDS (log source: DRDS instance)
    • account.id: The ID of the Alibaba Cloud account to which a DRDS instance belongs.
    • region: The ID of the region where a DRDS instance resides, for example, cn-shanghai.
    • instance.id: The ID of a DRDS instance.
    • instance.name: The name of a DRDS instance.
  • SLB (log source: SLB instance)
    • account.id: The ID of the Alibaba Cloud account to which an SLB instance belongs.
    • region: The ID of the region where an SLB instance resides, for example, cn-shanghai.
    • instance.id: The ID of an SLB instance.
    • instance.name: The name of an SLB instance.
    • instance.network_type: The network type of an SLB instance. Valid values: VPC and Classic.
    • instance.vpc_id: The ID of the VPC where an SLB instance resides.
    • instance.address_type: The address type of an SLB instance. Valid values: Intranet and Internet.
    • tag.*: The tag of an SLB instance. You can replace the asterisk (*) in tag.* with a custom tag name.
  • Kubernetes container, Kubernetes audit log (log source: Kubernetes cluster)
    • region: The ID of the region where a Kubernetes cluster resides, for example, cn-shanghai.
    • cluster.id: The ID of a Kubernetes cluster.
    • cluster.name: The name of a Kubernetes cluster.
    • cluster.type: The type of a Kubernetes cluster. Valid values: Standard Dedicated Cluster, Managed Cluster, and Serverless Cluster.
    • cluster.network_mode: The network type of a Kubernetes cluster. Valid values: VPC and Classic.
    • tag.*: The tag of a Kubernetes cluster. You can replace the asterisk (*) in tag.* with a custom tag name.
  • Kubernetes container, Kubernetes Event Center (log source: Kubernetes cluster)
    • region: The ID of the region where a Kubernetes cluster resides, for example, cn-shanghai.
    • cluster.id: The ID of a Kubernetes cluster.
    • cluster.name: The name of a Kubernetes cluster.
    • cluster.type: The type of a Kubernetes cluster. Valid values: Standard Dedicated Cluster, Managed Cluster, and Serverless Cluster.
    • cluster.network_mode: The network type of a Kubernetes cluster. Valid values: VPC and Classic.
    • tag.*: The tag of a Kubernetes cluster. You can replace the asterisk (*) in tag.* with a custom tag name.
  • Kubernetes container, Ingress access log (log source: Kubernetes cluster)
    • region: The ID of the region where a Kubernetes cluster resides, for example, cn-shanghai.
    • cluster.id: The ID of a Kubernetes cluster.
    • cluster.name: The name of a Kubernetes cluster.
    • cluster.type: The type of a Kubernetes cluster. Valid values: Standard Dedicated Cluster, Managed Cluster, and Serverless Cluster.
    • cluster.network_mode: The network type of a Kubernetes cluster. Valid values: VPC and Classic.
    • tag.*: The tag of a Kubernetes cluster. You can replace the asterisk (*) in tag.* with a custom tag name.
    • log.*: The content of the log.

Configure log collection policies

  1. Log on to the Log Service console.
  2. In the Log Application section, click Start in the Log Audit Service section.
  3. Choose Access to Cloud Products > Global Configurations. In the upper-right corner of the page that appears, click Modify.
  4. Click Collection Policy of the target Alibaba Cloud service.
  5. Configure log collection policies.
    Log Service provides a basic edit mode and an advanced edit mode for configuring log collection policies. If the basic edit mode does not satisfy your business requirements, you can enable the advanced edit mode, which lets you configure policies with more flexibility.
    Note
    • You can configure multiple policies to collect logs of an Alibaba Cloud service.
    • In the advanced edit mode, you can edit policy statements. After you edit a policy statement, you cannot directly return to the basic edit mode.
    • To return to the basic edit mode, you must delete all policy statements and save the changes.
    • Basic edit mode
      1. In the Add Policy section, set the required parameters, and click Add. The following table describes the parameters.
        Parameter Description
        Action The action that is performed after the policy is evaluated based on a log field. For more information, see Policy syntax.
        Attribute The log field. Log fields vary depending on the log source. For more information, see Supported services.
        Operator The operator, for example, ==. This operator indicates exact match. For more information, see Policy syntax.
        Attribute value The value of an attribute. You can specify multiple values for an attribute.
      2. In the Added Policy section, check the policies that you have configured.
        You can modify policies and adjust the execution sequence of the policies in the Added Policy section.
        • To modify the policy, click Edit on the right side of a policy.
        • To adjust the execution sequence of the policy, click the up or down arrow on the right side of a policy.
        Note The accept "*" policy is the default policy for log collection. This policy indicates that all logs are collected. It cannot be edited or deleted.
      3. Click OK.
    • Advanced edit mode
      1. Turn on the Advanced Edit Mode switch.
      2. In the Policy text box, configure log collection policies, and click OK.
        For more information about the policy syntax, see Policy syntax.
  6. On the Global Configurations page, click Save.

Policy syntax

  • Action
    • keep: If a policy is matched, Log Service attempts to match the next policy. If a policy is not matched, Log Service does not collect logs based on the policy and no longer attempts to match the next policy.
    • drop: If a policy is matched, Log Service does not collect logs based on the policy and no longer attempts to match the next policy. If a policy is not matched, Log Service attempts to match the next policy.
    • accept: If a policy is matched, Log Service collects the logs and no longer attempts to match the next policy. If a policy is not matched, Log Service attempts to match the next policy.
  • Matching mode
    • Exact match: The attribute value must match the specified value in full.
      • Operator: ==.
      • Example: keep instance.db_type == "mysql" indicates that an instance matches the current policy if the instance type is MySQL.
    • Wildcard matching: The attribute value is matched by using asterisks (*) and question marks (?). An asterisk (*) indicates zero or more characters, and a question mark (?) indicates a single character.
      • Operator: ==.
      • Examples:
        • keep instance.name == "backend*" indicates that an instance matches the current policy if the instance name starts with backend.
        • keep instance.name == "active?" indicates that an instance matches the current policy if the instance name is active followed by exactly one more character.
    • Regular expression matching: The attribute value is matched by using a regular expression.
      • Operator: ~=.
      • Example: keep instance.name ~= "^\d+$" indicates that an instance matches the current policy if the instance name consists of only digits.
      • Note: By default, a string matches the current policy if one of its substrings matches the regular expression. To implement exact match, you must prefix the regular expression with a caret (^) and end the expression with a dollar sign ($).
    • Value comparison: The attribute value is matched by using numeric comparison.
      • Operators:
        • Operators for direct comparison, including greater than (>), greater than or equal to (>=), equal to (=), less than or equal to (<=), and less than (<).
        • Closed interval operator, for example, : [*, 100]. The asterisk (*) is used to indicate infinity.
      • Examples:
        • keep tag.level >= 2 indicates that an instance matches the current policy if the value of the tag.level field is greater than or equal to 2.
        • keep tag.level : [*, 10] indicates that an instance matches the current policy if the value of the tag.level field is less than or equal to 10.
        • keep tag.level : [1, 10] indicates that an instance matches the current policy if the value of the tag.level field is within the range [1, 10].
    • Logical relationships
      • Operators:
        • AND: The keywords are not case-sensitive and include and, AND, and &&.
        • OR: The keywords are not case-sensitive and include or and OR.
        • NOT: The keywords are not case-sensitive and include not, NOT, and the exclamation point (!).
      • Examples:
        • keep (tag.level > 10) and (region == "cn-shanghai") indicates that an instance matches the current policy if the value of the tag.level field is greater than 10 and the instance resides in the China (Shanghai) region.
        • keep (tag.level > 10) or (region == "cn-shanghai") indicates that an instance matches the current policy if the value of the tag.level field is greater than 10 or the instance resides in the China (Shanghai) region.
        • keep not region == "cn-shanghai" indicates that an instance matches the current policy if the instance does not reside in the China (Shanghai) region.
    • Global matching: In global matching mode, no attribute is specified, and the condition applies to logs from all sources. Examples:
      • keep "abc" indicates that logs from all sources that contain abc match the current policy.
      • accept "*" indicates that all logs match the current policy.
      • Note:
        • You must enclose the value in double quotation marks ("") when you implement global matching.
        • Global matching is available only in the advanced edit mode.
  • Special characters

    You cannot use special characters such as asterisks (*) or backslashes (\) in a log collection policy. For example, keep instance.name == "abc\*" indicates that an instance matches the current policy if the instance name starts with abc.

Common scenarios

  • Collect logs of instances that reside in specific regions
    For example, to collect logs of the instances that reside in the regions in China (region IDs that start with cn-), you can use the following log collection policy:
    # only scan cn region
    keep region == "cn-*"
    
    # accept by default
    accept "*"
  • Collect logs of instances that have specific tags
    For example, to collect logs of the instances that have the type: production tag (the tag value is not case-sensitive), you can use the following log collection policy:
    # only scan "production" instances
    keep tag.type ~= "(?i)^production$"
    
    # accept by default
    accept "*"
  • Advanced scenarios
    For example, to collect logs of ApsaraDB RDS for MySQL instances, and collect logs of the ApsaraDB RDS for SQL Server instances and ApsaraDB RDS for PostgreSQL instances that have the level: high tag, you can use the following log collection policy:
    # accept all high level instances
    accept tag.level == "high"
    
    # only scan mysql
    keep instance.db_type == "mysql"
    
    # accept by default
    accept "*"
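To make the keep/drop/accept semantics and the operators from the Policy syntax section concrete, the following is an added example, not Alibaba Cloud's own code, of a small evaluator for single-condition policies, run against constructed instance records (the policy text is the "Advanced scenarios" policy above). It assumes every attribute value is a string and does not handle the and/or/not forms.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: the "Advanced scenarios" policy from this page.
POLICY = """# accept all high level instances
accept tag.level == "high"
# only scan mysql
keep instance.db_type == "mysql"
# accept by default
accept "*"
"""

# action, then either attribute + operator + value, or a bare quoted string (global matching)
RULE = re.compile(r'^(keep|drop|accept)\s+(?:([\w.]+)\s*(==|~=|>=|<=|>|<|=|:)\s*)?(.+)$')

def parse(text):
    """Return (action, attribute, operator, value) tuples; blank and '#' lines are skipped."""
    rules = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError("bad policy line: " + line)
        action, attr, op, value = m.groups()
        rules.append((action, attr, op, value.strip()))
    return rules

def matches(attr, op, value, record):
    """Evaluate one condition against a dict of instance attributes (all values are strings)."""
    if attr is None:  # global matching: substring of the joined record text, "*" matches all
        return fnmatchcase(" ".join(record.values()), "*" + value.strip('"') + "*")
    actual = record.get(attr)
    if actual is None:
        return False
    if op == "~=":  # regular expression, substring semantics unless anchored with ^ and $
        return re.search(value.strip('"'), actual) is not None
    if op == "==":  # exact match, with * and ? wildcards
        return fnmatchcase(actual, value.strip('"'))
    if op == ":":  # closed interval [lo, hi]; * means unbounded
        lo, hi = (b.strip() for b in value.strip("[] ").split(","))
        return (lo == "*" or float(actual) >= float(lo)) and (hi == "*" or float(actual) <= float(hi))
    num, ref = float(actual), float(value)  # direct numeric comparison
    return {">": num > ref, ">=": num >= ref, "=": num == ref, "<=": num <= ref, "<": num < ref}[op]

def collect(rules, record):
    for action, attr, op, value in rules:  # rules are evaluated in order, first decision wins
        hit = matches(attr, op, value, record)
        if (action == "keep") != hit:  # keep stops on a miss, drop and accept stop on a hit
            return action == "accept"
    return False  # assumption: no accept rule matched, so nothing is collected
```

Running collect(parse(POLICY), record) over records for a low-level MySQL instance, a high-level SQL Server instance, and a low-level SQL Server instance shows that only the first two are collected, which is the behaviour the scenario describes.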