If you want to deliver resource change logs and resource non-compliance event logs to a specified Logstore in Log Service, you must specify a project and a Logstore. After the resource-related logs are delivered to the specified Logstore, you can query and analyze the logs.

Prerequisites

Log Service is activated. If you have not activated Log Service, you must log on to the Log Service console and activate the service by following the on-screen instructions. For more information, see "What is Log Service?"

Use an ordinary account

If you use an ordinary account, you can specify a Logstore to store the resource-related logs of the current account.

  1. Log on to the Cloud Config console.
  2. In the left-side navigation pane, choose Delivery Services > Deliver Logs to SLS.
  3. On the Deliver Logs to SLS page, turn on SLS Settings.
  4. Set the required parameters to specify a Log Service Logstore to store resource-related logs.
    The following table describes the parameters.
    Parameter: Description
    Select Acceptable Content: The type of resource log to be delivered to the Log Service Logstore. Valid values:
      • Historical Configuration Changes: the resource change logs. When the configuration of a resource changes, Cloud Config delivers the resource change logs to the Log Service Logstore.
      • Non-compliance Events: the resource non-compliance event logs. If a resource is evaluated as non-compliant, Cloud Config delivers the resource non-compliance event logs to the Log Service Logstore.
    Project Region: The region where the project resides.
    Project Name: The name of the project. The project name must be unique within the management account in the specified region.
      • If you select Create a project in the account, you must specify a project name.
      • If you select Select an existing project from the account, you must select an existing project from the Project Name drop-down list.
    Logstore Name: The name of the Logstore. The Logstore name must be unique within the management account in the specified region.
      • If you select Create a project in the account, you must specify a Logstore name.
      • If you select Select an existing project from the account, you must select an existing Logstore from the Logstore Name drop-down list.
    Recipient Address for Large Files: The Object Storage Service (OSS) bucket that is used to receive the large files that Cloud Config delivers to the Log Service Logstore.
      • If you set this parameter, a file that Cloud Config delivers to the Logstore is automatically transferred to the specified OSS bucket when the file size exceeds 1 MB.
      • If you leave this parameter empty, the excess part of a file that Cloud Config delivers to the Logstore is automatically truncated when the file size exceeds 1 MB.
      Note: The Region and Account parameters are automatically set based on the settings in the Content and Recipient Address section. You only need to select the bucket to receive the large files that exceed 1 MB in size.
  5. Click OK.

Use a management account

If you use a management account, you can specify a Logstore to store the resource-related logs of the management account and the member accounts in the resource directory. The delivery destination can be a Logstore that belongs to the management account or a member account. Only management accounts are authorized to deliver resource-related logs. No member accounts have the relevant permissions.

  1. Log on to the Cloud Config console.
  2. In the left-side navigation pane, choose Delivery Services > Deliver Logs to SLS.
  3. On the Deliver Logs to SLS page, turn on SLS Settings.
  4. Set the required parameters to specify a Log Service Logstore to store resource-related logs.
    You can create a project within the current management account or select an existing project that belongs to the management account or a member account. The specified project stores the resource-related logs of the management account and its member accounts.
    • To deliver resource-related logs to a project that belongs to the management account, select Create a project in the account or Select an existing project from the account, and set the required parameters. The following table describes the parameters.
      Parameter: Description
      Select Acceptable Content: The type of resource log to be delivered to the Log Service Logstore. Valid values:
        • Historical Configuration Changes: the resource change logs. When the configuration of a resource changes, Cloud Config delivers the resource change logs to the Log Service Logstore.
        • Non-compliance Events: the resource non-compliance event logs. If a resource is evaluated as non-compliant, Cloud Config delivers the resource non-compliance event logs to the Log Service Logstore.
      Project Region: The region where the project resides.
      Project Name: The name of the project. The project name must be unique within the management account in the specified region.
        • If you select Create a project in the account, you must specify a project name.
        • If you select Select an existing project from the account, you must select an existing project from the Project Name drop-down list.
      Logstore Name: The name of the Logstore. The Logstore name must be unique within the management account in the specified region.
        • If you select Create a project in the account, you must specify a Logstore name.
        • If you select Select an existing project from the account, you must select an existing Logstore from the Logstore Name drop-down list.
      Recipient Address for Large Files: The Object Storage Service (OSS) bucket that is used to receive the large files that Cloud Config delivers to the Log Service Logstore.
        • If you set this parameter, a file that Cloud Config delivers to the Logstore is automatically transferred to the specified OSS bucket when the file size exceeds 1 MB.
        • If you leave this parameter empty, the excess part of a file that Cloud Config delivers to the Logstore is automatically truncated when the file size exceeds 1 MB.
        Note: The Region and Account parameters are automatically set based on the settings in the Content and Recipient Address section. You only need to select the bucket to receive the large files that exceed 1 MB in size.
    • To deliver resource-related logs to a project that belongs to a member account, select Select an existing project from other enterprise management accounts, and set the required parameters. Before you set the parameters, make sure that the member account has an available project. The following table describes the parameters.
      Parameter: Description
      Select Acceptable Content: The type of resource log to be delivered to the Log Service Logstore. Valid values:
        • Historical Configuration Changes: the resource change logs. When the configuration of a resource changes, Cloud Config delivers the resource change logs to the Log Service Logstore.
        • Non-compliance Events: the resource non-compliance event logs. If a resource is evaluated as non-compliant, Cloud Config delivers the resource non-compliance event logs to the Log Service Logstore.
      Logstore ARN: The ARN of the Logstore within the member account. The ARN consists of the following information: the ID of the region where the Logstore resides, the ID of the member account, and the name of the Logstore. You can select the region from the Region drop-down list, the member account from the Member Accounts drop-down list, the project from the Project Name drop-down list, and the Logstore from the Logstore Name drop-down list.
      The role ARN that belongs to the destination account: The ARN of the role to be assumed by the member account. The ARN consists of the following information: the ID of the member account and the service-linked role for Cloud Config. You can select the member account from the drop-down list and use the default service-linked role.
      Recipient Address for Large Files: The Object Storage Service (OSS) bucket that is used to receive the large files that Cloud Config delivers to the Log Service Logstore.
        • If you set this parameter, a file that Cloud Config delivers to the Logstore is automatically transferred to the specified OSS bucket when the file size exceeds 1 MB.
        • If you leave this parameter empty, the excess part of a file that Cloud Config delivers to the Logstore is automatically truncated when the file size exceeds 1 MB.
        Note: The Region and Account parameters are automatically set based on the settings in the Content and Recipient Address section. You only need to select the bucket to receive the large files that exceed 1 MB in size.
  5. Click OK.
  6. In the "The changes will apply to all member accounts in the organization. Are you sure you want to apply the changes?" message, click OK.

What to do next

After the resource-related logs are delivered to the specified Logstore, you can query and analyze the resource-related logs in the Logstore within a specified period. For more information, see Query logs.

For information about the sample JSON code that is used to deliver logs, see Examples of resource change logs and Example of resource non-compliance events.