You can use the Log Audit Service application of Log Service to collect logs from the cloud services of multiple Alibaba Cloud accounts. Then, you can send the logs to a project of an Alibaba Cloud account for centralized storage. If you want to use the application to collect logs across multiple Alibaba Cloud accounts, you can use a resource directory to manage the accounts. This topic describes how to authorize Log Service to collect and synchronize logs across multiple Alibaba Cloud accounts by using a resource directory.

Prerequisites

  • The Alibaba Cloud accounts whose logs you want to collect are created and added to the resource directory as member accounts.

    You can create multiple Alibaba Cloud accounts in the resource directory. You can also invite Alibaba Cloud accounts to the resource directory. For more information, see Create a member account and Invite an Alibaba Cloud account to join a resource directory.

  • Log Service is activated for the Alibaba Cloud account to which the central project belongs.
  • Related features are enabled for the Alibaba Cloud services from which you want to collect logs. For more information, see Supported Alibaba Cloud services.

Background information

The Log Audit Service application supports all features of Log Service. You can use the Log Audit Service application to automatically collect logs in real time from Alibaba Cloud services that belong to different Alibaba Cloud accounts. You can also use the application to store and audit the logs in a centralized manner. Before you use the Log Audit Service application, you must authorize Log Service to collect logs from the related Alibaba Cloud services. You must also authorize the Alibaba Cloud accounts to synchronize logs across multiple accounts. You can perform AccessKey pair-based authorization or manual authorization. If you want to use the application to collect logs across multiple Alibaba Cloud accounts, you can use a resource directory to manage the accounts. For more information, see Log Audit Service.

Alibaba Cloud provides Resource Directory for enterprise customers to manage the relationships among multiple accounts. A resource directory allows you to establish an organizational structure for the resources that are used by your enterprise applications. This way, you can use one resource directory to plan, build, and manage the resources in a centralized manner. For more information, see Resource Directory.

A resource directory helps you consolidate the accounts of your enterprise to form a hierarchical organization. The organization indicates the relationships between your accounts and resources. You can manage resources in a centralized manner based on the relationships. This helps you meet the requirements for finance, security, audit, and compliance. The following figure shows the basic structure of a resource directory.
  • An enterprise management account is the account that is used to enable a resource directory and is the super administrator account of the resource directory. The enterprise management account has full permissions on the resource directory and the member accounts in the resource directory. Each resource directory has only one enterprise management account. For security reasons, we recommend that you create an Alibaba Cloud account and use it only as the enterprise management account. For more information, see Enterprise management account.
  • A folder is an organizational unit in a resource directory. A folder may indicate a branch, a line of business, or a project of an enterprise. Each folder can contain member accounts and child folders to form a tree-shaped organizational structure. For more information, see Folder.
  • A member account is an Alibaba Cloud account. A member account is a resource container and an organizational unit in a resource directory. Each member account indicates a project or an application. The resources of different member accounts are isolated. For more information, see Member account.

Procedure

  1. Access the Alibaba Cloud account to which the central project belongs by using the resource directory.
    After you create member accounts in or add member accounts to a resource directory, you can specify a member account as the account to which the central project belongs. Then, you can use a RAM user, a RAM role, or a root user to access the member account to which the central project belongs.
  2. Log on to the Log Service console.
  3. In the Log Application section, click Log Audit Service.
  4. Configure log collection in the Log Audit Service application by using the Alibaba Cloud account to which the central project belongs.
    If the initial configuration is complete, skip this step.
    1. In the left-side navigation pane, choose Access to Cloud Products > Global Configurations .
    2. In the Region of the Central Project drop-down list, select a region for centralized storage of log data.
      • China (Beijing), China (Hohhot), China (Hangzhou), China (Shanghai), and China (Shenzhen)
      • Singapore (Singapore), Japan (Tokyo), Germany (Frankfurt), and Indonesia (Jakarta)
    3. Authorize Log Service to collect and synchronize logs.
      You can perform manual authorization or AccessKey pair-based authorization.
      • AccessKey pair-based authorization: Enter the AccessKey ID and the AccessKey secret of the logon account. The AccessKey pair is for temporary use and is not saved.

        If you enter the AccessKey pair of a RAM user, the RAM user must have the read and write permissions on Resource Access Management (RAM) resources, because the authorization creates the RAM roles and policies that Log Service uses. To grant these permissions, you can attach the AliyunRAMFullAccess policy to the RAM user. Note that AliyunRAMFullAccess is a full-administration policy for RAM: a holder of the AccessKey pair can create roles and policies with any permissions. Use a key that is created for this step only, and delete the key (or the RAM user) after the authorization is complete. For more information, see Grant permissions to a RAM user.

      • Manual authorization: For more information, see Authorize Log Service to collect cloud service logs of the current Alibaba Cloud account.
    4. In the Cloud Products column, find the service for which you want to enable the log audit feature and specify the retention period for log data.
      You can also turn on the Synchronization to Central Project switch for Layer 7 access logs for Server Load Balancer (SLB), Object Storage Service (OSS) access logs, and Distributed Relational Database Service (DRDS) audit logs. After you turn on the Synchronization to Central Project switch, the Log Service console automatically changes the retention period to the recommended period. The project for regional storage is used as a temporary storage space.
    5. Click Save.
  5. Configure log collection for multiple accounts in the Alibaba Cloud account to which the central project belongs.
    1. In the left-side navigation pane, choose Multi-Account Configurations > Global Configurations.
    2. On the Multi-Account Configurations page, click Modify.
    3. Authorize Log Service to collect and synchronize logs.
      You can perform manual authorization or AccessKey pair-based authorization.
      • AccessKey pair-based authorization: In the AccessKey Pair for Other Accounts to Authorize Log Service field, enter the ID, the AccessKey ID, and the AccessKey secret of another Alibaba Cloud account. The AccessKey pair is for temporary use and is not saved.

        If you enter the AccessKey pair of a RAM user, the RAM user must have the read and write permissions on RAM resources in that account. To grant these permissions, you can attach the AliyunRAMFullAccess policy to the RAM user. As in Step 4, this policy grants full RAM administration in the other account, so use a key created for this step only and delete it afterwards.

      • Manual authorization: Enter one or more Alibaba Cloud account IDs. For more information about how to grant related permissions to the accounts, see Authorize Log Service to collect logs from cloud services across multiple Alibaba Cloud accounts.
  6. Use the resource directory to access the member accounts from which log data is collected and authorize these accounts to synchronize logs in sequence.
    If you selected AccessKey Pair-Based Authorization in Step 5, skip this step.
    1. Access a member account that you want to authorize by using the resource directory. For more information, see Step 1.
    2. Configure manual authorization for the member account. For more information, see Step 3 in Authorize Log Service to collect logs from cloud services across multiple Alibaba Cloud accounts.
  7. View the configuration result.

    After you complete the configuration, the initial synchronization is completed within approximately 2 minutes. If an exception occurs, modify the configurations as prompted. For more information, see FAQ.

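The AccessKey pair-based authorization in Step 4 and Step 5 requires a RAM user with AliyunRAMFullAccess, which is far more than the account needs once the authorization is done. The following shell script is an added example (it is not part of the Alibaba Cloud documentation and not Log Service's own tooling) that keeps that grant short-lived: it creates a throwaway RAM user with AliyunRAMFullAccess, issues the AccessKey pair that you paste into the Log Audit Service console, and then revokes the key, detaches the policy, and deletes the user. It assumes the Alibaba Cloud CLI (`aliyun`) is installed and configured with a profile for the account being authorized (the central account in Step 4, or each other account in Step 5); the RAM user name `sls-audit-bootstrap` is an assumed placeholder. Set `DRY_RUN=1` to print the CLI calls instead of executing them.

```shell
#!/bin/sh
# Added example, not from the Alibaba Cloud documentation.
# Usage:
#   sh audit-bootstrap.sh create            # prints the AccessKey pair once; paste it into the console
#   sh audit-bootstrap.sh revoke <AccessKeyId>   # after the authorization succeeds
# Assumes `aliyun` is installed and configured for the account being authorized.
set -eu

USER_NAME="${USER_NAME:-sls-audit-bootstrap}"   # assumed placeholder name
POLICY_NAME="AliyunRAMFullAccess"               # system policy named in the procedure
DRY_RUN="${DRY_RUN:-0}"                         # DRY_RUN=1 prints commands instead of running them

# Wrapper so the same functions can be exercised without credentials.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'aliyun %s\n' "$*"
  else
    aliyun "$@"
  fi
}

# Phase 1: create the short-lived user, attach the policy, and issue one key.
# CreateAccessKey prints the AccessKeySecret exactly once; do not store it anywhere
# other than the console form, which uses it temporarily and does not save it.
create_bootstrap_user() {
  run ram CreateUser --UserName "$USER_NAME" --DisplayName "$USER_NAME"
  run ram AttachPolicyToUser --PolicyType System --PolicyName "$POLICY_NAME" --UserName "$USER_NAME"
  run ram CreateAccessKey --UserName "$USER_NAME"
}

# Phase 2: revoke everything. Deleting the key first makes the pasted secret useless
# immediately, even if the later steps fail and have to be repeated.
revoke_bootstrap_user() {
  ak_id="$1"
  run ram DeleteAccessKey --UserName "$USER_NAME" --UserAccessKeyId "$ak_id"
  run ram DetachPolicyFromUser --PolicyType System --PolicyName "$POLICY_NAME" --UserName "$USER_NAME"
  run ram DeleteUser --UserName "$USER_NAME"
}

case "${1:-}" in
  create) create_bootstrap_user ;;
  revoke) revoke_bootstrap_user "${2:?AccessKeyId required}" ;;
esac
```

Run `create` in the account being authorized, paste the printed AccessKey ID and secret into the console, click Save, confirm in Step 7 that the synchronization succeeded, and only then run `revoke` with the AccessKey ID. If the authorization fails and must be repeated, revoke and create again rather than leaving the key alive.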