You can use the Log Audit Service application of Log Service to collect logs from the cloud services of multiple Alibaba Cloud accounts. Then, you can send the logs to the project of another Alibaba Cloud account. If you want to use the application to collect logs across multiple Alibaba Cloud accounts, you can use a resource directory to manage and authorize these accounts. This topic describes how to authorize Log Service to collect and synchronize logs across multiple Alibaba Cloud accounts by using a resource directory.

Prerequisites

  • The Alibaba Cloud accounts from which you want to collect logs are created and added to the resource directory as member accounts.

    You can create or invite multiple Alibaba Cloud accounts to the resource directory. For more information, see Create a member account and Invite a member account.

  • Log Service is activated for the Alibaba Cloud account where the Log Service project resides.
  • Related features are enabled for the Alibaba Cloud services from which you want to collect logs. For more information, see Supported cloud services.

Background information

The Log Audit Service application allows you to use all existing features of Log Service. In addition, the application allows you to collect and audit cloud service logs of multiple Alibaba Cloud accounts and to store all of the logs in one project of a single Alibaba Cloud account. Before the application can collect logs, two authorizations are required: Log Service must be authorized to collect logs from the related Alibaba Cloud services, and each Alibaba Cloud account from which logs are collected must be authorized to synchronize its logs across accounts. You can complete the authorization by using AccessKey pair-based authorization or manual authorization. You can use a resource directory to manage the accounts involved.

Alibaba Cloud provides Resource Directory for enterprise customers to manage the relationships among a number of accounts. A resource directory allows you to establish an organizational structure for the resources used by your enterprise applications. This way, you can use one resource directory to plan, build, and manage the resources in a centralized manner.

After you create a resource directory, you can consolidate the accounts of your enterprise to indicate the hierarchical relationships between your accounts and resources. This meets the requirements in terms of finance, security, audit, and compliance. The following figure shows the basic structure of a resource directory.

Figure: basic structure of a resource directory
  • A master account is the account that is used to enable a resource directory. This is the super administrator of the resource directory. The master account has administrative permissions on the resource directory and on all member accounts in the resource directory. Each resource directory has only one master account. Because of these permissions, we recommend that you create a dedicated Alibaba Cloud account for this purpose and use that account, rather than an account that also runs workloads, as the master account.
  • A folder is an organizational unit in a resource directory. A folder may indicate a branch, business line, or product project of an enterprise. Each folder can contain member accounts and child folders to form a tree-shaped organizational structure.
  • A member account is an Alibaba Cloud account. It serves as a resource container and an organizational unit in a resource directory. Each member account typically corresponds to one project or application. The resources of different member accounts are isolated from each other.

Procedure

  1. Use the resource directory to access the Alibaba Cloud account where the project resides.
    After the member accounts are created in or added to the resource directory, select the member account in which the Log Service project resides. Then, log on to that member account by using a RAM user, a RAM role, or the Alibaba Cloud account (root user).
  2. Log on to the Log Service console.
  3. In the Log Application section, click Start in the Log Audit Service section.
  4. Configure data collection in the Log Audit Service application by using the Alibaba Cloud account where the project resides.
    Skip this step if you have already completed the initial configuration.

    Figure: initial configuration
    1. In the left-side navigation pane, choose Access to Cloud Products > Global Configurations .
    2. In the Region of the Central Project section, select a region for central storage of log data.
      The available regions include China (Beijing), China (Hohhot), China (Hangzhou), China (Shanghai), China (Shenzhen), Japan (Tokyo), and Singapore (Singapore).
    3. In the Cloud Products column, find the service for which you want to enable the log audit feature, and specify the retention period for log data.
      You can also set Synchronization to Central Project for layer-7 access logs of SLB, OSS access logs, and DRDS audit logs. After you turn on the Synchronization to Central Project switch, the retention period is automatically reduced to the recommended period that is specified by the console. The project for regional storage serves as a temporary storage space.
    4. Authorize Log Service to collect and synchronize logs.
      You can select manual authorization or AccessKey pair-based authorization.
    5. Click OK.
  5. Configure log collection for multiple accounts in the Alibaba Cloud account where the project resides.
    Configure data collection for multiple accounts
    1. In the left-side navigation pane, choose Multi-Account Configurations > Global Configurations.
    2. On the Multi-Account Configurations page, click Modify.
    3. Authorize Log Service to collect and synchronize logs.
      You can select manual authorization or AccessKey pair-based authorization.
      • AccessKey pair-based authorization: In AccessKey Pair for Other Accounts to Authorize Log Service, enter the AccessKey IDs and AccessKey secrets of the other accounts, and the ID of the Alibaba Cloud account where the project resides. The AccessKey pairs are used only for this one-time authorization and are not saved.

        If you enter the AccessKey pair of a RAM user, the RAM user must have read and write permissions on RAM, for example by having the AliyunRAMFullAccess policy attached. Note that AliyunRAMFullAccess grants full administrative access to RAM in that account. Because the AccessKey pair is needed only while the authorization is being configured, use a RAM user dedicated to this step and remove the policy or disable the AccessKey pair after the configuration completes.

      • Manual authorization: Enter one or more Alibaba Cloud account IDs. For more information about how to grant related permissions to the accounts, see Authorize Log Service to collect logs from the cloud services purchased by other Alibaba Cloud accounts.
  6. Use the resource directory to access the member accounts and authorize these accounts to synchronize logs.
    Skip this step if you have selected AccessKey Pair-Based Authorization in Step 5.
    1. Access the member accounts that you want to authorize by using the resource directory. For more information, see Step 1.
    2. Configure manual authorization for the member accounts. For more information, see Step 3 in Authorize Log Service to collect logs from the cloud services purchased by other Alibaba Cloud accounts.
  7. View the configuration result.

    After you complete the configuration, the initial synchronization requires about 2 minutes to complete. If an exception occurs, modify the configuration as prompted. For more information, see Configure log collection.

    Figure: configuration result for resource directory-based collection