This topic describes the alert rules for the log audit compliance of multiple Alibaba Cloud services. These services include Object Storage Service (OSS), ApsaraDB RDS, PolarDB, Server Load Balancer (SLB), Apsara File Storage NAS (NAS), and Container Service for Kubernetes. You can configure and enable alert rules in the Log Service console. This allows you to monitor the log audit compliance of these services. If an alert is triggered, you can identify the cause and fix the error at the earliest opportunity.
Alert rules
The following alert rules are supported. For information about how to set alert parameters, configure whitelists, and perform other related operations, see Manage alert rules.
- Cloud Security Center Log Audit Configuration Check
- RDS Log Audit Configuration Check
- Log Audit Status Check
- PolarDB(DRDS) Log Audit Configuration Check
- K8s Log Audit Configuration Check
- ActionTrail Log Audit Configuration Check
- OSS Log Audit Configuration Check
- Web Application Firewall (WAF) Log Audit Configuration Check
- Bastion Log Audit Configuration Check
- NAS (File Storage) Log Audit Configuration Check
- APIGateway Log Audit Configuration Check
- SLB Log Audit Configuration Check
- Cloudfirewall Log Audit Configuration Check
Cloud Security Center Log Audit Configuration Check
ID | sls_app_audit_cis_at_sas_audit_check |
Name | Cloud Security Center Log Audit Configuration Check |
Version | 1 |
Type | Cloud Platform, Alicloud, CIS Standard, Log Audit Compliance |
Usage | Checks whether log audit is properly configured in the Log Audit Service application for Security Center logs. If the audit switch is turned off for Security Center logs or the storage duration is smaller than the value of the Min storage duration(ttl) parameter, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings | Min storage duration(ttl): The minimum duration for which Security Center logs are stored. Default value: 180 days. |
External Configurations | None |
Solution | On the Log Audit Service page, choose . On the page that appears, turn on the Audit Logs switch next to Security Center(SAS). Make sure that the storage duration is greater than the value of the Min storage duration(ttl) parameter. |
Prerequisites | None |
RDS Log Audit Configuration Check
ID | sls_app_audit_cis_at_rds_audit_check |
Name | RDS Log Audit Configuration Check |
Version | 1 |
Type | Cloud Platform, Alicloud, CIS Standard, Log Audit Compliance |
Usage | Checks whether log audit is properly configured in the Log Audit Service application for RDS logs. If the audit switch is turned off for the RDS logs or the storage duration is smaller than the value of the Min storage duration(ttl) parameter, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings | Min storage duration(ttl): The minimum duration for which RDS logs are stored. Default value: 180 days. |
External Configurations | None |
Solution | On the Log Audit Service page, choose . On the page that appears, turn on the SQL Audit Log switch next to RDS. Make sure that the storage duration is greater than the value of the Min storage duration(ttl) parameter. |
Prerequisites | None |
Log Audit Status Check
ID | sls_app_audit_cis_at_audit_status_check |
Name | Log Audit Status Check |
Version | 1 |
Type | Cloud Platform, Alicloud, CIS Standard, Log Audit Compliance |
Usage | Checks the status of the log audit service. If the status is abnormal, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings | None |
External Configurations | None |
Solution | On the Log Audit Service page, choose . On the page that appears, check the status of the log audit service and identify the cause of the abnormal status. |
Prerequisites | None |
PolarDB(DRDS) Log Audit Configuration Check
ID | sls_app_audit_cis_at_drds_audit_check |
Name | PolarDB(DRDS) Log Audit Configuration Check |
Version | 1 |
Type | Cloud Platform, Alicloud, CIS Standard, Log Audit Compliance |
Usage | Checks whether log audit is properly configured in the Log Audit Service application for PolarDB logs. If the audit switch is turned off for the PolarDB (DRDS) logs or the storage duration is smaller than the value of the Min storage duration(ttl) parameter, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings | Min storage duration(ttl): The minimum duration for which PolarDB logs are stored. Default value: 180 days. |
External Configurations | None |
Solution | On the Log Audit Service page, choose . On the page that appears, turn on the Audit Log switch next to PolarDB. Make sure that the storage duration is greater than the value of the Min storage duration(ttl) parameter. |
Prerequisites | None |
K8s Log Audit Configuration Check
ID | sls_app_audit_cis_at_k8s_audit_check |
Name | K8s Log Audit Configuration Check |
Version | 1 |
Type | Cloud Platform, Alicloud, CIS Standard, Log Audit Compliance |
Usage | Checks whether log audit is properly configured in the Log Audit Service application for Kubernetes logs, including Kubernetes audit logs, Kubernetes events, and Ingress access logs. If the audit switch is turned off for K8s logs or the storage duration is smaller than the value of the Min storage duration(ttl) parameter, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings | Min storage duration(ttl): The minimum duration for which K8s logs are stored. Default value: 180 days. |
External Configurations | None |
Solution | On the Log Audit Service page, choose . On the page that appears, turn on the Kubernetes Audit Log switch, K8s Event Center switch and Ingress Log switch next to Kubernetes. Make sure that the storage duration is greater than the value of the Min storage duration(ttl) parameter. |
Prerequisites | None |
ActionTrail Log Audit Configuration Check
ID | sls_app_audit_cis_at_actiontrail_audit_check |
Name | ActionTrail Log Audit Configuration Check |
Version | 1 |
Type | Cloud Platform, Alicloud, CIS Standard, Log Audit Compliance |
Usage | Checks whether log audit is properly configured in the Log Audit Service application for ActionTrail logs. If the audit switch is turned off for ActionTrail logs or the storage duration is smaller than the value of the Min storage duration(ttl) parameter, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings | Min storage duration(ttl): The minimum duration for which ActionTrail logs are stored. Default value: 180 days. |
External Configurations | None |
Solution | On the Log Audit Service page, choose . Turn on the Operations Log switch next to ActionTrail. Make sure that the storage duration is greater than the value of the Min storage duration(ttl) parameter. |
Prerequisites | None |
OSS Log Audit Configuration Check
ID | sls_app_audit_cis_at_oss_audit_check |
Name | OSS Log Audit Configuration Check |
Version | 1 |
Type | Cloud Platform, Alicloud, CIS Standard, Log Audit Compliance |
Usage | Checks whether log audit is properly configured in the Log Audit Service application for Object Storage Service (OSS) logs, including access logs and metering logs. If the audit switches are turned off for OSS logs or the storage duration is smaller than the value of the Min storage duration(ttl) parameter, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings | Min storage duration(ttl): The minimum duration for which OSS logs are stored. Default value: 180 days. |
External Configurations | None |
Solution | On the Log Audit Service page, choose . Turn on the Metering Log switch and the Access Log switch next to OSS. Make sure that the storage duration is greater than the value of the Min storage duration(ttl) parameter. |
Prerequisites | None |
Web Application Firewall (WAF) Log Audit Configuration Check
ID | sls_app_audit_cis_at_waf_audit_check |
Name | Web Application Firewall (WAF) Log Audit Configuration Check |
Version | 1 |
Type | Cloud Platform, Alicloud, CIS Standard, Log Audit Compliance |
Usage | Checks whether log audit is properly configured in the Log Audit Service application for the Web Application Firewall (WAF) logs. If the audit switch is turned off for Web Application Firewall (WAF) logs or the storage duration is smaller than the value of the Min storage duration(ttl) parameter, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings | Min storage duration(ttl): The minimum duration for which WAF logs are stored. Default value: 180 days. |
External Configurations | None |
Solution | On the Log Audit Service page, choose . Turn on the Access Log switch next to Web Application Firewall (WAF). Make sure that the storage duration is greater than the value of the Min storage duration(ttl) parameter. |
Prerequisites | None |
Bastion Log Audit Configuration Check
ID | sls_app_audit_cis_at_bastion_audit_check |
Name | Bastion Log Audit Configuration Check |
Version | 1 |
Type | Cloud Platform, Alicloud, CIS Standard, Log Audit Compliance |
Usage | Checks whether log audit is properly configured in the Log Audit Service application for Bastionhost logs. If the audit switch is turned off for the Bastionhost log or its storage duration is smaller than the value of the Min storage duration(ttl) parameter, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings | Min storage duration(ttl): The minimum duration for which Bastionhost log is stored. Default value: 180 days. |
External Configurations | None |
Solution | On the Log Audit Service page, choose . Turn on the Operations Log switch next to Bastion Host. Make sure that the storage duration is greater than the value of the Min storage duration(ttl) parameter. |
Prerequisites | None |
NAS (File Storage) Log Audit Configuration Check
ID | sls_app_audit_cis_at_nas_audit_check |
Name | NAS (File Storage) Log Audit Configuration Check |
Version | 1 |
Type | Cloud Platform, Alicloud, CIS Standard, Log Audit Compliance |
Usage | Checks whether log audit is properly configured in the Log Audit Service application for the Apsara File Storage NAS logs. If the audit switch is turned off for NAS (file storage) logs or the storage duration is smaller than the value of the Min storage duration(ttl) parameter, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings | Min storage duration(ttl): The minimum duration for which NAS (file storage) logs are stored. Default value: 180 days. |
External Configurations | None |
Solution | On the Log Audit Service page, choose . Turn on the Access Log switch next to NAS. Make sure that the storage duration is greater than the value of the Min storage duration(ttl) parameter. |
Prerequisites | None |
APIGateway Log Audit Configuration Check
ID | sls_app_audit_cis_at_apigateway_audit_check |
Name | APIGateway Log Audit Configuration Check |
Version | 1 |
Type | Cloud Platform, Alicloud, CIS Standard, Log Audit Compliance |
Usage | Checks whether log audit is properly configured in the Log Audit Service application for the API Gateway logs. If the audit switch is turned off for API Gateway logs or the storage duration is smaller than the value of the Min storage duration(ttl) parameter, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings | Min storage duration(ttl): The minimum duration for which API Gateway logs are stored. Default value: 180 days. |
External Configurations | None |
Solution | On the Log Audit Service page, choose . Turn on the Access Log switch next to API Gateway. Make sure that the storage duration is greater than the value of the Min storage duration(ttl) parameter. |
Prerequisites | None |
SLB Log Audit Configuration Check
ID | sls_app_audit_cis_at_slb_audit_check |
Name | SLB Log Audit Configuration Check |
Version | 1 |
Type | Cloud Platform, Alicloud, CIS Standard, Log Audit Compliance |
Usage | Checks whether log audit is properly configured in the Log Audit Service application for SLB logs. If the audit switch is turned off for SLB logs or the storage duration is smaller than the value of the Min storage duration(ttl) parameter, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings | Min storage duration(ttl): The minimum duration for which SLB logs are stored. Default value: 180 days. |
External Configurations | None |
Solution | On the Log Audit Service page, choose . Turn on the Lay-7 Access Log switch next to SLB. Make sure that the storage duration is greater than the value of the Min storage duration(ttl) parameter. |
Prerequisites | None |
Cloudfirewall Log Audit Configuration Check
ID | sls_app_audit_cis_at_cloudfirewall_audit_check |
Name | Cloudfirewall Log Audit Configuration Check |
Version | 1 |
Type | Cloud Platform, Alicloud, CIS Standard, Log Audit Compliance |
Usage | Checks whether log audit is properly configured in the Log Audit Service application for Cloud Firewall logs. If the audit switch is turned off for the Cloud Firewall log or its storage duration is smaller than the value of the Min storage duration(ttl) parameter, an alert is triggered. |
Check Frequency | Fixed interval: 1 minute. |
Time Range | The data of the last 2 minutes is checked. |
Parameter Settings | Min storage duration(ttl): The minimum duration for which Cloud Firewall logs are stored. Default value: 180 days. |
External Configurations | None |
Solution | On the Log Audit Service page, choose . Turn on the Internet Access Log switch next to Cloud Firewall. Make sure that the storage duration is greater than the value of the Min storage duration(ttl) parameter. |
Prerequisites | None |