Bastionhost allows you to archive audit logs in Simple Log Service (SLS). After you configure the archiving settings for audit logs, Bastionhost automatically delivers the audit logs to Simple Log Service. This topic describes how to archive audit logs in Simple Log Service.
Background information
Audit logs record the O&M activities that Bastionhost users perform by using Bastionhost. The audit logs contain command audit records and operation logs. Bastionhost stores audit logs only for 180 days. If you want to store audit logs longer than 180 days, you can archive the audit logs in SLS. After you archive the audit logs in SLS, you can query and analyze the audit logs, specify a custom log retention period, and forward the audit logs to a third-party platform, such as Splunk, by using SLS. For more information, see Query and analysis or Ship data to Splunk by using the Splunk add-on for Simple Log Service.
After you archive the audit logs in SLS, the archiving operation does not affect the audit logs that are stored in Bastionhost. You can still view the audit logs on the Session Audit page of the console of a bastion host. For more information, see Search for sessions and view session details.
Procedure
1. Log on to the Simple Log Service console.
2. Follow the on-screen instructions to activate Simple Log Service.
3. Visit the Log Audit Service page.
4. In the left-side navigation pane, choose Access to Cloud Products > Global Configurations. Then, perform the following steps to complete the settings for collecting audit logs.
   a. In the Region of the Central Project drop-down list, select a region for centralized storage of logs.
   b. Find Bastion Host in the Cloud Products column, turn on Operations Log, and then specify a retention period for audit logs in the Storage Type column.
5. View audit logs.
   a. On the left-side navigation sidebar, click the icon.
   b. Choose Central > Bastionhost to view audit logs.
The following table describes the log fields of Bastionhost audit logs that are stored in Simple Log Service (SLS).

Field | Description
__topic__ | The topic of the log. The value is fixed as bastionhost.
owner_id | The ID of the Alibaba Cloud account.
region | The region in which the bastion host resides.
content | The operation that is recorded in the log, such as a command-related operation or a file transmission.
event_type | The type of the event. Values:
  cmd.Command: command-related operation
  cmd.Command.policy: command processed based on control policies
  graph.Text: text graph
  graph.Keyboard: graphical keyboard event
  file.Upload: file upload
  file.Download: file download
  file.Rename: file renaming
  file.Delete: file deletion
  file.DeleteDir: directory deletion
  file.CreateDir: directory creation
  login.CSLogin: user Client/Server (C/S) logon
  Session.session: session
instance_id | The ID of the bastion host.
resource_address | The IP address of the asset on which the O&M operation is performed.
resource_name | The name of the asset on which the O&M operation is performed.
result | The result of the operation, such as a command-related operation or a file transmission.
session_id | The session ID.
user_client_ip | The IP address of the Bastionhost user who accesses the bastion host.
user_id | The ID of the Bastionhost user.
user_name | The username of the Bastionhost user.
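As an added example (not part of this topic or of Bastionhost itself), the script below reads archived records that use the field names in the table above, discards records whose topic is not bastionhost, counts events per user and event type, and builds a review queue of policy-matched commands and file transfers. It assumes the logs are exported from SLS as one JSON object per line; the sample records, and in particular the content and result values, are constructed, since the page does not define their format.

```python
import json
from collections import Counter, defaultdict

# Event types a reviewer usually wants first: commands that hit a control
# policy and file transfers to or from the asset.
REVIEW_EVENTS = {"cmd.Command.policy", "file.Download", "file.Upload"}

def _rec(**fields):
    """Build a constructed Bastionhost record; constant fields use placeholder values."""
    base = {"__topic__": "bastionhost", "owner_id": "<account-id>", "region": "cn-hangzhou",
            "instance_id": "<bastionhost-instance-id>", "user_id": "1001",
            "user_client_ip": "203.0.113.10", "resource_name": "web-01",
            "resource_address": "10.0.0.5", "session_id": "s-001", "result": "success"}
    base.update(fields)
    return base

# Constructed sample export, one JSON object per line. The "content" and
# "result" values are assumptions; the page does not define their format.
SAMPLE_LINES = "\n".join(json.dumps(r) for r in [
    _rec(event_type="login.CSLogin", user_name="alice", content="C/S logon"),
    _rec(event_type="cmd.Command", user_name="alice", content="ls -la /var/log"),
    _rec(event_type="cmd.Command.policy", user_name="alice", content="rm -rf /data", result="blocked"),
    _rec(event_type="file.Download", user_name="bob", session_id="s-002", content="/var/backups/db.sql"),
    _rec(event_type="file.Upload", user_name="bob", session_id="s-002", content="/tmp/tool.tgz"),
    {"__topic__": "other-product", "event_type": "x"},  # not a Bastionhost record; skipped
])

def parse_records(text):
    """Parse JSON lines, keeping only records whose topic is the fixed value 'bastionhost'."""
    out = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            if rec.get("__topic__") == "bastionhost":
                out.append(rec)
    return out

def summarize(records):
    """Count events per (user, event_type) and list the sessions seen on each asset."""
    per_user = Counter((r["user_name"], r["event_type"]) for r in records)
    sessions_by_asset = defaultdict(set)
    for r in records:
        sessions_by_asset[r["resource_address"]].add(r["session_id"])
    return per_user, {k: sorted(v) for k, v in sessions_by_asset.items()}

def review_queue(records):
    """Return (user, event_type, asset, content, result) for events in REVIEW_EVENTS."""
    return [(r["user_name"], r["event_type"], r["resource_name"], r["content"], r["result"])
            for r in records if r["event_type"] in REVIEW_EVENTS]
```

Call `review_queue(parse_records(SAMPLE_LINES))` to get the three events a reviewer would look at first; `summarize` gives the per-user counts and the sessions per asset.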