Log Audit Service allows you to collect logs across Alibaba Cloud accounts. You can collect logs from the cloud services of other Alibaba Cloud accounts and store the logs in the Logstores within your Alibaba Cloud account. You cannot collect Kubernetes logs across Alibaba Cloud accounts. This topic describes how to configure multi-account collection.

Prerequisites

Background information

Log Audit Service allows you to collect logs from cloud services across Alibaba Cloud accounts. You can configure multi-account collection in resource directory mode or custom authentication mode. Log Audit Service is integrated with Resource Directory to support the resource directory mode. You can invite other Alibaba Cloud accounts in your enterprise to join your resource directory by using a management account or a delegated administrator account. Then, you can collect logs from cloud services that belong to these Alibaba Cloud accounts. For more information about Resource Directory, see What is Resource Management?

For more information about the limits on the resource directory mode for multi-account collection, see Limits on resource directories.

Mode | Method | Description
Resource directory mode | All members | Log Audit Service automatically adds all members in your resource directory to the collection list and collects logs from the cloud services that belong to the members and have the log collection feature enabled.
  • After a member is added to your resource directory, the member is automatically included in the collection list.
  • After a member is removed from your resource directory, the member is automatically removed from the collection list.
Resource directory mode | Custom | You manually specify the members to add to the collection list. Log Audit Service then collects logs from the cloud services that belong to those members and have the log collection feature enabled.
  • After a member is added to your resource directory, the member is not automatically included in the collection list.
  • After a member is removed from your resource directory, the member is automatically removed from the collection list if the member is still in the list.
Custom authentication mode | AccessKey pair-based authorization | You configure multi-account collection by using the AccessKey pair of an Alibaba Cloud account or a RAM user.
Custom authentication mode | Manual authorization | You must complete manual authorization before you can configure multi-account collection.
  Important: Manual authorization is prone to errors, which may cause Log Audit Service to be unavailable. This method is not recommended.
Important
  • After you configure multi-account collection in resource directory mode, you cannot switch directly to the custom authentication mode. To switch, you must first clear the existing resource directory configurations.
  • If you reconfigure multi-account collection in resource directory mode after you configure multi-account collection in custom authentication mode, the configurations for the resource directory mode overwrite those for the custom authentication mode.
  • Before you can change the existing delegated administrator account, you must remove the configurations of multi-account collection for the delegated administrator account. If Configure Mode is set to All Members, change the value to Custom and clear all selected accounts.

Resource directory mode (recommended)

  1. Log on to the Log Service console.
  2. In the Log Application section, click the Audit & Security tab. Then, click Log Audit Service.
  3. In the left-side navigation pane, choose Multi-Account Configurations > Global Configurations.
  4. On the Resource Directory Mode tab, click Modify.
  5. In the Add Account panel, select the accounts that you want to invite and click Confirm.

    In resource directory mode, the All Members and Custom modes are supported.

    • All Members: Log Audit Service automatically adds all members in your resource directory to the collection list and collects logs from the cloud services that belong to the members and have the log collection feature enabled.
    • Custom: You can manually specify and add members to the collection list. This way, Log Audit Service collects logs from the cloud services that belong to the members and have the log collection feature enabled.
    After the configuration is complete, wait for approximately 2 minutes to view the collection status of logs on the Access to Cloud Products > Status Dashboard page. If an exception occurs, modify the configurations by following the on-screen instructions. For more information, see Enable log collection.

Custom authentication mode

  1. In the left-side navigation pane, choose Multi-Account Configurations > Global Configurations.
  2. On the Custom Authentication Mode tab, click Modify.
  3. Specify the account that you want to invite and click OK.
    In custom authentication mode, the AccessKey Pair-Based Authorization and Manual Authorization modes are supported.
    • AccessKey Pair-Based Authorization: Enter the ID of the Alibaba Cloud account that you want to invite and the required AccessKey pair. Log Audit Service uses the AccessKey pair only during authorization and does not store it.

      If you enter the AccessKey pair of a RAM user, the RAM user must have read and write permissions on RAM resources. To grant the permissions, you can attach the AliyunRAMFullAccess policy to the RAM user. Because that policy is broad and the AccessKey pair is needed only for the duration of the authorization, prefer a RAM user created for this purpose over the AccessKey pair of the Alibaba Cloud account itself, and disable or delete the AccessKey pair after the configuration completes. For more information about how to obtain an AccessKey pair, see AccessKey pair.

    • Manual Authorization: Enter the ID of the Alibaba Cloud account that you want to invite. You can enter multiple IDs. You must separate multiple IDs with line breaks, commas (,), spaces, or vertical bars (|). For more information about how to grant permissions to an account, see Use a custom policy to authorize Log Service to collect and synchronize logs.
    After the configuration is complete, wait for approximately 2 minutes to view the collection status of logs on the Access to Cloud Products > Status Dashboard page. If an exception occurs, modify the configurations by following the on-screen instructions. For more information, see Enable log collection.
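The Manual Authorization field accepts a list of account IDs separated by line breaks, commas, spaces, or vertical bars. Pasting a hand-assembled list is where typos and duplicates creep in, so it is worth normalizing the list before entering it. The following Python helper is an added example and is not part of this topic or of any Alibaba Cloud tool; it assumes that an Alibaba Cloud account ID is a 16-digit number (the page does not state the ID format) and uses a constructed sample input.

```python
import re

# Assumption, not stated on the page: an Alibaba Cloud account ID is a 16-digit number.
ACCOUNT_ID_RE = re.compile(r"^\d{16}$")

# Separators the page documents for the Manual Authorization input:
# line breaks, commas, spaces, and vertical bars (\s also covers tabs).
SEPARATOR_RE = re.compile(r"[\r\n,|\s]+")


def parse_account_ids(raw):
    """Split a pasted ID list into (accepted, rejected).

    accepted: unique IDs, in first-seen order, that match the account ID format.
    rejected: tokens that do not, so they can be corrected before submission.
    """
    accepted, rejected, seen = [], [], set()
    for token in SEPARATOR_RE.split(raw):
        token = token.strip()
        if not token:
            continue  # empty pieces from leading/trailing separators
        if not ACCOUNT_ID_RE.match(token):
            rejected.append(token)
            continue
        if token in seen:
            continue  # duplicate ID, keep the first occurrence only
        seen.add(token)
        accepted.append(token)
    return accepted, rejected


def format_for_console(ids):
    """Re-emit the accepted IDs one per line, one of the separator styles the field accepts."""
    return "\n".join(ids)


# Constructed sample input: mixed separators, one duplicate, one malformed ID.
SAMPLE_INPUT = """
1234567890123456, 2345678901234567 | 3456789012345678
1234567890123456
4567890123456abc
"""

if __name__ == "__main__":
    ok, bad = parse_account_ids(SAMPLE_INPUT)
    print("accepted:", ok)
    print("rejected:", bad)
    print(format_for_console(ok))
```

Review the rejected tokens before pasting the accepted list into the console; a malformed ID that slips through is exactly the kind of manual-authorization error the Important note above warns about.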