
Cloud Governance Center:Deliver audit logs in a unified manner

Last Updated: Sep 22, 2023

You can deliver the ActionTrail logs and Cloud Config logs of all members of a resource directory to a log archive account in a centralized manner. You can deliver the logs to Object Storage Service (OSS) for persistent storage, or to Simple Log Service for real-time log analysis. When audit logs are delivered to one place, professional auditors can query and analyze them without accessing each member account.

Background information

When you deliver audit logs to OSS or Simple Log Service, you are charged storage fees for the logs in OSS or Simple Log Service. Make sure that you fully understand the billing of OSS or Simple Log Service before you deliver audit logs to OSS or Simple Log Service. For more information, see Billing of OSS or Billing of Simple Log Service.

Deliver ActionTrail logs

Deliver the ActionTrail logs of all members of a resource directory to OSS or Simple Log Service.

  1. Log on to the Cloud Governance Center console.

  2. In the left-side navigation pane, click LandingZone Setup.

  3. In the Standard Blueprint or Standard Blueprint (CEN) section, click Build.

    In this example, a standard blueprint is used.

  4. In the Added Items section of the Configure Blueprint page, click Unified Delivery of ActionTrail Logs.

    Note

    If the item that you want to configure does not exist in the Added Items section, click Add Item. In the dialog box that appears, add the item and click Add.

  5. From the Accounts drop-down list, select an account to which you want to deliver logs.

    By default, audit logs are delivered to the log archive account that you created in Step 3: Create core accounts.

  6. Turn on the switch in the Deliver Logs to Log Service or Deliver Logs to OSS section. Then, configure the parameters.

    Destination: Deliver data to Simple Log Service

    Manual configuration:

    • Region: the region where the destination Simple Log Service Logstore resides.

    • Logstore Name: the name of the Logstore. The name must be globally unique. We recommend that you prefix the name with the name of your enterprise. Example: landingzone-actiontrail-xxxx.

    Automatic configuration: Cloud Governance Center creates a multi-account trail named landingzone-enterprise to track all types of events in all regions.

    Note

    If a multi-account trail already exists in ActionTrail, Cloud Governance Center uses the existing multi-account trail and does not create another one.

    Destination: Deliver data to OSS

    Manual configuration:

    • Region: the region where the destination OSS bucket resides.

    • Bucket Name: the name of the bucket. The name must be globally unique. We recommend that you prefix the name with the name of your enterprise. Example: landingzone-actiontrail-xxxx.

Deliver Cloud Config logs

Deliver the resource change data of all members of a resource directory to OSS or Simple Log Service.

  1. Log on to the Cloud Governance Center console.

  2. In the left-side navigation pane, click LandingZone Setup.

  3. In the Standard Blueprint or Standard Blueprint (CEN) section, click Build.

    In this example, a standard blueprint is used.

  4. In the Added Items section of the Configure Blueprint page, click Unified Delivery of Cloud Config Logs.

    Note

    If the item that you want to configure does not exist in the Added Items section, click Add Item. In the dialog box that appears, add the item and click Add.

  5. From the Accounts drop-down list, select an account to which you want to deliver logs.

    By default, audit logs are delivered to the log archive account that you created in Step 3: Create core accounts.

  6. Turn on the switch in the Deliver Logs to Log Service or Deliver Logs to OSS section. Then, configure the parameters.

    Destination: Deliver data to Simple Log Service

    Manual configuration:

    • Region: the region where the destination Simple Log Service Logstore resides.

    • Logstore Name: the name of the Logstore. The name must be globally unique. We recommend that you prefix the name with the name of your enterprise. Example: landingzone-config-xxxx.

    • Data Retention Period: the period of time for which audit logs are retained in Simple Log Service. When the retention period expires, the audit logs are deleted.

    Automatic configuration: Cloud Governance Center creates a global account group named enterprise. Cloud Governance Center then centrally manages the resources, compliance packages, and rules of all members in your resource directory in this global account group.

    Note

    If a global account group already exists in Cloud Config, Cloud Governance Center uses the existing global account group and does not create another one.

    Destination: Deliver data to OSS

    Manual configuration:

    • Region: the region where the destination OSS bucket resides.

    • Bucket Name: the name of the bucket. The name must be globally unique. We recommend that you prefix the name with the name of your enterprise. Example: landingzone-config-xxxx.
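Both procedures above (unified delivery of ActionTrail logs and of Cloud Config logs) end with a Logstore or bucket in the log archive account, and the page leaves it to the reader to confirm that the delivery actually covers every member. The following Python script is an added example, not code from Cloud Governance Center or Alibaba Cloud. It checks a delivery configuration against the naming recommendation on this page and an assumed minimum retention period, then reads constructed ActionTrail-style records back from the archive and reports which resource directory members produced no events and which accounts appear that are not in the directory. The member account IDs, the record contents, the 180-day minimum, and the DeliveryConfig, check_delivery_config, parse_records and coverage_report names are assumptions made for the example; the record field names userIdentity.accountId and acsRegion follow the ActionTrail event format.

```python
"""Post-delivery checks for centrally archived audit logs (added example)."""
import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed: members of the resource directory that the multi-account trail
# (ActionTrail) and the global account group (Cloud Config) are expected to cover.
MEMBER_ACCOUNTS = {
    "100000000000001": "prod-app",
    "100000000000002": "shared-services",
    "100000000000003": "sandbox",
}

# Constructed: the enterprise prefix recommended for Logstore and bucket names.
ENTERPRISE_PREFIX = "landingzone"


@dataclass
class DeliveryConfig:
    """The settings entered in the console for one delivery task (hypothetical type)."""
    logstore_name: str      # Simple Log Service Logstore, e.g. landingzone-actiontrail-xxxx
    bucket_name: str        # OSS bucket, e.g. landingzone-actiontrail-xxxx
    retention_days: int     # Data Retention Period; logs are deleted when it expires


def check_delivery_config(cfg: DeliveryConfig, prefix: str = ENTERPRISE_PREFIX,
                          min_retention_days: int = 180) -> list:
    """Return findings for a delivery configuration; an empty list means it passes.

    min_retention_days is an assumed internal policy value, not a number from the page.
    """
    findings = []
    for label, name in (("Logstore", cfg.logstore_name), ("OSS bucket", cfg.bucket_name)):
        if not name.startswith(prefix + "-"):
            findings.append(f"{label} name {name!r} lacks enterprise prefix {prefix!r}")
    if cfg.retention_days < min_retention_days:
        findings.append(
            f"retention of {cfg.retention_days} days is below the {min_retention_days}-day minimum")
    return findings


# Constructed ActionTrail-style records, one JSON object per line, as they might be
# read back from the archive Logstore. Field names follow the ActionTrail event format
# (userIdentity.accountId, acsRegion, eventName); all values are made up.
SAMPLE_RECORDS = """\
{"eventName": "CreateBucket", "acsRegion": "cn-hangzhou", "userIdentity": {"accountId": "100000000000001"}}
{"eventName": "PutBucketAcl", "acsRegion": "cn-shanghai", "userIdentity": {"accountId": "100000000000001"}}
{"eventName": "CreateUser", "acsRegion": "cn-hangzhou", "userIdentity": {"accountId": "100000000000002"}}
{"eventName": "ConsoleSignin", "acsRegion": "cn-hangzhou"}
"""


def parse_records(text: str) -> list:
    """Parse JSON-lines audit records, skipping blank or unparsable lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a damaged line must not abort the whole coverage check
    return records


def coverage_report(records, members):
    """Compare accounts seen in the archive against the expected member list.

    Returns (events_per_account, members_without_events, accounts_not_in_directory).
    A member with zero events is either idle or not actually covered by the
    multi-account trail; an account outside the directory means the member list is stale.
    """
    seen = defaultdict(int)
    for rec in records:
        acct = rec.get("userIdentity", {}).get("accountId")
        if not acct:
            continue  # record carries no caller account, so it cannot be attributed
        seen[acct] += 1
    missing = sorted(a for a in members if a not in seen)
    unknown = sorted(a for a in seen if a not in members)
    return dict(seen), missing, unknown


if __name__ == "__main__":
    cfg = DeliveryConfig("landingzone-actiontrail-0001", "landingzone-actiontrail-0001", 365)
    print("config findings:", check_delivery_config(cfg))
    seen, missing, unknown = coverage_report(parse_records(SAMPLE_RECORDS), MEMBER_ACCOUNTS)
    for acct, count in seen.items():
        print(f"{acct} ({MEMBER_ACCOUNTS.get(acct, '?')}): {count} events")
    print("members with no events:", [MEMBER_ACCOUNTS[a] for a in missing])
    print("accounts outside the directory:", unknown)
```

Run the script periodically from the log archive account after the delivery task is initialized; a member that stays in the "no events" list for longer than its normal activity window is worth confirming against the multi-account trail's member list rather than assuming it is idle.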

Manage log delivery settings

After a log delivery task is initialized, you can change the destinations and modify the delivery settings. For example, you can turn on or turn off the switch for a destination, or change the OSS bucket or the Simple Log Service Logstore.

  1. Log on to the Cloud Governance Center console.

  2. In the left-side navigation pane, choose Multi-account Management > LogArchive.

  3. In the upper-right corner of the Deliver Logs to OSS or Deliver Logs to Log Service section, click Edit.

  4. Turn off the switch or modify the settings. Then, click OK.