Simple Log Service:Log applications

Last Updated: Dec 08, 2023

This topic describes the limits of log applications.

Log Audit Service

  • Storage methods and regions

    Important

    Before you use Log Audit Service for centralized storage or regional storage, you must evaluate whether the region in which you want to store logs meets the security requirements of related laws and regulations.

    • Centralized storage

      Logs that are collected from multiple Alibaba Cloud accounts across different regions are stored in a central project of a central Alibaba Cloud account. A central project can reside in the following regions.

      Note

      When you change the region of the central project within a central Alibaba Cloud account, Log Service creates a central project in the new region. The original project is not deleted.

      • Chinese mainland: China (Qingdao), China (Beijing), China (Hohhot), China (Hangzhou), China (Shanghai), China (Shenzhen), and China (Hong Kong)

      • Outside the Chinese mainland: Singapore, Japan (Tokyo), Germany (Frankfurt), and Indonesia (Jakarta)

    • Regional storage

      For Server Load Balancer (SLB), Application Load Balancer (ALB), Object Storage Service (OSS), PolarDB-X 1.0, Virtual Private Cloud (VPC), and Alibaba Cloud DNS (DNS), if the logs are collected from multiple Alibaba Cloud accounts, Log Audit Service stores the collected logs in the projects that belong to the central Alibaba Cloud account and reside in the same regions as the cloud services. For example, if access logs are collected from an OSS bucket that resides in the China (Hangzhou) region, the access logs are stored in a project that also resides in the China (Hangzhou) region.

    • Synchronization to a central project

      For SLB, ALB, OSS, PolarDB-X 1.0, VPC, and DNS, if regional storage is used, you can synchronize logs from the Logstores of regional projects to the Logstores of a central project. This way, you can query, analyze, and visualize the logs in a more efficient manner. You can also configure alerts for the logs and perform secondary development.

      The synchronization process is based on the data transformation feature of Log Service.

  • Resources

    • A central Alibaba Cloud account has only one functioning central project. The name of a central project is in the following format: slsaudit-center-<Alibaba Cloud account ID>-<Region specified for the central project>. Example: slsaudit-center-117938634953****-cn-beijing. You cannot delete a central project in the Log Service console. If you want to delete a central project, you can use Alibaba Cloud CLI or call API operations.

    • For SLB, ALB, OSS, PolarDB-X 1.0, VPC, and DNS, logs can be stored in multiple regional projects. The name of a regional project is in the following format: slsaudit-region-<Alibaba Cloud account ID>-<Source region for collection>. Example: slsaudit-region-117938634953****-cn-beijing. You cannot delete a regional project in the Log Service console. If you want to delete a regional project, you can use Alibaba Cloud CLI or call API operations.
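    The following Python is an added example for this topic, not code from the page or from Alibaba Cloud. It parses project names that follow the two formats described above so that an inventory script can tell Log Audit Service projects (which cannot be deleted from the console) apart from ordinary projects. The regular expression, the AuditProject type, and the function names are assumptions made for the example; the masked account ID is the page's own example value.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Matches the two project name formats documented above. Written for this page as
# an illustration; not Log Service code. The console shows account IDs partly
# masked ("117938634953****"), so the account part accepts asterisks as well as digits.
_AUDIT_PROJECT_RE = re.compile(
    r"^slsaudit-(?P<kind>center|region)-(?P<account>[0-9*]+)-(?P<region>[a-z][a-z0-9-]*)$"
)


class AuditProject(NamedTuple):
    kind: str        # "center" (central project) or "region" (regional project)
    account_id: str  # central Alibaba Cloud account ID, possibly masked
    region: str      # region ID such as cn-beijing


def parse_audit_project(name: str) -> Optional[AuditProject]:
    """Return the parsed parts of a Log Audit Service project name, or None when
    the name follows neither documented format."""
    m = _AUDIT_PROJECT_RE.match(name)
    if m is None:
        return None
    return AuditProject(m.group("kind"), m.group("account"), m.group("region"))


def classify_projects(names: List[str]) -> Dict[str, List[AuditProject]]:
    """Split a project inventory into central and regional Log Audit projects.

    Names that are not Log Audit projects are dropped. Handy as a pre-check in
    cleanup tooling, because these projects can only be removed via CLI or API."""
    result: Dict[str, List[AuditProject]] = {"center": [], "region": []}
    for name in names:
        parsed = parse_audit_project(name)
        if parsed is not None:
            result[parsed.kind].append(parsed)
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical names alongside the page's example).
    sample = [
        "slsaudit-center-117938634953****-cn-beijing",
        "slsaudit-region-117938634953****-cn-hangzhou",
        "slsaudit-region-117938634953****-ap-southeast-1",
        "my-app-logs",
    ]
    for kind, projects in classify_projects(sample).items():
        print(kind, [p.region for p in projects])
```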

    • If you enable log collection for a cloud service, Log Audit Service creates a dedicated Logstore. You can manage a dedicated Logstore in the same way that you manage other Logstores. A dedicated Logstore has the following limits:

      • To prevent data tampering, Log Service allows only the specified service to write logs to the dedicated Logstore. You cannot modify or delete indexes in the Logstore.

      • You can modify the retention period of logs or delete the dedicated Logstore only on the Global Configurations page of Log Audit Service or by calling API operations.

      • For SLB, ALB, OSS, PolarDB-X 1.0, VPC, and DNS, if Synchronization to Central Project is enabled, data transformation jobs are generated in the regional projects.

        • The generated data transformation jobs have the following names:

          • OSS logs: Internal Job: SLS Audit Service Data Sync for OSS Access

          • SLB logs: Internal Job: SLS Audit Service Data Sync for SLB

          • ALB logs: Internal Job: SLS Audit Service Data Sync for ALB

          • PolarDB-X 1.0 logs: Internal Job: SLS Audit Service Data Sync for DRDS

          • VPC logs: Internal Job: SLS Audit Service Data Sync for VPC

          • DNS logs: Internal Job: SLS Audit Service Data Sync for DNS

        • You can stop the data transformation jobs only on the Global Configurations page of Log Audit Service or by calling API operations.

        • If you turn on Synchronization to Central Project, the logs in the Logstores of the regional projects are synchronized to the dedicated Logstores of the central project. You can no longer manage the Logstores of the regional projects. However, you can perform operations such as queries on the Logstores of the central project.

  • Permissions

    If you want to use Log Audit Service to collect the audit logs of Kubernetes clusters, the events of K8s Event Center, and Ingress access logs, you must be aware of the following limits on permissions:

    • Log Audit Service allows you to collect Kubernetes logs only from a central Alibaba Cloud account. If multi-account collection is configured, you cannot collect Kubernetes logs from a different Alibaba Cloud account than the central Alibaba Cloud account.

    • Log Audit Service collects Kubernetes logs based on the data transformation feature. If you want to use Log Audit Service to collect Kubernetes logs, you must grant permissions to the central Alibaba Cloud account based on the following table.

  • Data retention periods in days

    • In Log Audit Service, the audit logs, slow query logs, and error logs of ApsaraDB RDS instances are stored in the same Logstore, which is named rds_log. If log collection is enabled for all types of logs but the data retention periods are different, the largest value of the data retention periods is used.

    • In Log Audit Service, the audit logs, slow query logs, and error logs of PolarDB for MySQL clusters are stored in the same Logstore, which is named polardb_log. If log collection is enabled for all types of logs but the data retention periods are different, the largest value of the data retention periods is used.

    • In Log Audit Service, the traffic logs of the Internet firewall and VPC firewalls in Cloud Firewall are stored in the same Logstore, which is named cloudfirewall_log. If log collection is enabled for both types of traffic logs but the data retention periods are different, the larger value of the data retention periods is used.

    • In Log Audit Service, the access logs of Anti-DDoS Pro, Anti-DDoS Premium, and Anti-DDoS Origin are stored in the same Logstore, which is named ddos_log. If log collection is enabled for all types of access logs but the data retention periods are different, the largest value of the data retention periods is used.

    • In Log Audit Service, the audit logs of Kubernetes clusters and the events of K8s Event Center are stored in the same Logstore, which is named k8s_log. If log collection is enabled for the audit logs and events but the data retention periods are different, the larger value of the data retention periods is used.

    • In Log Audit Service, the change logs and resource non-compliance logs of Cloud Config are stored in the same Logstore named cloudconfig_log. If log collection is enabled for both types of logs but the data retention periods are different, the larger value of the data retention periods is used.

    Note

    The preceding list describes the types of logs whose data retention periods are affected by each other. If you enable both log collection and intelligent tiered storage for these types of logs, the hot retention period of the logs is the largest value of the hot retention periods for these types of logs. If you enable log collection for all these types of logs but enable intelligent tiered storage only for some types of logs, intelligent tiered storage is automatically disabled for all the logs.

    For example, if you enable log collection and intelligent tiered storage for the audit logs and error logs of ApsaraDB RDS instances, the larger value of the hot retention periods for the audit logs and error logs is used. If you enable log collection for the audit logs and error logs of ApsaraDB RDS instances but enable intelligent tiered storage only for the audit logs, intelligent tiered storage is disabled for the rds_log Logstore in which the logs are stored.

  • Cloud Config

    • Log Audit Service requires the configuration information that is provided by Cloud Config. You must activate Cloud Config in the Cloud Config console and enable the monitoring of all resources.

    • If you want to collect, store, or query Cloud Config logs in Log Audit Service, you must grant Log Service the permissions to extract the logs that are recorded in Cloud Config. After Log Service is granted the permissions, your Cloud Config logs are automatically pushed to Log Service.

    • If you collect logs from multiple accounts in resource directory mode, Log Audit Service automatically activates Cloud Config for all members configured in the resource directory, and integrates Cloud Config with Log Service after the central account is granted the required permissions. If you collect logs from multiple accounts in custom authentication mode, other members must be granted the required permissions after the central account is granted the required permissions. For more information, see Use a custom policy to authorize Simple Log Service to collect and synchronize logs.

  • Intelligent tiered storage

    The dedicated Logstores of Log Audit Service support the intelligent tiered storage feature. Compared with the hot storage tier, the Infrequent Access (IA) and Archive storage tiers provide lower storage costs and lower query and analysis performance. The performance of other features, such as alerting, visualization, transformation, and shipping, is not affected. For more information, see Enable hot and cold-tiered storage for a Logstore.

    Note

    Log Audit Service allows you to enable the intelligent tiered storage feature in the following regions: China (Qingdao), China (Beijing), China (Hohhot), China (Hangzhou), China (Shanghai), China (Shenzhen), China (Hong Kong), and Singapore.

    You can enable the intelligent tiered storage feature on the Global Configurations page of Log Audit Service. The hot data retention period must be greater than or equal to 7 days and cannot exceed the current data retention period. For example, if the data retention period of a central project is 180 days and the hot data retention period is 30 days, data that has been stored for more than 30 days is moved to the IA or Archive storage tier.
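    The following Python is an added example for this topic, not code from the page or from Alibaba Cloud. It models two rules stated above: the data retention and hot retention that take effect for a shared dedicated Logstore (the rds_log, polardb_log, cloudfirewall_log, ddos_log, k8s_log, and cloudconfig_log cases in the Data retention periods section, including the case where intelligent tiered storage is enabled for only some of the log types), and the constraint that the hot retention period is at least 7 days and at most the data retention period. The configuration structure and the function names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Illustrative model of the retention rules this page documents for a shared
# dedicated Logstore (for example rds_log). Written for this page; it is not
# Log Service code. The config structure and helper names are assumptions.

HOT_MIN_DAYS = 7  # documented lower bound for the hot data retention period


@dataclass
class LogTypeConfig:
    name: str                       # log type, e.g. "rds_audit" (hypothetical label)
    collect: bool                   # whether log collection is enabled for this type
    retention_days: int             # data retention period configured for this type
    hot_days: Optional[int] = None  # hot retention period if tiered storage is enabled, else None


def effective_retention(configs: List[LogTypeConfig]) -> Tuple[Optional[int], Optional[int]]:
    """Return (retention_days, hot_days) that take effect for the shared Logstore.

    retention: the largest retention period among types with collection enabled.
    hot: the largest hot retention period if every collected type has tiered
    storage enabled; None when tiered storage is disabled for the Logstore
    (only some collected types enable it) or when nothing is collected.
    """
    collected = [c for c in configs if c.collect]
    if not collected:
        return None, None
    retention = max(c.retention_days for c in collected)
    if all(c.hot_days is not None for c in collected):
        hot = max(c.hot_days for c in collected)
    else:
        hot = None
    return retention, hot


def hot_retention_is_valid(hot_days: int, retention_days: int) -> bool:
    """Documented constraint: at least 7 days and no more than the data retention period."""
    return HOT_MIN_DAYS <= hot_days <= retention_days


def storage_tier(age_days: int, hot_days: Optional[int]) -> str:
    """Tier an entry of the given age sits in: 'hot' within the hot period,
    'IA/Archive' once older. Everything stays hot when tiered storage is off."""
    if hot_days is None or age_days <= hot_days:
        return "hot"
    return "IA/Archive"


if __name__ == "__main__":
    # Constructed configuration mirroring the page's rds_log example.
    rds = [
        LogTypeConfig("rds_audit", collect=True, retention_days=180, hot_days=30),
        LogTypeConfig("rds_error", collect=True, retention_days=90, hot_days=14),
        LogTypeConfig("rds_slow", collect=False, retention_days=30),
    ]
    print(effective_retention(rds))            # (180, 30)
    print(storage_tier(45, 30))                # IA/Archive
    # Turning tiered storage off for one collected type disables it for the whole Logstore.
    rds[1].hot_days = None
    print(effective_retention(rds))            # (180, None)
    print(hot_retention_is_valid(3, 180))      # False: below the 7-day minimum
```

    The disabled type (rds_slow) is deliberately left out of the calculation: only log types with collection enabled influence the shared Logstore's retention, which matches the wording of the rules above.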

  • Data encryption

    Log Audit Service supports data encryption by using the built-in service keys of Log Service instead of Bring Your Own Key (BYOK) keys. The built-in service keys of Log Service support the Advanced Encryption Standard (AES) and SM4 encryption algorithms. For more information, see Data encryption.

    After you enable data encryption, Log Service automatically encrypts the dedicated Logstores of cloud services for which log collection is enabled. The dedicated Logstores of central projects and regional projects are included. For more information, see Enable encryption.

  • Indexes

    Log Audit Service supports automatic updates of indexes. You can also manually change an index. For more information, see Enable the automatic update of indexes.

    If you manually change an index and the system prompts "This Logstore is dedicated to the Log Audit Service application. You cannot modify the index attributes of the Logstore or disable indexing.", we recommend that you reconfigure Log Audit Service. You can click Modify on the Global Configurations page of Log Audit Service, reconfigure Log Audit Service, and then click OK.

    Important

    If you manually change an index, related built-in dashboards and built-in alerts may be unavailable. Proceed with caution.