Security Center provides a log analysis feature that allows you to query and analyze logs in real time. This topic describes how to enable log analysis.

Background information

You must enable log analysis in the Security Center console before you can use log analysis.

Before you use this feature, make sure that you use the Advanced, Enterprise, or Ultimate edition and have purchased log storage capacity. If you use the Basic or Anti-virus edition, upgrade Security Center to the Advanced, Enterprise, or Ultimate edition and purchase log storage capacity to use this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center. For more information about the features that each edition supports, see Features.

Notice: By default, the following logs are enabled in Security Center: security logs, network logs, and host logs. Only users of the Security Center Enterprise and Ultimate editions can view network logs. Users of the Security Center Anti-virus or Advanced edition cannot view network logs. On the Log Analysis page of the Security Center console, users of the Anti-virus or Advanced edition can view only security and host logs.

After you enable log analysis in the Security Center console, Log Service automatically creates a dedicated Logstore to store Security Center logs. You can view information about the Logstore in the . For more information about Logstore limits, see Limits.

Note: The log analysis feature is a value-added service that requires additional service fees. The storage fee for 1 TB of logs is USD 72.9 per month. As required by the Cyber Security Law, logs are retained for at least 180 days. We recommend that you allocate 40 GB of log storage capacity to each server.

Procedure

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Investigation > Log Analysis.
  3. If you have not authorized Security Center to access your cloud resources, click Authorize Immediately.
    Security Center must be authorized to access your cloud resources. After Security Center is authorized, Resource Access Management (RAM) automatically creates a RAM role named AliyunServiceRoleForSas. Security Center uses this RAM role to access cloud resources of your services and protect the resources. For more information, see Service-linked roles.
  4. In the Activate Log Analysis wizard, click Activate now.
  5. In the Purchase step, click Activate now.
  6. On the buy page of Security Center, configure the Edition and Log Analysis parameters.
    You must select the Advanced, Enterprise, or Ultimate edition. As required by the Cyber Security Law, logs are retained for at least 180 days. We recommend that you allocate 40 GB of log storage capacity to each server.
  7. Click Buy Now.
  8. Read and select Security Center Agreement of Service and click Pay.
  9. Return to the Log Analysis page and click Log Analysis has been activated.
    After you enable log analysis, you can use it to query and analyze logs.