You can integrate Log Service with Security Center. After you integrate the two services, you can use Log Service to collect risk data from Security Center in real time. Then you can search, analyze, transform, and consume the data in Log Service. This way, you can monitor and handle potential risks and implement centralized management over your cloud resources. This topic describes the resources and limits for the analysis of Security Center logs.

Resources

  • Dedicated projects and Logstores

    After the log analysis feature is enabled in the Security Center console, a dedicated project named in the sas-log-Alibaba Cloud account ID-region name format and a Logstore named sas-log are automatically created.

    Note If you accidentally delete the dedicated Logstore, a message that indicates the sas-log Logstore does not exist is prompted. All log data in the Logstore is deleted. In this case, submit a ticket to restore the settings. After the settings are restored, you must re-enable the log analysis feature. The deleted data cannot be recovered.
  • Dedicated dashboards

    Security Center logs are classified into three types and fourteen subtypes.

    Log type Dashboard Description
    Network log DNS Access Center Provides an overview of the DNS queries on the server. The information includes the success rate of external DNS queries, and the distribution and trends of both internal and external DNS queries.
    Network Session Center Provides an overview of resource-related network sessions. The information includes the trend of network sessions and the distributions of network protocols, source and destination IP addresses, and relevant resources.
    Web Access Center Provides an overview of external HTTP requests and access to the web services of a host. The information includes the request success rate, access trends, success efficiency, distribution of accessed domain names, and other related distributions.
    Host log Login Center Provides an overview of the logon information of hosts. The information includes the geographic distribution of source and destination IP addresses, logon trends and ports, and the distribution of logon methods.
    Process Center Provides an overview of the startup of host processes. The information includes the trend of process startup and the distributions of processes, process types, and specific bash or Java processes.
    Connection Center Provides an overview of the network connections of hosts. The information includes the trends and distributions of network connections and the trends and distributions of sources and destinations of the connections.
    Security log Baseline Center Provides an overview of baseline checks. The information includes the distribution of pending issues, trend of new issues or resolved issues, and status of issues.
    Vulnerability Center Provides an overview of vulnerabilities. The information includes the distribution of vulnerabilities, number of new vulnerabilities, number of vulnerabilities that are under verification, and number of vulnerabilities that are being fixed.
    Alert Center Provides an overview of security alerts. The information includes the trend, distribution, and status of new and cleared alerts.

Limits

  • You can query and consume log data in the dedicated Logstore. You can also create alerts for the data. However, you can write only Security Center log data to the dedicated Logstore.
  • You are charged for using the log analysis feature of Security Center. For more information, see Billing methods.

    As required by the Cyber Security Law, logs are retained for at least 180 days. We recommend that you allocate a storage capacity of 30 GB to each server.

  • You are not charged for the read/write traffic, indexing traffic, storage space, number of shards, and number of read/write times in the dedicated Logstore. However, you are charged for traffic from an external network, data transformation, and data shipping in the Logstore. For more information, see Log Service pricing.