You can deliver resource change logs and resource non-compliance events to a Logstore
in a project in Log Service. After resource data is delivered to the specified Logstore
as logs, you can query and analyze the delivered logs.
Prerequisites
Log Service is activated. If Log Service is not activated, log on to the
Log Service console and follow the on-screen instructions to activate the service. For more information,
see What is Log Service?
Use an ordinary account
If you use an ordinary account, you can specify a Logstore to store the resource data
of the current account.
- Log on to the Cloud Config console.
- In the left-side navigation pane, choose .
- On the Deliver Logs to SLS page, turn on SLS Settings.
- Set the parameters to specify a Log Service Logstore to store resource data.
The following table describes the parameters.
| Parameter | Description |
| --- | --- |
| Select Acceptable Content | The type of resource data to be delivered to the Log Service Logstore. Valid values:<br>- Historical Configuration Changes: resource change logs. When the configuration of a resource changes, Cloud Config delivers the resource change log to the Log Service Logstore.<br>- Non-compliance Events: resource non-compliance events. If a resource is evaluated as non-compliant, Cloud Config delivers the resource non-compliance event to the Log Service Logstore. |
| Project Region | The region in which the Log Service project resides. |
| Project Name | The name of the Log Service project. The project name must be unique within your Alibaba Cloud account in the specified region.<br>- If you select Create a project in the account, specify a project name.<br>- If you select Select a project in the account, select an existing project from the Project Name drop-down list. |
| Logstore Name | The name of the Logstore. The Logstore name must be unique within your Alibaba Cloud account in the specified region.<br>- If you select Create a project in the account, specify a Logstore name.<br>- If you select Select a project in the account, select an existing Logstore from the Logstore Name drop-down list. |
| Recipient Address for Large Files | The Object Storage Service (OSS) bucket that is used to receive the large files that Cloud Config delivers to the Log Service Logstore.<br>- If you set this parameter, a file that Cloud Config delivers to the Logstore is automatically transferred to the specified OSS bucket when the file size exceeds 1 MB.<br>- If you leave this parameter empty, the excess part of a file that Cloud Config delivers to the Logstore is automatically discarded when the file size exceeds 1 MB.<br>Note: The Region and Account parameters are automatically set based on the settings in the Content and Recipient Address section. You only need to select a bucket. |
- Click OK.
Use a management account
If you use a management account, you can specify a Logstore to store the resource
data of the management account and the member accounts in the resource directory.
The delivery destination can be a Logstore that belongs to the management account
or a member account. Only management accounts are authorized to configure the delivery
settings of resource data. No member accounts have the relevant permissions.
Note: If you have used the management account to specify a member account as the delegated
administrator account, the delegated administrator account can also be used to configure
the delivery settings. For more information about how to add a delegated administrator
account, see Add a delegated administrator account.
- Log on to the Cloud Config console.
- In the left-side navigation pane, choose .
- On the Deliver Logs to SLS page, turn on SLS Settings.
- Set the parameters to specify a Log Service Logstore to store resource data.
You can create a project within the current management account or select an existing
project that belongs to the management account or a member account. The specified
project stores the resource data of the management account and its member accounts.
- To deliver resource data to a project that belongs to the management account, select
Create a project in the account or Select a project in the account, and set the parameters. The following table describes the parameters.
| Parameter | Description |
| --- | --- |
| Select Acceptable Content | The type of resource data to be delivered to the Log Service Logstore. Valid values:<br>- Historical Configuration Changes: resource change logs. When the configuration of a resource changes, Cloud Config delivers the resource change log to the Log Service Logstore.<br>- Non-compliance Events: resource non-compliance events. If a resource is evaluated as non-compliant, Cloud Config delivers the resource non-compliance event to the Log Service Logstore. |
| Project Region | The region in which the Log Service project resides. |
| Project Name | The name of the Log Service project. The project name must be unique within the management account in the specified region.<br>- If you select Create a project in the account, specify a project name.<br>- If you select Select a project in the account, select an existing project from the Project Name drop-down list. |
| Logstore Name | The name of the Logstore. The Logstore name must be unique within the management account in the specified region.<br>- If you select Create a project in the account, specify a Logstore name.<br>- If you select Select a project in the account, select an existing Logstore from the Logstore Name drop-down list. |
| Recipient Address for Large Files | The Object Storage Service (OSS) bucket that is used to receive the large files that Cloud Config delivers to the Log Service Logstore.<br>- If you set this parameter, a file that Cloud Config delivers to the Logstore is automatically transferred to the specified OSS bucket when the file size exceeds 1 MB.<br>- If you leave this parameter empty, the excess part of a file that Cloud Config delivers to the Logstore is automatically discarded when the file size exceeds 1 MB.<br>Note: The Region and Account parameters are automatically set based on the settings in the Content and Recipient Address section. You only need to select a bucket. |
- To deliver resource data to a project that belongs to a member account, select Select an existing project from other enterprise management accounts, and set the parameters. Before you set the parameters, make sure that the member
account has an available project. The following table describes the parameters.
| Parameter | Description |
| --- | --- |
| Select Acceptable Content | The type of resource data to be delivered to the Log Service Logstore. Valid values:<br>- Historical Configuration Changes: resource change logs. When the configuration of a resource changes, Cloud Config delivers the resource change log to the Log Service Logstore.<br>- Non-compliance Events: resource non-compliance events. If a resource is evaluated as non-compliant, Cloud Config delivers the resource non-compliance event to the Log Service Logstore. |
| Logstore ARN | The Alibaba Cloud Resource Name (ARN) of the Logstore within the member account. The ARN consists of the following information: the ID of the region in which the Logstore resides, the ID of the member account, the name of the project, and the name of the Logstore. You can select the region from the Region drop-down list, the member account from the Member Accounts drop-down list, the project from the Project Name drop-down list, and the Logstore from the Logstore Name drop-down list. |
| The role ARN that belongs to the destination account | The ARN of the role to be assumed by the member account. The ARN consists of the following information: the ID of the member account and the service-linked role for Cloud Config. You can select the member account from the drop-down list and use the default service-linked role. |
| Recipient Address for Large Files | The Object Storage Service (OSS) bucket that is used to receive the large files that Cloud Config delivers to the Log Service Logstore.<br>- If you set this parameter, a file that Cloud Config delivers to the Logstore is automatically transferred to the specified OSS bucket when the file size exceeds 1 MB.<br>- If you leave this parameter empty, the excess part of a file that Cloud Config delivers to the Logstore is automatically discarded when the file size exceeds 1 MB.<br>Note: The Region and Account parameters are automatically set based on the settings in the Content and Recipient Address section. You only need to select a bucket. |
- Click OK.
- In the message "The changes will apply to all member accounts in the organization. Are you sure you
want to apply the changes?", click OK.
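The following check is an added example, not part of the original documentation or of any Alibaba Cloud SDK. It reviews a cross-account delivery setting of the kind described above: the Logstore ARN and the role ARN must name the same member account, the role should be the default service-linked role, and an empty large-file bucket means data beyond 1 MB is lost. The ARN layouts, the role name, the dictionary keys and all sample values are assumptions made for illustration.

```python
import re

# Assumed ARN layouts (the page lists the parts, not the exact syntax):
#   Logstore: acs:log:<region>:<account-id>:project/<project>/logstore/<logstore>
#   Role:     acs:ram::<account-id>:role/<role-name>
LOGSTORE_ARN = re.compile(
    r"^acs:log:(?P<region>[a-z0-9-]+):(?P<account>\d+):"
    r"project/(?P<project>[a-z0-9-]+)/logstore/(?P<logstore>[A-Za-z0-9_-]+)$")
ROLE_ARN = re.compile(r"^acs:ram::(?P<account>\d+):role/(?P<role>[A-Za-z0-9_.-]+)$")
DEFAULT_ROLE = "aliyunserviceroleforconfig"  # assumed service-linked role name


def audit_delivery(cfg, member_accounts):
    """Return findings for one cross-account delivery setting (hypothetical dict)."""
    findings = []
    ls = LOGSTORE_ARN.match(cfg.get("logstore_arn", ""))
    role = ROLE_ARN.match(cfg.get("role_arn", ""))
    if not ls:
        findings.append("Logstore ARN is malformed")
    if not role:
        findings.append("role ARN is malformed")
    if ls and ls["account"] not in member_accounts:
        findings.append("Logstore owner is not a known member account")
    if ls and role and ls["account"] != role["account"]:
        findings.append("role and Logstore belong to different accounts")
    if role and role["role"].lower() != DEFAULT_ROLE:
        findings.append("role is not the default service-linked role")
    if not cfg.get("oss_bucket"):
        findings.append("no OSS bucket: file content beyond 1 MB is discarded")
    return findings


# Constructed sample data: account IDs, project, Logstore and bucket names are made up.
MEMBERS = {"100000000001", "100000000002"}
GOOD = {
    "logstore_arn": "acs:log:cn-hangzhou:100000000001:project/config-audit/logstore/config-delivery",
    "role_arn": "acs:ram::100000000001:role/aliyunserviceroleforconfig",
    "oss_bucket": "config-large-files",
}
BAD = {
    "logstore_arn": "acs:log:cn-hangzhou:100000000009:project/config-audit/logstore/config-delivery",
    "role_arn": "acs:ram::100000000001:role/custom-delivery-role",
    "oss_bucket": "",
}

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_delivery(cfg, MEMBERS))
```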
What to do next
After resource data is delivered to the specified Logstore as logs, you can specify
a time range to filter logs and then analyze logs. For more information, see Query and analyze logs.
For information about the sample resource change logs and resource non-compliance
events in the JSON format, see Examples of resource change logs and Example of resource non-compliance events.