You can deliver resource change logs and resource non-compliance events to a Logstore in a project in Log Service. After resource data is delivered to the specified Logstore as logs, you can query and analyze the delivered logs.

Prerequisites

Log Service is activated. If Log Service is not activated, log on to the Log Service console and follow the on-screen instructions to activate the service. For more information, see What is Log Service?.

Use an ordinary account

If you use an ordinary account, you can specify a Logstore to store the resource data of the current account.

  1. Log on to the Cloud Config console.
  2. In the left-side navigation pane, choose Delivery Channels > Deliver Logs to SLS.
  3. On the Deliver Logs to SLS page, turn on SLS Settings.
  4. Set the parameters to specify a Log Service Logstore to store resource data.
    The following table describes the parameters.
    Parameter | Description
    Select Acceptable Content | The type of resource data to be delivered to the Log Service Logstore. Valid values:
    • Historical Configuration Changes: resource change logs. When the configuration of a resource changes, Cloud Config delivers the resource change log to the Log Service Logstore.
    • Non-compliance Events: resource non-compliance events. If a resource is evaluated as non-compliant, Cloud Config delivers the resource non-compliance event to the Log Service Logstore.
    Project Region | The region in which the Log Service project resides.
    Project Name | The name of the Log Service project. The project name must be unique within your Alibaba Cloud account in the specified region.
    • If you select Create a project in the account, specify a project name.
    • If you select Select a project in the account, select an existing project from the Project Name drop-down list.
    Logstore Name | The name of the Logstore. The Logstore name must be unique within your Alibaba Cloud account in the specified region.
    • If you select Create a project in the account, specify a Logstore name.
    • If you select Select a project in the account, select an existing Logstore from the Logstore Name drop-down list.
    Recipient Address for Large Files | The Object Storage Service (OSS) bucket that is used to receive the large files that Cloud Config delivers to the Log Service Logstore.
    • If you set this parameter, a file that Cloud Config delivers to the Logstore is automatically transferred to the specified OSS bucket when the file size exceeds 1 MB.
    • If you leave this parameter empty, the excess part of a file that Cloud Config delivers to the Logstore is automatically discarded when the file size exceeds 1 MB.
    Note: The Region and Account parameters are automatically set based on the settings in the Content and Recipient Address section. You only need to select a bucket.
  5. Click OK.

Use a management account

If you use a management account, you can specify a Logstore to store the resource data of the management account and the member accounts in the resource directory. The delivery destination can be a Logstore that belongs to the management account or a member account. Only management accounts are authorized to configure the delivery settings of resource data. No member accounts have the relevant permissions.
Note: If you have used the management account to specify a member account as the delegated administrator account, the delegated administrator account can also be used to configure the delivery settings. For more information about how to add a delegated administrator account, see Add a delegated administrator account.
  1. Log on to the Cloud Config console.
  2. In the left-side navigation pane, choose Delivery Channels > Deliver Logs to SLS.
  3. On the Deliver Logs to SLS page, turn on SLS Settings.
  4. Set the parameters to specify a Log Service Logstore to store resource data.
    You can create a project within the current management account or select an existing project that belongs to the management account or a member account. The specified project stores the resource data of the management account and its member accounts.
    • To deliver resource data to a project that belongs to the management account, select Create a project in the account or Select a project in the account, and set the parameters. The following table describes the parameters.
      Parameter | Description
      Select Acceptable Content | The type of resource data to be delivered to the Log Service Logstore. Valid values:
      • Historical Configuration Changes: resource change logs. When the configuration of a resource changes, Cloud Config delivers the resource change log to the Log Service Logstore.
      • Non-compliance Events: resource non-compliance events. If a resource is evaluated as non-compliant, Cloud Config delivers the resource non-compliance event to the Log Service Logstore.
      Project Region | The region in which the Log Service project resides.
      Project Name | The name of the Log Service project. The project name must be unique within the management account in the specified region.
      • If you select Create a project in the account, specify a project name.
      • If you select Select a project in the account, select an existing project from the Project Name drop-down list.
      Logstore Name | The name of the Logstore. The Logstore name must be unique within the management account in the specified region.
      • If you select Create a project in the account, specify a Logstore name.
      • If you select Select a project in the account, select an existing Logstore from the Logstore Name drop-down list.
      Recipient Address for Large Files | The Object Storage Service (OSS) bucket that is used to receive the large files that Cloud Config delivers to the Log Service Logstore.
      • If you set this parameter, a file that Cloud Config delivers to the Logstore is automatically transferred to the specified OSS bucket when the file size exceeds 1 MB.
      • If you leave this parameter empty, the excess part of a file that Cloud Config delivers to the Logstore is automatically discarded when the file size exceeds 1 MB.
      Note: The Region and Account parameters are automatically set based on the settings in the Content and Recipient Address section. You only need to select a bucket.
    • To deliver resource data to a project that belongs to a member account, select Select an existing project from other enterprise management accounts, and set the parameters. Before you set the parameters, make sure that the member account has an available project. The following table describes the parameters.
      Parameter | Description
      Select Acceptable Content | The type of resource data to be delivered to the Log Service Logstore. Valid values:
      • Historical Configuration Changes: resource change logs. When the configuration of a resource changes, Cloud Config delivers the resource change log to the Log Service Logstore.
      • Non-compliance Events: resource non-compliance events. If a resource is evaluated as non-compliant, Cloud Config delivers the resource non-compliance event to the Log Service Logstore.
      Logstore ARN | The Alibaba Cloud Resource Name (ARN) of the Logstore within the member account. The ARN consists of the following information: the ID of the region in which the Logstore resides, the ID of the member account, the name of the project, and the name of the Logstore. You can select the region from the Region drop-down list, the member account from the Member Accounts drop-down list, the project from the Project Name drop-down list, and the Logstore from the Logstore Name drop-down list.
      The role ARN that belongs to the destination account | The ARN of the role to be assumed by the member account. The ARN consists of the following information: the ID of the member account and the service-linked role for Cloud Config. You can select the member account from the drop-down list and use the default service-linked role.
      Recipient Address for Large Files | The Object Storage Service (OSS) bucket that is used to receive the large files that Cloud Config delivers to the Log Service Logstore.
      • If you set this parameter, a file that Cloud Config delivers to the Logstore is automatically transferred to the specified OSS bucket when the file size exceeds 1 MB.
      • If you leave this parameter empty, the excess part of a file that Cloud Config delivers to the Logstore is automatically discarded when the file size exceeds 1 MB.
      Note: The Region and Account parameters are automatically set based on the settings in the Content and Recipient Address section. You only need to select a bucket.
  5. Click OK.
  6. In the "The changes will apply to all member accounts in the organization. Are you sure you want to apply the changes?" message, click OK.

What to do next

After resource data is delivered to the specified Logstore as logs, you can specify a time range to filter logs and then analyze logs. For more information, see Query and analyze logs.

For information about the sample resource change logs and resource non-compliance events in the JSON format, see Examples of resource change logs and Example of resource non-compliance events.