You can deliver the ActionTrail logs and Cloud Config logs of all members in your resource directory to an Object Storage Service (OSS) bucket or Log Service Logstore that belongs to a specific log archive account in a unified manner. This helps auditors query and analyze the audit logs.

Background information

When you deliver audit logs to OSS or Log Service, you are charged for the storage of the logs in OSS or Log Service. Make sure that you fully understand the billing methods and pricing of OSS or Log Service before you deliver audit logs to OSS or Log Service. For more information, see What is OSS? or What is Log Service?.

Initialize a log delivery task

  1. Log on to the Cloud Governance Center console.
  2. In the left-side navigation pane, click Initialization Tasks.
  3. On the Initialization Tasks page, click Initialization Tasks for Log Archive.
  4. Click Start.
  5. On the Initialization Tasks for Log Archive page, turn on the switch for the delivery method that you want to use, configure the parameters, and then click Next.
    The following table describes the methods that you can use to deliver Cloud Config logs and ActionTrail logs. You can specify multiple delivery methods at a time. The table columns are: Alibaba Cloud service, Delivery content, Delivery method, Manual configuration, and Automatic configuration.

    Cloud Config
      Delivery content: changes to resources and resource non-compliance events.
      Delivery method 1 (manual configuration): delivers logs to an OSS bucket. You must configure the following parameters:
        • Region: the region in which the OSS bucket resides. The default value of this parameter is the same as the region where Cloud Governance Center is activated.
        • Bucket Name: the name of the bucket. You must specify the value in the following format: landingzone-config-xxxx.
      Delivery method 2 (manual configuration): delivers logs to a Logstore of a Log Service project. You must configure the following parameters:
        • Region: the region in which the Log Service project resides. The default value of this parameter is the same as the region where Cloud Governance Center is activated.
        • Logstore Name: the name of the Logstore. You must specify the value in the following format: landingzone-config-xxxx.
      Automatic configuration: Cloud Governance Center creates a global account group named enterprise. Then, Cloud Governance Center centrally manages the resources, compliance packages, and rules of all members in your resource directory in the global account group.
        Note: If a global account group already exists in Cloud Config, Cloud Governance Center uses the existing global account group and does not create another one.

    ActionTrail
      Delivery content: events.
      Delivery method 1 (manual configuration): delivers logs to an OSS bucket. You must configure the following parameters:
        • Region: the region in which the OSS bucket resides. The default value of this parameter is the same as the region where Cloud Governance Center is activated.
        • Bucket Name: the name of the bucket. You must specify the value in the following format: landingzone-actiontrail-xxxx.
      Delivery method 2 (manual configuration): delivers logs to a Logstore of a Log Service project. You must configure the following parameters:
        • Region: the region in which the Log Service project resides. The default value of this parameter is the same as the region where Cloud Governance Center is activated.
        • Logstore Name: the name of the Logstore. You must specify the value in the following format: landingzone-actiontrail-xxxx.
      Automatic configuration: Cloud Governance Center creates a multi-account trail named landingzone-enterprise to track all types of events in all regions.
        Note: If a multi-account trail already exists in ActionTrail, Cloud Governance Center uses the existing multi-account trail and does not create another one.

    Note: By default, Cloud Governance Center delivers audit logs to the log archive account that is created in Step 3: Create a core account. Example: LogArchive. If you specified an account for log delivery in Cloud Config or ActionTrail before you initialize the log delivery task in Cloud Governance Center, and that account is not the log archive account, Cloud Governance Center detects the mismatch and prompts you to change the account when you initialize the log delivery task. You can click Change Account to change the specified account to the log archive account.

After you initialize the log delivery task, you can view the status of the task in the Overview of log archive section.
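The two constraints that the initialization step enforces (target names must follow the landingzone-config-xxxx or landingzone-actiontrail-xxxx format, and every delivery target must belong to the log archive account) can be checked ahead of time over an export of the planned targets. The script below is an added example, not code from the Alibaba Cloud documentation or Cloud Governance Center; the target records, account IDs and the character set allowed in the xxxx suffix are assumptions.

```python
import re

# Naming formats from the page; the allowed suffix characters are an assumption.
NAME_PATTERNS = {
    "Cloud Config": re.compile(r"^landingzone-config-[a-z0-9-]+$"),
    "ActionTrail": re.compile(r"^landingzone-actiontrail-[a-z0-9-]+$"),
}


def check_delivery_targets(targets, log_archive_account_id):
    """Return one finding dict per violated constraint, in input order.

    targets: list of dicts with keys service ("Cloud Config" or "ActionTrail"),
             method ("OSS" or "Log Service"), name (bucket or Logstore name)
             and account_id (the account that owns the bucket or Logstore).
    """
    findings = []
    for target in targets:
        pattern = NAME_PATTERNS.get(target["service"])
        if pattern is None or not pattern.match(target["name"]):
            findings.append({"target": target["name"], "issue": "name_format"})
        # Mirrors the console check: a target owned by any account other than
        # the log archive account must be changed before delivery is initialized.
        if target["account_id"] != log_archive_account_id:
            findings.append({"target": target["name"], "issue": "wrong_account"})
    return findings


# Constructed sample data; the account IDs are placeholders, not real accounts.
LOG_ARCHIVE_ACCOUNT = "100000000000001"
SAMPLE_TARGETS = [
    {"service": "Cloud Config", "method": "OSS",
     "name": "landingzone-config-prod", "account_id": "100000000000001"},
    {"service": "Cloud Config", "method": "Log Service",
     "name": "config-logs", "account_id": "100000000000001"},
    {"service": "ActionTrail", "method": "OSS",
     "name": "landingzone-actiontrail-prod", "account_id": "100000000000002"},
]

if __name__ == "__main__":
    for finding in check_delivery_targets(SAMPLE_TARGETS, LOG_ARCHIVE_ACCOUNT):
        print(f"{finding['target']}: {finding['issue']}")
```

Run it against the real target list before clicking Start so that a mismatched account or a misnamed bucket is fixed before the task is initialized rather than after the console flags it.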

Change log delivery methods and modify parameter settings

After the log delivery task is initialized, you can change one or more log delivery methods and modify the parameter settings. For example, you can turn on or turn off the switch for a delivery method, or change the OSS bucket or the Log Service Logstore.

  1. In the left-side navigation pane, choose Management and Governance > Compliance Auditing > LogArchive.
  2. In the Log Delivery section, click Edit to the right of a delivery method.
  3. Turn off the switch or modify the parameter settings. Then, click OK.