You can deliver the ActionTrail logs and Cloud Config logs of all members in your resource directory to an Object Storage Service (OSS) bucket or Log Service Logstore that belongs to a specified log archive account. Centralizing the logs in one account lets auditors query and analyze them in one place.

Background information

When you deliver audit logs to OSS or Log Service, you are charged for the storage of the logs in OSS or Log Service. Make sure that you fully understand the billing methods and pricing of OSS or Log Service. For more information, see What is OSS? and What is Log Service?.

Initialize the log delivery task

  1. Log on to the Cloud Governance Center console.
  2. In the left-side navigation pane, click Initialization Tasks.
  3. On the Initialization Tasks page, click Initialization Task for Audit Log Delivery.
  4. Click Start.
  5. On the Initialization Task for Audit Log Delivery page, turn on the switch for the delivery method that you want to use, configure the parameters, and then click Next.
    The following table lists the delivery methods for Cloud Config logs and ActionTrail logs. You can configure multiple delivery methods at the same time.

    Cloud service: Cloud Config
    Delivery content: Changes to resources and resource non-compliance events
    Delivery method: Delivers logs to an OSS bucket.
    Manual configuration: You must configure the following parameters:
    • Region: the region to which the OSS bucket belongs. The default value of this parameter is the same as the region in which Cloud Governance Center is activated.
    • Bucket Name: the name of the bucket. You must specify the value in the following format: landingzone-config-xxxx.
    Automatic configuration: Cloud Governance Center creates a global account group that is named enterprise. Then, Cloud Governance Center centrally manages the resources, compliance packages, and rules of all members in your resource directory in the global account group.
    Note If a global account group is already created in Cloud Config, Cloud Governance Center uses the global account group and does not create another global account group.
    Delivery method: Delivers logs to a Logstore of a Log Service project.
    Manual configuration: You must configure the following parameters:
    • Region: the region to which the Log Service project belongs. The default value of this parameter is the same as the region in which Cloud Governance Center is activated.
    • Logstore Name: the name of the Logstore. You must specify the value in the following format: landingzone-config-xxxx.

    Cloud service: ActionTrail
    Delivery content: Events
    Delivery method: Delivers logs to an OSS bucket.
    Manual configuration: You must configure the following parameters:
    • Region: the region to which the OSS bucket belongs. The default value of this parameter is the same as the region in which Cloud Governance Center is activated.
    • Bucket Name: the name of the bucket. You must specify the value in the following format: landingzone-actiontrail-xxxx.
    Automatic configuration: Cloud Governance Center creates a multi-account trail that is named landingzone-enterprise to track all types of events in all regions.
    Note If a multi-account trail is already created in ActionTrail, Cloud Governance Center uses the multi-account trail and does not create another multi-account trail.
    Delivery method: Delivers logs to a Logstore of a Log Service project.
    Manual configuration: You must configure the following parameters:
    • Region: the region to which the Log Service project belongs. The default value of this parameter is the same as the region in which Cloud Governance Center is activated.
    • Logstore Name: the name of the Logstore. You must specify the value in the following format: landingzone-actiontrail-xxxx.

    Note By default, Cloud Governance Center delivers audit logs to the log archive account (such as LogArchive) that is created in Step 4: Create member accounts. If you configured an account for log delivery in Cloud Config or ActionTrail before you initialize the log delivery task in Cloud Governance Center, and the account that you configured is not the log archive account, Cloud Governance Center detects this issue and prompts you to change the account when you initialize the log delivery task. You can click Change Account to change the configured account to the log archive account.

After you initialize the log delivery task, you can view the status of the task in the Delivery Overview of Audit Logs section.

Change log delivery methods and parameter settings

After you initialize the log delivery task, you can change one or more log delivery methods and the parameter settings. For example, you can turn on or off the switch for a delivery method or change the OSS bucket or the Log Service Logstore.

  1. In the left-side navigation pane, choose Compliance Auditing > Delivery of Audit Logs.
  2. In the Log Delivery section, click Edit to the right of a delivery method.
  3. Turn off the switch or change the parameter settings. Then, click OK.