IDaaS CIAM captures three categories of logs — management, user, and synchronization — stored in Alibaba Cloud Simple Log Service (SLS). Use these logs to monitor service health, audit administrator and user activity, and detect security anomalies in real time.
Log categories
| Log type | What it records |
|---|---|
| Management logs | Administrator operations: who performed the action, from which environment, what event occurred, and which object was affected |
| User logs | User behaviors: logon, registration, password modification, and similar actions |
| Synchronization logs | Data synchronization activity |
Log storage
All IDaaS CIAM logs are stored in Alibaba Cloud Simple Log Service (SLS).
Default retention: 180 days.
If you enable multiple log collection types with different retention periods, the actual duration is determined as follows:
| Storage mode | Effective retention period |
|---|---|
| Centralized storage | The longest retention period among all enabled log types |
| Tiered storage (hot tier) | The longest hot storage duration among all enabled log types |
Tiered storage is disabled by default.
Monitor service activity
IDaaS CIAM provides three monitoring dimensions:
| Dimension | What it shows |
|---|---|
| User access analytics | Logon frequency and usage patterns |
| Application access analytics | Application usage and permission call activity |
| User profile analysis | Anomaly detection and risk scoring to identify potential identity threats |
Set up keyword alerting
IDaaS CIAM monitors logs in real time and sends alerts when specified keywords are detected — for example, ERROR. To configure an alert:
1. Create a log monitoring rule and specify the target keyword.
2. Define the trigger condition.
3. Select one or more notification channels: phone call, SMS, email, or DingTalk Robot.
Query and analyze logs
To query or analyze logs, first use the SLS log delivery feature to sync your IDaaS CIAM log data to your own SLS environment.
After delivery, you can run SQL queries and use visual analytics dashboards in the SLS console.
Example queries:
| Scenario | How to query |
|---|---|
| Identify failed logon attempts | Filter on `logon failed` to locate users with repeated failures and identify potential security threats |
| Find performance bottlenecks | Query response time distribution across log entries to identify slow operations |
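
The failed-logon scenario from the table above, worked through as an added example that is not part of the original documentation. It assumes the delivered logs have been exported as JSON lines; the field names (`time`, `user`, `src_ip`, `message`), the threshold, and the window are hypothetical and must be mapped to your own log schema. Grouping by source IP as well as by user goes one step beyond the table row, so that one address failing against many accounts is also caught.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records. Field names are hypothetical, not the IDaaS CIAM schema.
SAMPLE_LOGS = """\
{"time": "2024-05-01T10:00:00", "user": "alice", "src_ip": "198.51.100.7", "message": "logon failed"}
{"time": "2024-05-01T10:01:00", "user": "alice", "src_ip": "198.51.100.7", "message": "logon failed"}
{"time": "2024-05-01T10:02:30", "user": "alice", "src_ip": "198.51.100.7", "message": "logon failed"}
{"time": "2024-05-01T10:03:00", "user": "alice", "src_ip": "198.51.100.7", "message": "logon succeeded"}
{"time": "2024-05-01T10:00:00", "user": "bob", "src_ip": "192.0.2.10", "message": "logon failed"}
{"time": "2024-05-01T10:30:00", "user": "bob", "src_ip": "192.0.2.10", "message": "logon failed"}
{"time": "2024-05-01T11:00:00", "user": "bob", "src_ip": "192.0.2.10", "message": "logon failed"}
{"time": "2024-05-01T10:10:00", "user": "dave", "src_ip": "203.0.113.9", "message": "logon failed"}
{"time": "2024-05-01T10:10:20", "user": "erin", "src_ip": "203.0.113.9", "message": "logon failed"}
{"time": "2024-05-01T10:10:40", "user": "frank", "src_ip": "203.0.113.9", "message": "logon failed"}
"""


def repeated_failures(lines, key, threshold=3, window=timedelta(minutes=5)):
    """Return {value of `key`: peak failure count} for every value that reaches
    `threshold` 'logon failed' events inside any sliding `window`."""
    events = [json.loads(line) for line in lines if line.strip()]
    failures = [e for e in events if "logon failed" in e["message"]]
    recent = defaultdict(deque)  # per-key timestamps still inside the window
    flagged = {}
    for event in sorted(failures, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(event["time"])
        queue = recent[event[key]]
        queue.append(ts)
        # Drop failures that have aged out of the window.
        while ts - queue[0] > window:
            queue.popleft()
        if len(queue) >= threshold:
            flagged[event[key]] = max(flagged.get(event[key], 0), len(queue))
    return flagged


if __name__ == "__main__":
    records = SAMPLE_LOGS.splitlines()
    # Repeated failures against one account.
    print("by user:", repeated_failures(records, "user"))
    # One source address failing across several accounts.
    print("by source IP:", repeated_failures(records, "src_ip"))
```

In the sample, `bob` has three failures but they are spread over an hour, so only the windowed count keeps him out of the per-user result.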
Audit logs
IDaaS CIAM logs all administrator and user activity to support security audits:
- Administrator operation audit: records changes to system configuration and user management, including the operator identity and affected objects.
- User behavior audit: records logon, registration, and password reset events for investigation and compliance tracking.
Security features
IDaaS CIAM provides the following security controls alongside its logging capabilities:
- Multi-factor authentication (MFA): Supports MFA with dynamic environmental factors to verify user identity.
- Risk governance policy: Detects abnormal behavior in real time and triggers secondary authentication based on IP address, logon location, commonly used devices, and access time periods.
- Log tamper-proofing: Protects log integrity through encryption and integrity verification, preventing logs from being modified or deleted.
For more information about IDaaS CIAM features, or to obtain a private deployment solution, contact the IDaaS product team.