Log Audit Service allows you to enable the log collection feature with a few clicks. This topic describes how to enable the log collection feature and perform related operations.

Prerequisites

  • An Alibaba Cloud account is created.

    We recommend that you use a RAM user of the Alibaba Cloud account to enable log collection. The RAM user must be granted the read permissions on RAM resources and the read and write permissions on Log Service resources. To grant the required permissions to the RAM user, you can attach the AliyunRAMReadOnlyAccess and AliyunLogFullAccess policies to the RAM user.

  • The required features are enabled for the Alibaba Cloud services from which you want to collect logs. For more information, see Supported Alibaba Cloud services.

Initially configure Log Audit Service

Notice
  • The account that you use to complete the authorization must have the permissions specified by the AliyunRamFullAccess policy.
  • You need to complete the authorization only once.
  1. Log on to the Log Service console.
  2. In the Log Application section, click the Audit & Security tab. Then, click Log Audit Service.
  3. Complete authorization by following the on-screen instructions.
    After you complete the authorization, Log Audit Service assumes the AliyunServiceRoleForSLSAudit service-linked role to collect logs from Alibaba Cloud services. For more information, see Manage the AliyunServiceRoleForSLSAudit service-linked role.

Enable log collection

  1. In the left-side navigation pane, choose Access to Cloud Products > Global Configurations.
  2. In the Region of the Central Project drop-down list, select the region of the project in which you want to centrally store the collected logs.
    • Chinese mainland: China (Qingdao), China (Beijing), China (Hohhot), China (Hangzhou), China (Shanghai), China (Shenzhen), and China (Hong Kong)
    • Outside the Chinese mainland: Singapore (Singapore), Japan (Tokyo), Germany (Frankfurt), and Indonesia (Jakarta)
  3. In the Cloud Products column, find the service for which you want to enable log collection and specify the retention period of logs.
    If you want to collect Layer 7 access logs from Server Load Balancer (SLB), Layer 7 access logs from Application Load Balancer (ALB), access logs from Object Storage Service (OSS), and audit logs from PolarDB-X 1.0, you can turn on the corresponding switches in the Synchronization to Central Project column. After you turn on a switch in the Synchronization to Central Project column, Log Service stores data in the regional project of the service only for the recommended period of time. The regional project of the service is used only as temporary storage.
  4. Click Save.
    After the configuration is complete, wait for approximately 2 minutes to view the collection status of logs on the Access to Cloud Products > Status Dashboard page. If an exception occurs, modify the configurations by following the on-screen instructions. For more information, see Enable log collection.

What to do next

Stop log collection

If you no longer need to collect logs from an Alibaba Cloud service but you want to retain the collected logs, perform the following steps. Log Service deletes logs after the retention period of the logs elapses.

  1. In the left-side navigation pane, choose Access to Cloud Products > Global Configurations.
  2. On the Global Configurations page, click Modify in the upper-right corner.
  3. Find the Alibaba Cloud service and turn off the switch in the Audit-Related Logs column. Then, click OK.

Delete audit resources

If you want to delete Log Audit Service resources, such as projects, Logstores, dashboards, and alerts, perform the following steps:

  1. In the left-side navigation pane, choose Access to Cloud Products > Global Configurations.
  2. On the Global Configurations page, click Delete Audit Resources in the upper-right corner.
  3. In the Delete All Resources of Log Audit Service dialog box, click Disable Log Collection for Cloud Services.
  4. In the Confirm message, click OK.
  5. In the Delete All Resources of Log Audit Service dialog box, copy commands based on your business requirements.
    If you want to delete all resources, copy all commands. If you want to delete specific resources, copy the required commands. Sample commands:
    Note
    • Run commands in sequence to delete a regional project before a central project.
    • Before you delete a project, wait for 1 to 2 minutes to make sure that log collection is disabled for all Alibaba Cloud services.
    • Sample command to delete a regional project
      aliyunlog log delete_project --project_name=slsaudit-region-12****34-cn-huhehaote --region-endpoint=cn-huhehaote.log.aliyuncs.com
    • Sample command to delete a central project
      aliyunlog log delete_project --project_name=slsaudit-center-12****34-cn-huhehaote --region-endpoint=cn-huhehaote.log.aliyuncs.com

    In the preceding commands, 12****34 specifies the ID of the Alibaba Cloud account, and cn-huhehaote specifies the region of the projects. region-endpoint specifies the access endpoint of the projects. For more information, see Endpoints.

  6. In the top navigation bar, click the Cloud Shell icon.
  7. On the cloudshell tab, run the commands that you copied.
    The system runs the commands one by one to delete audit resources.