
CloudOps Orchestration Service:Enable and configure Log Audit Service of Log Service for a DingTalk application

Last Updated:Dec 28, 2023

Overview

CloudOps Orchestration Service (OOS) allows you to enable and configure Log Audit Service of Log Service for DingTalk applications, so that application logs are delivered to Log Service. Log Service audits and analyzes the application logs and sends alerts when it detects abnormal operations. This helps you identify behavior such as unauthorized data access or deliberate data disclosure by application users.

Procedure

Step 1: Enable Log Audit Service and view the initialized service configurations

1. Enable Log Audit Service.

On the Overview tab of the DingTalk application for which you want to enable Log Audit Service, click Enable next to Audit Log to initialize a Log Service project, a Logstore, and a Logtail configuration for the DingTalk application. The name of the Logtail configuration is the ID of the DingTalk application. In this example, the ID of the DingTalk application is 031001.

2. View the initialized configurations of Log Audit Service.

After Log Audit Service is enabled, click View next to Audit Log. You are navigated to the details page of the created Logstore in the Log Service console.

The URL of the Logstore page in the Log Service console is built from the project name and the Logstore name:
- dingtalk-application-{regionId}: the name of the project. regionId is the ID of the region in which the application group is deployed, for example cn-chengdu.
- {dingTalkAppId}: the name of the Logstore. dingTalkAppId is the ID of the DingTalk application.

Format:
https://sls.console.aliyun.com/lognext/project/dingtalk-application-{regionId}/logsearch/{dingTalkAppId}

Example (region cn-chengdu, application ID 031001):
https://sls.console.aliyun.com/lognext/project/dingtalk-application-cn-chengdu/logsearch/031001

A project, a Logstore, and a Logtail configuration are initialized for the DingTalk application. Then, proceed to Step 2 to view the details of the Logtail configuration.

Step 2: View the default Logtail configuration

A Logtail configuration is initialized for the DingTalk application in the Logstore under Logtail Configurations. A Logtail configuration is a set of policies that are used by Logtail to collect logs. For more information, see Logtail configurations.

The following table describes the parameters initialized for the Logtail configuration.

Parameter | Initial value | Description
Config Name | 031001 | The name of the Logtail configuration. The name is the ID of the DingTalk application.
Log Path | /home/logs/**/031001.log | The path from which logs are collected. /home/logs is the directory and 031001.log is the file name pattern. ** matches any depth of subdirectories, so every file named 031001.log under /home/logs is monitored. The file name can be a complete name or a name that contains wildcards.
Mode | Full Regex Mode | The mode in which logs are collected. In this mode, each log entry is parsed by a regular expression that must match the entire entry.
Log Sample | 2022-03-09 18:36:13.236 INFO LogHelper.printProviderLog(85): ANTL_41A46571-0B69-1BD0-851C-35A893395774 userId=1309208528360047,sourceIpAddress=106.11.XX.XXX,userName=root,eventName=AddUserToGroup,request=requestBody,response=responseBody | The text of a sample log. The sample text and the field parsing mode are preset for the Logtail configuration when Log Audit Service is enabled.
Regex to Match First Line | \d+-\d+-\d+\s\d+:\d+:\d+\.\d+\s.* | The regular expression that identifies the first line of a log entry. A line that matches starts a new entry; a line that does not match is appended to the preceding entry, so a multi-line log such as a stack trace is collected as a single entry.
Extract Field | Enabled | Specifies whether fields are extracted from each entry into key-value pairs.
RegEx | (\d+-\d+-\d+\s\S+)\s+([a-zA-Z]+)\s+([^:]+):\s([a-zA-Z0-9_-]+)\suserId=(null|\d+),sourceIpAddress=(null|\d+\.\d+\.\d+\.\d+),userName=([a-zA-Z0-9_-]+),eventName=([a-zA-Z0-9_-]+),request=(.*),response=(.*) | The regular expression that is used to extract fields. Each capture group produces the value of one key-value pair; the keys are the field names listed under Extracted Content, in the same order. If you do not use the system time as the log time, the key of the time field must be specified as time.
Extracted Content | see below | The fields extracted by the regular expression, in capture-group order.

Name of an extracted field | Value of an extracted field | Description
*eventTime | 2022-03-09 18:36:13.236 | The time when the event occurred.
*eventLevel | INFO | The severity of the event.
*eventFunction | LogHelper.printProviderLog(85) | The name of the function used to process the event.
*eventId | ANTL_41A46571-0B69-1BD0-851C-35A893395774 | The ID of the event.
userId | 1309208528360047 | The ID of the user.
sourceIpAddress | 106.11.41.212 | The source IP address of the request.
*userName | root | The name of the user.
*eventName | AddUserToGroup | The name of the event.
requestParameters | requestBody | The request parameters.
responseParameters | responseBody | The response parameters.
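The following Python script is an added example that is not part of this page, of OOS or of Log Service. It reproduces the first-line and field-extraction regular expressions from the Logtail configuration above and applies them to a few constructed log entries, so that you can check locally how an entry will be parsed before you write it to /home/logs. Two assumptions are built in: Full Regex Mode requires the expression to match the whole entry (modelled with re.fullmatch), and the flag_suspicious rule with its SENSITIVE_EVENTS set and ALLOWED_PREFIXES allow-list is a hypothetical audit rule, not an alert rule shipped by Log Audit Service.

```python
import re

# Regular expressions and field names copied from the Logtail configuration
# that Log Audit Service initializes for the DingTalk application (Step 2).
FIRST_LINE_RE = re.compile(r"\d+-\d+-\d+\s\d+:\d+:\d+\.\d+\s.*")
EXTRACT_RE = re.compile(
    r"(\d+-\d+-\d+\s\S+)\s+([a-zA-Z]+)\s+([^:]+):\s([a-zA-Z0-9_-]+)\s"
    r"userId=(null|\d+),sourceIpAddress=(null|\d+\.\d+\.\d+\.\d+),"
    r"userName=([a-zA-Z0-9_-]+),eventName=([a-zA-Z0-9_-]+),"
    r"request=(.*),response=(.*)"
)
FIELDS = ["eventTime", "eventLevel", "eventFunction", "eventId", "userId",
          "sourceIpAddress", "userName", "eventName",
          "requestParameters", "responseParameters"]


def split_entries(text):
    """Group physical lines into log entries the way Logtail does with a
    first-line regex: a matching line starts a new entry, every other line
    is appended to the entry in progress."""
    entries = []
    for line in text.splitlines():
        if FIRST_LINE_RE.match(line):
            entries.append(line)
        elif entries:
            entries[-1] += "\n" + line
    return entries


def parse_entry(entry):
    """Apply the extraction regex to one entry. Assumption: Full Regex Mode
    requires the expression to match the entire entry, hence re.fullmatch.
    None means Logtail would report a parse failure for this entry."""
    m = EXTRACT_RE.fullmatch(entry)
    return dict(zip(FIELDS, m.groups())) if m else None


def parse_log(text):
    """Return (parsed events as dicts, raw entries that failed to parse)."""
    parsed, failed = [], []
    for entry in split_entries(text):
        fields = parse_entry(entry)
        (parsed if fields else failed).append(fields or entry)
    return parsed, failed


# Hypothetical audit rule (not part of Log Audit Service): flag group
# membership changes made by root from an IP outside an internal allow-list.
SENSITIVE_EVENTS = {"AddUserToGroup", "RemoveUserFromGroup"}
ALLOWED_PREFIXES = ("10.", "192.168.")


def flag_suspicious(events):
    return [e for e in events
            if e["userName"] == "root"
            and e["eventName"] in SENSITIVE_EVENTS
            and not e["sourceIpAddress"].startswith(ALLOWED_PREFIXES)]


# Constructed sample input: the page's sample line, an entry with null fields,
# a request body that itself contains ",response=", the masked IP from the
# Log Sample field, and a multi-line entry with a stack-trace continuation.
SAMPLE = """\
2022-03-09 18:36:13.236 INFO LogHelper.printProviderLog(85): ANTL_41A46571-0B69-1BD0-851C-35A893395774 userId=1309208528360047,sourceIpAddress=106.11.41.212,userName=root,eventName=AddUserToGroup,request=requestBody,response=responseBody
2022-03-09 18:36:14.001 INFO LogHelper.printProviderLog(85): ANTL_00000000-0000-0000-0000-000000000001 userId=null,sourceIpAddress=null,userName=system,eventName=Heartbeat,request=,response=ok
2022-03-09 18:36:15.002 WARN LogHelper.printProviderLog(85): ANTL_00000000-0000-0000-0000-000000000002 userId=42,sourceIpAddress=10.0.0.5,userName=alice,eventName=AddUserToGroup,request=note=a,response=b,response=responseBody
2022-03-09 18:36:16.003 INFO LogHelper.printProviderLog(85): ANTL_00000000-0000-0000-0000-000000000003 userId=7,sourceIpAddress=106.11.XX.XXX,userName=root,eventName=AddUserToGroup,request=requestBody,response=responseBody
2022-03-09 18:36:17.004 ERROR LogHelper.printProviderLog(85): ANTL_00000000-0000-0000-0000-000000000004 userId=7,sourceIpAddress=203.0.113.9,userName=root,eventName=RemoveUserFromGroup,request=requestBody,response=responseBody
java.lang.IllegalStateException: example
    at com.example.Handler.run(Handler.java:10)
"""

if __name__ == "__main__":
    ok, bad = parse_log(SAMPLE)
    for e in ok:
        print(e["eventTime"], e["userName"], e["eventName"], e["sourceIpAddress"])
    print("unparsed entries:", len(bad))
    print("flagged:", [e["eventId"] for e in flag_suspicious(ok)])
```

Two of the five constructed entries fail to parse: the one carrying the masked address 106.11.XX.XXX, because the regex only accepts dotted digits (so the masked Log Sample text cannot itself be parsed by the RegEx it is paired with), and the multi-line entry, because request=(.*) and response=(.*) stop at the end of the first line. A parse failure silently drops an audit event, here the root RemoveUserFromGroup entry, so alert on Logtail parse errors as well as on the events themselves. Note also that request=(.*) is greedy: a request body that contains ",response=" is split at its last occurrence, which is why the third entry's requestParameters is "note=a,response=b".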

Step 3: Create a machine group

On the Logstore page, choose Resources > Machine Groups in the left-side navigation pane. On the page that appears, click Create Machine Group.

In the Create Machine Group panel, specify the name and one or more IP addresses for the machine group. In this example, the name of the machine group is app-test. Take note of the following items:
- Only Elastic Compute Service (ECS) instances in the same region as the project are supported.
- The IP addresses must be the internal IP addresses of the ECS instances.
- You cannot add both Windows and Linux instances to the same machine group.

Step 4: Associate the machine group with the Logtail configuration

On the Logtail Configurations tab, click Modify. In the Machine Groups section, move the app-test machine group that you created from Source Server Groups to Applied Server Groups.

Step 5: Configure indexes for the Logstore

You can enable the indexing feature for the Logstore as needed. After the indexing feature is enabled, you can use the feature of automatic index generation to simplify the index creation process. For more information, see Configure indexes.

Step 6: Collect a sample log

Create a log file on an ECS instance that belongs to the machine group created in the previous step and write test data to the log file.

# Create the directory matched by the Log Path of the Logtail configuration.
mkdir -p /home/logs
# The file name must match the pattern in the Log Path (031001.log).
touch /home/logs/031001.log
# Append one entry in the format expected by the extraction regex.
echo "2022-03-09 18:36:13.236 INFO LogHelper.printProviderLog(85): ANTL_41A46571-0B69-1BD0-851C-35A893395774 userId=1309208528360047,sourceIpAddress=106.11.41.212,userName=root,eventName=AddUserToGroup,request=requestBody,response=responseBody" >> /home/logs/031001.log

After 3 to 5 seconds, the sample log appears on the query and analysis page of the Logstore, which confirms that log collection works. If nothing appears, check that the ECS instance is in the machine group, that the machine group is applied to the Logtail configuration, and that the entry matches the extraction regular expression.

Log query and analysis

On the query and analysis page of the Logstore, enter a query statement, specify a time range, and then click Search & Analyze.

In this example, requestBody is entered as the keyword. After you click Search & Analyze, all log entries that contain requestBody are displayed.

You can also enter multiple keywords and specify the logical relationships among them, for example to find all sensitive events performed by a specific user.

You can also search for the value of a specific extracted field, such as userName or sourceIpAddress, instead of a bare keyword.

Only some of the simplest query methods are described in this section. The log query and analysis feature of Log Service supports many query methods and provides several functions that are easy to use. For more information, see related topics.