
Secure Access Service Edge:Log analysis

Last Updated: Nov 24, 2025

The log analysis feature collects and stores logs from devices that access Secure Access Service Edge (SASE). It is built on Alibaba Cloud Simple Log Service (SLS) and supports query analysis, statistical charts, and alerting, so that you can focus on analysis instead of tedious query and data organization tasks. This topic describes how to enable log analysis and view the collected logs.

Prerequisites

The log storage service for SASE is enabled.

Enable the log storage service

  1. Log on to the SASE console.

  2. In the navigation pane on the left, choose Log Analysis > Log Analysis.

  3. On the Log Analysis page, click Activate Now.

  4. Set the log storage service and log storage capacity based on your requirements. Click Buy Now and complete the payment.

    After you purchase the log analysis feature, Simple Log Service automatically creates a dedicated project for SASE to manage SASE log data. You can view the dedicated SASE project in the Project list on the home page of the Simple Log Service console.

Enable log collection and storage

  1. Log on to the SASE console.

  2. In the navigation pane on the left, choose Log Analysis > Log Analysis.

  3. In the upper-right corner of the Log Analysis page, click Log Status to enable log collection and storage.


    Log types that SASE can store

    • Private access log

    • PA sensitive file audit log

    • Accelerate log

    • Client logon log

    • Client status log

    • DLP log

    • Internet access log

    • Dynamic decision log

View logs and enable log delivery

  1. Click the drop-down list in the upper-left corner of the page.

  2. Select the log type that you want to view. You can filter the query results by specifying conditions.

  3. Click the switch next to a log type to enable or disable log delivery for that log type.


  4. Enter a search statement in the search box and set a time range.


    A query analysis statement consists of a search statement and an analytic statement, separated by a vertical bar (|). The format is: Search statement|Analytic statement.

    Search statement (required)

      The search condition. It can be a keyword, a fuzzy query, a numeric value, a numeric range, or a combination of conditions.

      If left empty or set to an asterisk (*), no filter conditions are applied to the data within the current time range, and all data is returned. For more information, see Query syntax and features.

    Analytic statement (optional)

      Computes and aggregates the query results or the full data set.

      If left empty, only the query results are returned, and no statistical analysis is performed. For more information, see Query and analysis overview.

    Note

    • Unlike standard SQL, the analytic statement does not need a FROM table_name clause: the implied clause is FROM log and can be omitted.

    • By default, the first 100 log entries are returned. Use the LIMIT clause to change the number of returned entries.

    Common log analysis search statements

    SASE client online status

    Before you use the following search statements, you must manually add an index for the app_status field. For more information, see Create an index.

    • Query the number of online devices

      * AND log_type : client_status_log | select username,app_status,COUNT(*) AS cn GROUP BY username,app_status order by cn desc limit 10000

    • Query the number of offline devices

      * AND log_type : client_status_log AND app_status:offline | select username,app_status,COUNT(*) AS cn GROUP BY username,app_status order by cn desc limit 10000

    SASE client logon

    Query device logon actions

    * AND log_type : client_logon_log | select username,action,COUNT(*) AS cn GROUP BY username,action order by cn desc limit 10000

    Intranet access

    • Query the devices and users that access the intranet

      * AND log_type : pa_access_log | select username,device_type,COUNT(*) AS cn GROUP BY username,device_type order by cn desc limit 10000

    • Query the reasons why access is blocked

      * AND log_type : pa_access_log AND action:block | select username,block_info,COUNT(*) AS cn GROUP BY username,block_info order by cn desc limit 10000

    Detect sensitive files

    Query the number of times a sensitive file policy is matched

    * AND log_type : dlp_log | select username,matched_policy,COUNT(*) AS cn GROUP BY username,matched_policy order by cn desc limit 10000

  5. Click Search & Analyze to view the analysis results.

    Simple Log Service presents the query analysis results as a log distribution histogram and as Raw Logs, and supports operations such as setting alerts, creating saved searches, refreshing, and sharing. For more information, see Description of the Query/Analysis page.
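To make the shape of the common search statements above concrete, the following Python script (an added example, not code from the Alibaba Cloud documentation or from any SLS SDK) evaluates the same filter, GROUP BY and COUNT(*) logic over constructed in-memory records that use the field names documented on this page, and derives a simple alert condition from the blocked-access result. All record values are made up.

```python
from collections import Counter

# Constructed sample records that use the field names documented on this page
# (log_type, username, device_type, action, block_info, app_status, matched_policy).
SAMPLE_LOGS = [
    {"log_type": "pa_access_log", "username": "alice", "device_type": "Windows", "action": "allow"},
    {"log_type": "pa_access_log", "username": "bob", "device_type": "macOS", "action": "block", "block_info": "policy_deny"},
    {"log_type": "pa_access_log", "username": "bob", "device_type": "macOS", "action": "block", "block_info": "policy_deny"},
    {"log_type": "pa_access_log", "username": "bob", "device_type": "macOS", "action": "block", "block_info": "device_untrusted"},
    {"log_type": "client_status_log", "username": "alice", "app_status": "offline"},
    {"log_type": "client_status_log", "username": "bob", "app_status": "online"},
    {"log_type": "dlp_log", "username": "carol", "matched_policy": "source_code"},
    {"log_type": "dlp_log", "username": "carol", "matched_policy": "source_code"},
]


def run_query(records, log_type, group_by, limit=10000, **filters):
    """In-memory equivalent of the page's statement shape:
    * AND log_type : <t> [AND k:v ...] | select <cols>, COUNT(*) AS cn
    GROUP BY <cols> ORDER BY cn DESC LIMIT <n>"""
    counts = Counter()
    for rec in records:
        if rec.get("log_type") != log_type:
            continue  # the search statement's log_type filter
        if any(rec.get(k) != v for k, v in filters.items()):
            continue  # extra AND k:v conditions
        counts[tuple(rec.get(col) for col in group_by)] += 1
    # ORDER BY cn DESC, with a deterministic tie-break on the group key.
    rows = sorted(counts.items(), key=lambda kv: (-kv[1], [str(x) for x in kv[0]]))
    return [dict(zip(group_by, key), cn=cn) for key, cn in rows[:limit]]


def blocked_access_reasons(records):
    # "Query the reasons why access is blocked"
    return run_query(records, "pa_access_log", ["username", "block_info"], action="block")


def offline_devices(records):
    # "Query the number of offline devices"
    return run_query(records, "client_status_log", ["username", "app_status"], app_status="offline")


def users_at_or_over_block_threshold(records, threshold=2):
    """Users whose blocked intranet accesses reach the threshold: a candidate
    alert condition once the same query runs on the pa_access_log data in SLS."""
    totals = Counter()
    for row in blocked_access_reasons(records):
        totals[row["username"]] += row["cn"]
    return sorted(user for user, n in totals.items() if n >= threshold)
```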

View data reports

Data reports are available for Internet access logs.

  1. From the drop-down list, select Internet access log, and then click the Data Report tab.


  2. On the Data Report tab, view the log data.

    • Time Range: In the upper-right corner of the list, select a time range to display report data for that period.

    • Drill Down: In the upper-right corner of the report, click the drill-down icon. In the Drill Down dialog box, you can view data from different data sources.

Log field descriptions

Each entry gives the field name, its meaning and description, and an example value.

__time__
  Operation time. Example: 2018-02-27 11:58:15

aliuid
  Alibaba Cloud account ID. Example: 141681795035****

username
  Name of the enterprise employee. Example: John Doe

department
  Department of the enterprise employee. Example: Test Department

action
  The value of this field depends on the log type that you query. The field is supported for intranet access logs and client logon logs.

  For intranet access logs, the valid values are:

    • allow: The current policy allows the user or device to access the specified application.

    • block: The current policy denies the user or device access to the specified application.

  For client logon logs, the valid values are:

    • logon: The device logs on to the SASE client.

    • logout: The device logs out of the SASE client.

    • exit: The SASE client is closed on the device.

  Example: block

device_type
  Device type. Valid values: Windows, macOS, Linux, Android, iOS. Example: Windows

device_tag
  The unique ID of the device. Example: ccabaebc-77b3-a877-23f1-31b89b59****

domain
  The domain name of the website accessed on the intranet. Example: www.aliyundoc.com

dst_addr
  Destination address for intranet access. Example: 10.2.XX.XX

dst_port
  Destination port for intranet access. Example: 80

Source address
  Source address for intranet access. Example: 10.4.XX.XX

src_port
  Source port for intranet access. Example: 30001

in_bytes
  Inbound traffic. Unit: byte. Example: 234

out_bytes
  Outbound traffic. Unit: byte. Example: 567

log_type
  Log type. Valid values:

    • pa_access_log: Intranet access log

    • client_logon_log: Client logon log

    • dlp_log: Log of detected sensitive file exfiltration

    • client_status_log: Client online status log

  Example: ia_access_log

policy_name
  Policy name. Example: test

protocol
  Protocol. Valid values: All, tcp, udp. Example: tcp

request_uri
  Request URI. Example: /test.php

app_status
  Device status. Valid values: Online, Offline. Example: Online

event_time
  The time when the event occurred, as a UNIX timestamp. Unit: seconds. Example: 1675278754

unixtime
  The time when the event was recorded, as a UNIX timestamp. Unit: seconds. Example: 1675278754