Log analysis centralizes all security-related full logs from your assets — security alerts, vulnerabilities, baseline check results, and more — into a single platform for queries, compliance audits, and forensic analysis.
Prerequisites
Before you begin, ensure that you have:
A Security Center subscription (or are ready to purchase one)
Assets deployed in the Chinese Mainland or Outside Chinese Mainland region
Before you enable
Note the following before you start:
Log storage region is fixed. Logs from assets in the Chinese Mainland are stored in China (Hangzhou); logs from assets Outside the Chinese Mainland, including Hong Kong (China), are stored in Singapore. You cannot change the storage region.
A RAM role is created automatically. After authorization, Security Center creates the service-linked role AliyunServiceRoleForSas to access your resources in other Alibaba Cloud services.
Log analysis is billed separately. The fee is based on subscribed log storage capacity, independent of your Security Center edition fee.
Do not delete the auto-created Project or Logstore. Deletion causes permanent, unrecoverable data loss.
Enable and configure log analysis
Go to Risk Governance > Log Analysis in the Security Center console. In the upper-left corner, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
If this is your first time using log analysis, follow the on-screen instructions and click Authorize Immediately.
After authorization, the system automatically creates the RAM role AliyunServiceRoleForSas. For details, see Service-linked roles for Security Center.
On the Security Center purchase page, configure the following parameters:
| Parameter | Description |
|---|---|
| Edition | Select the Security Center edition you need. See Editions for a comparison. |
| Log Analysis > Purchase or Not | Set to Yes. |
| Log Analysis > storage capacity | Set the monthly storage capacity based on your expected log volume. See Billing for sizing guidance. |
| Subscription Duration | Select the subscription duration. |
Select I have read and agree to the Security Center Product Agreement, click Order Now, and complete the payment.
After the purchase completes, Security Center automatically creates a Project (sas-log-{Alibaba Cloud account ID}-{region ID}) and a Logstore (sas-log) in Simple Log Service (SLS) in the region where your assets are located.
Important: Do not delete the Project or Logstore. If either is deleted, all log data is permanently lost and cannot be recovered.
Billing
Log analysis is a value-added feature. Its fees are separate from your Security Center edition fees.
| Item | Details |
|---|---|
| Billing method | Subscription only |
| Billable item | Subscribed log storage capacity |
| Price | USD 0.1 per GB per month |
| Unused capacity | Does not carry over to the next month |
Sizing guidance: China's Cybersecurity Law requires storing logs for at least 180 days. Allocate 50 GB of log storage capacity per server, then adjust based on your actual log volume.
Cost example: 10 servers x 50 GB = 500 GB total. Monthly storage fee: 500 GB x $0.1/GB = $50/month.
Limitations
Log storage regions
The log storage region is determined by the region where your assets are located. You cannot customize it.
| Asset region | Log Project region | Region ID |
|---|---|---|
| Chinese Mainland | China (Hangzhou) | cn-hangzhou |
| Outside Chinese Mainland | Singapore | ap-southeast-1 |
Assets Outside the Chinese Mainland, including Hong Kong (China), are stored in the Singapore region.
Logstore restrictions
The dedicated sas-log Logstore has the following restrictions to preserve data integrity and a unified format:
You cannot write data to the Logstore via API or SDK.
You cannot modify Logstore properties such as the storage period.
FAQ
What happens when storage capacity is exhausted?
New logs cannot be written. To expand capacity, go to the Overview page of the Security Center console, find the Subscription section, and click Change Specifications > Upgrade Now. See Upgrade and downgrade Security Center for details.
I already use Simple Log Service. Do I still need to enable log analysis for Security Center?
Yes. Self-managed SLS typically collects operating system or application logs from servers. The Security Center log analysis feature goes further — it centrally stores and analyzes security event logs generated by Security Center itself, including security alerts, vulnerabilities, and baseline check results, providing a unified platform for security audits and forensic analysis.
I accidentally deleted the `sas-log` Logstore. What should I do?
All data stored in the Logstore is permanently lost and cannot be recovered. Log analysis is immediately interrupted. Return to the Log Analysis page in the Security Center console and re-enable the feature as prompted. The system will create a new Project and Logstore, but historical data cannot be retrieved.
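An added example, not part of the original documentation: because deletion is unrecoverable, this preventive check scans a RAM policy document for Allow statements that cover deleting the auto-created Project or the sas-log Logstore. The action names `log:DeleteProject` and `log:DeleteLogStore` and the `acs:log:...` resource ARN layout are assumptions to confirm against the SLS authorization reference; the account ID and sample policy are constructed.

```python
from fnmatch import fnmatchcase

# Region table from the page: asset region -> region ID of the log Project.
STORAGE_REGION = {"Chinese Mainland": "cn-hangzhou",
                  "Outside Chinese Mainland": "ap-southeast-1"}


def protected_targets(account_id, asset_region):
    """Map each delete action (assumed RAM action name) to the ARN it would hit."""
    region_id = STORAGE_REGION[asset_region]
    project = f"sas-log-{account_id}-{region_id}"  # naming scheme from the page
    arn = f"acs:log:{region_id}:{account_id}:project/{project}"  # assumed ARN layout
    return {"log:DeleteProject": arn,
            "log:DeleteLogStore": f"{arn}/logstore/sas-log"}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def risky_statements(policy, account_id, asset_region):
    """Return (statement index, action) for each Allow statement that covers
    deletion of the protected Project or Logstore. Explicit Deny statements
    are not evaluated, so a finding means "review", not a confirmed grant."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        for action, arn in protected_targets(account_id, asset_region).items():
            if (any(fnmatchcase(action.lower(), a) for a in actions)
                    and any(fnmatchcase(arn, r) for r in resources)):
                findings.append((i, action))
    return findings


# Constructed sample: account ID and policy are illustrative, not real.
ACCOUNT_ID = "1234567890123456"
SAMPLE_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["log:Get*", "log:List*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "log:*",
     "Resource": "acs:log:*:*:project/sas-log-*"},
    {"Effect": "Allow", "Action": "log:DeleteLogStore",
     "Resource": "acs:log:cn-hangzhou:*:project/app-logs/logstore/*"},
]}

if __name__ == "__main__":
    for idx, action in risky_statements(SAMPLE_POLICY, ACCOUNT_ID, "Chinese Mainland"):
        print(f"Statement {idx} allows {action} on the Security Center log Project")
```

In the sample, only the second statement is flagged: the wildcard `log:*` on `project/sas-log-*` reaches both deletions, while the statement scoped to `app-logs` does not.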
What's next
After enabling log analysis, you can:
Query logs: Use the Log Analysis page to search and filter security event logs.
Run compliance reports: Use the stored logs to meet compliance audit requirements, including the 180-day log retention requirement of China's Cybersecurity Law.