Log Management stores and indexes security logs from Alibaba Cloud Security Center, so your team can query events, trace attacks, and meet compliance archiving requirements from a single place.
Log types
Security Center supports two categories of logs with different operational purposes:
Security Center logs are raw logs generated by Security Center modules — including vulnerability scans, security alerts, and client events. Use these for real-time alert investigation and day-to-day operational queries. Requires enabling Log Management.
Standardized logs are logs that Agentic SOC normalizes into a common schema after ingesting traffic from connected sources. Use these for cross-source correlation, custom detection rules, and compliance archiving. Requires enabling both Log Management and Agentic SOC.
The following table summarizes the data sources and field references for each log type.
| Log type | Data source | Field reference |
|---|---|---|
| Security Center logs | Vulnerability logs, security alert logs, and client event logs generated by Security Center modules | Log categories and field descriptions |
| Standardized logs | Logs normalized from Agentic SOC ingestion traffic (Real-time Consumption) and custom rules (endpoint detection and response (EDR) alert logs, firewall alert logs) | In the Security Center console, go to Agentic SOC > Integration Center. On the Standardized Rule tab, click View Standard Fields to open the Standard Fields panel. |
Billing
Log Management offers two billing methods. Choose based on how predictable your log volume is:
Subscription — best for stable, high-volume environments where you want predictable costs. Priced at USD 100 per 1,000 GB-month. Minimum purchase is 1,000 GB; increments are 1,000 GB.
Pay-as-you-go — best for variable or lower-volume environments. Billed daily at USD 7.2 per 1,000 GB based on total daily storage usage.
Pay-as-you-go billing rounds up to the nearest 1,000 GB. For example, 1,900 GB of daily usage is charged as 2,000 GB.
Querying and exporting logs from the Security Center console is free. After Log Management delivers logs to Simple Log Service (SLS), additional SLS fees may apply for data transformation or data shipping:
Pay-by-feature Logstore: Data transformation, data shipping, and internet-facing stream reads are charged. See Billable items in the pay-by-feature billing mode.
Pay-by-ingested-data Logstore: Data transformation and data shipping are free. Internet read traffic is charged. See Billable items in the pay-by-ingested-data billing mode.
Log storage
When you enable Log Management, Security Center automatically creates a dedicated SLS project named aliyun-cloudsiem-data-<Alibaba Cloud account ID>-<RegionID> and a Logstore to store your logs.
The storage region depends on the region you select in the upper-left corner of the Security Center console:
Chinese Mainland — logs are stored in China (Shanghai) by default.
Outside Chinese Mainland — logs are stored in the Singapore region by default.
You can change the log storage region only in the dialog box that appears when you enable pay-as-you-go billing. If you purchase on a subscription basis, the region is fixed at purchase time.
You can view the project and Logstore in the Simple Log Service console. Do not delete them. If the Logstore is deleted, the log data is permanently lost, and you must submit a ticket to reset the system.
Once log delivery is active, logs are retained until the configured retention period ends, then automatically deleted. For subscription billing, if storage capacity is exhausted, new log delivery stops. Security Center sends a notification when usage reaches 80% of your purchased capacity. See Notification settings to configure alerts.
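As a sizing aid, the following added example (not part of the Alibaba Cloud documentation) applies the billing figures, the 1,000 GB rounding rule, and the 80% capacity notification described above to a projected log volume. It assumes constant daily ingest, a 30-day month, and the 180-day default retention period stated on this page; all function names are illustrative.

```python
import math

# Figures taken from this page; everything else is an assumption for illustration.
SUB_USD_PER_UNIT_MONTH = 100.0  # subscription: USD per 1,000 GB-month
PAYG_USD_PER_UNIT_DAY = 7.2     # pay-as-you-go: USD per 1,000 GB per day
UNIT_GB = 1000                  # purchase increment and billing rounding unit
ALERT_PERCENT = 80              # notification threshold on purchased capacity
DEFAULT_RETENTION_DAYS = 180


def units(gb):
    """Round storage up to whole 1,000 GB units (1,900 GB -> 2 units)."""
    return math.ceil(gb / UNIT_GB)


def stored_gb(day, daily_ingest_gb, retention_days=DEFAULT_RETENTION_DAYS):
    """Assumed model: constant ingest, logs deleted once retention ends."""
    return daily_ingest_gb * min(day, retention_days)


def payg_cost(daily_storage_gb):
    """Total pay-as-you-go charge for a list of daily storage totals."""
    return round(sum(units(gb) * PAYG_USD_PER_UNIT_DAY for gb in daily_storage_gb), 2)


def first_alert_day(daily_ingest_gb, capacity_gb, retention_days=DEFAULT_RETENTION_DAYS):
    """First day stored volume reaches 80% of capacity, or None if it never does."""
    for day in range(1, retention_days + 1):
        if stored_gb(day, daily_ingest_gb, retention_days) * 100 >= capacity_gb * ALERT_PERCENT:
            return day
    return None


def compare(daily_ingest_gb, retention_days=DEFAULT_RETENTION_DAYS, month_days=30):
    """Size a subscription for steady-state storage and price the same month both ways."""
    peak = stored_gb(retention_days, daily_ingest_gb, retention_days)
    capacity = max(1, units(peak)) * UNIT_GB  # minimum 1,000 GB, 1,000 GB steps
    return {
        "peak_gb": peak,
        "capacity_gb": capacity,
        "subscription_usd": capacity // UNIT_GB * SUB_USD_PER_UNIT_MONTH,
        "payg_usd": payg_cost([peak] * month_days),
        "first_alert_day": first_alert_day(daily_ingest_gb, capacity, retention_days),
    }


if __name__ == "__main__":
    # Constructed input: 10 GB of logs per day at the default retention.
    print(compare(10))
```

Because pay-as-you-go is charged per day, a 1,000 GB tier that stays occupied for 14 or more days of the month (100 / 7.2 ≈ 13.9) costs more than the matching subscription capacity.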
Enable or disable Log Management
Enable Log Management
Log Management can be enabled using either the subscription or pay-as-you-go billing method.
Log on to the Security Center console.
In the left navigation pane, choose Detection and Response > Log Management. In the upper-left corner, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
If you have purchased Agentic SOC log ingestion traffic on a subscription basis or enabled pay-as-you-go for Agentic SOC, the navigation entry changes to Agentic SOC > Log Management.
On the Log Management page, click Activate Subscription or Activate Pay-as-you-go.
Subscription: On the purchase page, under Agentic SOC, set Purchase or Not to Yes, select the log storage capacity, click Order Now, and complete the payment. See Purchase Security Center for details on other purchasable features.
Pay-as-you-go: In the dialog box, read the billing rules, select a storage region, and click Activate and Authorize.
If you have already purchased Agentic SOC log ingestion traffic, click Enable Pay-as-you-go for Log Management in the upper-right corner of the page, or upgrade your service to add log storage capacity for Agentic SOC. See Upgrades and downgrades.
Disable Log Management
Log on to the Security Center console.
In the left navigation pane, choose Agentic SOC > Log Management. In the upper-left corner, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
On the Log Management page, verify that Log Usage shows 0 GB. If log usage is not 0, click Clear in the upper-right corner, wait for the logs to be cleared, then continue.
Disable the service based on your billing method:
Subscription
Method 1 — Downgrade:
On the Overview page, click Change > Downgrade.
On the Order Downgrade tab, set Log Storage Capacity in the Agentic SOC section to 0 GB.

Accept the Security Center Service Agreement and click Order Now.
Method 2 — Unsubscribe: Submit a ticket to unsubscribe from your Security Center instance.
Pay-as-you-go: On the Overview page of the Security Center console, in the Pay-as-you-go section, turn off the Log Management switch.
Warning: Turning off the Log Management switch automatically disables log delivery and deletes the corresponding Logstore. Deleted log data cannot be recovered.
Using Agentic SOC log ingestion traffic without log storage capacity
If you have purchased Agentic SOC log ingestion traffic (subscription or pay-as-you-go) but have not purchased log storage capacity, you can query a subset of standardized logs on the Log Management page — specifically, logs from access policies where Standardization Method is set to Scan Query.
In this configuration:
Security Center logs cannot be delivered or viewed.
Standardized logs from Real-time Consumption access policies cannot be delivered or viewed.

For a full comparison of features available under different billing configurations, see Purchase and enable the Agentic SOC feature.
Security Center logs
Enable log delivery
After you purchase log storage capacity, Agentic SOC enables delivery for all Security Center log types by default. If you have not purchased the corresponding value-added services (such as application protection or malicious file detection), the delivery switches for those log types remain disabled.
Click Log Settings on the Log Management page to view and update delivery status for each log type.

Query Security Center logs
The method for querying logs in the Log Management feature is the same as that in the Log Analysis feature of Security Center. For more information, see Custom log query and analysis.
In the left navigation pane, choose Agentic SOC > Log Management. In the upper-left corner, select the region where your assets are located.
In the upper-left corner of the Log Management page, click Security Center Logs and select the log type to view.

Set a time range and use search statements to retrieve logs and view analysis results.
Standardized logs
How delivery works
Standardized logs are produced when Agentic SOC normalizes ingested logs into a common schema. Delivery is automatic — you cannot enable or disable it manually. Delivery is triggered in two scenarios:
When an access policy's Standardization Method is set to Real-time Consumption, Agentic SOC delivers the normalized logs to the corresponding Logstore, organized by standardized category. A log delivery task is created automatically when you create the access policy.
When custom rules generate alert logs (such as EDR alert logs or firewall alert logs), those logs are also delivered automatically.
On the Standardized Log tab of the Log Settings panel, the Number of references column shows how many access policies with Real-time Consumption are associated with each standardized category and structure.

Query standardized logs
Agentic SOC supports searching logs by standardized structure and querying across multiple Logstores using datasets (StoreView). For cross-Logstore query and analysis examples, see Common query/analysis result examples.
Log storage management
Modify the log retention period
The default retention period for delivered logs is 180 days. Modify it as needed to meet your compliance or cost requirements.
In the left navigation pane, choose Agentic SOC > Log Management. In the upper-left corner, select your region.
In the upper-right corner of the Log Management page, click Log Settings.
On the Security Center Logs or Standardized Log tab, click the icon in the Log Retention Period column to update the value.
Increase or clear storage capacity
On the Agentic SOC > Log Management page, you can view your current log usage and total purchased capacity.
Scale Out: Click Scale Out to purchase additional log storage capacity. Make sure you have sufficient capacity — when it is exhausted, new logs cannot be stored.
Clear: Click Clear to delete all stored logs. The deletion process takes 0–24 hours.
Cleared logs cannot be restored. Export and back up any logs you need to retain before clearing.
FAQ
Why can't I enable pay-as-you-go billing for Log Management?
There are three common reasons:
Reason 1: You have an active subscription for Agentic SOC log storage or log analysis.
Unsubscribe from the existing subscription, then enable pay-as-you-go for Log Management.
Reason 2: Your Agentic SOC feature is on the 1.0 architecture.

Upgrade the Agentic SOC feature from 1.0 to 2.0, then enable pay-as-you-go for Log Management.
If you prefer not to upgrade to the 2.0 architecture, you can still use Log Management by purchasing log storage capacity on a subscription basis.
Reason 3: You purchased Agentic SOC log storage on or before April 26, 2024.
After upgrading to the 2.0 architecture, your original subscription capacity is preserved and Log Management continues to work normally. To switch from subscription to pay-as-you-go, follow the steps for Reason 1. For architecture upgrade details, see [Notice] Upgrade of the Agentic SOC feature.
What is the difference between Log Analysis and Log Management?
Both features provide security log query and analysis in Security Center, but they differ in scope and flexibility.
| Feature | Supported log types | Billing | Storage region | Retention period |
|---|---|---|---|---|
| Log Management (recommended) | Security Center logs and standardized logs | Subscription or pay-as-you-go | Default: China (Shanghai). Changeable only when enabling pay-as-you-go. | Configurable in the Log Settings panel |
| Log Analysis | Security Center logs only | Subscription only | Default: China (Hangzhou). Not changeable. | 180 days. Not changeable. |
Use Log Management if you need standardized log storage, flexible billing, or configurable retention — for example, to meet classified protection compliance requirements.
What's next
Export logs: Download logs or query results to your local machine from the Security Center console, Cloud Shell, or a CLI. See Export logs.
Ship logs to OSS: Deliver logs to OSS for long-term archiving. See Create an OSS data shipping job (new version).
Set up capacity alerts: Enable notifications so you are alerted before storage runs out. See Notification settings.