Security Center: Log management

Last Updated: Nov 21, 2025

The Log Management feature lets you store and query logs to help you accurately locate alerts, trace the source of attacks, and improve your response speed. This topic describes the Log Management service and explains how to use it.

Log types

Log type: Security Center logs

  • Prerequisites: Enable the log management feature.

  • Data source: Stores logs generated by various functional modules of Alibaba Cloud Security Center. Examples include vulnerability logs, security alert logs, and client event logs.

  • Supported categories and field descriptions: Log categories and field descriptions

Log type: Standardized logs

  • Prerequisites: Enable the log management feature and the threat analysis and response feature.

  • Data source:

    • Stores standardized logs that are generated when you have purchased log ingestion traffic on a subscription basis or enabled the pay-as-you-go billing method for CTDR, and the Standardization Method of the access policy is Real-time Consumption.

    • After you create custom rules, stores standardized alert logs generated by the custom rules, such as endpoint detection and response alert logs and firewall alert logs.

  • Supported categories and field descriptions: In the Security Center console, navigate to CTDR > Integration Center. On the Standardized Rule tab, click View Standard Fields to view the categories and field descriptions of standardized logs in the Standard Fields panel.

Billing

  • Subscription: You are charged based on your purchased log storage capacity and subscription duration. The price is USD 100 per 1,000 GB-month. The minimum purchase is 1,000 GB, and the purchase increment is 1,000 GB.

  • Pay-as-you-go: After you enable the pay-as-you-go billing method for Log Management, the system calculates the total daily storage usage in GB for each calendar day and charges you USD 7.2/1,000 GB daily.

    Important

    The pay-as-you-go billing method for Log Management bills in units of 1,000 GB. Usage that is less than a full unit is rounded up to the next 1,000 GB. For example, if your daily usage is 1,900 GB, you are charged for 2,000 GB.

You are not charged for querying and exporting logs in the Security Center console. After the Log Management feature delivers logs to Simple Log Service, additional fees may apply if you perform data transformation or data shipping in the Simple Log Service console.

  • If the Logstore uses the pay-by-feature billing method, you are charged when you transform or ship logs. You are also charged for read traffic when you read logs in stream mode over the internet. These fees are included in your Simple Log Service bills. For more information, see Billable items in the pay-by-feature billing mode.

  • If the Logstore uses the pay-by-ingested-data billing method, you are not charged for data transformation or data shipping. You are charged only for read traffic from the internet. These fees are included in your Simple Log Service bills. For more information, see Billable items in the pay-by-ingested-data billing mode.

Log storage

After you enable the Log Management service, the system automatically creates a dedicated project named aliyun-cloudsiem-data-<Alibaba Cloud account ID>-<RegionID> and a Logstore in Simple Log Service to store Security Center logs and standardized logs. The log storage region depends on the region that you select in the upper-left corner of the Security Center console.

  • If you select Chinese Mainland, logs are stored in the China (Shanghai) region by default.

  • If you select Outside Chinese Mainland, logs are stored in the Singapore region.

Important
  • You can change the log storage region only in the dialog box that appears when you enable the pay-as-you-go billing method for Log Management. If you purchase log storage capacity on a subscription basis, you cannot change the log storage region.

  • You can log on to the Simple Log Service console to view the dedicated project and Logstore. Do not delete the project or Logstore.

    If you accidentally delete the Logstore, the corresponding log data is lost. In this case, you must submit a ticket to reset the system. The lost log data cannot be recovered.

When a data shipping job is enabled, Security Center automatically delivers logs to the corresponding Logstore. The system retains the logs until the specified storage duration ends, at which point the logs are automatically deleted. If you purchase the service on a subscription basis and the log storage capacity is exhausted, the delivery of new logs stops. When log storage usage exceeds 80% of your purchased capacity, Security Center sends a notification. For more information about notification settings, see Notification settings.
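
Because delivery of new logs stops once subscription capacity is exhausted, it is worth projecting when that would happen for a given log volume. The following Python code is an added example, not Alibaba Cloud code: it uses the prices, the 1,000 GB unit, the 80% notification threshold and the 180-day default retention period stated on this page, and it assumes a constant daily log volume and that usage equals the volume delivered within the retention period. The function names are illustrative.

```python
import math

# Figures stated on this page
UNIT_GB = 1000               # purchase increment and pay-as-you-go billing unit
SUB_USD_PER_UNIT_MONTH = 100.0
PAYG_USD_PER_UNIT_DAY = 7.2
NOTIFY_PERCENT = 80          # notification when usage exceeds this share of capacity
DEFAULT_RETENTION_DAYS = 180


def payg_daily_usd(usage_gb):
    """Pay-as-you-go charge for one day; partial units round up to 1,000 GB."""
    return math.ceil(usage_gb / UNIT_GB) * PAYG_USD_PER_UNIT_DAY


def subscription_monthly_usd(capacity_gb):
    """Subscription charge per month for capacity bought in 1,000 GB steps."""
    if capacity_gb < UNIT_GB or capacity_gb % UNIT_GB:
        raise ValueError("capacity must be a positive multiple of 1,000 GB")
    return capacity_gb // UNIT_GB * SUB_USD_PER_UNIT_MONTH


def plan_capacity(daily_ingest_gb, capacity_gb, retention_days=DEFAULT_RETENTION_DAYS):
    """Project subscription storage under a constant daily volume (assumption)."""
    if daily_ingest_gb <= 0 or retention_days <= 0:
        raise ValueError("daily volume and retention must be positive")
    subscription_monthly_usd(capacity_gb)  # validates the capacity value
    # Usage grows by one day's volume until the oldest logs start to expire,
    # so a level above the steady-state volume is never reached.
    steady_state_gb = daily_ingest_gb * retention_days
    notify_level_gb = capacity_gb * NOTIFY_PERCENT / 100
    notify_day = math.floor(notify_level_gb / daily_ingest_gb) + 1  # first day above 80%
    full_day = math.ceil(capacity_gb / daily_ingest_gb)             # first day at 100%
    return {
        "steady_state_gb": steady_state_gb,
        "notify_day": notify_day if notify_day <= retention_days else None,
        # From this day on, new logs are no longer delivered: a visibility gap.
        "delivery_stops_day": full_day if full_day <= retention_days else None,
        "capacity_needed_gb": max(1, math.ceil(steady_state_gb / UNIT_GB)) * UNIT_GB,
    }
```

For example, plan_capacity(10, 1000) shows that 10 GB per day with the default retention period fills a 1,000 GB subscription well before the first logs expire, so either the capacity or the retention period has to change.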

Enable or disable the log management service

Enable the log management service

You can enable the Log Management service using either the subscription or pay-as-you-go billing method.

  1. Log on to the Security Center console.

  2. In the navigation pane on the left, select Detection and Response > Log Management. In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.

    If you have purchased CTDR log ingestion traffic on a subscription basis or enabled the pay-as-you-go billing method for CTDR, the entry in the navigation pane on the left changes to CTDR > Log Management.

  3. On the Log Management page, click Activate Subscription or Activate Pay-as-you-go.

    Note

    If you have purchased log ingestion traffic for the threat analysis and response feature on a subscription basis or enabled the pay-as-you-go billing method for the feature, you must click Enable Pay-as-you-go for Log Management in the upper-right corner of the page, or upgrade your service to purchase log storage capacity for the threat analysis and response feature. For more information, see Upgrades and downgrades.

    • Subscription: On the purchase page, for Threat Analysis and Response, set Purchase or Not to Yes, select the required log storage capacity, click Order Now, and complete the payment.

      You can purchase other features of Security Center as needed. For more information, see Purchase Security Center.

    • Pay-as-you-go: In the dialog box that appears, read the billing rules, select a storage region, and then click Activate and Authorize.

Disable the log management service

  1. Log on to the Security Center console.

  2. In the navigation pane on the left, select CTDR > Log Management. In the top-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.

  3. On the Log Management page, make sure that Log Usage is 0 GB.

    If the log usage is not 0, click Clear in the upper-right corner of the page, wait for the logs to be cleared, and then proceed to the next step.

  4. You can disable the Log Management service using one of the following methods:

    • Subscription

      • Method 1: Downgrade

        1. On the Overview page, click Change Specifications > Downgrade.

        2. On the Order Downgrade tab, set Log Storage Capacity in the CTDR section to 0 GB.

        3. Read and select the Security Center Service Agreement, and then click Order Now.

      • Method 2: Unsubscribe from your purchased Security Center instance

        For more information about unsubscribing, submit a ticket.

    • Pay-as-you-go: On the Overview page of the Security Center console, in the Pay-as-you-go section, turn off the Log Management switch.

      Important

      After you turn off the Log Management switch, log delivery is automatically disabled and the corresponding Logstore is deleted. The deleted log data cannot be recovered. Proceed with caution.

Using Log Management after purchasing only log ingestion traffic or enabling the pay-as-you-go billing method for the threat analysis and response feature

If you have purchased CTDR log ingestion traffic on a subscription basis or enabled the pay-as-you-go billing method for CTDR, and have not purchased log storage capacity, you can query some standardized logs on the Log Management page. You can view logs that are associated with access policies for which the Standardization Method is set to Scan Query.

In this scenario, you cannot deliver or view Security Center logs, nor can you deliver standardized logs generated by access policies where the Standardization Method is set to Real-time Consumption. For more information about the features supported by different billable items, see Purchase and enable the threat analysis and response feature.

Security Center logs

Enable log delivery

After you purchase log storage capacity, the threat analysis and response feature delivers all types of Security Center logs by default. If you have not purchased the corresponding Security Center value-added services, such as application protection and malicious file detection, the delivery switches for the corresponding log types remain disabled.

On the Log Management page, you can click Log Settings to view and set the delivery status for each log type.

Query logs

  1. In the navigation pane on the left, select CTDR > Log Management. In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.

  2. In the upper-left corner of the Log Management page, click Security Center Logs and select the log type that you want to view.

  3. Specify a query time range and use search statements to retrieve logs and view log analysis statistics.

    The method for querying logs in the Log Management feature is the same as that in the Log Analysis feature of Security Center. For more information, see Custom log query and analysis.

Standardized logs

Delivery description

Standardized logs are logs with standardized categories and structures that are generated after the threat analysis and response feature processes and analyzes ingested logs. You cannot enable or disable standardized log delivery manually. Standardized log delivery is enabled in the following scenarios:

  • When the Standardization Method of an access policy is set to Real-time Consumption, CTDR delivers the standardized logs to the corresponding Logstore by default, based on the standardized categories. When you create an access policy, a log delivery task is created at the same time.

  • After you create custom rules, standardized alert logs are generated by the custom rules, such as endpoint detection and response alert logs and firewall alert logs.

On the Log Management page, click Log Settings. On the Standardized Log tab of the Log Settings panel, you can view the number of references for the standardized structure. This number represents the quantity of access policies for the corresponding standardized category and structure for which the Standardization Method is Real-time Consumption.

Query logs

The threat analysis and response feature lets you search logs by standardized log structure and query data in multiple Logstores using datasets (StoreView). For more information about Logstore query and analysis, see Common query/analysis result examples.

Log storage management

Modify the log retention period

The default retention period for delivered logs is 180 days. You can modify the log retention period as needed.

  1. In the navigation pane on the left, select CTDR > Log Management. In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.

  2. In the upper-right corner of the Log Management page, click Log Settings.

  3. In the Log Settings panel, on the Security Center Logs or Standardized Log tab, click the icon in the Log Retention Period column to modify the log retention period.

Increase or clear the storage capacity

On the CTDR > Log Management page, you can view your current log usage and total capacity. You can increase your log storage capacity or clear stored logs as needed.

  • Click Scale Out to purchase more log storage capacity.

    Ensure that you have sufficient log storage capacity. If your capacity is insufficient, new logs cannot be stored.

  • Click Clear to delete all stored logs. The deletion process takes approximately 0 to 24 hours to complete.

    Warning

    You cannot restore logs after they are cleared. Proceed with caution. We recommend that you export and back up logs before you clear them.

FAQ

Why am I unable to enable the pay-as-you-go billing method for log management?

You may be unable to enable the pay-as-you-go billing method for Log Management for one of the following reasons:

  • Reason 1: You have purchased log storage capacity or log analysis for the threat analysis and response feature on a subscription basis.

    Solution:

    1. Unsubscribe from the log storage capacity or log analysis for the threat analysis and response feature that you purchased on a subscription basis.

    2. Enable the pay-as-you-go billing method for Log Management.

  • Reason 2: Your threat analysis and response feature uses the 1.0 architecture.

    Solution:

    1. Upgrade the architecture of the threat analysis and response feature from 1.0 to 2.0.

    2. Enable the pay-as-you-go billing method for Log Management.

    Note

    If you decide not to upgrade to the 2.0 architecture of the threat analysis and response feature and need to use the Log Management feature, you can purchase log storage capacity for the threat analysis and response feature on a subscription basis.

  • Reason 3: You purchased log storage capacity for the threat analysis and response feature on a subscription basis on or before April 26, 2024, to use related features.

    After you upgrade to the 2.0 architecture of the threat analysis and response feature, you retain the same amount of log storage capacity on a subscription basis as you originally purchased and can use the Log Management feature normally. If you want to switch from the subscription billing method to the pay-as-you-go billing method, see the solution for Reason 1. For more information about the architecture upgrade of the threat analysis and response feature, see [Notice] Upgrade of the threat analysis and response feature.

What are the differences between the log analysis and log management features of Security Center?

Both the Log Analysis and Log Management features provide security log query and analysis capabilities in Security Center. Compared with the Log Analysis feature, the Log Management feature not only lets you deliver and analyze logs from various Security Center modules, such as vulnerabilities, security alerts, and client events, but also supports the delivery and storage of logs that are standardized by the threat analysis and response feature. If you have requirements for classified protection compliance or need other security log storage and analysis capabilities, we recommend that you use the Log Management feature.

The following table describes the differences between the two features:

Feature: Log Management (Recommended)

  • Supported log types: Security Center logs and standardized logs

  • Billing method: Subscription and pay-as-you-go

  • Storage region management: The default region is China (Shanghai). You can change the storage region only in the dialog box that appears when you enable the pay-as-you-go billing method.

  • Log retention period management: You can set the log retention period in the Log Settings panel.

Feature: Log Analysis

  • Supported log types: Security Center logs

  • Billing method: Subscription

  • Storage region management: The default region is China (Hangzhou). You cannot change the region.

  • Log retention period management: The default retention period is 180 days. You cannot change the period.

References

  • You can download logs or query and analysis results to your local computer from the Security Center console, Cloud Shell, or a command line interface. For more information, see Export logs.

  • You can deliver logs to OSS for storage. For more information, see Create an OSS data shipping job (new version).

  • If your log storage capacity is insufficient, new logs cannot be stored. You can enable notifications for insufficient log storage capacity for the threat analysis and response feature. When you receive a notification, you can increase your log storage capacity. For more information, see Notification settings.