This topic describes the limits of log applications.
Log Audit Service
Storage methods and regions
Important: Before you use Log Audit Service for centralized storage or regional storage, you must evaluate whether the region in which you want to store logs meets the security requirements of related laws and regulations.
Centralized storage
Logs that are collected from multiple Alibaba Cloud accounts across different regions are stored in a central project of a central Alibaba Cloud account. A central project can reside in the following regions.
Note: When you change the region of a central project within a central Alibaba Cloud account, Simple Log Service creates a central project in the new region. The original project is retained.
Chinese mainland: China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Hangzhou), China (Shanghai), China (Shenzhen), and China (Hong Kong)
Outside the Chinese mainland: Singapore, Japan (Tokyo), Germany (Frankfurt), Indonesia (Jakarta), and Malaysia (Kuala Lumpur)
Regional storage
For Server Load Balancer (SLB), Application Load Balancer (ALB), Object Storage Service (OSS), PolarDB-X 1.0, Virtual Private Cloud (VPC), and Alibaba Cloud DNS (DNS), Log Audit Service stores the logs collected from multiple Alibaba Cloud accounts in the projects that belong to the central Alibaba Cloud account and reside in the same regions as these cloud services. For example, the access logs that are collected from an OSS bucket in the China (Hangzhou) region are also stored in a project in the China (Hangzhou) region.
Synchronization to a central project
For SLB, ALB, OSS, PolarDB-X 1.0, VPC, and DNS, if regional storage is used, Log Audit Service can synchronize logs from the Logstores of regional projects to the Logstores of a central project. This way, you can query, analyze, and visualize the logs in a more efficient manner. You can also configure alerts for the logs and build your own applications on top of them.
The synchronization process is based on the data transformation feature of Simple Log Service.
Resources
A central Alibaba Cloud account has only one functioning central project. The name of a central project is in the following format: slsaudit-center-<Central Alibaba Cloud account ID>-<Region specified for the central project>. Example: slsaudit-center-117938634953****-cn-beijing. You cannot delete a central project in the Simple Log Service console. If you want to delete a central project, you can use Alibaba Cloud CLI or call API operations.
For SLB, ALB, OSS, PolarDB-X 1.0, VPC, and DNS, logs can be stored in multiple regional projects. The name of a regional project is in the following format: slsaudit-region-<Central Alibaba Cloud account ID>-<Source region for collection>. Example: slsaudit-region-117938634953****-cn-beijing. You cannot delete a regional project in the Simple Log Service console. If you want to delete a regional project, you can use Alibaba Cloud CLI or call API operations.
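The two naming formats above are what an inventory script can key on to tell Log Audit Service projects apart from other projects in a central account. The following is an added example, not code from Alibaba Cloud or from this page: it parses both formats, and sorts a list of project names into the one functioning central project, central projects retained after a region change, regional projects, and audit-named projects that carry a different account ID. The regular expression assumes region IDs consist of lowercase letters, digits and hyphens, and the sample project names and masked account IDs are constructed.

```python
import re

# Name formats described above (assumption: region IDs use lowercase letters,
# digits and hyphens; account IDs are digits, optionally masked with '*').
_AUDIT_PROJECT_RE = re.compile(
    r"^slsaudit-(?P<kind>center|region)-(?P<account>\d+\**)-(?P<region>[a-z0-9-]+)$"
)


def central_project_name(account_id, region):
    """Name of the central project for an account and central region."""
    return f"slsaudit-center-{account_id}-{region}"


def regional_project_name(account_id, source_region):
    """Name of the regional project for an account and collection source region."""
    return f"slsaudit-region-{account_id}-{source_region}"


def parse_audit_project(name):
    """Return kind/account_id/region for a Log Audit Service project name,
    or None when the name does not follow either format."""
    m = _AUDIT_PROJECT_RE.match(name)
    if m is None:
        return None
    return {
        "kind": "central" if m.group("kind") == "center" else "regional",
        "account_id": m.group("account"),
        "region": m.group("region"),
    }


def classify_projects(project_names, central_account_id, central_region):
    """Sort a project inventory into the buckets a reviewer cares about:
    the one functioning central project, central projects retained after a
    region change (see the note above), regional projects, and audit-named
    projects that carry another account ID."""
    out = {"central": [], "retained_central": [], "regional": [], "other_account": []}
    for name in project_names:
        info = parse_audit_project(name)
        if info is None:
            continue  # not a Log Audit Service project
        if info["account_id"] != central_account_id:
            out["other_account"].append(name)
        elif info["kind"] == "regional":
            out["regional"].append(name)
        elif info["region"] == central_region:
            out["central"].append(name)
        else:
            out["retained_central"].append(name)
    return out


# Constructed sample inventory (masked account IDs, not real projects).
SAMPLE_PROJECTS = [
    "slsaudit-center-117938634953****-cn-hangzhou",
    "slsaudit-center-117938634953****-cn-beijing",
    "slsaudit-region-117938634953****-cn-hangzhou",
    "slsaudit-region-117938634953****-ap-southeast-1",
    "slsaudit-region-999900000000****-cn-beijing",
    "my-app-logs",
]

if __name__ == "__main__":
    buckets = classify_projects(SAMPLE_PROJECTS, "117938634953****", "cn-hangzhou")
    for bucket, names in buckets.items():
        print(bucket, names)
```

A project listed under retained_central is the central project kept after the central region was changed; a project listed under other_account follows the audit naming scheme but was not created for the central account you expect, which is worth confirming before you rely on it.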
If you enable log collection for a cloud service, Log Audit Service creates a dedicated Logstore. You can manage a dedicated Logstore in the same way that you manage other Logstores. A dedicated Logstore has the following limits:
To prevent data tampering, Simple Log Service allows only the specified service to write logs to the dedicated Logstore. You cannot modify or delete indexes in the Logstore.
You can change the retention period of logs or delete the dedicated Logstore only on the Global Configurations page of Log Audit Service or by calling API operations.
For SLB, ALB, OSS, PolarDB-X 1.0, VPC, and DNS, if Synchronization to Central Project is turned on, data transformation jobs are generated in the regional projects.
The data transformation jobs are named as follows:
OSS logs: Internal Job: SLS Audit Service Data Sync for OSS Access
SLB logs: Internal Job: SLS Audit Service Data Sync for SLB
ALB logs: Internal Job: SLS Audit Service Data Sync for ALB
PolarDB-X 1.0 logs: Internal Job: SLS Audit Service Data Sync for DRDS
VPC logs: Internal Job: SLS Audit Service Data Sync for VPC
DNS logs: Internal Job: SLS Audit Service Data Sync for DNS
You can stop the data transformation jobs only on the Global Configurations page of Log Audit Service or by calling API operations.
If you turn on Synchronization to Central Project, the logs in the Logstores of the regional projects are synchronized to the dedicated Logstores of the central project. In this case, you can no longer manage the Logstores of the regional projects. However, you can perform operations such as queries on the Logstores of the central project.
Permissions
If you want to use Log Audit Service to collect audit logs of Kubernetes clusters, events of K8s Event Center, and Ingress access logs, you must understand the following limits on permissions:
Log Audit Service allows you to collect Kubernetes logs only from a central Alibaba Cloud account. If multi-account collection is configured, you cannot collect Kubernetes logs from an Alibaba Cloud account other than the central Alibaba Cloud account.
Log Audit Service collects Kubernetes logs based on the data transformation feature. If you want to use Log Audit Service to collect Kubernetes logs, you must grant permissions to the central Alibaba Cloud account based on the descriptions in the following table.
Item: Role of the current central Alibaba Cloud account
  Central Alibaba Cloud account not upgraded: sls-audit-service-monitor
  Central Alibaba Cloud account upgraded: AliyunServiceRoleForSLSAudit
Item: Additional permissions
  Central Alibaba Cloud account not upgraded: The sls-audit-service-monitor role must have the AliyunLogAuditServiceMonitorAccess permission and the AliyunLogAuditServiceK8sAccess permission. The following policy grants the AliyunLogAuditServiceK8sAccess permission:
  {
    "Version": "1",
    "Statement": [
      {
        "Action": "log:*",
        "Resource": [
          "acs:log:*:*:project/k8s-log-*"
        ],
        "Effect": "Allow"
      }
    ]
  }
  Central Alibaba Cloud account upgraded: Only the permissions of the AliyunServiceRoleForSLSAudit role are required. No additional permissions are required.
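Before attaching the policy above to the sls-audit-service-monitor role, it is worth confirming that it reaches the k8s-log-* projects and nothing else in the account. The following is an added example, not code from Alibaba Cloud or from this page: a simplified evaluator for a RAM-style policy document that treats `*` as a wildcard, lets an explicit Deny win over Allow, and reports no matching statement as an implicit deny. It ignores Condition elements, so it is a review aid rather than a faithful RAM implementation; the request resources, the account ID and the action name log:GetLogStoreLogs used as a sample read action are constructed for the check.

```python
import json
import re

# Policy as shown in the table above (not-upgraded central account).
K8S_ACCESS_POLICY = json.loads("""
{ "Version": "1",
  "Statement": [ { "Action": "log:*",
                   "Resource": [ "acs:log:*:*:project/k8s-log-*" ],
                   "Effect": "Allow" } ] }
""")


def _matches(pattern, value):
    """'*' in a policy pattern matches any run of characters (assumption: this
    simplified matcher ignores Condition elements and is case-sensitive)."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_decision(policy, action, resource):
    """Evaluate one action/resource pair: an explicit Deny wins, an Allow
    otherwise applies, and no matching statement means 'NoMatch' (implicit deny)."""
    decision = "NoMatch"
    for stmt in policy.get("Statement", []):
        action_hit = any(_matches(a, action) for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def k8s_policy_is_scoped(policy, account_id="123456789012****", region="cn-hangzhou"):
    """True when the policy reaches a k8s-log-* project but not another project
    of the same account, here the central audit project (constructed requests;
    log:GetLogStoreLogs is used as a sample read action)."""
    k8s_project = f"acs:log:{region}:{account_id}:project/k8s-log-c1a2b3"
    central_project = (
        f"acs:log:{region}:{account_id}:project/slsaudit-center-{account_id}-{region}"
    )
    return (policy_decision(policy, "log:GetLogStoreLogs", k8s_project) == "Allow"
            and policy_decision(policy, "log:GetLogStoreLogs", central_project) == "NoMatch")


if __name__ == "__main__":
    print("k8s policy scoped to k8s-log-* projects:", k8s_policy_is_scoped(K8S_ACCESS_POLICY))
```

The same evaluator can be pointed at any other policy attached to the role, which makes it easy to spot a statement whose Resource pattern is broader than the k8s-log-* projects the table calls for.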
Data retention periods in days
In Log Audit Service, the Private DNS logs, Public Authoritative DNS logs, and Global Traffic Manager logs are stored in the same Logstore named dns_log. If log collection is enabled for all types of logs but the data retention periods are different, the longest data retention period is used.
In Log Audit Service, the audit logs, slow query logs, and error logs of ApsaraDB RDS instances are stored in the same Logstore named rds_log. If log collection is enabled for all types of logs but the data retention periods are different, the longest data retention period is used.
In Log Audit Service, the audit logs, slow query logs, and error logs of PolarDB for MySQL clusters are stored in the same Logstore named polardb_log. If log collection is enabled for all types of logs but the data retention periods are different, the longest data retention period is used.
In Log Audit Service, the traffic logs of the Internet firewall and VPC firewalls in Cloud Firewall are stored in the same Logstore named cloudfirewall_log. If log collection is enabled for both types of traffic logs but the data retention periods are different, the longer data retention period is used.
In Log Audit Service, the access logs of Anti-DDoS Proxy (Chinese Mainland), Anti-DDoS Proxy (Outside Chinese Mainland), and Anti-DDoS Origin are stored in the same Logstore named ddos_log. If log collection is enabled for all types of access logs but the data retention periods are different, the longest data retention period is used.
In Log Audit Service, the audit logs of Kubernetes clusters and the events of K8s Event Center are stored in the same Logstore named k8s_log. If log collection is enabled for the audit logs and events but the data retention periods are different, the longer data retention period is used.
In Log Audit Service, the change logs and resource non-compliance logs of Cloud Config are stored in the same Logstore named cloudconfig_log. If log collection is enabled for both types of logs but the data retention periods are different, the longer data retention period is used.
Note: The preceding list describes the types of logs whose data retention periods are affected by each other. If you enable both log collection and intelligent tiered storage for these types of logs, the hot data retention period of the logs is the longest one of the hot data retention periods for these types of logs. If you enable log collection for all these types of logs but enable intelligent tiered storage only for some types of logs, intelligent tiered storage is automatically disabled for all the logs.
For example, if you enable log collection and intelligent tiered storage for the audit logs and error logs of ApsaraDB RDS instances, the longer one of the hot data retention periods for the audit logs and error logs is used. If you enable log collection for the audit logs and error logs of ApsaraDB RDS instances but enable intelligent tiered storage only for the audit logs, intelligent tiered storage is disabled for the rds_log Logstore in which the logs are stored.
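The rules above (longest retention period wins for a shared Logstore, and intelligent tiered storage stays on only when every collected log type enables it) are easy to get wrong when a compliance check reads the per-type settings instead of the Logstore's effective settings. The following is an added example, not code from Alibaba Cloud or from this page: a small model of the per-type configuration and a function that derives the effective retention period, tiered-storage state and hot data retention period of a shared Logstore. The LogTypeSetting model and the rds_log sample values are constructed; the 7-day lower bound on the hot data retention period is taken from the Intelligent tiered storage section of this page.

```python
from dataclasses import dataclass


@dataclass
class LogTypeSetting:
    """Per-log-type configuration as made on the Global Configurations page
    (constructed model; hot_ttl_days=0 means intelligent tiered storage is off)."""
    name: str
    enabled: bool
    ttl_days: int
    hot_ttl_days: int = 0


def effective_logstore_settings(settings):
    """Settings Log Audit Service applies to one shared Logstore:
    - ttl_days: the longest retention period among the enabled log types
    - tiered_storage: on only when every enabled log type enables it;
      hot_ttl_days is then the longest hot retention period, otherwise 0.
    Returns None when no enabled log type writes to the Logstore."""
    enabled = [s for s in settings if s.enabled]
    if not enabled:
        return None
    ttl = max(s.ttl_days for s in enabled)
    all_tiered = all(s.hot_ttl_days > 0 for s in enabled)
    hot_ttl = max(s.hot_ttl_days for s in enabled) if all_tiered else 0
    if all_tiered and not (7 <= hot_ttl <= ttl):
        # Bounds from the Intelligent tiered storage section of this page.
        raise ValueError(f"hot retention {hot_ttl} days must be within 7..{ttl} days")
    return {"ttl_days": ttl, "tiered_storage": all_tiered, "hot_ttl_days": hot_ttl}


# Constructed settings for the rds_log Logstore: tiered storage is enabled for
# only two of the three collected log types, so it is disabled for the Logstore.
RDS_MIXED = [
    LogTypeSetting("audit", True, 180, 30),
    LogTypeSetting("slow_query", True, 90, 0),   # tiered storage not enabled
    LogTypeSetting("error", True, 30, 7),
]

# Same Logstore with slow query log collection disabled: every collected log
# type now enables tiered storage, so the longer hot retention period applies.
RDS_ALL_TIERED = [
    LogTypeSetting("audit", True, 180, 30),
    LogTypeSetting("slow_query", False, 90, 0),  # collection disabled: ignored
    LogTypeSetting("error", True, 30, 7),
]

if __name__ == "__main__":
    print("mixed:", effective_logstore_settings(RDS_MIXED))
    print("all tiered:", effective_logstore_settings(RDS_ALL_TIERED))
```

Feeding the model the page's own example (audit logs and error logs of ApsaraDB RDS instances, tiered storage enabled for both) yields the longer of the two hot retention periods; enabling tiered storage for the audit logs only yields tiered_storage False for the whole rds_log Logstore, which is the outcome a retention review should catch before it is relied on for cost or access-tier assumptions.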
Cloud Config
Log Audit Service requires the configuration information that is provided by Cloud Config. You must activate Cloud Config in the Cloud Config console and enable the monitoring of all resources.
If you want to collect, store, or query Cloud Config logs in Log Audit Service, you must grant Simple Log Service the permissions to extract the logs that are recorded in Cloud Config. After Simple Log Service is granted the permissions, your Cloud Config logs are automatically pushed to Simple Log Service.
If you collect logs from multiple accounts in resource directory mode, Log Audit Service automatically activates Cloud Config for all members configured in the resource directory, and integrates Cloud Config with Simple Log Service after the central account is granted the required permissions. If you collect logs from multiple accounts in custom authentication mode, other members must be granted the required permissions after the central account is granted the required permissions. For more information, see Use a custom policy to authorize Simple Log Service to collect and synchronize logs.
Intelligent tiered storage
The dedicated Logstores of Log Audit Service support the intelligent tiered storage feature. Compared with the hot storage tier, the Infrequent Access (IA) and Archive storage tiers provide lower storage costs and lower query and analysis performance. The performance of other features, such as alerting, visualization, transformation, and shipping, is not affected. For more information, see Enable intelligent tiered storage.
Note: Log Audit Service allows you to enable the intelligent tiered storage feature in the following regions: China (Qingdao), China (Beijing), China (Hohhot), China (Hangzhou), China (Shanghai), China (Shenzhen), China (Hong Kong), and Singapore.
You can enable the intelligent tiered storage feature on the Global Configurations page of Log Audit Service. The hot data retention period must be at least 7 days and cannot exceed the current data retention period. For example, if the data retention period of a central project is 180 days and the hot data retention period is 30 days, data that has been stored for 30 days is moved from the hot storage tier to the IA or Archive storage tier.
Data encryption
Log Audit Service supports data encryption by using the built-in service keys of Simple Log Service instead of Bring Your Own Key (BYOK) keys. The built-in service keys of Simple Log Service support the Advanced Encryption Standard (AES) and SM4 encryption algorithms. For more information, see Data encryption.
After you enable data encryption, Simple Log Service automatically encrypts the dedicated Logstores of cloud services for which log collection is enabled. The dedicated Logstores of central projects and regional projects are included. For more information, see Enable encryption.
Indexes
Log Audit Service supports automatic updates of indexes. You can also manually modify indexes. For more information, see Create indexes.
If the system displays the message "This Logstore is dedicated to the Log Audit Service application. You cannot modify the index attributes of the Logstore or disable indexing." when you manually modify an index, we recommend that you reconfigure Log Audit Service by performing the following operations: Click Modify on the Global Configurations page of Log Audit Service, reconfigure Log Audit Service, and then click OK.
Important: If you manually modify an index, related built-in dashboards and built-in alerts may be unavailable. Proceed with caution.