Collect Security Center logs from multiple regions and accounts to one project - Simple Log Service

Simple Log Service provides the new version of Log Audit Service. You can use the application to collect Security Center logs from multiple regions and accounts to one project. Then, you can manage and analyze the logs in a centralized manner.

How it works

After you enable the log analysis feature for Security Center, Security Center logs are automatically collected and stored in a Logstore named sas-log of a project named sas-log-${Alibaba Cloud account ID}-${Region ID}. If you use the new version of Log Audit Service, you can collect Security Center logs from multiple regions and accounts to one project.

Prerequisites

The log analysis feature is enabled for Security Center. You can log on to the Security Center console to enable the feature. For more information, see Enable log analysis.
A resource directory is enabled, and a delegated administrator account is added. If you want to collect logs from multiple Alibaba Cloud accounts, make sure that this prerequisite is met. For more information, see Enable a resource directory. You can use a management account to add a delegated administrator account in the Resource Management console. For more information, see Manage a delegated administrator account.

1. Associate a project

Security Center logs are stored in a project that you associate.

Log on to the Simple Log Service console. In the Log Application section, click the Audit & Security tab. Then, click Log Audit Service (New Version).
On the Log Audit (New Version) page, click Associate Project. In the Associate Project dialog box, configure the parameters and click Confirm. In this topic, the a-multi-accounts-security-log-center project is used.

2. Create a collection rule

2.1 Configure a collection rule

On the Log Audit (New Version) page, click the project that you want to manage.
On the Policies tab, click Create Collection Rule. In this example, specify China (Hangzhou) and Singapore for the Region field of the Resource Attributes parameter. Set the Destination Store for Centralized Storage parameter to Select Existing Resource and select the central-sas-log Logstore in the drop-down list. This way, Security Center logs from the China (Hangzhou) and Singapore regions and two accounts are collected and stored in the central-sas-log Logstore of the a-multi-accounts-security-log-center project.

2.2 Verify collection results

On the Policies tab, click the collection rule that is created.
In the left-side navigation pane, click Query and Analysis. Then, use search syntax to query and analyze logs. For more information, see Search syntax. For more information about the types of and fields in Security Center logs, see Log types and log fields.

References

If you want to use a Resource Access Management (RAM) user to manage the new version of Log Audit Service, you must use your Alibaba Cloud account to grant the required permissions to the RAM user. For more information, see Grant a RAM user the permissions to use the new version of Log Audit Service.
You can create, view, modify, and delete collection rules in the new version of Log Audit Service. For more information, see Manage collection rules in the new version of Log Audit Service.
In this topic, Security Center logs are used only as an example. For more information about the log types, default project and Logstore names, and billing details for other cloud services that you want to collect to the new version of Log Audit Service, see Usage notes of cloud service configuration.