Manage SLS log audit collection rules - create modify disable delete - Simple Log Service

After you enable log collection for cloud services with Log Audit Service (New Version), you can create, modify, disable, and delete collection rules in the associated project.

Procedure

Console

Go to the collection rules page.
1. Log on to the Simple Log Service console. In the Log Application area, on the Audit & Security tab, click Log Audit Service (New Version).
2. Click the name of the target project. On the Cloud Products tab, click a cloud service card, or on the Rules tab, click Create Collection Rule.
You can Create, Modify, Disable, or Delete collection rules.
Important
- When you modify a collection rule, you cannot change the log type or cloud service name.
- The service merges rules per instance. Log collection stops for an instance only after all its associated rules are disabled or deleted.
- Disabling or deleting a rule stops collection only for instances enabled by that rule. Instances with manually enabled log collection in the cloud service console or in CloudLens are not affected.

API

Important

When you call API operations, you must use the endpoint for the China (Shanghai) or Singapore region.
Disabling or deleting a rule stops collection only for instances enabled by that rule. Instances with manually enabled log collection in the cloud service console or in CloudLens are not affected.
The service merges rules per instance. Log collection stops for an instance only after all its associated rules are disabled or deleted.
When you modify a collection rule, you cannot change the log type or cloud service name.

Manage collection rules with the following API operations:

Collection rule parameters

Basic parameters

Parameter	Description
Rule Name	Must be globally unique within your account, 3 to 63 characters long, and start with a letter.
Cloud Service Name	Supported cloud services are listed in Usage notes on cloud service log collection.
Log Type	Supported log types are listed in Usage notes on cloud service log collection.
Resource Matching Mode	All Resources (`all`): Collects logs from all instances of the specified cloud service. Attribute Mode (`attributeMode`): Collects logs only from instances that match a specified combination of regions and resource tags. Instance Mode (`instanceMode`): Collects logs only from instances with the specified instance IDs.
Instance List	This parameter takes effect only when Instance Mode is set to Instance Mode. The service collects logs only from the instances whose IDs are in this list. Note If the drop-down list is empty, enter instance IDs manually. The list populates automatically after you create at least one collection rule for the cloud service.
Region List, Resource Tags	These parameters take effect only when Attribute Mode is set to Attribute Mode. The service collects logs only from instances that match a specified combination of regions and resource tags. Leaving Region or Resource Tags empty disables the corresponding filter.
Global Log Storage Region	Available only when Log Type is a global log type. Specifies the storage region for global logs during initial configuration. Use the same storage region for all log types of a cloud service. For example, store global audit logs, global error logs, and performance metrics for SLS in a project within the default region. The global log storage region takes effect immediately after the initial configuration. Important Do not change the global log storage region. To change it, first delete all collection rules for the corresponding log type, including default rules created by CloudLens and rules created automatically with new projects. Global logs for SLS are configured in Enable log collection. OSS metering logs are global logs. See Log fields.

Centralized configuration

The service transforms logs and writes them to the centralized destination logstore. If logs from a default logstore are delivered to multiple destination logstores, ensure all destination logstores exist. Remove all associated collection rules before deleting a destination logstore, or writes to other logstores may be affected.

Parameter	Description
Centralized Destination Project	Fixed to the project associated with the collection rule. Cannot be modified.
Centralized Destination Logstore	Select Existing: Select an existing logstore in the destination project. Create New: Create a new logstore in the destination project. Default retention: 30 days (range: 1–3,650 days). Longer retention increases storage costs. Adjust the retention period in Manage a logstore. How do I reduce log storage costs?.
Centralized Log Retention Period	Takes effect only when creating a new logstore. Sets the initial retention period. Does not modify existing logstores.

Multi-account configuration

Build a multi-account structure with Resource Directory. Only a Resource Directory administrator or delegated administrator can enable multi-account mode.
1. Use the management account to log on to the Resource Management console and enable Resource Directory.
2. Create a folder.
3. Create or invite members into the Resource Directory, then move them to the appropriate folder.
  
  Create a member, Invite an Alibaba Cloud account to join a resource directory, Move a member.
4. Add a delegated administrator account.

Configure the Multi-account Mode.

Multi-account mode	Description
All (`all`)	Collects logs of the specified cloud service from all member accounts. Rules configured by the management or delegated administrator account apply to all members. Adding or changing members automatically creates or updates the rule.
Custom (`custom`)	Collects logs of the specified cloud service from selected member accounts. Rules configured by the management or delegated administrator account apply only to the specified member accounts.

Error codes and messages

Error code	Error message	Description
DeregisterDA.Deny.TrustedService	Forbidden. The current management account has configured a unified access API under the Resource Directory. Update or delete the unified access configuration first.	You cannot remove a Resource Directory, trusted service, or delegated administrator while collection rules exist under the delegated administrator account. Solution: Log on with the delegated administrator account and list the collection rules for cloud service logs. From the delegated administrator account, delete all cross-account rules. You must delete the rules for which `resourceDirectory.accountGroupType` is not empty. Return to the Resource Directory console with the management account to remove the delegated administrator.
NotMatch	The product code or data code does not match the current product code or data code.	When you modify a rule, you cannot change the log type or product code. Otherwise, a mismatch error occurs.
PolicyNotExist	The collection policy does not exist.	The rule that you are trying to query or delete does not exist.
InvalidSLR	The service-linked role (SLR) does not exist or failed to be created.	The SLR does not exist or failed to be created. Log Audit Service automatically creates AliyunServiceRoleForSLSAudit in the current account and in member accounts when Resource Directory is enabled.
InvalidRAM	The RAM user permissions are insufficient to perform this action. Check the RAM policy for the current account.	The RAM user lacks permissions for Log Audit Service. Grant permissions as described in Authorize a RAM user to use Log Audit Service (New Version).
InvalidProductData	Invalid product code or data code.	The product code or log type code is invalid.
InvalidProductData	Invalid policy name.	The rule name is invalid.
InvalidPolicyConfig	Policy configuration error: resourceMode must be 'all', 'instanceMode', or 'attributeMode'.	The resource matching mode supports only `all` (All Resources), `instanceMode` (Instance Mode), and `attributeMode` (Attribute Mode).
InvalidPolicyConfig	Policy configuration error: resourceMode must be 'all' for the CloudLens global log type.	For global log types from CloudLens, the resource mode must be set to `all` (All Resources).
InvalidPolicyConfig	Policy configuration error: resourceMode must be 'attributeMode' for the security log type.	For security log types, the resource mode must be set to `attributeMode` (Attribute Mode).
InvalidPolicyConfig	Policy configuration error: You must set at least one central region for the security log type.	For security log types, you must configure at least one primary central source region.
InvalidPolicyConfig	Policy configuration error: You cannot configure instance IDs for this product code and data code.	For security log types, you cannot configure the instance list.
InvalidConfig	Check whether the project or logstore belongs to you and is in the correct region.	The project or logstore for the centralized configuration does not belong to the current account, or the configured region does not match the region of the logstore.
InvalidConfig	The policy code and data code are required to list policies by instance ID.	When you search for matching rules by instance ID, you must provide the product code and log type code.
InvalidCentralizeConfig	When centralized collection is enabled, you must provide at least one centralized configuration.	When centralized configuration is enabled, you must specify the corresponding centralized logstore information.
InvalidCentralizeConfig	A centralized configuration is required for security product log collection.	For security log types, centralized configuration is required.
InvalidCentralizeConfig	When centralized collection is enabled, the destination project, logstore, region, and TTL cannot be empty.	When centralized configuration is enabled, the centralized destination project, logstore, region, and retention period cannot be empty.
InvalidCentralizeConfig	The destination project for the centralized configuration is invalid.	The project specified for centralized configuration is invalid.
InvalidCentralizeConfig	The destination logstore for the centralized configuration is invalid.	The logstore specified for centralized configuration is invalid.
InvalidCentralizeConfig	The destination region for the centralized configuration is invalid.	The region specified for centralized configuration is invalid.
InvalidResourceDirectoryConfig	Resource Directory configuration error: When you configure Resource Directory, you must set the account group type first.	When you configure a Resource Directory, you must first set the Multi-account Mode.
InvalidResourceDirectoryConfig	Resource Directory configuration error: You cannot configure Resource Directory when in instance mode.	If multi-account collection is enabled through Resource Directory, you cannot set the resource matching mode to instance mode.
InvalidResourceDirectoryConfig	Resource Directory configuration error: The members list cannot be empty.	When Multi-account Mode is set to Custom, you must specify a non-empty list of members.
InvalidResourceDirectoryConfig	Resource Directory configuration error: Centralized configuration is required for Resource Directory.	Multi-account collection requires centralized log shipping.
InvalidResourceDirectoryConfig	Resource Directory configuration error: Resource Directory is not enabled for the account.	Resource Directory is not enabled for the current account.
InvalidResourceDirectoryConfig	Resource Directory configuration error: The account is a member account, not a management account or delegated administrator.	The current account is a member account, not a management or delegated administrator account. It cannot configure multi-account collection rules.
InvalidResourceDirectoryConfig	Resource Directory configuration error: The custom members list includes an invalid account.	When Multi-account Mode is set to Custom, the specified member list contains an invalid account ID.
InvalidDataConfig	Data configuration error: The data region is not valid.	The configured default delivery region for global logs is invalid.
InvalidDataConfig	Data configuration error: You cannot set the data configuration for this product type.	This configuration is not allowed because the current product or log type is not a global type.
InvalidDataConfig	Data configuration error: The data region is already defined in another policy and cannot be changed.	For global log types, the default delivery region is effective immediately upon first configuration and cannot be changed.

Simple Log Service:Cloud service collection rules