Before you begin
This topic describes the limitations and billing for Log Audit Service.
Limitations
-
Storage methods and regional restrictions
ImportantBefore you use Log Audit Service for regional or centralized log storage, you must evaluate whether your selected storage region complies with applicable laws, regulations, and security requirements.
-
Centralized storage
Logs collected from different Alibaba Cloud accounts and regions are stored in a central project under the central account. The following regions are available for centralized storage.
NoteIf you change the region of the central account, Simple Log Service (SLS) creates a new central project. The original project is not deleted.
-
Chinese mainland: China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Hangzhou), China (Shanghai), China (Shenzhen), and China (Hong Kong)
-
Regions outside the Chinese mainland: Singapore, Japan (Tokyo), Germany (Frankfurt), Indonesia (Jakarta), and Malaysia (Kuala Lumpur)
-
-
Regional storage
For SLB, ALB, OSS, PolarDB-X 1.0, VPC, and DNS, Log Audit Service supports regional storage. This means logs collected from each Alibaba Cloud account are stored in a Simple Log Service (SLS) project that belongs to the central account and is in the same region as the source service instance. For example, access logs from an OSS bucket in the China (Hangzhou) region are stored in a project in the China (Hangzhou) region.
-
Synchronization to Central Project
For regional storage of logs from SLB, ALB, OSS, PolarDB-X 1.0, VPC, and DNS, you can synchronize logstores from different regions to a central logstore. This enables centralized queries, analysis, alerting, visualization, and custom development.
NoteThis synchronization mechanism relies on the data transformation feature of SLS. To avoid affecting the synchronization speed, adjust the shard resources of your regional logstores based on the data transformation performance guide.
-
-
Resource restrictions
-
You can have only one central project for a central account. The project is named slsaudit-center-CentralAccountID-ConfiguredRegion, for example, slsaudit-center-117938634953****-cn-beijing. You cannot delete the central project in the console. To delete it, you must use the command line or an API.
-
For SLB, ALB, OSS, PolarDB-X 1.0, VPC, and DNS, you can have multiple regional projects. A project is named slsaudit-region-CentralAccountID-CollectionRegion, for example, slsaudit-region-117938634953****-cn-beijing. You cannot delete a regional project in the console. To delete it, you must use the command line or an API.
-
After configuring log collection for a cloud product, Log Audit Service creates a dedicated logstore. This logstore provides all the features of a standard SLS logstore but has the following restrictions:
-
To prevent data tampering, you cannot write data to the logstore or modify or delete its indexes.
-
To modify the storage duration or delete the logstore, you must use the Log Audit Service configuration page or an API.
-
For SLB, ALB, OSS, PolarDB-X 1.0, VPC, and DNS, if you enable the Synchronization to Central Project feature, a data transformation task is automatically created in the corresponding regional project.
-
The data transformation task is named
Internal Job: SLS Audit Service Data Sync for OSS Access,Internal Job: SLS Audit Service Data Sync for SLB,Internal Job: SLS Audit Service Data Sync for ALB,Internal Job: SLS Audit Service Data Sync for DRDS,Internal Job: SLS Audit Service Data Sync for VPC, orInternal Job: SLS Audit Service Data Sync for DNS. -
To stop this data transformation task, you must use the Log Audit Service configuration page or an API.
-
A regional logstore for which the Synchronization to Central Project feature is enabled is synchronized to a dedicated logstore. You cannot perform any operations on this dedicated logstore. To run queries or perform other operations, use the central logstore.
-
-
-
-
Permission restrictions
When you use Log Audit Service to collect Kubernetes logs, such as Kubernetes audit logs, Kubernetes Event Center logs, and Ingress access logs, be aware of the following permission restrictions.
-
Log Audit Service can collect Kubernetes logs only from the central account. It cannot collect Kubernetes logs from other member accounts in a multi-account configuration.
-
Log Audit Service relies on the data transformation feature to collect Kubernetes logs. Therefore, the central account must be granted the following permissions.
Item
Before upgrade
After upgrade
Current role of the central account
sls-audit-service-monitor
AliyunServiceRoleForSLSAudit
Additional permissions
The
sls-audit-service-monitorrole requires the AliyunLogAuditServiceMonitorAccess permission and the following custom permission (AliyunLogAuditServiceK8sAccess).{ "Version": "1", "Statement": [ { "Action": "log:*", "Resource": [ "acs:log:*:*:project/k8s-log-*" ], "Effect": "Allow" } ] }Only the AliyunServiceRoleForSLSAudit role is required. No additional permissions are needed.
-
-
Storage duration dependencies
-
In Log Audit Service, internal DNS logs (centralized), public DNS resolution logs, and Global Traffic Manager logs share the
dns_loglogstore. If you enable collection for these log types with different storage durations, the longest duration applies to the entire logstore. -
In Log Audit Service, ApsaraDB RDS audit logs, slow query logs, and error logs share the
rds_loglogstore. If you enable collection for these log types with different storage durations, the longest duration applies to the entire logstore. -
In Log Audit Service, PolarDB for MySQL audit logs, slow query logs, and error logs share the
polardb_loglogstore. If you enable collection for these log types with different storage durations, the longest duration applies to the entire logstore. -
In Log Audit Service, internet boundary firewall traffic logs and VPC boundary firewall traffic logs from Cloud Firewall share the
cloudfirewall_loglogstore. If you enable collection for these log types with different storage durations, the longest duration applies to the entire logstore. -
In Log Audit Service, access logs from Anti-DDoS Proxy (Chinese Mainland), Anti-DDoS Proxy (Outside Chinese Mainland), and Anti-DDoS Origin share the
ddos_loglogstore. If you enable collection for these log types with different storage durations, the longest duration applies to the entire logstore. -
In Log Audit Service, Kubernetes audit logs and Kubernetes Event Center logs share the
k8s_loglogstore. If you enable collection for these log types with different storage durations, the longest duration applies to the entire logstore. -
In Log Audit Service, Cloud Config change logs and resource non-compliance logs share the
cloudconfig_loglogstore. If you enable collection for these log types with different storage durations, the longest duration applies to the entire logstore.
NoteFor log types with storage duration dependencies, if you enable both log collection and intelligent tiered storage, the longest hot storage duration is applied. Furthermore, if you enable log collection for multiple log types that share a logstore, you must enable intelligent tiered storage for all of them. Otherwise, this feature is disabled by default for that logstore.
For example, you enable collection for ApsaraDB RDS audit logs and error logs. If you enable intelligent tiered storage for both, the longer of the two hot storage durations is used. If you enable intelligent tiered storage only for ApsaraDB RDS audit logs but not for error logs, the intelligent tiered storage feature is disabled for their shared logstore (
rds_log). -
-
Cloud Config
-
Log Audit Service relies on configuration information from Cloud Config. You must enable the Cloud Config service and configure it to monitor all resources in the Cloud Config console.
-
To collect, store, or query Cloud Config logs in Log Audit Service, you must authorize SLS to retrieve logs from Cloud Config. After authorization, your Cloud Config logs are automatically sent to SLS.
-
In resource directory mode, Log Audit Service automatically enables Cloud Config and integrates with SLS for all accounts in the resource directory after the central account is authorized. In custom authorization mode, however, member accounts require separate authorization. For more information, see Use custom authorization to collect and synchronize logs.
-
-
Intelligent tiered storage
Dedicated logstores in Log Audit Service support intelligent tiered storage. Compared with hot storage, IA storage is more cost-effective but provides lower query and analysis performance. Other features, such as alerting, visualization, data transformation, and data shipping, are not affected. For more information, see Manage intelligent tiered storage.
NoteIntelligent tiered storage is supported in the following audit center regions: China (Qingdao), China (Beijing), China (Hohhot), China (Hangzhou), China (Shanghai), China (Shenzhen), China (Hong Kong), and Singapore.
You can enable intelligent tiered storage on the Global Configurations page of Log Audit Service. The hot storage duration must be 7 days or more and cannot exceed the total storage duration. For example, if the total storage duration is 180 days and you set the hot storage duration to 30 days, logs are converted to IA storage after 30 days.
NoteLog Audit Service (Legacy) does not support enabling Archive Storage from the Global Configurations page. To enable this feature, you must submit a ticket to have your account added to an allowlist. After your account is on the allowlist, the storage duration set in the global configurations is applied only upon the initial creation of a logstore. Subsequently, the actual storage duration is determined by the settings in the logstore console.
-
Data encryption
Log Audit Service supports data encryption by using service-managed keys from SLS. Bring Your Own Key (BYOK) is not supported. The service-managed key encryption method supports the AES algorithm (default) and the SM4 algorithm. For more information, see Data encryption.
Once you enable log encryption, SLS automatically encrypts dedicated logstores where log collection is active, including those in both central and regional projects. For details, see Enable encryption.
-
Index restrictions
Log Audit Service supports automatic index updates and manual index modifications. For more information, see Create indexes.
When you modify an index, if the system prompts This Logstore is a dedicated Logstore for the SLS App Log Audit Service. Modifying index attributes or disabling the index is not supported., on the Global Configuration page of Log Audit Service, click Modify and then click OK to rebuild the Log Audit Service configuration.
ImportantManually modifying indexes may cause built-in dashboards, alerts, and other features to become unavailable. Use this feature with caution.
Billing
-
Simple Log Service (SLS)
To collect logs from other Alibaba Cloud accounts, the central account must have Simple Log Service (SLS) and the Log Audit Service application enabled. In most cases, these other accounts do not need to have SLS enabled and will not incur SLS-related fees, but some cloud products may have specific dependencies. Log Audit Service is currently free of charge, but you are charged on a pay-as-you-go basis for the underlying SLS resources that you use, such as data storage, read/write traffic, and data transformation. For more information, see Pay-as-you-go billing items.
Important-
When you enable the Synchronization to Central Project feature for logs from SLB, ALB, OSS, PolarDB-X 1.0, VPC, DNS, and Container Service for Kubernetes, data is synchronized by using the data transformation feature. You are charged on a pay-as-you-go basis for data transformation and cross-network traffic. For more information, see Pay-as-you-go billing items.
-
You can collect cloud product logs using either Log Audit Service or standard SLS collection methods. Fees are calculated separately for each, and using both methods results in two copies of the data being stored in SLS. The two methods are intended for different use cases:
-
Log Audit Service: Provides automated, real-time, and centralized log collection from multiple accounts, primarily for compliance auditing.
-
Standard SLS methods: Support regional collection and decentralized management, primarily for data analysis. For more information, see Overview of cloud service logs.
-
A free tier is provided. You can also use resource plans that you have purchased to offset fees.
-
-
Cloud products
Enabling Log Audit Service for certain cloud products may incur additional costs from those products, as described below.
Cloud product
Additional fees
Web Application Firewall (WAF)
Purchase the Log Service module in the WAF console. For more information about billing, see Billing methods.
Security Center
Enable the Log Analysis feature in the Security Center console. For more information about billing, see Billing.
Cloud Firewall
Purchase the Log Analysis module in the Cloud Firewall console. For more information about billing, see Billing of the log analysis feature.
ApsaraDB RDS
Enabling audit log collection for ApsaraDB RDS automatically activates the paid SQL Explorer and Audit feature for eligible instances (non-basic editions of RDS for MySQL, and high-availability editions of RDS for PostgreSQL). For more information about billing, see Billing items.
Note-
If you have enabled the trial version of SQL Explorer and Audit for an RDS instance, Log Audit Service automatically disables the trial version and enables the paid version after enabling log collection.
-
The default storage duration for SQL Explorer and Audit is 30 days. To modify the duration, go to the ApsaraDB RDS console. For more information, see Modify the storage duration of SQL logs. This duration is independent of the log retention period set in Log Audit Service.
If you set the storage duration in the ApsaraDB RDS console to less than 30 days, log shipping requirements are not met, and Log Audit Service automatically resets the duration to 30 days.
-
If you have stopped collecting RDS audit logs and want to disable the SQL Explorer and Audit feature, you can manually disable it in the RDS console. For more information, see Disable SQL Explorer and Audit.
PolarDB
Enabling audit log collection for PolarDB automatically activates the paid SQL Explorer and Audit feature for MySQL clusters. For more information about billing, see Billing overview.
Note-
If you have enabled the trial version of SQL Explorer and Audit for a PolarDB instance, Log Audit Service automatically disables the trial version and enables the paid version after enabling log collection.
-
The default storage duration for SQL Explorer and Audit is 30 days. To modify the duration, go to the PolarDB console. For more information, see Modify the storage duration for SQL logs. This duration is independent of the log retention period set in Log Audit Service.
If you set the storage duration in the PolarDB console to less than 30 days, log shipping requirements are not met, and Log Audit Service automatically resets the duration to 30 days.
-
After you stop collecting PolarDB audit logs, you must manually disable the SQL Explorer and Audit feature in the PolarDB console if it is no longer needed. For more information, see Disable SQL Explorer and Audit.
Anti-DDoS
Purchase the Log Analysis module in the Anti-DDoS Proxy (Chinese Mainland) console. For more information about billing, see Overview.
VPC
Fees for flow logs include a flow log generation fee and SLS service fees. For more information, see Flow log billing.
Note-
VPC flow log collection can be enabled independently in either the Log Audit Service console or the VPC console. Enabling or disabling collection in one console does not affect the other. Flow log fees, which include the flow log generation fee and the SLS service fee, are calculated separately for each method.
-
Before you delete a project related to Log Audit Service, you must first disable VPC flow log collection. Otherwise, the flow log feature for the corresponding VPC instance remains enabled.
DNS
You are charged for traffic analysis. For more information, see DNS.
-