
Simple Log Service: Collect cloud service logs from multiple accounts

Last Updated: Sep 10, 2024

Log Audit Service allows you to collect logs across Alibaba Cloud accounts. You can collect logs from the cloud services of Alibaba Cloud accounts other than your Alibaba Cloud account and store the collected logs in the Logstores within your Alibaba Cloud account. You cannot collect Kubernetes logs across Alibaba Cloud accounts. This topic describes how to configure multi-account collection.

Prerequisites

Background information

Log Audit Service allows you to collect logs from cloud services across Alibaba Cloud accounts. You can configure multi-account collection in resource directory mode or custom authentication mode. Log Audit Service is integrated with Resource Directory to support the resource directory mode. You can invite other Alibaba Cloud accounts in your enterprise to join your resource directory by using a management account or a delegated administrator account. Then, you can collect logs from cloud services that belong to these Alibaba Cloud accounts. For more information about resource directories, see What is Resource Management?

For more information about the limits on the resource directory mode for multi-account collection, see Limits on resource directories.

Mode: Resource directory mode

  • Method: All members

    Description: Log Audit Service automatically adds all members in your resource directory to the collection list and collects logs from the cloud services that belong to the members and have the log collection feature enabled.

      • After a member is added to your resource directory, the member is automatically included in the collection list.

      • After a member is removed from your resource directory, the member is automatically removed from the collection list.

  • Method: Custom

    Description: You can manually specify and add members to the collection list. This way, Log Audit Service collects logs from the cloud services that belong to the members and have the log collection feature enabled.

      • After a member is added to your resource directory, the member is not automatically included in the collection list.

      • After a member is removed from your resource directory, the member is automatically removed from the collection list if the member is in the list.

Mode: Custom authentication mode

  • Method: AccessKey pair-based authorization

    Description: You can configure multi-account collection by using the AccessKey pair of an Alibaba Cloud account or a Resource Access Management (RAM) user.

  • Method: Manual authorization

    Description: You must complete manual authorization before you can configure multi-account collection.

    Important

    Manual authorization is prone to errors, which may cause Log Audit Service to be unavailable. This method is not recommended.

Important
  • After you configure multi-account collection in resource directory mode, you cannot switch to the custom authentication mode. If you want to switch to the custom authentication mode, you must clear the existing configurations.

  • If you reconfigure multi-account collection in resource directory mode after you configure multi-account collection in custom authentication mode, the configurations for the resource directory mode overwrite those for the custom authentication mode.

  • Before you can change the existing delegated administrator account, you must remove the configurations of multi-account collection for the delegated administrator account. If Configure Mode is set to All Members, change the value to Custom and clear all selected accounts.

Resource directory mode (recommended)

  1. Log on to the Simple Log Service console.

  2. In the Log Application section, click the Audit & Security tab. Then, click Log Audit Service.

  3. In the left-side navigation pane, choose Multi-Account Configurations > Global Configurations.

    Important

    If Multi-Account Configurations > Global Configurations is not displayed in the left-side navigation pane, the log collection feature provided by Log Audit Service is not enabled for the central account. For more information, see Enable and manage log collection.

  4. On the Resource Directory Mode tab, click Modify.

  5. In the AddAccount panel, select the accounts that you want to add and click Confirm.

    In resource directory mode, the All Members and Custom modes are supported.

    • All Members: Log Audit Service automatically adds all members in your resource directory to the collection list and collects logs from the cloud services that belong to the members and have the log collection feature enabled.

    • Custom: You can manually specify and add members to the collection list. This way, Log Audit Service collects logs from the cloud services that belong to the members and have the log collection feature enabled.

    After the configuration is complete, wait for approximately 2 minutes to view the collection status of logs on the Access to Cloud Products > Status Dashboard page. If an exception occurs, modify the configurations by following the on-screen instructions. For more information, see Enable and manage log collection.
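The All Members and Custom rules above decide which accounts are actually audited. The following Python model is an added example, not Alibaba Cloud code: it replays resource directory changes under both modes and lists the members whose logs are not being collected. The event names, mode labels, class and account IDs are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class CollectionState:
    mode: str  # "all_members" or "custom" (labels chosen for this example)
    directory: set = field(default_factory=set)  # resource directory members
    collected: set = field(default_factory=set)  # the collection list

    def apply(self, event, account):
        if event == "join":
            self.directory.add(account)
            if self.mode == "all_members":
                self.collected.add(account)  # new members are auto-included
        elif event == "leave":
            self.directory.discard(account)
            self.collected.discard(account)  # removal is automatic in both modes
        elif event == "select":  # administrator adds a member by hand
            if account not in self.directory:
                raise ValueError(f"{account} is not a directory member")
            self.collected.add(account)
        else:
            raise ValueError(f"unknown event {event!r}")

    def uncollected(self):
        """Directory members whose cloud service logs are not being collected."""
        return sorted(self.directory - self.collected)


def replay(mode, events):
    state = CollectionState(mode)
    for event, account in events:
        state.apply(event, account)
    return state


# Constructed sample: made-up account IDs and a made-up sequence of changes.
SAMPLE_EVENTS = [
    ("join", "1000000000000001"),
    ("join", "1000000000000002"),
    ("select", "1000000000000001"),
    ("select", "1000000000000002"),
    ("join", "1000000000000003"),  # joins after the list was configured
    ("leave", "1000000000000002"),
]

if __name__ == "__main__":
    for mode in ("all_members", "custom"):
        print(mode, "uncollected:", replay(mode, SAMPLE_EVENTS).uncollected())
```

In Custom mode the account that joined last stays outside the collection list until it is selected by hand, so compare the resource directory member list with the collection list whenever accounts are added.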

Custom authentication mode

  1. In the left-side navigation pane, choose Multi-Account Configurations > Global Configurations.

  2. On the Custom Authentication Mode tab, click Modify.

  3. Specify the account that you want to add and click OK.

    In custom authentication mode, the AccessKey Pair-based Authorization and Manual Authorization modes are supported.

    • AccessKey Pair-based Authorization: Enter the ID of the Alibaba Cloud account that you want to add and the required AccessKey pair. The AccessKey pair is for temporary use and is not saved.

      If you enter the AccessKey pair of a RAM user, the RAM user must have the read and write permissions on RAM resources. To grant the permissions, you can attach the AliyunRAMFullAccess policy to the RAM user. For more information about how to obtain an AccessKey pair, see AccessKey pair.

    • Manual Authorization: Enter the ID of the Alibaba Cloud account that you want to add. You can enter multiple IDs. You must separate multiple IDs with line breaks, commas (,), spaces, or vertical bars (|). For more information about how to grant permissions to an account, see Use a custom policy to authorize Simple Log Service to collect and synchronize logs.

    After the configuration is complete, wait for approximately 2 minutes to view the collection status of logs on the Access to Cloud Products > Status Dashboard page. If an exception occurs, modify the configurations by following the on-screen instructions. For more information, see Enable and manage log collection.