Set Up Multi-Account Log Audit in SLS - Simple Log Service

Log Audit Service allows you to collect cloud product logs (excluding Kubernetes-related logs) from multiple Alibaba Cloud accounts and centralize them in a LogStore within your current account. This topic describes how to configure multi-account collection.

Prerequisites

Resource directory mode (recommended)
- A member is created or invited. For more information, see Create a member or Invite an Alibaba Cloud account to join a resource directory.
- The log collection feature is enabled. For more information, see Enable and manage log collection.
Custom authentication mode
The log collection feature is enabled. For more information, see Enable and manage log collection.

Background information

Log Audit Service allows you to collect logs from cloud services across Alibaba Cloud accounts. You can configure multi-account collection in resource directory mode or custom authentication mode. Log Audit Service is integrated with Resource Directory to support the resource directory mode. You can invite other Alibaba Cloud accounts in your enterprise to join your resource directory by using a management account or a delegated administrator account. Then, you can collect logs from cloud services that belong to these Alibaba Cloud accounts. For more information about resource directories, see What is Resource Management?

For more information about the limits on the resource directory mode for multi-account collection, see Limits on resource directories.

Mode	Method	Description
Resource directory mode	All members	Log Audit Service automatically adds all members in your resource directory to the collection list and collects logs from the cloud services that belong to the members and have the log collection feature enabled. After a member is added to your resource directory, the member is automatically included in the collection list. After a member is removed from your resource directory, the member is automatically removed from the collection list.
Resource directory mode	Custom	You can manually specify and add members to the collection list. This way, Log Audit Service collects logs from the cloud services that belong to the members and have the log collection feature enabled. After a member is added to your resource directory, the member is not automatically included in the collection list. After a member is removed from your resource directory, the member is automatically removed from the collection list if the member is in the list.
Custom authentication mode	AccessKey pair-based authorization	You can configure multi-account collection by using the AccessKey pair of an Alibaba Cloud account or a Resource Access Management (RAM) user.
Custom authentication mode	Manual authorization	You must complete manual authorization before you can configure multi-account collection. Important Manual authorization is prone to errors, which may cause Log Audit Service to be unavailable. This method is not recommended.

Important

After you configure multi-account collection in resource directory mode, you cannot switch to the custom authentication mode. If you want to switch to the custom authentication mode, you must clear the existing configurations.
If you reconfigure multi-account collection in resource directory mode after you configure multi-account collection in custom authentication mode, the configurations for the resource directory mode overwrite those for the custom authentication mode.
Before you can change the existing delegated administrator account, you must remove the configurations of multi-account collection for the delegated administrator account. If Configure Mode is set to All Members, change the value to Custom and clear all selected accounts.

Resource directory mode (recommended)

Log on to the Simple Log Service console.
Go to the Log Audit Service page.
Note
Starting January 21, 2025, the console entry for the Log Audit Service will be removed. However, existing users who activated the service before this date can still see the entry. New users who need to use the old version can access the Log Audit Service (New Version) and use its Back to Old Version feature.
1. In the Log Application section, on the Audit & Security tab, click Log Audit Service (New Version).
2. In the upper-right corner of the Log Audit Service (New Version) page, click Back to Old Version. Then continue to use the old version of Log Audit Service.
In the left-side navigation pane, choose Multi-Account Configurations > Global Configurations.
Important
If Multi-Account Configurations > Global Configurations is not displayed in the left-side navigation pane, the log collection feature provided by Log Audit Service is not enabled for the central account. For more information, see Enable and manage log collection.
On the Resource Directory Mode tab, click Modify.
In the AddAccount panel, select the accounts that you want to add and click Confirm.
In resource directory mode, the All Members and Custom modes are supported.
- All Members: Log Audit Service automatically adds all members in your resource directory to the collection list and collects logs from the cloud services that belong to the members and have the log collection feature enabled.
- Custom: You can manually specify and add members to the collection list. This way, Log Audit Service collects logs from the cloud services that belong to the members and have the log collection feature enabled.
After the configuration is complete, wait for approximately 2 minutes to view the collection status of logs on the Access to Cloud Products > Status Dashboard page. If an exception occurs, modify the configurations by following the on-screen instructions. For more information, see Enable and manage log collection.

Custom authentication mode

In the left-side navigation pane, choose Multi-Account Configurations > Global Configurations.
On the Custom Authentication Mode tab, click Modify.
Specify the account that you want to add and click OK.
In custom authentication mode, the AccessKey Pair-based Authorization and Manual Authorization modes are supported.
- AccessKey Pair-based Authorization: Enter the ID of the Alibaba Cloud account that you want to add and the required AccessKey pair. The AccessKey pair is for temporary use and is not saved.
  
  The AccessKey pair must belong to a RAM user with read and write permissions on RAM. For example, you can attach the AliyunRAMFullAccess policy to the RAM user. To learn how to obtain an AccessKey pair, see AccessKey pair.
- Manual Authorization: Enter the ID of the Alibaba Cloud account that you want to add. You can enter multiple IDs. You must separate multiple IDs with line breaks, commas (,), spaces, or vertical bars (|). For more information about how to grant permissions to an account, see Use a custom policy to authorize Simple Log Service to collect and synchronize logs.
After the configuration is complete, wait for approximately 2 minutes to view the collection status of logs on the Access to Cloud Products > Status Dashboard page. If an exception occurs, modify the configurations by following the on-screen instructions. For more information, see Enable and manage log collection.