After you enable the real-time log query feature for an Object Storage Service (OSS) bucket, the logs of the bucket are automatically collected to the default Logstore for the bucket. If you need to aggregate the logs of multiple OSS buckets across regions to the same Logstore for further analysis, you can use the new version of Log Audit Service.
Background information
How it works
This topic uses the logs of OSS buckets under the same account as an example. As shown in the following diagram, the logs of OSS buckets are first stored in their respective default Logstores. After a collection rule is configured, Log Audit Service automatically creates a data transformation task to aggregate the logs of the default Logstores into the user's associated project and Logstore.
Billing
While Log Audit Service itself is free, activating it incurs charges for log storage and log traffic. For more information, see Billing.
Prerequisites
The real-time log query feature for the OSS buckets are enabled. For more information, see Enable the real-time log query feature.
If you use a RAM user to perform operations, the RAM user must have the related permissions. For more information, see Grant a RAM user the permissions to use the new version of Log Audit Service.
Procedure
Step 1: Associate a project
Log on to the Simple Log Service console. On the Audit & Security tab of the Log Application section , click Log Audit Service (New Version).
On the Log Audit Service (New Version) page, click Associate Project, configure the project in the dialog box, and then click Confirm.
Step 2: Create a collection rule
On the Log Audit (New Version) page, click the name of the project associated in the previous step.
On the Policies tab, click Create Collection Rule.
On the Create Collection Rule dialog box, configure the collection rule, as shown in the following figure. The recommended name for the new Logstore (Destination Store for Centralized Storage) is
central-{productCode}-{dataCode}-{policyName}. For more information about the collection rule parameters, see Usage notes of cloud service log collection.NoteIf the Resource Matching Mode parameter is set to Instance Mode , you must enter the bucket name in the Instances field for the first time. Next time when you create a collection rule, you can simply select buckets from the Instances drop-down list.
Step 3: Verify the collection results
On the Policies tab, click the name of the collection rule you just created.
Select Query and Analysis > Access Logs to view the logs. You can use the search syntax to specify query conditions. For the field descriptions of the access logs, see Access logs.
References
For the steps to view, create, modify, and delete collection rules, see Manage the collection rules of cloud services.
To collect logs from OSS buckets across multiple accounts, start by enabling a resource directory. Then use the resource directory administrator or a delegated administrator to configure the collection rules for logs from member accounts, aggregating the logs into the specified project. For more information, see Multi-account configuration.