The new Log Audit Service centralizes log collection across Alibaba Cloud services and runtime environments to help you meet compliance and data governance requirements.
Why use the Log Audit Service
As enterprises migrate to the cloud, managing and auditing logs at scale becomes critical.
-
Log auditing is a legal requirement. Regulations such as cybersecurity and data security laws mandate that you monitor network status, record security events, and retain logs for at least six months.
-
Data compliance requires managing data across regions in accordance with local regulations while enabling orderly cross-region data flow.
-
The new Log Audit Service addresses these challenges by supporting both cloud service and runtime data ingestion. You can centralize, query, and analyze logs across projects to meet regional compliance requirements.
Basic features
Built on Simple Log Service (SLS), the Log Audit Service adds the following capabilities:
Ingest cloud service logs
-
Cloud service coverage: Supports storage (SLS, OSS), networking (CLB, ALB, VPC, DNS), databases (RDS, PolarDB), security (Security Center, Cloud Firewall, WAF, Anti-DDoS), and auditing (ActionTrail, Cloud Config).
-
Automated log collection: After you connect a cloud service, logs are automatically written to the destination Logstore. New instances and property changes are detected and collected based on your rules.
-
Orchestrated collection rules: Three resource selection modes are available: all resources, filter by instance, and filter by properties.
-
Cross-region data aggregation: Uses data transformation to aggregate logs across regions. SLS automatically creates transformation tasks based on the delivery relationship between default and centralized Logstores.
-
Multiple log centers: Ingest logs once and aggregate them into different projects or Logstores through data transformation. For example, aggregate logs from China (Beijing) and China (Hangzhou) to Shanghai, or from Malaysia and Indonesia to Singapore.
-
Multi-account support via Resource Directory: An administrator or delegated administrator account can aggregate logs from all member accounts.
Ingest runtime logs
-
Runtime log collection: Uses Logtail to collect runtime logs from open-source agents such as Tetragon and Falco into a Logstore.
-
Systemd Journal logs: Uses Logtail to collect Systemd Journal logs, including from container hosts in Docker and Kubernetes environments.
How it works
Ingest cloud service logs
-
Cloud service logs are first stored in their default Logstores.
-
Cloud service logs and their Logstore names are listed in Notes on collecting logs from cloud services.
-
If a cloud service instance matches multiple collection rules, its logs are collected into the default Logstore as long as at least one rule matches.
-
-
The Log Audit Service automatically creates data transformation tasks to aggregate logs from the default Logstore into your associated project.
-
Log types are determined by your configured collection rules.
-
The service automatically detects new or changed instances in each region and updates collection rules accordingly.
-
-
If an administrator or delegated administrator account of Resource Directory configures a multi-account collection rule, logs are first collected in each member account's default Logstore, then aggregated into the centralized Logstore of the administrator or delegated administrator account through an automatic data transformation job.
-
Collection rule 1: Collects logs based on the region property. It delivers cloud service logs from the China (Hangzhou) and China (Shenzhen) regions to a centralized Logstore named
xxx_log_center. This Logstore belongs to the centralized projectcenter-A-cn-shanghai. -
Collection rule 2: Collects logs based on the region property. It delivers cloud service logs from the Singapore region to a centralized Logstore named
xxx_log_center. This Logstore belongs to the centralized projectcenter-A-ap-southeast-1.
-
Ingest runtime logs
In Docker and Kubernetes environments, use Tetragon and Falco to collect container runtime logs to directory files or standard output, then deliver them to an SLS Logstore through Logtail.
Application comparison
New Log Audit Service vs. old Log Audit Service
New Log Audit Service vs. CloudLens for XX series
Both the Log Audit Service and CloudLens for PolarDB can enable PolarDB audit logs. The following table compares these solutions by scenario.
|
Scenario |
Recommended solution |
Advantages |
|
Manual control over log collection |
Simple operation and flexible configuration. |
|
|
Automated collection of cloud service logs |
Use the Simple Log Service API to automate the collection of cloud service logs. |
Batch configuration. |
|
Centralized cross-region dumps |
Enable the relevant rules in the new Log Audit Service console. |
Real-time, cross-region log synchronization helps you meet data compliance requirements. |
|
Cross-account centralized log delivery (based on Resource Directory) |
Enable the relevant rules in the new Log Audit Service console. |
Unified management of logs from multiple accounts helps you meet enterprise-level data governance needs. |
New Log Audit Service vs. cloud service consoles
The following table compares log collection methods for Security Center and WAF.
|
Cloud service |
Cloud service console |
New Log Audit Service |
|
Security Center |
Enable Simple Log Service to collect logon logs in the Security Center console. |
The Log Audit Service is used only for centralized delivery. Use the Log Audit Service console in these scenarios:
|
|
WAF |
Limits
-
The Log Audit Service is currently available only on the public cloud.
-
The new Log Audit Service is in public preview. If you encounter any issues, submit a ticket.
Billing
The Log Audit Service itself is free. After you enable it, you are charged for log storage and traffic. Fees include the following:
|
Fee type |
Description |
|
Fees for the default Logstore for cloud service logs |
|
|
Data transformation fees |
|
|
Fees for Logstores associated with the Log Audit Service |
|
|
Cloud service feature fees |
Some logs require enabling a cloud service feature first (for example, the flow log feature for VPC flow logs and the SQL Explorer feature for RDS audit logs), which incurs additional fees from that service. Notes on collecting logs from cloud services. |
|
Runtime log fees |
Same as a standard Logstore with no extra fees. Billable items: Billable items for the pay-by-feature billing method, Billable items for the pay-by-ingested-data billing method. To reduce costs: How do I reduce log storage costs?. |
Cloud service ingestion types
The Log Audit Service classifies cloud service ingestion into the following types. Specific limits are documented in Notes on collecting logs from cloud services.
|
Cloud service ingestion type |
Classification criteria |
Limits and description |
Applicable cloud services and log types |
|
Instance class |
Rules configured at the instance level by instance ID, region, or tags. |
Logs are delivered to a Logstore in the region where the instance resides. |
|
|
Global log |
Rules configured at the global level only. |
Logs are delivered to a Logstore in a fixed region. |
|
|
Security |
Rules use the resource property mode to retrieve default delivery regions. |
Log collection must be enabled in the cloud service console first. The Log Audit Service only centralizes and processes these logs. |
|
|
ActionTrail and Cloud Config |
No collection rules required. Association is established through the Logstore name. |
Configure a trail or delivery rule in the cloud service console and associate it with the current project. |
|