All Products
Search

This Product

    Simple Log Service:Version comparison

    Document Center

    Simple Log Service:Version comparison

    Last Updated:Jun 04, 2026

    Learn about the differences between Log Audit Service (New) and Log Audit Service (Legacy).

    Version comparison

    Criteria

    Legacy: Limitations

    New version: Upgrade highlights

    Connection type

    • Logs are collected to a dedicated Logstore (slsaudit-center-<AlibabaCloudAccountID>-<ConfiguredRegion>).

    • Log field and content updates lag behind cloud service changes.

    • Duplicate collection may occur if log collection is already enabled on the cloud service, causing extra storage costs.

    • Logs are first collected to the cloud service's default destination Logstore. For example, ApsaraDB RDS, PolarDB, ALB, and CLB logs are delivered to aliyun-product-data-<AlibabaCloudAccountID>-<ConfiguredRegion> by default.

    • Log fields and content stay fully synchronized with the cloud service.

    • Logs are collected only once. No extra storage costs if centralized collection is disabled.

    Logstore storage property configuration

    Configurable only on the global configuration page.

    • Storage period

    • IA storage class period (formerly cold storage)

    Not supported:

    • Billing mode

    • Archive Storage

    • Logstore deletion

    • Log storage period

    • IA storage class (formerly cold storage)

    • Billing mode

    • Archive Storage

    • Logstore deletion

    Central log project

    • Centralized log collection supports only one project.

    • After selecting a central region, logs can only go to a project and Logstore with fixed names.

    • Centralized log collection supports multiple projects for cross-region data compliance.

    • Central region, project, and Logstore are all selectable.

    Cross-account feature

    Only one audit collection destination is supported.

    • If an Alibaba Cloud account enables Log Audit Service with member accounts configured, those member accounts cannot independently enable Log Audit Service. Otherwise, a conflict error occurs.

    • If a member account enables Log Audit Service independently, the multi-account configuration of the parent account cannot include that member account. Otherwise, a log delivery conflict occurs.

    Multiple audit collection destinations are supported.

    Data transformation fees for centralized synchronization

    When the Sync to Center feature is enabled, data transformation fees apply for synchronizing logs from regional Logstores to a central Logstore.

    The following fees are waived when collecting logs from a cloud service's default destination Logstore to a central Logstore:

    • Data transformation traffic

    • Write traffic

    • Write operations

    Collection filtering

    • Requires configuring a collection policy, which requires understanding how to use collection policies.

    • Only one collection policy per cloud service.

    • Three resource modes are provided: Select All, Resource Properties, and Instance List.

    • Multiple rules for different scenarios enable flexible orchestration.

    Collect runtime logs

    Not supported.

    Supports collecting runtime logs from open source agents (such as Tetragon and Falco) to a Logstore via Logtail.

    OpenAPI

    No external OpenAPI is provided.

    • Control log collection using Collection rules of cloud services.

    • Collection rules for cloud services are decoupled from Log Audit Service and are associated using a central project.

    Terraform

    Coupled cloud service configuration:

    • Collection configurations for multiple cloud services depend on a single configuration file.

    Configurations are independent and defined per cloud service. Terraform is supported. Usage example.

    Log field comparison

    Cloud service

    New version

    Previous version

    Description (In the new version, log fields match those displayed in the cloud service console)

    Details

    ActionTrail

    Log fields

    ActionTrail

    The field structure is different.

    The new version adds resource and identity fields (e.g., event.resourceName, event.userIdentity.sessionContext). The previous version included event.requestParameters.HostId, event.requestParameters.Name, and event.requestParameters.Region.

    The event.requestParameters and event.requestParameterJson fields replace the previous output.

    Cloud Config

    Log fields

    Cloud Config

    The field content is different.

    The new version adds log fields for scheduled resource snapshots.

    Object Storage Service

    Log fields

    Object Storage Service

    The field content is different.

    • Access log: The new version adds bucket_location, ec, user_defined_log_fields, and archive_direct_read_size.

    • Batch delete log: The new version does not have the owner_id field.

    • Hourly metering log: The new version adds the bucket_location field.

    RDS

    Log fields

    ApsaraDB RDS

    The field content is different.

    • Audit log: The previous version includes owner_id, region, instance_name, db_type, db_version, threat_client_ip, and hash fields not present in the new version.

    • Slow query log: The previous version includes the instance_name field not present in the new version.

    Server Load Balancer

    Log fields

    Server Load Balancer

    The field content is different.

    The previous version includes owner_id, region, instance_id, instance_name, network_type, and vpc_id fields not present in the new version.

    VPC

    Log fields

    VPC

    The field content is different.

    The previous version includes the __topic__ and region fields not present in the new version.

    Cloud Firewall

    Log fields

    Cloud Firewall

    No differences.

    -

    Anti-DDoS

    Fields in logs

    Anti-DDoS

    The field content is different.

    In the new version, all log fields are categorized into event fields, traffic detection fields, and traffic scrubbing fields. Log field description.

    Anti-DDoS Proxy

    Fields included in full logs

    Anti-DDoS

    The field content is different.

    The new version adds more client request parameters, such as ssl_protocol, ssl_cipher, and ssl_handshake_time.

    Security Center

    Log categories and field description

    Security Center

    The field content is different.

    The new version provides more log fields. Log categories.

    API Gateway

    Log fields

    API Gateway

    No differences.

    -

    File Storage NAS

    Log fields

    File Storage

    The field content is different.

    • The previous version supports only General-purpose NAS.

    • The new version contains more log fields. Extreme NAS file system.

    Web Application Firewall 3.0

    Log field description

    Web Application Firewall

    The field content is different.

    The new version of WAF supports optional fields, which the previous version does not.

    Bastionhost

    Bastionhost

    Bastionhost

    No differences.

    -