After you integrate logs from your cloud services, you can use the log management feature to centrally store and query them. This helps you pinpoint alerts, trace attack sources, accelerate incident response, and simplify log management in complex, multi-resource environments, strengthening your security posture. The log storage solution complies with the requirements of China's Cybersecurity Law and the Multi-Level Protection Scheme (MLPS) 2.0.
How it works
The log management feature is a centralized log storage and analysis capability for multi-cloud, multi-account, and multi-service environments, jointly provided by Cloud Threat Detection and Response (CTDR) and SLS.
After you purchase log storage capacity for CTDR, the service automatically creates a dedicated project (named aliyun-cloudsiem-data-<your Alibaba Cloud account ID>-<RegionID>) and a dedicated Logstore (named cloud_siem) in SLS. This project and Logstore are used to store all log data collected by CTDR. The storage region for CTDR logs depends on the service region that you select in the upper-left corner of the Security Center console.
If you select China, logs collected by CTDR are stored in the China (Shanghai) region.
If you select Outside China, logs collected by CTDR are stored in the Singapore region.
You can log on to the SLS console to view the dedicated project and Logstore for CTDR. Do not delete the project or Logstore.
When you enable log delivery for a specific log type, CTDR automatically delivers the logs to the cloud_siem Logstore. Delivered logs are retained for the configured number of retention days and then automatically deleted. If your log storage capacity is full, new log delivery will stop. Security Center can send you a notification when your used log capacity exceeds 80% of the total capacity. For instructions on how to configure notifications, see Notification settings.
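Because delivery stops when the purchased capacity is full, it helps to check before enabling delivery whether that capacity covers the retention period you need. The following Python is an added example, not part of the original documentation or of any Alibaba Cloud tooling; the source names and daily volumes are constructed, and it assumes a constant daily volume delivered into an initially empty Logstore.

```python
from dataclasses import dataclass

ALERT_RATIO = 0.80            # notification threshold stated on this page
DEFAULT_RETENTION_DAYS = 180  # default retention stated on this page


@dataclass
class Source:
    name: str                 # constructed label for a delivered log type
    gb_per_day: float         # assumed constant daily volume
    retention_days: int = DEFAULT_RETENTION_DAYS


def stored_gb(sources, day):
    """Data held on `day` (1-based) when delivery starts into an empty Logstore."""
    return sum(s.gb_per_day * min(day, s.retention_days) for s in sources)


def forecast(sources, capacity_gb):
    """Return (alert_day, full_day); None means the level is never reached."""
    alert_day = full_day = None
    # Usage stops growing once the longest retention window has filled.
    for day in range(1, max(s.retention_days for s in sources) + 1):
        used = stored_gb(sources, day)
        if alert_day is None and used > ALERT_RATIO * capacity_gb:
            alert_day = day
        if used >= capacity_gb:
            full_day = day    # new log delivery stops from here on
            break
    return alert_day, full_day


def max_uniform_retention(sources, capacity_gb):
    """Longest retention (days) for all sources that stays at or below the alert level."""
    daily = sum(s.gb_per_day for s in sources)
    return int(ALERT_RATIO * capacity_gb / daily)


# Constructed sample inputs, not measurements from a real account.
SAMPLE = [
    Source("firewall-alerts", 2.0),
    Source("audit-trail", 0.5),
    Source("waf-access", 6.0, retention_days=90),
]

if __name__ == "__main__":
    for cap in (1000, 900):
        print(cap, "GB ->", forecast(SAMPLE, cap), max_uniform_retention(SAMPLE, cap))
```

A `full_day` other than `None` marks the point after which new events would no longer be stored, which is a gap in the evidence available for later investigation.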
Billing
This feature uses a subscription billing model based on your purchased log storage capacity and subscription duration. Operations such as querying or exporting logs on the Security Center console do not incur additional fees.
After log management delivers logs to SLS, you may incur additional charges for operations on the SLS console, such as data transformation or data shipping.
When the Logstore uses the pay-by-feature billing model, you are charged by SLS for data transformation, data delivery, and read traffic from public endpoints. For more information, see Billable items for the pay-by-feature billing model.
When the Logstore uses the pay-by-ingested-data billing model, operations such as data transformation and delivery are free of charge. You are charged only for reading data from public endpoints according to standard SLS rates. For more information, see Billable items for the pay-by-ingested-data billing model.
Multi-account management
In a multi-account management setup, if you use a global administrator account to log on to the Security Center console, you must switch views before managing logs on the Log Management page. The views are described as follows:
Current Account View: View and manage log data stored in the current account.
Global Account View: View and manage logs that are delivered from Alibaba Cloud accounts within the CTDR management scope to the current account for storage.
Log delivery enabled in both the Current Account View and the Global Account View consumes the log storage capacity purchased by the global administrator account. The stored log data belongs to the global administrator account.
If an Alibaba Cloud account managed by the CTDR global administrator account needs to manage its own logs, the account owner must separately purchase log storage capacity for CTDR and enable log delivery on the page on the Security Center console.
Prerequisites
SLS is activated. For more information, see Collect and analyze ECS text logs by using LoongCollector.
Cloud service logs have been connected. For more information, see Connect cloud service logs.
Step 1: Enable log delivery
Log on to the Security Center console.
In the left-side navigation pane, choose . In the upper-left corner, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
On the Service Integration page, click Log Settings in the upper-right corner.
In the Log Delivery Management section, turn on the switch in the Deliver Log to Hot Data/Enabled and Disabled At column for the desired log type.
You can also select multiple log types and then click Batch Deliver Log To.
Alternatively, on the Log Management page, you can enable delivery for a log type by turning on the switch next to it.

(Optional) In the left-side navigation pane, choose . In the upper-left corner, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland. On the Log Management page, click Deliver All Data in the upper-right corner to enable log delivery for all integrated data sources.
If you no longer need to store a specific type of log, you can turn off its delivery switch. Log management will stop receiving new logs of that type.
Step 2: Query logs
In the left-side navigation pane, choose . In the upper-left corner, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
In the upper-left corner of the Log Management page, click All Data Sources. In the All Data Sources drop-down list, select the data source that you want to view (a cloud service and a log type).
Set a time range, enter query statements to search for logs, and then view the analysis results.
The log query method in CTDR is the same as in the Security Center log analysis feature. For more information, see Custom log query and analysis.
More operations
Modify log retention period
By default, delivered logs from cloud services are stored for 180 days. You can modify the number of retention days as needed.
In the left-side navigation pane, choose . In the upper-left corner, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
On the Service Integration page, click Log Settings in the upper-right corner.
In the Log Management panel, click Retention Days in the Modify column to change the log retention period.
Log storage management
On the page, you can view your current log usage and total capacity, and scale out or clear the storage space as needed.
Click Scale Out to purchase more log storage capacity.
Ensure you have sufficient log storage capacity, as new logs cannot be written if the storage is full.
Click Clear to clear the storage space.
Warning: Cleared log data cannot be restored. Use this feature with caution. We recommend that you first export and save your logs locally.

Related topics
You can download logs or query results by using the console, Cloud Shell, or a command-line interface (CLI). For more information, see Export logs.
You can create an OSS data shipping job to store logs in OSS. For more information, see Create an OSS data shipping job (New).
If your log storage space is full, new logs cannot be written. You can enable notifications for CTDR log over-limit alerts so you can scale out your log storage capacity in a timely manner. For more information, see Notification settings.