Overview of Log Audit Service - Simple Log Service - Alibaba Cloud Documentation Center

This topic describes the features, background information, scenarios, and benefits of Log Audit Service. This topic also describes the Alibaba Cloud services that are supported by Log Audit Service.

Features

Log Audit Service supports all features of Simple Log Service. Log Audit Service also supports automated and centralized log collection from cloud services across Alibaba Cloud accounts in real time. This allows you to audit the collected logs. Log Audit Service also stores data that is required for auditing and allows you to query and aggregate the data. You can use Log Audit Service to audit the logs that are collected from the following Alibaba Cloud services: ActionTrail, Container Service for Kubernetes (ACK), Object Storage Service (OSS), File Storage NAS, Server Load Balancer (SLB), Application Load Balancer (ALB), API Gateway, Virtual Private Cloud (VPC), ApsaraDB RDS, PolarDB-X 1.0, PolarDB, Web Application Firewall (WAF), Anti-DDoS, Cloud Firewall, and Security Center. You can also use Log Audit Service to audit the logs that are collected from third-party cloud services and self-managed security operations centers (SOCs).

Background information

Log audit is required by law.
Log audit is required by enterprises around the world to meet regulatory requirements. The Cybersecurity Law of the People's Republic of China came into effect in the Chinese mainland in 2017. In addition, the Multi-Level Protection Scheme (MLPS) 2.0 came into effect in December 2019.
Log audit is the foundation for the data security compliance of enterprises.
A large number of enterprises have compliance and audit teams that are capable of auditing device operations, network behavior, and logs. You can use Log Audit Service to consume raw logs, audit logs, and generate compliance audit reports. You can use your self-managed SOC or Alibaba Cloud Security Center to consume logs in Log Audit Service.
Log audit is crucial for data security and protection.
The M-Trends 2018 report published by FireEye stated that most enterprises, especially enterprises in Asia Pacific, are vulnerable to cybersecurity attacks. The global median dwell time was 101 days. In Asia Pacific, the median dwell time was 498 days. The dwell time indicates a period from when an attack occurs to when the attack is detected. To shorten the dwell time, enterprises require reliable log data, durable storage, and audit services.

Scenarios

Simple Log Service-based audit
Simple Log Service allows you to collect, cleanse, analyze, and visualize logs from end to end. You can also configure alerts for logs. You can use Simple Log Service in DevOps, operations, security, and audit scenarios.
Typical log audit
The following requirements for log audit are classified into four levels.
- Basic requirements: Most small and medium enterprises require automatic log collection and storage. These enterprises need to meet the basic requirements that are specified in MLPS 2.0 and implement automatic maintenance.
- Intermediate requirements: Multinational enterprises, large enterprises, and some medium enterprises have multiple departments that use different Alibaba Cloud accounts and pay separate bills. However, logs required for audit must be automatically collected in a centralized manner. In addition to basic requirements, these enterprises need to collect logs and manage accounts in a centralized manner. In most cases, these enterprises have audit systems and need to synchronize their audit systems with Log Audit Service in real time.
- Advanced requirements: Large enterprises that have dedicated compliance and audit teams need to monitor logs, analyze logs, and configure alerts for logs. Some of the enterprises collect logs and send the logs to their audit systems for further processing. Other enterprises that want to build an audit system on the cloud can use the audit-related features provided by Simple Log Service. The features include query, analysis, alerting, and visualization.
- Top requirements: Most large enterprises that have professional compliance and audit teams have self-managed SOCs or audit systems. These enterprises need to synchronize their SOCs or audit systems with Log Audit Service and manage data in a centralized manner.
Log Audit Service of Simple Log Service meets all the four levels of requirements.

Benefits

Centralized log collection
- Log collection across accounts: You can collect logs from multiple Alibaba Cloud accounts to a project within one Alibaba Cloud account. You can configure multi-account collection in custom authentication mode or resource directory mode. We recommend that you use the resource directory mode. For more information, see Collect cloud service logs from multiple accounts.
- Ease of use: You need to only configure collection policies once. Then, Log Audit Service collects logs in real time from Alibaba Cloud resources that belong to different accounts when new resources are detected. The new resources include newly created ApsaraDB RDS instances, SLB instances, and OSS buckets.
- Centralized storage: Logs are collected and stored in the central project of a region. This way, you can query, analyze, and visualize the collected logs in a more efficient manner. You can also configure alerts for the logs and perform secondary development.
Comprehensive audit
- Log Audit Service supports all features of Simple Log Service. For example, you can query, analyze, transform, visualize, and export logs, and configure alerts for logs. Log Audit Service also allows you to audit logs in a centralized manner.
- You can use Log Audit Service together with Alibaba Cloud services, open source software, and third-party SOCs to create more value from data.

Supported Alibaba Cloud services

You can use Log Audit Service to audit the logs that are collected from the following Alibaba Cloud services: ActionTrail, ACK, OSS, NAS, SLB, ALB, API Gateway, VPC, ApsaraDB RDS, PolarDB-X 1.0, PolarDB, WAF, Cloud Firewall, Security Center, and Anti-DDoS. Logs that are collected from Alibaba Cloud services are automatically stored in Logstores and Metricstores. Dashboards are automatically generated for the Logstores and Metricstores. The following table describes the details.

Alibaba Cloud service	Audited log	Supported region for collection	Prerequisite	Simple Log Service resource
ActionTrail	Resource Access Management (RAM) logon logs Resource operation logs of Alibaba Cloud services Logs of API operations	China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Japan (Tokyo), US (Silicon Valley), US (Virginia), Germany (Frankfurt), UK (London) and UAE (Dubai)	None	Logstore actiontrail_log Dashboard ActionTrail Audit Center ActionTrail Core Configuration Center ActionTrail Login Center
Cloud Config	Configuration change logs Resource non-compliance events	All regions supported by Cloud Config	If you want to collect, store, or query logs of Cloud Config in Log Audit Service, you must authorize Simple Log Service to extract the logs that are recorded in Cloud Config. After you complete the authorization, the logs of Cloud Config are automatically pushed to Simple Log Service.	Logstore cloudconfig_log Dashboard None
SLB	Layer 7 network logs of HTTP or HTTPS listeners	China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Singapore, Japan (Tokyo), Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), UK (London), UAE (Dubai), US (Silicon Valley), US (Virginia), and Germany (Frankfurt)	None	Logstore slb_log Dashboard SLB Audit Center SLB Access Center SLB Overall Data View
ALB	Layer 7 network logs of HTTP or HTTPS listeners	China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Ulanqab), China (Shenzhen), China (Guangzhou), China (Chengdu), China (Hong Kong), Japan (Tokyo), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Germany (Frankfurt), US (Silicon Valley) and US (Virginia)	None	Logstore alb_log Dashboard ALB Operation Center ALB Access Center
API Gateway	Access logs	All supported regions	None	Logstore apigateway_log Dashboard API Gateway Audit Center
VPC	Flow logs	China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Japan (Tokyo), US (Silicon Valley), US (Virginia), UAE (Dubai), Germany (Frankfurt) and UK (London)	After the flow log feature is enabled for a VPC or a vSwitch, the feature cannot capture information about ECS instances that belong to the following instance families in the VPC or vSwitch. The feature can capture information about only other ECS instances that meet the requirements. The feature cannot be enabled for elastic network interfaces (ENIs) that are bound to ECS instances if the ECS instances belong to the following instance families. ecs.c1, ecs.c2, ecs.c4, ecs.ce4, ecs.cm4, ecs.d1, ecs.e3, ecs.e4, ecs.ga1, ecs.gn4, ecs.gn5, ecs.i1, ecs.m1, ecs.m2, ecs.mn4, ecs.n1, ecs.n2, ecs.n4, ecs.s1, ecs.s2, ecs.s3, ecs.se1, ecs.sn1, ecs.sn2, ecs.t1, and ecs.xn4	Logstore vpc_log Dashboard VPC Flow Log Overview VPC Flow Log Rejection Center VPC Flow Log Traffic Center
DNS	Intranet private DNS logs	China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Shenzhen), China (Guangzhou), China (Hong Kong), and Singapore	Go to the Alibaba Cloud DNS console of the new version to activate Alibaba Cloud DNS PrivateZone.	Logstore dns_log Dashboard None
	Public DNS resolution logs	N/A	Go to the Alibaba Cloud DNS console of the new version to enable the DNS traffic analysis feature and enable the feature for the required domain names. Chinese domain name-related logs cannot be stored.	Logstore dns_log Dashboard None
	Global Traffic Manager logs	N/A	Go to the Alibaba Cloud DNS console of the new version to activate Global Traffic Manager and purchase a Global Traffic Manager instance. Chinese domain name-related logs cannot be stored. Global Traffic Manager is available only for users in the required whitelist. To add a user to the whitelist, you must submit a ticket to Alibaba Cloud DNS engineers.	Logstore dns_log Dashboard None
WAF	Access logs Attack logs	All supported regions	Your WAF instance must be of the Enterprise or Business edition. The Simple Log Service for WAF feature must be enabled in the WAF console. For more information, see Get started with the Simple Log Service for WAF feature.	Logstore waf_log Dashboard WAF Audit Center WAF Security Center WAF Access Center
Security Center	Nine types of host logs Four types of network logs Seven types of security logs	China (Hangzhou) and Singapore	Your Security Center must be of the Enterprise edition. The log analysis feature must be enabled in the Security Center console. For more information, see Enable the log analysis feature.	Logstore sas_log Dashboard SAS Alarm Center SAS Connection Center SAS DNS Access Center SAS Baseline Center SAS Login Center SAS Process Center SAS Network Session Center SAS Vulnerability Center SAS Web Access Center
Cloud Firewall	Traffic logs of the Internet firewall and VPC firewalls	N/A	Your Cloud Firewall must be of the Premium Edition or higher. The log analysis feature must be enabled in the Cloud Firewall console. For more information, see Enable the log analysis feature.	Logstore cloudfirewall_log Dashboard Cloud Firewall Audit Center
Bastionhost	Operation logs	All supported regions	Your Bastionhost must be of V3.2 or later.	Logstore bastion_log Dashboard None
OSS	Resource operation logs Data operation logs Data access logs and metering logs Deletion logs of expired files CDN back-to-origin traffic logs	China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Japan (Tokyo), South Korea (Seoul), Thailand (Bangkok), Germany (Frankfurt), UAE (Dubai), UK (London), US (Virginia), and US (Silicon Valley)	None	Logstore oss_log Dashboard OSS Audit Center OSS Access Center OSS Operation Center OSS Performance Center OSS Overall Data View
ApsaraDB RDS	Audit logs of ApsaraDB RDS for MySQL instances Slow query logs of ApsaraDB RDS for MySQL instances Performance logs of ApsaraDB RDS for MySQL instances Error logs of ApsaraDB RDS for MySQL instances Audit logs of ApsaraDB RDS for PostgreSQL instances Slow query logs of ApsaraDB RDS for PostgreSQL instances Error logs of ApsaraDB RDS for PostgreSQL instances	Audit logs of ApsaraDB RDS for MySQL instances: all supported regions except China (Nanjing - Local Region), China (Fuzhou-Local Region), China (Heyuan), and Philippines (Manila) Slow query logs, performance logs, and error logs of ApsaraDB RDS for MySQL instances: all supported regions except China (Nanjing - Local Region), China (Fuzhou-Local Region), and Philippines (Manila) Audit logs of ApsaraDB RDS for PostgreSQL instances: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Germany (Frankfurt), and United States (Virginia) Slow query logs and error logs of ApsaraDB RDS for PostgreSQL instances: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Germany (Frankfurt), UK (London), and US (Virginia)	Audit logs ApsaraDB RDS for MySQL instances are supported, except those running the RDS Basic Edition. ApsaraDB RDS for PostgreSQL instances that run the RDS High-availability Edition are supported. The SQL Explorer or SQL Audit feature must be enabled. The features are automatically enabled by Log Audit Service. Slow query logs and error logs ApsaraDB RDS for MySQL instances are supported, except those running the RDS Basic Edition. ApsaraDB RDS for PostgreSQL instances that run the RDS High-availability Edition are supported. Performance logs ApsaraDB RDS for MySQL instances are supported, except those running the RDS Basic Edition.	Audit logs Logstore rds_log Dashboard RDS Audit Center RDS Security Center RDS Performance Center RDS Overall Data View Slow query logs and error logs Logstore rds_log Dashboard None Performance logs Metricstore rds_metrics Dashboard RDS Performance Monitor
PolarDB	Audit logs of PolarDB for MySQL clusters Slow query logs of PolarDB for MySQL clusters Performance logs of PolarDB for MySQL clusters Error logs of PolarDB for MySQL clusters	All supported regions	Audit logs PolarDB for MySQL clusters are supported. The SQL Explorer or SQL Audit feature must be enabled. The features are automatically enabled by Log Audit Service. Slow query logs, performance logs, and error logs Only PolarDB for MySQL clusters are supported.	Slow query logs, audit logs, and error logs Logstore polardb_log Dashboard None Performance logs Metricstore polardb_metrics Dashboard PolarDB Performance Monitor
PolarDB-X 1.0	PolarDB-X 1.0 audit logs	China (Qingdao), China (Shenzhen), China (Shanghai), China (Beijing), China (Hangzhou), China (Zhangjiakou), China (Chengdu), and China (Hong Kong)	None	Logstore drds_log Dashboard DRDS Operation Center DRDS Security Center DRDS Performance Center
NAS	Access logs	All supported regions	None	Logstore nas_log Dashboard NAS Summary NAS Audit Center NAS Operation Center
ACK	Kubernetes audit logs Kubernetes event centers Ingress access logs	China (Shanghai), China (Beijing), China (Hangzhou), China (Shenzhen), China (Hohhot), China (Zhangjiakou), China (Chengdu), and China (Hong Kong)	You must manually enable the log collection feature for Kubernetes logs. Note You must use projects that are automatically created and are named in the k8s-log-{ClusterID} format. Projects that are manually created are not supported. The collection of Kubernetes logs is based on the data transformation feature. When you collect Kubernetes logs, you are charged for the data transformation feature. For more information, see Billable items of pay-by-feature. You cannot collect Kubernetes logs across accounts. For more information about the prerequisites before you use Kubernetes audit logs, see Collect text logs from Kubernetes containers in DaemonSet mode. For more information about the prerequisites before you use Kubernetes event centers, see Create and use an event center. For more information about the prerequisites before you use Ingress access logs, see Analyze and monitor the access logs of nginx-ingress-controller.	Logstore k8s_log k8s_ingress_log Dashboard Kubernetes Audit Center Overview Kubernetes Event Center Kubernetes Resource Operation Overview Ingress Overview Ingress Access Center
Anti-DDoS	Anti-DDoS Proxy (Chinese Mainland) access logs Anti-DDoS Proxy (Outside Chinese Mainland) access logs Anti-DDoS Origin access logs	N/A	Anti-DDoS Proxy (Chinese Mainland): The log analysis feature must be enabled in the Anti-DDoS Proxy (Chinese Mainland) console. For more information, see Use the log analysis feature. Anti-DDoS Proxy (Outside Chinese Mainland): The log analysis feature must be enabled in the Anti-DDoS Proxy (Outside Chinese Mainland) console. For more information, see Use the log analysis feature. Anti-DDoS Origin: The log analysis feature must be enabled in the Anti-DDoS Origin console. For more information, see Enable the log analysis feature.	Logstore ddos_log Dashboard Anti-DDoS Premium Access Center Anti-DDoS Premium Operation Center Anti-DDoS Pro Access Center Anti-DDoS Pro Operation Center Anti-DDoS Origin Events Report Anti-DDoS Origin Mitigation Report
Cloud Service Bus (CSB) App Connect	Operation logs	N/A	None	Logstore appconnect_log Dashboard None

Note

If an ApsaraDB RDS instance or a PolarDB for MySQL cluster is restarted, Log Audit Service may fail to collect some logs that are generated within 5 minutes after the restart.