Bastionhost allows you to archive audit logs in Simple Log Service (SLS). After you configure the archiving settings for audit logs, Bastionhost automatically delivers the audit logs to Simple Log Service in real time. This topic describes how to archive audit logs in Simple Log Service.
Only audit logs that are generated after the archiving settings are configured can be archived in Simple Log Service.
Background information
Audit logs record the O&M activities that Bastionhost users perform by using Bastionhost. The audit logs contain command audit records and operation logs. Bastionhost stores audit logs only for 180 days. If you want to store audit logs longer than 180 days, you can archive the audit logs in SLS. After you archive the audit logs in SLS, you can query and analyze the audit logs, specify a custom log retention period, and forward the audit logs to a third-party platform, such as Splunk, by using SLS. For more information, see Query and analysis or Ship logs from Simple Log Service to Splunk by using a Splunk add-on.
After you archive the audit logs in SLS, the archiving operation does not affect the audit logs that are stored in Bastionhost. You can still view the audit logs on the Session Audit page of the console of a bastion host. For more information, see Search for sessions and view session details.
Procedure
Log on to the Simple Log Service console.
Follow the on-screen instructions to activate Simple Log Service.
Visit the Log Audit Service page.
In the left-side navigation pane, choose Access to Cloud Products > Global Configurations. Then, perform the following steps to complete the settings for collecting audit logs.
In the Region of the Central Project drop-down list, select a region for centralized storage of logs.
Find Bastion Host in the Cloud Products column, turn on Operations Log, and then specify a retention period for audit logs in the Storage Type column.
View audit logs.
In the left-side navigation pane, click the icon.
Choose Central > Bastionhost to view audit logs.
The following table describes the log fields of Bastionhost audit logs that are stored in Simple Log Service (SLS).
Field
Description
__topic__
The topic of the log. The value is fixed as bastionhost.
owner_id
The Alibaba Cloud account ID.
region
The region in which the bastion host resides.
content
The operation that is recorded in the log, such as a command-related operation and file transmission.
event_type
The event type. For more information, see the "Valid values of the event_type field" section of this topic.
instance_id
The ID of the bastion host.
resource_address
The IP address of the asset on which the O&M operation is performed.
resource_name
The name of the asset on which the O&M operation is performed.
result
The result of the operation, such as a command-related operation and file transmission.
session_id
The session ID.
user_client_ip
The IP address of the Bastionhost user who access the bastion host.
user_id
The ID of the Bastionhost user.
user_name
The username of the Bastionhost user.
Valid values of the event_type field
Valid value | Description |
db.oracle.req | A request sent to an Oracle database. |
db.mysql.req | A request sent to a MySQL database. |
db.pgsql.req | A request sent to a PostgreSQL database. |
cmd.Command | A command-related operation. |
cmd.Command.policy | A command processed based on control policies. |
graph.Text | A graphic text-related event. |
graph.Keyboard | A graphic keyboard event. |
file.Upload | Upload of a file. |
file.Download | Download of a file. |
file.Rename | Renaming of a file. |
file.Delete | Deletion of a file. |
file.DeleteDir | Deletion of a directory. |
file.CreateDir | Creation of a directory. |
login.CSLogin | A client software (CS)-based logon by a user. |
Session.session | A session. |
The following values are supported only in Bastionhost V3.2.43 and later. | |
login.CSPasswordLogin | Password-based authentication upon CS-based logon. |
login.CSResetPassword | A password change by using CS. |
login.PortalPasswordLogin | Password-based authentication upon logon from the portal. |
user.PortalResetPassword | A password change by using the portal. |
user.PortalClearOTP | Unbinding the one-time password (OTP) app by using the portal. |
user.PortalBindOTP | Binding the OTP app by using the portal. |
user.PortalLogout | Logoff from the portal. |
login.CSTwoFactorLogin | Two-factor authentication upon CS-based logon. |
login.PortalTwoFactorLogin | Two-factor authentication upon logon from the portal. |
user.CreateUser | Creation of a user. |
user.DeleteUser | Deletion of a user. |
user.ModifyUser | User modification. |
user.LockUser | Locking of an account. |
user.UnlockUser | Unlocking of an account. |
user.CreateUserPublicKey | Addition of an SSH public key. |
user.ModifyUserPublicKey | Update of an SSH public key. |
user.DeleteUserPublicKey | Deletion of an SSH public key. |
user.ExportUsers | Export of users. |
user.SyncRemoteUserDN | Synchronization of the distinguished name (DN) of a remote user. |
user.NotifyUserOperationAddress | Modification of user logon restrictions. |
user.SetUserUSBKey | Association of a USB key certificate. |
user.ResetUserUSBKey | Disassociation of a USB key certificate. |
user.CreateUserGroup | Creation of a user group. |
user.ModifyUserGroup | Modification of a user group. |
user.DeleteUserGroup | Deletion of a user group. |
user.AddUsersToGroup | Addition of users to a user group. |
user.RemoveUsersFromGroup | Removal of users from a user group. |
asset.CreateHost | Import of a host. |
asset.ModifyHost | Modification of a host. |
asset.DeleteHost | Deletion a host. |
asset.EnableHost | Enabling of a host. |
asset.DisableHost | Disabling of a host. |
asset.ResetHostsFingerPrint | Update of a host fingerprint. |
asset.RefreshECSHostStatus | Status check for an Elastic Compute Service (ECS) instance. |
asset.RefreshKMSSecretsForECS | Update status check for Key Management Service (KMS) secrets on an ECS instance. |
asset.RefreshAssetNetworkStatus | Network status check for an asset. |
asset.ExportHosts | Export of hosts. |
asset.CreateDatabase | Creation of a database. |
asset.ModifyDatabase | Modification of a database. |
asset.DeleteDatabase | Deletion of a database. |
asset.EnableDatabase | Enabling of a database. |
asset.DisableDatabase | Disabling of a database. |
asset.RefreshRDSDatabaseStatus | Status check for an ApsaraDB RDS database. |
asset.ExportDatabases | Export of databases. |
asset.CreateAssetGroup | Creation of an asset group. |
asset.ModifyAssetGroup | Modification of an asset group. |
asset.DeleteAssetGroup | Deletion of an asset group. |
asset.AddHostsToGroup | Addition of hosts to an asset group. |
asset.RemoveHostsFromGroup | Removal of hosts from an asset group. |
asset.AddDatabasesToGroup | Addition of databases to an asset group. |
asset.RemoveDatabasesFromGroup | Removal of databases from an asset group. |
asset.AddAppsToGroup | Addition of applications to an asset group. |
asset.RemoveAppsFromGroup | Removal of applications from an asset group. |
asset.CreateHostAccount | Creation of a host account. |
asset.ModifyHostAccount | Modification of a host account. |
asset.DeleteHostAccount | Deletion of a host account. |
asset.ResetHostAccountCredential | Deletion of the logon credential for a host account. |
asset.CreateDatabaseAccount | Creation of a database account. |
asset.ModifyDatabaseAccount | Modification of a database account. |
asset.DeleteDatabaseAccount | Deletion of a database account. |
asset.CreateAssetSource | Import of a third-party host. |
asset.ModifyAssetSource | Modification of a third-party host. |
asset.DeleteAssetSource | Deletion of a third-party host. |
authorization.AttachHostAccountsToUser | Authorization for a user to use host accounts. |
authorization.DetachHostAccountsFromUser | Removal of host accounts from the list of host accounts that a user is authorized to use. |
authorization.AttachHostAccountsToUserGroup | Authorization for a user group to use host accounts. |
authorization.DetachHostAccountsFromUserGroup | Removal of host accounts from the list of host accounts that a user group is authorized to use. |
authorization.AttachAssetGroupAccountsToUser | Authorization for a user to use host account names. |
authorization.DetachAssetGroupAccountsFromUser | Removal of host account names from the list of host account names that a user is authorized to use. |
authorization.AttachAssetGroupAccountsToUserGroup | Authorization for a user group to use host account names. |
authorization.DetachAssetGroupAccountsFromUserGroup | Removal of host account names from the list of host account names that a user group is authorized to use. |
asset.AttachDatabaseAccountsToUser | Authorization for a user to use database accounts. |
asset.DetachDatabaseAccountsFromUser | Removal of database accounts from the list of database accounts that a user is authorized to use. |
asset.AttachDatabaseAccountsToUserGroup | Authorization for a user group to use database accounts. |
asset.DetachDatabaseAccountsFromUserGroup | Removal of database accounts from the list of database accounts that a user group is authorized to use. |
policy.CreatePolicy | Creation of a control policy. |
policy.DeletePolicy | Deletion of a control policy. |
policy.ModifyPolicy | Update of a control policy. |
policy.AttachUsersToPolicy | Association of users with a control policy. |
policy.DetachUsersFromPolicy | Disassociation of users from a control policy. |
policy.AttachUserGroupsToPolicy | Association of user groups with a control policy. |
policy.DetachUserGroupsFromPolicy | Disassociation of user groups from a control policy. |
policy.AttachHostsToPolicy | Association of hosts with a control policy. |
policy.DetachHostsFromPolicy | Disassociation of hosts from a control policy. |
policy.AttachAssetGroupsToPolicy | Association of host groups with a control policy. |
policy.DetachAssetGroupsFromPolicy | Disassociation of host groups from a control policy. |
policy.CreateDatabaseMaskPolicy | Creation of a data masking policy. |
policy.ModifyDatabaseMaskPolicy | Modification of a data masking policy. |
policy.DeleteDatabaseMaskPolicy | Deletion of a data masking policy. |
policy.AttachDatabasesToPolicy | Association of databases with a control policy. |
policy.DetachDatabasesFromPolicy | Disassociation of databases from a control policy. |
policy.AttachAppsToPolicy | Association of applications with a control policy. |
policy.DetachAppsFromPolicy | Disassociation of applications from a control policy. |
policy.SetPolicyUserScope | Determination of the users to whom a control policy applies. |
policy.SetPolicyAssetScope | Determination of the assets to which a control policy applies. |
policy.SetHostAccountToPolicy | Determination of the account used to log on to a host associated with a control policy. |
policy.SetDatabaseAccountToPolicy | Determination of the account used to log on to a database associated with a control policy. |
policy.SetAppAccountToPolicy | Determination of the account used to log on to a database associated with a control policy. |
policy.SetAssetGroupAccountNamesToPolicy | Determination of the account used to access an asset group associated with a control policy. |
policy.GenerateApproveCommand | Generation of a command review record. |
policy.CancelApproveCommand | Cancellation of command review. |
policy.AcceptApproveCommand | Adoption of command review. |
policy.RejectApproveCommand | Rejection of command review. |
policy.GenerateApproveCommand | Creation of a command review task. |
task.CreatePasswordTask | Creation of a password change task. |
task.ModifyPasswordTask | Update of a password change task. |
task.DeletePasswordTask | Deletion of a password change task. |
task.AttachHostAccountsToPasswordTask | Association of host accounts with a password change task. |
task.DetachHostAccountsFromPasswordTask | Disassociation of host accounts from a password change task. |
task.ExecutePasswordTask | Execution of a password change task. |
task.CancelPasswordTask | Cancellation of a password change task. |
task.EnablePasswordTask | Start of a password change task. |
task.ExportPasswordTaskHistory | Export of password change records. |
system.DeleteAuditSessionVideo | Deletion of a session video file. |
system.ModifyInstanceTwoFactor | Modification of two-factor authentication settings. |
system.InterruptAuditSession | Blocking of a session. |
system.ImportBastionHostConfig | Import of configuration backups. |
system.ExportBastionHostConfig | Export of configuration backups. |
system.ModifyInstanceLDAPAuthServer | Configuration modification for a Lightweight Directory Access Protocol (LDAP) authentication server. |
system.ModifyInstanceADAuthServer | Configuration modification for an Active Directory (AD) authentication server. |
system.AddInstanceMember | Addition of a Resource Directory member. |
system.RemoveInstanceMember | Removal of a Resource Directory member. |
system.ModifyInstanceTLSConfig | Modification of Transport Layer Security (TLS) settings. |
system.ModifyDataEncryptionConfig | Change of the data encryption method. |
system.VerifyUserInfoSignature | Signature verification for key information protection. |
system.BindIDaaSInstance | Association of an Identity as a Service (IDaaS) Instance. |
system.UnbindIDaaSInstance | Disassociation of an IDaaS instance. |
system.ModifyInstanceLoginPolicy | Modification of user logon and lockout settings. |
system.ModifyInstanceUserPolicy | Modification of user password security and status settings. |
system.CreateInstanceADAuthServer | Creation of an AD authentication server. |
system.DeleteInstanceADAuthServer | Deletion of an AD authentication server. |
system.ModifyInstanceIDaaSConfig | Configuration modification for an associated IDaaS instance. |
system.ModifyInstanceOperationConfig | Modification of O&M settings for a bastion host. |
system.ModifyInstanceAssetPolicy | Modification of the connectivity check cycle. |
system.AddInstanceNotificationReceiveUser | Addition of an alert administrator on the Notifications tab. |
system.RemoveInstanceNotificationReceiveUser | Removal of an alert administrator on the Notifications tab. |
system.ModifyInstanceNotificationConfig | Modification of notification settings. |
system.ModifyInstanceStorePolicy | Modification of the settings for automatic session video deletion. |
system.ModifyInstanceSessionPolicy | Modification of the settings for automatic session deletion. |
audit.DownloadOperationEventsBackup | Download of O&M event log backups. |
audit.ExportOperationAuditReport | Export of an O&M report. |
audit.DownloadAutoOperationTaskOutput | Download of the automatic O&M task result. |
asset.CreateHostShareKey | Creation of a shared key. |
asset.ModifyHostShareKey | Modification of a shared key. |
asset.DeleteHostShareKey | Deletion of a shared key. |
asset.AttachHostAccountsToHostShareKey | Association of a shared key with host accounts. |
asset.DetachHostAccountsFromHostShareKey | Disassociates of a shared key from host accounts. |
asset.CreateNetworkDomain | Creation of a network domain. |
asset.ModifyNetworkDomain | Modification of a network domain. |
asset.DeleteNetworkDomain | Deletion of a network domain. |
asset.MoveHostsToNetworkDomain | Change of the network domain to which a host belongs. |
asset.MoveDatabasesToNetworkDomain | Change of the network domain to which a database belongs. |
authorization.CreateRule | Creation of an authorization rule. |
authorization.ModifyRule | Modification of an authorization rule. |
authorization.DeleteRule | Deletion of an authorization rule. |
authorization.EnableRule | Enabling of an authorization rule. |
authorization.DisableRule | Disabling of an authorization rule. |
authorization.ExportAuthorizationRelation | Export of authorization data. |
operation.CreateOperationTicket | Creation of a ticket for O&M application review. |
operation.AcceptOperationTicket | Approval of an O&M application. |
operation.RejectOperationTicket | Rejection of an O&M application. |
operation.CancelOperationTicket | Cancellation of an O&M application. |
task.CreateAutoOperationTask | Creation of an O&M task. |
task.ModifyAutoOperationTask | Modification of an O&M task. |
task.DeleteAutoOperationTask | Deletion of an O&M task. |
task.StartAutoOperationTask | Start of an O&M task. |
task.StopAutoOperationTask | Stop of an O&M task. |
task.CreateAutoOperationScript | Creation of an O&M script. |
task.ModifyAutoOperationScript | Modification of an O&M script. |
task.DeleteAutoOperationScript | Deletion of an O&M script. |
task.AcceptOperationTaskApproval | Approval of a ticket for automatic O&M. |
task.RejectOperationTaskApproval | Rejection of a ticket for automatic O&M. |
task.CancelAutoOperationTask | Cancellation of an application for an O&M task. |
asset.ImportKMSSecretsForHost | Import of ECS secrets from KMS. |
operation.ConnectAsset | Connection to an asset. |
operation.LoginAsset | Logon to an asset. |
operation.LogoutAsset | Logoff from an asset. |
operation.SetOperationSSOConfig | Configuration modification for the single sign-on (SSO) client. |
operation.ModifyOperationUserProfile | Modification of the personal information of an O&M engineer. |
asset.CreateAppServer | Creation of an application server. |
asset.ModifyAppServer | Modification of an application server. |
asset.DeleteAppServers | Deletion of application servers. |
asset.SyncAppServerAccount | Synchronization of application server accounts. |
asset.CreateAppTool | Creation of a remote client tool. |
asset.ModifyAppTool | Modification of a remote client tool. |
asset.DeleteAppTools | Deletion of a remote client tool. |
asset.CreateApp | Creation of an application. |
asset.ModifyApp | Modification of an application. |
asset.DeleteApps | Deletion of applications. |
asset.DeleteApp | Deletion of an application. |
asset.CreateAppAccount | Creation of an application account. |
asset.ModifyAppAccount | Modification of an application account. |
asset.DeleteAppAccounts | Deletion of application accounts. |
asset.AttachAppAccountsToUser | Authorization for a user to use application accounts. |
asset.DetachAppAccountsFromUser | Removal of application accounts from the list of application accounts that a user is authorized to use. |
asset.AttachAppAccountsToUserGroup | Authorization for a user group to use application accounts. |
asset.DetachAppAccountsFromUserGroup | Removal of application accounts from the list of application accounts that a user group is authorized to use. |