All Products
Search
Document Center

Bastionhost:Archive audit logs in Simple Log Service

Last Updated:Dec 17, 2024

Bastionhost allows you to archive audit logs in Simple Log Service (SLS). After you configure the archiving settings for audit logs, Bastionhost automatically delivers the audit logs to Simple Log Service in real time. This topic describes how to archive audit logs in Simple Log Service.

Note

Only audit logs that are generated after the archiving settings are configured can be archived in Simple Log Service.

Background information

Audit logs record the O&M activities that Bastionhost users perform by using Bastionhost. The audit logs contain command audit records and operation logs. Bastionhost stores audit logs only for 180 days. If you want to store audit logs longer than 180 days, you can archive the audit logs in SLS. After you archive the audit logs in SLS, you can query and analyze the audit logs, specify a custom log retention period, and forward the audit logs to a third-party platform, such as Splunk, by using SLS. For more information, see Query and analysis or Ship logs from Simple Log Service to Splunk by using a Splunk add-on.

Note

After you archive the audit logs in SLS, the archiving operation does not affect the audit logs that are stored in Bastionhost. You can still view the audit logs on the Session Audit page of the console of a bastion host. For more information, see Search for sessions and view session details.

Procedure

  1. Log on to the Simple Log Service console.

  2. Follow the on-screen instructions to activate Simple Log Service.

  3. Visit the Log Audit Service page.

  4. In the left-side navigation pane, choose Access to Cloud Products > Global Configurations. Then, perform the following steps to complete the settings for collecting audit logs.

    1. In the Region of the Central Project drop-down list, select a region for centralized storage of logs.

    2. Find Bastion Host in the Cloud Products column, turn on Operations Log, and then specify a retention period for audit logs in the Storage Type column. 全局配置

  5. View audit logs.

    1. In the left-side navigation pane, click the 审计查询 icon.

    2. Choose Central > Bastionhost to view audit logs.

      The following table describes the log fields of Bastionhost audit logs that are stored in Simple Log Service (SLS).

    3. Field

      Description

      __topic__

      The topic of the log. The value is fixed as bastionhost.

      owner_id

      The Alibaba Cloud account ID.

      region

      The region in which the bastion host resides.

      content

      The operation that is recorded in the log, such as a command-related operation and file transmission.

      event_type

      The event type. For more information, see the "Valid values of the event_type field" section of this topic.

      instance_id

      The ID of the bastion host.

      resource_address

      The IP address of the asset on which the O&M operation is performed.

      resource_name

      The name of the asset on which the O&M operation is performed.

      result

      The result of the operation, such as a command-related operation and file transmission.

      session_id

      The session ID.

      user_client_ip

      The IP address of the Bastionhost user who access the bastion host.

      user_id

      The ID of the Bastionhost user.

      user_name

      The username of the Bastionhost user.

Valid values of the event_type field

Valid value

Description

db.oracle.req

A request sent to an Oracle database.

db.mysql.req

A request sent to a MySQL database.

db.pgsql.req

A request sent to a PostgreSQL database.

cmd.Command

A command-related operation.

cmd.Command.policy

A command processed based on control policies.

graph.Text

A graphic text-related event.

graph.Keyboard

A graphic keyboard event.

file.Upload

Upload of a file.

file.Download

Download of a file.

file.Rename

Renaming of a file.

file.Delete

Deletion of a file.

file.DeleteDir

Deletion of a directory.

file.CreateDir

Creation of a directory.

login.CSLogin

A client software (CS)-based logon by a user.

Session.session

A session.

The following values are supported only in Bastionhost V3.2.43 and later.

login.CSPasswordLogin

Password-based authentication upon CS-based logon.

login.CSResetPassword

A password change by using CS.

login.PortalPasswordLogin

Password-based authentication upon logon from the portal.

user.PortalResetPassword

A password change by using the portal.

user.PortalClearOTP

Unbinding the one-time password (OTP) app by using the portal.

user.PortalBindOTP

Binding the OTP app by using the portal.

user.PortalLogout

Logoff from the portal.

login.CSTwoFactorLogin

Two-factor authentication upon CS-based logon.

login.PortalTwoFactorLogin

Two-factor authentication upon logon from the portal.

user.CreateUser

Creation of a user.

user.DeleteUser

Deletion of a user.

user.ModifyUser

User modification.

user.LockUser

Locking of an account.

user.UnlockUser

Unlocking of an account.

user.CreateUserPublicKey

Addition of an SSH public key.

user.ModifyUserPublicKey

Update of an SSH public key.

user.DeleteUserPublicKey

Deletion of an SSH public key.

user.ExportUsers

Export of users.

user.SyncRemoteUserDN

Synchronization of the distinguished name (DN) of a remote user.

user.NotifyUserOperationAddress

Modification of user logon restrictions.

user.SetUserUSBKey

Association of a USB key certificate.

user.ResetUserUSBKey

Disassociation of a USB key certificate.

user.CreateUserGroup

Creation of a user group.

user.ModifyUserGroup

Modification of a user group.

user.DeleteUserGroup

Deletion of a user group.

user.AddUsersToGroup

Addition of users to a user group.

user.RemoveUsersFromGroup

Removal of users from a user group.

asset.CreateHost

Import of a host.

asset.ModifyHost

Modification of a host.

asset.DeleteHost

Deletion a host.

asset.EnableHost

Enabling of a host.

asset.DisableHost

Disabling of a host.

asset.ResetHostsFingerPrint

Update of a host fingerprint.

asset.RefreshECSHostStatus

Status check for an Elastic Compute Service (ECS) instance.

asset.RefreshKMSSecretsForECS

Update status check for Key Management Service (KMS) secrets on an ECS instance.

asset.RefreshAssetNetworkStatus

Network status check for an asset.

asset.ExportHosts

Export of hosts.

asset.CreateDatabase

Creation of a database.

asset.ModifyDatabase

Modification of a database.

asset.DeleteDatabase

Deletion of a database.

asset.EnableDatabase

Enabling of a database.

asset.DisableDatabase

Disabling of a database.

asset.RefreshRDSDatabaseStatus

Status check for an ApsaraDB RDS database.

asset.ExportDatabases

Export of databases.

asset.CreateAssetGroup

Creation of an asset group.

asset.ModifyAssetGroup

Modification of an asset group.

asset.DeleteAssetGroup

Deletion of an asset group.

asset.AddHostsToGroup

Addition of hosts to an asset group.

asset.RemoveHostsFromGroup

Removal of hosts from an asset group.

asset.AddDatabasesToGroup

Addition of databases to an asset group.

asset.RemoveDatabasesFromGroup

Removal of databases from an asset group.

asset.AddAppsToGroup

Addition of applications to an asset group.

asset.RemoveAppsFromGroup

Removal of applications from an asset group.

asset.CreateHostAccount

Creation of a host account.

asset.ModifyHostAccount

Modification of a host account.

asset.DeleteHostAccount

Deletion of a host account.

asset.ResetHostAccountCredential

Deletion of the logon credential for a host account.

asset.CreateDatabaseAccount

Creation of a database account.

asset.ModifyDatabaseAccount

Modification of a database account.

asset.DeleteDatabaseAccount

Deletion of a database account.

asset.CreateAssetSource

Import of a third-party host.

asset.ModifyAssetSource

Modification of a third-party host.

asset.DeleteAssetSource

Deletion of a third-party host.

authorization.AttachHostAccountsToUser

Authorization for a user to use host accounts.

authorization.DetachHostAccountsFromUser

Removal of host accounts from the list of host accounts that a user is authorized to use.

authorization.AttachHostAccountsToUserGroup

Authorization for a user group to use host accounts.

authorization.DetachHostAccountsFromUserGroup

Removal of host accounts from the list of host accounts that a user group is authorized to use.

authorization.AttachAssetGroupAccountsToUser

Authorization for a user to use host account names.

authorization.DetachAssetGroupAccountsFromUser

Removal of host account names from the list of host account names that a user is authorized to use.

authorization.AttachAssetGroupAccountsToUserGroup

Authorization for a user group to use host account names.

authorization.DetachAssetGroupAccountsFromUserGroup

Removal of host account names from the list of host account names that a user group is authorized to use.

asset.AttachDatabaseAccountsToUser

Authorization for a user to use database accounts.

asset.DetachDatabaseAccountsFromUser

Removal of database accounts from the list of database accounts that a user is authorized to use.

asset.AttachDatabaseAccountsToUserGroup

Authorization for a user group to use database accounts.

asset.DetachDatabaseAccountsFromUserGroup

Removal of database accounts from the list of database accounts that a user group is authorized to use.

policy.CreatePolicy

Creation of a control policy.

policy.DeletePolicy

Deletion of a control policy.

policy.ModifyPolicy

Update of a control policy.

policy.AttachUsersToPolicy

Association of users with a control policy.

policy.DetachUsersFromPolicy

Disassociation of users from a control policy.

policy.AttachUserGroupsToPolicy

Association of user groups with a control policy.

policy.DetachUserGroupsFromPolicy

Disassociation of user groups from a control policy.

policy.AttachHostsToPolicy

Association of hosts with a control policy.

policy.DetachHostsFromPolicy

Disassociation of hosts from a control policy.

policy.AttachAssetGroupsToPolicy

Association of host groups with a control policy.

policy.DetachAssetGroupsFromPolicy

Disassociation of host groups from a control policy.

policy.CreateDatabaseMaskPolicy

Creation of a data masking policy.

policy.ModifyDatabaseMaskPolicy

Modification of a data masking policy.

policy.DeleteDatabaseMaskPolicy

Deletion of a data masking policy.

policy.AttachDatabasesToPolicy

Association of databases with a control policy.

policy.DetachDatabasesFromPolicy

Disassociation of databases from a control policy.

policy.AttachAppsToPolicy

Association of applications with a control policy.

policy.DetachAppsFromPolicy

Disassociation of applications from a control policy.

policy.SetPolicyUserScope

Determination of the users to whom a control policy applies.

policy.SetPolicyAssetScope

Determination of the assets to which a control policy applies.

policy.SetHostAccountToPolicy

Determination of the account used to log on to a host associated with a control policy.

policy.SetDatabaseAccountToPolicy

Determination of the account used to log on to a database associated with a control policy.

policy.SetAppAccountToPolicy

Determination of the account used to log on to a database associated with a control policy.

policy.SetAssetGroupAccountNamesToPolicy

Determination of the account used to access an asset group associated with a control policy.

policy.GenerateApproveCommand

Generation of a command review record.

policy.CancelApproveCommand

Cancellation of command review.

policy.AcceptApproveCommand

Adoption of command review.

policy.RejectApproveCommand

Rejection of command review.

policy.GenerateApproveCommand

Creation of a command review task.

task.CreatePasswordTask

Creation of a password change task.

task.ModifyPasswordTask

Update of a password change task.

task.DeletePasswordTask

Deletion of a password change task.

task.AttachHostAccountsToPasswordTask

Association of host accounts with a password change task.

task.DetachHostAccountsFromPasswordTask

Disassociation of host accounts from a password change task.

task.ExecutePasswordTask

Execution of a password change task.

task.CancelPasswordTask

Cancellation of a password change task.

task.EnablePasswordTask

Start of a password change task.

task.ExportPasswordTaskHistory

Export of password change records.

system.DeleteAuditSessionVideo

Deletion of a session video file.

system.ModifyInstanceTwoFactor

Modification of two-factor authentication settings.

system.InterruptAuditSession

Blocking of a session.

system.ImportBastionHostConfig

Import of configuration backups.

system.ExportBastionHostConfig

Export of configuration backups.

system.ModifyInstanceLDAPAuthServer

Configuration modification for a Lightweight Directory Access Protocol (LDAP) authentication server.

system.ModifyInstanceADAuthServer

Configuration modification for an Active Directory (AD) authentication server.

system.AddInstanceMember

Addition of a Resource Directory member.

system.RemoveInstanceMember

Removal of a Resource Directory member.

system.ModifyInstanceTLSConfig

Modification of Transport Layer Security (TLS) settings.

system.ModifyDataEncryptionConfig

Change of the data encryption method.

system.VerifyUserInfoSignature

Signature verification for key information protection.

system.BindIDaaSInstance

Association of an Identity as a Service (IDaaS) Instance.

system.UnbindIDaaSInstance

Disassociation of an IDaaS instance.

system.ModifyInstanceLoginPolicy

Modification of user logon and lockout settings.

system.ModifyInstanceUserPolicy

Modification of user password security and status settings.

system.CreateInstanceADAuthServer

Creation of an AD authentication server.

system.DeleteInstanceADAuthServer

Deletion of an AD authentication server.

system.ModifyInstanceIDaaSConfig

Configuration modification for an associated IDaaS instance.

system.ModifyInstanceOperationConfig

Modification of O&M settings for a bastion host.

system.ModifyInstanceAssetPolicy

Modification of the connectivity check cycle.

system.AddInstanceNotificationReceiveUser

Addition of an alert administrator on the Notifications tab.

system.RemoveInstanceNotificationReceiveUser

Removal of an alert administrator on the Notifications tab.

system.ModifyInstanceNotificationConfig

Modification of notification settings.

system.ModifyInstanceStorePolicy

Modification of the settings for automatic session video deletion.

system.ModifyInstanceSessionPolicy

Modification of the settings for automatic session deletion.

audit.DownloadOperationEventsBackup

Download of O&M event log backups.

audit.ExportOperationAuditReport

Export of an O&M report.

audit.DownloadAutoOperationTaskOutput

Download of the automatic O&M task result.

asset.CreateHostShareKey

Creation of a shared key.

asset.ModifyHostShareKey

Modification of a shared key.

asset.DeleteHostShareKey

Deletion of a shared key.

asset.AttachHostAccountsToHostShareKey

Association of a shared key with host accounts.

asset.DetachHostAccountsFromHostShareKey

Disassociates of a shared key from host accounts.

asset.CreateNetworkDomain

Creation of a network domain.

asset.ModifyNetworkDomain

Modification of a network domain.

asset.DeleteNetworkDomain

Deletion of a network domain.

asset.MoveHostsToNetworkDomain

Change of the network domain to which a host belongs.

asset.MoveDatabasesToNetworkDomain

Change of the network domain to which a database belongs.

authorization.CreateRule

Creation of an authorization rule.

authorization.ModifyRule

Modification of an authorization rule.

authorization.DeleteRule

Deletion of an authorization rule.

authorization.EnableRule

Enabling of an authorization rule.

authorization.DisableRule

Disabling of an authorization rule.

authorization.ExportAuthorizationRelation

Export of authorization data.

operation.CreateOperationTicket

Creation of a ticket for O&M application review.

operation.AcceptOperationTicket

Approval of an O&M application.

operation.RejectOperationTicket

Rejection of an O&M application.

operation.CancelOperationTicket

Cancellation of an O&M application.

task.CreateAutoOperationTask

Creation of an O&M task.

task.ModifyAutoOperationTask

Modification of an O&M task.

task.DeleteAutoOperationTask

Deletion of an O&M task.

task.StartAutoOperationTask

Start of an O&M task.

task.StopAutoOperationTask

Stop of an O&M task.

task.CreateAutoOperationScript

Creation of an O&M script.

task.ModifyAutoOperationScript

Modification of an O&M script.

task.DeleteAutoOperationScript

Deletion of an O&M script.

task.AcceptOperationTaskApproval

Approval of a ticket for automatic O&M.

task.RejectOperationTaskApproval

Rejection of a ticket for automatic O&M.

task.CancelAutoOperationTask

Cancellation of an application for an O&M task.

asset.ImportKMSSecretsForHost

Import of ECS secrets from KMS.

operation.ConnectAsset

Connection to an asset.

operation.LoginAsset

Logon to an asset.

operation.LogoutAsset

Logoff from an asset.

operation.SetOperationSSOConfig

Configuration modification for the single sign-on (SSO) client.

operation.ModifyOperationUserProfile

Modification of the personal information of an O&M engineer.

asset.CreateAppServer

Creation of an application server.

asset.ModifyAppServer

Modification of an application server.

asset.DeleteAppServers

Deletion of application servers.

asset.SyncAppServerAccount

Synchronization of application server accounts.

asset.CreateAppTool

Creation of a remote client tool.

asset.ModifyAppTool

Modification of a remote client tool.

asset.DeleteAppTools

Deletion of a remote client tool.

asset.CreateApp

Creation of an application.

asset.ModifyApp

Modification of an application.

asset.DeleteApps

Deletion of applications.

asset.DeleteApp

Deletion of an application.

asset.CreateAppAccount

Creation of an application account.

asset.ModifyAppAccount

Modification of an application account.

asset.DeleteAppAccounts

Deletion of application accounts.

asset.AttachAppAccountsToUser

Authorization for a user to use application accounts.

asset.DetachAppAccountsFromUser

Removal of application accounts from the list of application accounts that a user is authorized to use.

asset.AttachAppAccountsToUserGroup

Authorization for a user group to use application accounts.

asset.DetachAppAccountsFromUserGroup

Removal of application accounts from the list of application accounts that a user group is authorized to use.