
Bastionhost: Archive audit logs in Simple Log Service

Last Updated: Oct 31, 2024

Bastionhost allows you to archive audit logs in Simple Log Service (SLS). After you configure the archiving settings for audit logs, Bastionhost automatically delivers the audit logs to Simple Log Service. This topic describes how to archive audit logs in Simple Log Service.

Background information

Audit logs record the O&M activities that Bastionhost users perform by using Bastionhost. The audit logs contain command audit records and operation logs. Bastionhost stores audit logs only for 180 days. If you want to store audit logs longer than 180 days, you can archive the audit logs in SLS. After you archive the audit logs in SLS, you can query and analyze the audit logs, specify a custom log retention period, and forward the audit logs to a third-party platform, such as Splunk, by using SLS. For more information, see Query and analysis or Ship logs from Simple Log Service to Splunk by using a Splunk add-on.

Note

Archiving audit logs in SLS does not affect the audit logs that are stored in Bastionhost. You can still view the audit logs on the Session Audit page of the console of a bastion host. For more information, see Search for sessions and view session details.

Procedure

  1. Log on to the Simple Log Service console.

  2. Follow the on-screen instructions to activate Simple Log Service.

  3. Visit the Log Audit Service page.

  4. In the left-side navigation pane, choose Access to Cloud Products > Global Configurations. Then, perform the following steps to complete the settings for collecting audit logs.

    1. In the Region of the Central Project drop-down list, select a region for centralized storage of logs.

    2. Find Bastion Host in the Cloud Products column, turn on Operations Log, and then specify a retention period for audit logs in the Storage Type column.

  5. View audit logs.

    1. In the left-side navigation pane, click the Audit Query icon.

    2. Choose Central > Bastionhost to view audit logs.

      The following table describes the log fields of Bastionhost audit logs that are stored in Simple Log Service (SLS).

      | Field | Description |
      | --- | --- |
      | __topic__ | The topic of the log. The value is fixed as bastionhost. |
      | owner_id | The Alibaba Cloud account ID. |
      | region | The region in which the bastion host resides. |
      | content | The operation that is recorded in the log, such as a command-related operation and file transmission. |
      | event_type | The event type. For more information, see the Valid values of the event_type field section of this topic. |
      | instance_id | The ID of the bastion host. |
      | resource_address | The IP address of the asset on which the O&M operation is performed. |
      | resource_name | The name of the asset on which the O&M operation is performed. |
      | result | The result of the operation, such as a command-related operation and file transmission. |
      | session_id | The session ID. |
      | user_client_ip | The IP address of the Bastionhost user who accesses the bastion host. |
      | user_id | The ID of the Bastionhost user. |
      | user_name | The username of the Bastionhost user. |

Valid values of the event_type field

| Valid value | Description |
| --- | --- |
| db.oracle.req | A request sent to an Oracle database. |
| db.mysql.req | A request sent to a MySQL database. |
| db.pgsql.req | A request sent to a PostgreSQL database. |
| cmd.Command | A command-related operation. |
| cmd.Command.policy | A command processed based on control policies. |
| graph.Text | A graphic text-related event. |
| graph.Keyboard | A graphic keyboard event. |
| file.Upload | Upload of a file. |
| file.Download | Download of a file. |
| file.Rename | Renaming of a file. |
| file.Delete | Deletion of a file. |
| file.DeleteDir | Deletion of a directory. |
| file.CreateDir | Creation of a directory. |
| login.CSLogin | A client software (CS)-based logon by a user. |
| Session.session | A session. |

The following values are supported only in Bastionhost V3.2.43 and later.

| Valid value | Description |
| --- | --- |
| login.CSPasswordLogin | Password-based authentication upon CS-based logon. |
| login.CSResetPassword | A password change by using CS. |
| login.PortalPasswordLogin | Password-based authentication upon logon from the portal. |
| user.PortalResetPassword | A password change by using the portal. |
| user.PortalClearOTP | Unbinding the one-time password (OTP) app by using the portal. |
| user.PortalBindOTP | Binding the OTP app by using the portal. |
| user.PortalLogout | Logoff from the portal. |
| login.CSTwoFactorLogin | Two-factor authentication upon CS-based logon. |
| login.PortalTwoFactorLogin | Two-factor authentication upon logon from the portal. |
| user.CreateUser | Creation of a user. |
| user.DeleteUser | Deletion of a user. |
| user.ModifyUser | User modification. |
| user.LockUser | Locking of an account. |
| user.UnlockUser | Unlocking of an account. |
| user.CreateUserPublicKey | Addition of an SSH public key. |
| user.ModifyUserPublicKey | Update of an SSH public key. |
| user.DeleteUserPublicKey | Deletion of an SSH public key. |
| user.ExportUsers | Export of users. |
| user.SyncRemoteUserDN | Synchronization of the distinguished name (DN) of a remote user. |
| user.NotifyUserOperationAddress | Modification of user logon restrictions. |
| user.SetUserUSBKey | Association of a USB key certificate. |
| user.ResetUserUSBKey | Disassociation of a USB key certificate. |
| user.CreateUserGroup | Creation of a user group. |
| user.ModifyUserGroup | Modification of a user group. |
| user.DeleteUserGroup | Deletion of a user group. |
| user.AddUsersToGroup | Addition of users to a user group. |
| user.RemoveUsersFromGroup | Removal of users from a user group. |
| asset.CreateHost | Import of a host. |
| asset.ModifyHost | Modification of a host. |
| asset.DeleteHost | Deletion of a host. |
| asset.EnableHost | Enabling of a host. |
| asset.DisableHost | Disabling of a host. |
| asset.ResetHostsFingerPrint | Update of a host fingerprint. |
| asset.RefreshECSHostStatus | Status check for an Elastic Compute Service (ECS) instance. |
| asset.RefreshKMSSecretsForECS | Update status check for Key Management Service (KMS) secrets on an ECS instance. |
| asset.RefreshAssetNetworkStatus | Network status check for an asset. |
| asset.ExportHosts | Export of hosts. |
| asset.CreateDatabase | Creation of a database. |
| asset.ModifyDatabase | Modification of a database. |
| asset.DeleteDatabase | Deletion of a database. |
| asset.EnableDatabase | Enabling of a database. |
| asset.DisableDatabase | Disabling of a database. |
| asset.RefreshRDSDatabaseStatus | Status check for an ApsaraDB RDS database. |
| asset.ExportDatabases | Export of databases. |
| asset.CreateAssetGroup | Creation of an asset group. |
| asset.ModifyAssetGroup | Modification of an asset group. |
| asset.DeleteAssetGroup | Deletion of an asset group. |
| asset.AddHostsToGroup | Addition of hosts to an asset group. |
| asset.RemoveHostsFromGroup | Removal of hosts from an asset group. |
| asset.AddDatabasesToGroup | Addition of databases to an asset group. |
| asset.RemoveDatabasesFromGroup | Removal of databases from an asset group. |
| asset.AddAppsToGroup | Addition of applications to an asset group. |
| asset.RemoveAppsFromGroup | Removal of applications from an asset group. |
| asset.CreateHostAccount | Creation of a host account. |
| asset.ModifyHostAccount | Modification of a host account. |
| asset.DeleteHostAccount | Deletion of a host account. |
| asset.ResetHostAccountCredential | Deletion of the logon credential for a host account. |
| asset.CreateDatabaseAccount | Creation of a database account. |
| asset.ModifyDatabaseAccount | Modification of a database account. |
| asset.DeleteDatabaseAccount | Deletion of a database account. |
| asset.CreateAssetSource | Import of a third-party host. |
| asset.ModifyAssetSource | Modification of a third-party host. |
| asset.DeleteAssetSource | Deletion of a third-party host. |
| authorization.AttachHostAccountsToUser | Authorization for a user to use host accounts. |
| authorization.DetachHostAccountsFromUser | Removal of host accounts from the list of host accounts that a user is authorized to use. |
| authorization.AttachHostAccountsToUserGroup | Authorization for a user group to use host accounts. |
| authorization.DetachHostAccountsFromUserGroup | Removal of host accounts from the list of host accounts that a user group is authorized to use. |
| authorization.AttachAssetGroupAccountsToUser | Authorization for a user to use host account names. |
| authorization.DetachAssetGroupAccountsFromUser | Removal of host account names from the list of host account names that a user is authorized to use. |
| authorization.AttachAssetGroupAccountsToUserGroup | Authorization for a user group to use host account names. |
| authorization.DetachAssetGroupAccountsFromUserGroup | Removal of host account names from the list of host account names that a user group is authorized to use. |
| asset.AttachDatabaseAccountsToUser | Authorization for a user to use database accounts. |
| asset.DetachDatabaseAccountsFromUser | Removal of database accounts from the list of database accounts that a user is authorized to use. |
| asset.AttachDatabaseAccountsToUserGroup | Authorization for a user group to use database accounts. |
| asset.DetachDatabaseAccountsFromUserGroup | Removal of database accounts from the list of database accounts that a user group is authorized to use. |
| policy.CreatePolicy | Creation of a control policy. |
| policy.DeletePolicy | Deletion of a control policy. |
| policy.ModifyPolicy | Update of a control policy. |
| policy.AttachUsersToPolicy | Association of users with a control policy. |
| policy.DetachUsersFromPolicy | Disassociation of users from a control policy. |
| policy.AttachUserGroupsToPolicy | Association of user groups with a control policy. |
| policy.DetachUserGroupsFromPolicy | Disassociation of user groups from a control policy. |
| policy.AttachHostsToPolicy | Association of hosts with a control policy. |
| policy.DetachHostsFromPolicy | Disassociation of hosts from a control policy. |
| policy.AttachAssetGroupsToPolicy | Association of host groups with a control policy. |
| policy.DetachAssetGroupsFromPolicy | Disassociation of host groups from a control policy. |
| policy.CreateDatabaseMaskPolicy | Creation of a data masking policy. |
| policy.ModifyDatabaseMaskPolicy | Modification of a data masking policy. |
| policy.DeleteDatabaseMaskPolicy | Deletion of a data masking policy. |
| policy.AttachDatabasesToPolicy | Association of databases with a control policy. |
| policy.DetachDatabasesFromPolicy | Disassociation of databases from a control policy. |
| policy.AttachAppsToPolicy | Association of applications with a control policy. |
| policy.DetachAppsFromPolicy | Disassociation of applications from a control policy. |
| policy.SetPolicyUserScope | Determination of the users to whom a control policy applies. |
| policy.SetPolicyAssetScope | Determination of the assets to which a control policy applies. |
| policy.SetHostAccountToPolicy | Determination of the account used to log on to a host associated with a control policy. |
| policy.SetDatabaseAccountToPolicy | Determination of the account used to log on to a database associated with a control policy. |
| policy.SetAppAccountToPolicy | Determination of the account used to log on to a database associated with a control policy. |
| policy.SetAssetGroupAccountNamesToPolicy | Determination of the account used to access an asset group associated with a control policy. |
| policy.GenerateApproveCommand | Generation of a command review record. |
| policy.CancelApproveCommand | Cancellation of command review. |
| policy.AcceptApproveCommand | Adoption of command review. |
| policy.RejectApproveCommand | Rejection of command review. |
| policy.GenerateApproveCommand | Creation of a command review task. |
| task.CreatePasswordTask | Creation of a password change task. |
| task.ModifyPasswordTask | Update of a password change task. |
| task.DeletePasswordTask | Deletion of a password change task. |
| task.AttachHostAccountsToPasswordTask | Association of host accounts with a password change task. |
| task.DetachHostAccountsFromPasswordTask | Disassociation of host accounts from a password change task. |
| task.ExecutePasswordTask | Execution of a password change task. |
| task.CancelPasswordTask | Cancellation of a password change task. |
| task.EnablePasswordTask | Start of a password change task. |
| task.ExportPasswordTaskHistory | Export of password change records. |
| system.DeleteAuditSessionVideo | Deletion of a session video file. |
| system.ModifyInstanceTwoFactor | Modification of two-factor authentication settings. |
| system.InterruptAuditSession | Blocking of a session. |
| system.ImportBastionHostConfig | Import of configuration backups. |
| system.ExportBastionHostConfig | Export of configuration backups. |
| system.ModifyInstanceLDAPAuthServer | Configuration modification for a Lightweight Directory Access Protocol (LDAP) authentication server. |
| system.ModifyInstanceADAuthServer | Configuration modification for an Active Directory (AD) authentication server. |
| system.AddInstanceMember | Addition of a Resource Directory member. |
| system.RemoveInstanceMember | Removal of a Resource Directory member. |
| system.ModifyInstanceTLSConfig | Modification of Transport Layer Security (TLS) settings. |
| system.ModifyDataEncryptionConfig | Change of the data encryption method. |
| system.VerifyUserInfoSignature | Signature verification for key information protection. |
| system.BindIDaaSInstance | Association of an Identity as a Service (IDaaS) instance. |
| system.UnbindIDaaSInstance | Disassociation of an IDaaS instance. |
| system.ModifyInstanceLoginPolicy | Modification of user logon and lockout settings. |
| system.ModifyInstanceUserPolicy | Modification of user password security and status settings. |
| system.CreateInstanceADAuthServer | Creation of an AD authentication server. |
| system.DeleteInstanceADAuthServer | Deletion of an AD authentication server. |
| system.ModifyInstanceIDaaSConfig | Configuration modification for an associated IDaaS instance. |
| system.ModifyInstanceOperationConfig | Modification of O&M settings for a bastion host. |
| system.ModifyInstanceAssetPolicy | Modification of the connectivity check cycle. |
| system.AddInstanceNotificationReceiveUser | Addition of an alert administrator on the Notifications tab. |
| system.RemoveInstanceNotificationReceiveUser | Removal of an alert administrator on the Notifications tab. |
| system.ModifyInstanceNotificationConfig | Modification of notification settings. |
| system.ModifyInstanceStorePolicy | Modification of the settings for automatic session video deletion. |
| system.ModifyInstanceSessionPolicy | Modification of the settings for automatic session deletion. |
| audit.DownloadOperationEventsBackup | Download of O&M event log backups. |
| audit.ExportOperationAuditReport | Export of an O&M report. |
| audit.DownloadAutoOperationTaskOutput | Download of the automatic O&M task result. |
| asset.CreateHostShareKey | Creation of a shared key. |
| asset.ModifyHostShareKey | Modification of a shared key. |
| asset.DeleteHostShareKey | Deletion of a shared key. |
| asset.AttachHostAccountsToHostShareKey | Association of a shared key with host accounts. |
| asset.DetachHostAccountsFromHostShareKey | Disassociation of a shared key from host accounts. |
| asset.CreateNetworkDomain | Creation of a network domain. |
| asset.ModifyNetworkDomain | Modification of a network domain. |
| asset.DeleteNetworkDomain | Deletion of a network domain. |
| asset.MoveHostsToNetworkDomain | Change of the network domain to which a host belongs. |
| asset.MoveDatabasesToNetworkDomain | Change of the network domain to which a database belongs. |
| authorization.CreateRule | Creation of an authorization rule. |
| authorization.ModifyRule | Modification of an authorization rule. |
| authorization.DeleteRule | Deletion of an authorization rule. |
| authorization.EnableRule | Enabling of an authorization rule. |
| authorization.DisableRule | Disabling of an authorization rule. |
| authorization.ExportAuthorizationRelation | Export of authorization data. |
| operation.CreateOperationTicket | Creation of a ticket for O&M application review. |
| operation.AcceptOperationTicket | Approval of an O&M application. |
| operation.RejectOperationTicket | Rejection of an O&M application. |
| operation.CancelOperationTicket | Cancellation of an O&M application. |
| task.CreateAutoOperationTask | Creation of an O&M task. |
| task.ModifyAutoOperationTask | Modification of an O&M task. |
| task.DeleteAutoOperationTask | Deletion of an O&M task. |
| task.StartAutoOperationTask | Start of an O&M task. |
| task.StopAutoOperationTask | Stop of an O&M task. |
| task.CreateAutoOperationScript | Creation of an O&M script. |
| task.ModifyAutoOperationScript | Modification of an O&M script. |
| task.DeleteAutoOperationScript | Deletion of an O&M script. |
| task.AcceptOperationTaskApproval | Approval of a ticket for automatic O&M. |
| task.RejectOperationTaskApproval | Rejection of a ticket for automatic O&M. |
| task.CancelAutoOperationTask | Cancellation of an application for an O&M task. |
| asset.ImportKMSSecretsForHost | Import of ECS secrets from KMS. |
| operation.ConnectAsset | Connection to an asset. |
| operation.LoginAsset | Logon to an asset. |
| operation.LogoutAsset | Logoff from an asset. |
| operation.SetOperationSSOConfig | Configuration modification for the single sign-on (SSO) client. |
| operation.ModifyOperationUserProfile | Modification of the personal information of an O&M engineer. |
| asset.CreateAppServer | Creation of an application server. |
| asset.ModifyAppServer | Modification of an application server. |
| asset.DeleteAppServers | Deletion of application servers. |
| asset.SyncAppServerAccount | Synchronization of application server accounts. |
| asset.CreateAppTool | Creation of a remote client tool. |
| asset.ModifyAppTool | Modification of a remote client tool. |
| asset.DeleteAppTools | Deletion of a remote client tool. |
| asset.CreateApp | Creation of an application. |
| asset.ModifyApp | Modification of an application. |
| asset.DeleteApps | Deletion of applications. |
| asset.DeleteApp | Deletion of an application. |
| asset.CreateAppAccount | Creation of an application account. |
| asset.ModifyAppAccount | Modification of an application account. |
| asset.DeleteAppAccounts | Deletion of application accounts. |
| asset.AttachAppAccountsToUser | Authorization for a user to use application accounts. |
| asset.DetachAppAccountsFromUser | Removal of application accounts from the list of application accounts that a user is authorized to use. |
| asset.AttachAppAccountsToUserGroup | Authorization for a user group to use application accounts. |
| asset.DetachAppAccountsFromUserGroup | Removal of application accounts from the list of application accounts that a user group is authorized to use. |
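
The log fields and event_type values in this topic are enough to drive a first-pass review of archived audit logs. The following is an added example, not part of the Bastionhost documentation: it assumes the logs were exported from SLS as one JSON object per line with the field names listed above, and the watchlist grouping, the `triage` and `multi_category` helpers, and the sample records are constructed for illustration.

```python
import json
from collections import defaultdict

# event_type values copied from the table in this topic. Grouping them into
# review categories is an assumption of this example, not a Bastionhost feature.
WATCHLIST = {
    "audit-evidence": {"system.DeleteAuditSessionVideo", "system.ModifyInstanceStorePolicy",
                       "system.ModifyInstanceSessionPolicy"},
    "auth-weakening": {"system.ModifyInstanceTwoFactor", "system.ModifyInstanceLoginPolicy",
                       "user.PortalClearOTP"},
    "bulk-export": {"user.ExportUsers", "asset.ExportHosts", "system.ExportBastionHostConfig"},
}

def triage(lines):
    """Return (findings, rejected) for an iterable of JSON log lines."""
    findings = defaultdict(list)  # (instance_id, user_name) -> list of hits
    rejected = []                 # 1-based numbers of unusable lines
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None
        # Accept only JSON objects that carry the fixed Bastionhost topic.
        if not isinstance(rec, dict) or rec.get("__topic__") != "bastionhost":
            rejected.append(n)
            continue
        event = rec.get("event_type", "")
        for category, events in WATCHLIST.items():
            if event in events:
                key = (rec.get("instance_id", ""), rec.get("user_name", ""))
                findings[key].append((category, event, rec.get("user_client_ip", "")))
    return dict(findings), rejected

def multi_category(findings):
    """Principals whose hits span more than one watchlist category."""
    return sorted(key for key, hits in findings.items()
                  if len({category for category, _, _ in hits}) > 1)

def _rec(event_type, user, ip, topic="bastionhost"):
    # Constructed sample record; instance ID and addresses are placeholders.
    return json.dumps({"__topic__": topic, "event_type": event_type, "user_name": user,
                       "user_client_ip": ip, "instance_id": "bastionhost-EXAMPLE"})

SAMPLE = [
    _rec("cmd.Command", "alice", "192.0.2.10"),
    _rec("user.PortalClearOTP", "bob", "198.51.100.7"),
    _rec("system.DeleteAuditSessionVideo", "bob", "198.51.100.7"),
    _rec("asset.ExportHosts", "carol", "192.0.2.44"),
    _rec("user.ExportUsers", "dave", "192.0.2.45", topic="other"),
    "not json",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Lines that fail to parse or carry a different `__topic__` are reported by number rather than dropped silently, so gaps in the archive show up during review.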