You can deliver ActionTrail logs and Cloud Config logs for all members in your resource directory to a specified log archive account. You can deliver logs to Object Storage Service (OSS) for long-term storage or to Simple Log Service (SLS) for real-time log analysis. Centralized log delivery allows dedicated auditors to easily query and analyze audit logs.
Background information
Delivering logs to Object Storage Service (OSS) or Simple Log Service (SLS) incurs storage fees. For more information about billing, see OSS Billing overview or SLS Billing overview.
Initialize centralized delivery for ActionTrail logs
You can deliver management events for all members in your resource directory to Object Storage Service (OSS) or Simple Log Service (SLS).
Log on to the Cloud Governance Center console.
In the navigation pane on the left, choose .
Select a blueprint and click Set Up.
This topic uses the standard blueprint as an example.
On the Configure Blueprint page, in the Added Items section, click Centralized ActionTrail Log Delivery.
Note: If the target item is not in the Added Items list, click Add Item to add it.
From the Account Selection drop-down list, select a destination account for log delivery.
By default, audit logs are delivered to the log archive account created in Step 3: Create core accounts.
Turn on the switch for the target delivery method and configure the parameters.
Delivery method: Deliver to Simple Log Service (SLS)
Manual configuration:
Region: The region where the SLS Logstore resides.
Logstore Name: The name must be globally unique. We recommend that you use your company name as a prefix, such as landingzone-actiontrail-xxxx.
Automatic configuration:
Cloud Governance Center automatically creates a multi-account trail named landingzone-enterprise to track all types of events in all regions.
Note: If a multi-account trail already exists in ActionTrail, it is used. A new one is not created.
Delivery method: Deliver to Object Storage Service (OSS)
Manual configuration:
Region: The region where the OSS bucket resides.
Bucket Name: The name must be globally unique. We recommend that you use your company name as a prefix, such as landingzone-actiontrail-xxxx.
Initialize centralized delivery for Cloud Config logs
You can continuously deliver resource change data for all members in your resource directory to Object Storage Service (OSS) or Simple Log Service (SLS).
Log on to the Cloud Governance Center console.
In the navigation pane on the left, choose .
Select a blueprint and click Set Up.
This topic uses the standard blueprint as an example.
On the Configure Blueprint page, in the Added Items section, click Centralized Cloud Config Log Delivery.
Note: If the target item is not in the Added Items list, click Add Item to add it.
From the Account Selection drop-down list, select a destination account for log delivery.
By default, audit logs are delivered to the log archive account created in Step 3: Create core accounts.
Turn on the switch for the target delivery method and configure the parameters.
Delivery method: Deliver to Simple Log Service (SLS)
Manual configuration:
Region: The region where the SLS Logstore resides.
Logstore Name: The name must be globally unique. We recommend that you use your company name as a prefix, such as landingzone-config-xxxx.
Data Retention Period: The period to store audit logs in SLS. Logs are automatically deleted after this period expires.
Automatic configuration:
Cloud Governance Center automatically creates a global account group named enterprise to centrally manage the resources, compliance packages, and rules for all members in the resource directory.
Note: If a global account group already exists in Cloud Config, it is used. A new one is not created.
Delivery method: Deliver to Object Storage Service (OSS)
Manual configuration:
Region: The region where the OSS bucket resides.
Bucket Name: The name must be globally unique. We recommend that you use your company name as a prefix, such as landingzone-config-xxxx.
Manage log delivery configurations
After you initialize log delivery, you can modify the delivery method and configuration parameters. For example, you can enable or disable a delivery method, or change the OSS bucket or SLS Logstore.
Log on to the Cloud Governance Center console.
In the navigation pane on the left, choose .
Click Edit to the right of the target delivery method.
Modify the delivery method and parameters, and then click OK.