Secure Access Service Edge (SASE) provides the log analysis feature. The feature allows you to collect and store logs that are supported by SASE. SASE is integrated with Alibaba Cloud Simple Log Service to support log query and analysis, provide statistical charts, and allow you to configure alerts. The feature allows you to focus on data analysis and frees you from mundane query and aggregation tasks. This topic describes how to enable the log analysis feature and analyze logs.
Supported log types
Private access log
Internet access log
Client logon log
Log of outbound sensitive file transfers
Log of client online status log
Prerequisites
Log Service is enabled when you purchase SASE.
Procedure
Log on to the SASE console.
In the left-side navigation pane, choose .
Enable Log Service and purchase the log storage capacity.
On the Log Analysis page, click Activate Now.
Configure the log service and specify the log storage capacity based on your business requirements. Click Buy Now and complete the payment.
After you enable the log analysis feature, the log service automatically creates a dedicated project for SASE to manage SASE log data. In the Simple Log Service console, you can view the dedicated log project for SASE in the project list.
Enable log collection
On the Log Analysis page, turn on Log Status in the upper-right corner. By default, SASE does not collect log data from websites that are added to SASE. SASE collects the log data of a website only after you enable log collection for the domain name of the website. SASE stores the collected log data in a dedicated Simple Log Service Logstore. You can use the Logstore for log query and analysis.
Select a query time range.
Click Last 15 Minutes in the upper-right corner to specify the query time range. You can select a relative time or a time frame. You can also specify a custom time range.
Enter a query statement in the search box.
A query statement consists of a search statement and an analytic statement in the
Search statement|Analytic statement
format.Statement
Required
Description
Search statement
Yes
A search statement specifies search conditions, such as a keyword, a numeric value, a numeric value range, an asterisk (*), or a combination of search conditions.
If you specify a space or an asterisk (*) as the search statement, no conditions are used for searching, and all logs are returned. For more information, see Search syntax.
Analytic statement
Optional
An analytic statement is used to aggregate and compute the data in search results or all logs.
If you leave the statement empty, it indicates that no analysis is required and all query results are returned. For more information, see Log analysis overview.
NoteIn an analytic statement, the
from log
part is similar to thefrom <table name>
part in a standard SQL statement and can be omitted.By default, the first 100 log entries are returned. If you want to adjust this number, you can use the LIMIT clause. For more information, see LIMIT clause.
Click Search & Analyze to view the query and analysis results.
You can view the query and analysis results in a log distribution histogram, on the Raw Logs tab, on the LogReduce tab, or on the Graph tab. You can also configure alerts and quickly search, refresh, and share results. For more information, see Step 2: View query and analysis results.
Log fields
Field | Description | Example |
__time__ | The time when the operation was performed. | 2018-02-27 11:58:15 |
aliuid | The ID of the Alibaba Cloud account. | 141681795035**** |
username | The name of the user. | Bob |
department | The name of the department to which the user belongs. | Test department |
action | The value varies based on the type of logs that you query. The following types of logs are supported: private access logs and client logon logs. In private access logs, the following values are supported:
In client logon logs, the following values are supported:
| block |
device_type | The type of the terminal. Valid values:
| Windows |
device_tag | The unique identifier of the terminal. | ccabaebc-77b3-a877-23f1-31b89b59**** |
domain | The domain name of the website for private access. | www.aliyundoc.com |
dst_addr | The destination IP address for private access. | 10.2.XX.XX |
dst_port | The destination port for private access. | 80 |
scr_addr | The source IP address for private access. | 10.4.XX.XX |
src_port | The source port for private access. | 30001 |
in_bytes | The inbound traffic. Unit: bytes. | 234 |
out_bytes | The outbound traffic. Unit: bytes. | 567 |
log_type | The log type. Valid values:
| ia_access_log |
policy_name | The policy name. | test |
protocol | The protocol. Valid values:
| tcp |
request_uri | The request URI. | /test.php |
app_status | The terminal status. Valid values:
| Online |
event_time | The time when the event was generated. This value is a UNIX timestamp. Unit: seconds. | 1675278754 |
unixtime | The time when the event was recorded. This value is a UNIX timestamp. Unit: seconds. | 1675278754 |
Common query statement
Status of SASE terminals
Before you execute the following statement, you must manually create indexes for the app_stastus
field. For more information, see Create indexes.
Query the number of online terminals.
* AND log_type : client_status_log | select username,app_status,COUNT(*) AS cn GROUP BY username,app_status order by cn desc limit 10000
Query the number of offline terminals.
* AND log_type : client_status_log AND app_status:offline | select username,app_status,COUNT(*) AS cn GROUP BY username,app_status order by cn desc limit 10000
Logon status of SASE terminals
Query terminal logon actions.
* AND log_type : client_logon_log | select username,action,COUNT(*) AS cn GROUP BY username,action order by cn desc limit 10000
Internal network access
Query the terminals and users that access the SASE client over the internal network.
* AND log_type : pa_access_log | select username,device_type,COUNT(*) AS cn GROUP BY username,device_type order by cn desc limit 10000
Query the reason why the access attempt is blocked.
* AND log_type : pa_access_log AND action:block | select username,block_info,COUNT(*) AS cn GROUP BY username,block_info order by cn desc limit 10000
Sensitive file detection
Query the number of times that the policy for sensitive file detection is matched.
* AND log_type : dlp_log | select username,matched_policy,COUNT(*) AS cn GROUP BY username,matched_policy order by cn desc limit 10000