All Products
Search
Document Center

Secure Access Service Edge:Use the log analysis feature

Last Updated:Nov 30, 2024

Secure Access Service Edge (SASE) provides the log analysis feature. The feature allows you to collect and store logs that are supported by SASE. SASE is integrated with Alibaba Cloud Simple Log Service to support log query and analysis, provide statistical charts, and allow you to configure alerts. The feature allows you to focus on data analysis and frees you from mundane query and aggregation tasks. This topic describes how to enable the log analysis feature and analyze logs.

Supported log types

  • Private access log

  • Internet access log

  • Client logon log

  • Log of outbound sensitive file transfers

  • Log of client online status log

Prerequisites

Log Service is enabled when you purchase SASE.

Procedure

  1. Log on to the SASE console.

  2. In the left-side navigation pane, choose Log Analysis > Log Analysis.

  3. Enable Log Service and purchase the log storage capacity.

    1. On the Log Analysis page, click Activate Now.

    2. Configure the log service and specify the log storage capacity based on your business requirements. Click Buy Now and complete the payment.

      After you enable the log analysis feature, the log service automatically creates a dedicated project for SASE to manage SASE log data. In the Simple Log Service console, you can view the dedicated log project for SASE in the project list.

  4. Enable log collection

    On the Log Analysis page, turn on Log Status in the upper-right corner. By default, SASE does not collect log data from websites that are added to SASE. SASE collects the log data of a website only after you enable log collection for the domain name of the website. SASE stores the collected log data in a dedicated Simple Log Service Logstore. You can use the Logstore for log query and analysis.

  5. Select a query time range.

    Click Last 15 Minutes in the upper-right corner to specify the query time range. You can select a relative time or a time frame. You can also specify a custom time range.

  6. Enter a query statement in the search box.

    A query statement consists of a search statement and an analytic statement in the Search statement|Analytic statement format.

    Statement

    Required

    Description

    Search statement

    Yes

    A search statement specifies search conditions, such as a keyword, a numeric value, a numeric value range, an asterisk (*), or a combination of search conditions.

    If you specify a space or an asterisk (*) as the search statement, no conditions are used for searching, and all logs are returned. For more information, see Search syntax.

    Analytic statement

    Optional

    An analytic statement is used to aggregate and compute the data in search results or all logs.

    If you leave the statement empty, it indicates that no analysis is required and all query results are returned. For more information, see Log analysis overview.

    Note
    • In an analytic statement, the from log part is similar to the from <table name> part in a standard SQL statement and can be omitted.

    • By default, the first 100 log entries are returned. If you want to adjust this number, you can use the LIMIT clause. For more information, see LIMIT clause.

  7. Click Search & Analyze to view the query and analysis results.

    You can view the query and analysis results in a log distribution histogram, on the Raw Logs tab, on the LogReduce tab, or on the Graph tab. You can also configure alerts and quickly search, refresh, and share results. For more information, see Step 2: View query and analysis results.

Log fields

Field

Description

Example

__time__

The time when the operation was performed.

2018-02-27 11:58:15

aliuid

The ID of the Alibaba Cloud account.

141681795035****

username

The name of the user.

Bob

department

The name of the department to which the user belongs.

Test department

action

The value varies based on the type of logs that you query. The following types of logs are supported: private access logs and client logon logs.

In private access logs, the following values are supported:

  • allow: The current policy allows access to the specified application from users or terminals.

  • block: The current policy denies access to the specified application from users or terminals.

In client logon logs, the following values are supported:

  • logon: logon to the SASE client on the current terminal.

  • logout: logout of the SASE client on the current terminal.

  • exit: exit of the SASE client on the current terminal.

block

device_type

The type of the terminal. Valid values:

  • Windows

  • macOS

  • Linux

  • Android

  • iOS

Windows

device_tag

The unique identifier of the terminal.

ccabaebc-77b3-a877-23f1-31b89b59****

domain

The domain name of the website for private access.

www.aliyundoc.com

dst_addr

The destination IP address for private access.

10.2.XX.XX

dst_port

The destination port for private access.

80

scr_addr

The source IP address for private access.

10.4.XX.XX

src_port

The source port for private access.

30001

in_bytes

The inbound traffic. Unit: bytes.

234

out_bytes

The outbound traffic. Unit: bytes.

567

log_type

The log type. Valid values:

  • pa_access_log: private access log

  • client_logon_log: client logon log

  • dlp_log: outbound sensitive file transfer log

  • client_status_log: client online status log

ia_access_log

policy_name

The policy name.

test

protocol

The protocol. Valid values:

  • All

  • tcp

  • udp

tcp

request_uri

The request URI.

/test.php

app_status

The terminal status. Valid values:

  • Online

  • Offline

Online

event_time

The time when the event was generated. This value is a UNIX timestamp. Unit: seconds.

1675278754

unixtime

The time when the event was recorded. This value is a UNIX timestamp. Unit: seconds.

1675278754

Common query statement

Status of SASE terminals

Before you execute the following statement, you must manually create indexes for the app_stastus field. For more information, see Create indexes.

  • Query the number of online terminals.

    * AND log_type : client_status_log | select username,app_status,COUNT(*) AS cn GROUP BY username,app_status order by cn desc limit 10000
  • Query the number of offline terminals.

    * AND log_type : client_status_log AND app_status:offline | select username,app_status,COUNT(*) AS cn GROUP BY username,app_status order by cn desc limit 10000

Logon status of SASE terminals

Query terminal logon actions.

* AND log_type : client_logon_log | select username,action,COUNT(*) AS cn GROUP BY username,action order by cn desc limit 10000

Internal network access

  • Query the terminals and users that access the SASE client over the internal network.

    * AND log_type : pa_access_log | select username,device_type,COUNT(*) AS cn GROUP BY username,device_type order by cn desc limit 10000
  • Query the reason why the access attempt is blocked.

    * AND log_type : pa_access_log AND action:block | select username,block_info,COUNT(*) AS cn GROUP BY username,block_info order by cn desc limit 10000

Sensitive file detection

Query the number of times that the policy for sensitive file detection is matched.

* AND log_type : dlp_log | select username,matched_policy,COUNT(*) AS cn GROUP BY username,matched_policy order by cn desc limit 10000