Secure Access Service Edge:Use the log analysis feature

Last Updated:Jul 31, 2024

Secure Access Service Edge (SASE) provides the log analysis feature. The feature allows you to collect and store logs that are supported by SASE. SASE is integrated with Alibaba Cloud Simple Log Service to support log query and analysis, provide statistical charts, and allow you to configure alerts. The feature allows you to focus on data analysis and frees you from mundane query and aggregation tasks. This topic describes how to enable the log analysis feature and analyze logs.

Supported log types

  • Private access log

  • Internet access log

  • Client logon log

  • Log of outbound sensitive file transfers

  • Client online status log

Prerequisites

Log Service is enabled when you purchase SASE.

Procedure

  1. Log on to the SASE console.

  2. In the left-side navigation pane, choose Log Analysis > Log Analysis.

  3. Enable Log Service and purchase the log storage capacity.

    1. On the Log Analysis page, click Activate Now.

    2. Configure the log service and specify the log storage capacity based on your business requirements. Click Buy Now and complete the payment.

      After you enable the log analysis feature, the log service automatically creates a dedicated project for SASE to manage SASE log data. In the Simple Log Service console, you can view the dedicated log project for SASE in the project list.

  4. Enable log collection.

    On the Log Analysis page, turn on Log Status in the upper-right corner. By default, SASE does not collect log data from websites that are added to SASE. SASE collects the log data of a website only after you enable log collection for the domain name of the website. SASE stores the collected log data in a dedicated Simple Log Service Logstore. You can use the Logstore for log query and analysis.

  5. Select a query time range.

    Click Last 15 Minutes in the upper-right corner to specify the query time range. You can select a relative time or a time frame. You can also specify a custom time range.

  6. Enter a query statement in the search box.

    A query statement consists of a search statement and an analytic statement in the Search statement|Analytic statement format.

    Search statement (required)

      A search statement specifies search conditions, such as a keyword, a numeric value, a numeric value range, an asterisk (*), or a combination of search conditions.

      If you specify a space or an asterisk (*) as the search statement, no conditions are used for searching, and all logs are returned. For more information, see Search syntax.

    Analytic statement (optional)

      An analytic statement is used to aggregate and compute the data in search results or all logs.

      If you leave the statement empty, no analysis is performed and all query results are returned. For more information, see Log analysis overview.

    Note
    • In an analytic statement, the from log part is similar to the from <table name> part in a standard SQL statement and can be omitted.

    • By default, the first 100 log entries are returned. If you want to adjust this number, you can use the LIMIT clause. For more information, see LIMIT clause.

  7. Click Search & Analyze to view the query and analysis results.

    You can view the query and analysis results in a log distribution histogram, on the Raw Logs tab, on the LogReduce tab, or on the Graph tab. You can also configure alerts and quickly search, refresh, and share results. For more information, see Step 2: View query and analysis results.

Log fields

__time__

  The time when the operation was performed.

  Example: 2018-02-27 11:58:15

aliuid

  The ID of the Alibaba Cloud account.

  Example: 141681795035****

username

  The name of the user.

  Example: Bob

department

  The name of the department to which the user belongs.

  Example: Test department

action

  The value depends on the type of log that you query. This field is supported in private access logs and client logon logs.

  In private access logs, the following values are supported:

    • allow: The current policy allows the user or terminal to access the specified application.

    • block: The current policy denies the user or terminal access to the specified application.

  In client logon logs, the following values are supported:

    • logon: The user logged on to the SASE client on the current terminal.

    • logout: The user logged out of the SASE client on the current terminal.

    • exit: The user exited the SASE client on the current terminal.

  Example: block

device_type

  The type of the terminal. Valid values: Windows, macOS, Linux, Android, iOS.

  Example: Windows

device_tag

  The unique identifier of the terminal.

  Example: ccabaebc-77b3-a877-23f1-31b89b59****

domain

  The domain name of the website for private access.

  Example: www.aliyundoc.com

dst_addr

  The destination IP address for private access.

  Example: 10.2.XX.XX

dst_port

  The destination port for private access.

  Example: 80

scr_addr

  The source IP address for private access.

  Example: 10.4.XX.XX

src_port

  The source port for private access.

  Example: 30001

in_bytes

  The inbound traffic. Unit: bytes.

  Example: 234

out_bytes

  The outbound traffic. Unit: bytes.

  Example: 567

log_type

  The log type. Valid values:

    • pa_access_log: private access log

    • client_logon_log: client logon log

    • dlp_log: outbound sensitive file transfer log

    • client_status_log: client online status log

  Example: ia_access_log

policy_name

  The policy name.

  Example: test

protocol

  The protocol. Valid values: All, tcp, udp.

  Example: tcp

request_uri

  The request URI.

  Example: /test.php

app_status

  The terminal status. Valid values: Online, Offline.

  Example: Online

event_time

  The time when the event was generated. This value is a UNIX timestamp. Unit: seconds.

  Example: 1675278754

unixtime

  The time when the event was recorded. This value is a UNIX timestamp. Unit: seconds.

  Example: 1675278754

Common query statements

Status of SASE terminals

Before you execute the following statements, you must manually create indexes for the app_status field. For more information, see Create indexes.

  • Query the number of online terminals.

    * AND log_type : client_status_log | select username,app_status,COUNT(*) AS cn GROUP BY username,app_status order by cn desc limit 10000
  • Query the number of offline terminals.

    * AND log_type : client_status_log AND app_status:offline | select username,app_status,COUNT(*) AS cn GROUP BY username,app_status order by cn desc limit 10000

Logon status of SASE terminals

Query terminal logon actions.

* AND log_type : client_logon_log | select username,action,COUNT(*) AS cn GROUP BY username,action order by cn desc limit 10000

Internal network access

  • Query the terminals and users that access the SASE client over the internal network.

    * AND log_type : pa_access_log | select username,device_type,COUNT(*) AS cn GROUP BY username,device_type order by cn desc limit 10000
  • Query the reason why the access attempt is blocked.

    * AND log_type : pa_access_log AND action:block | select username,block_info,COUNT(*) AS cn GROUP BY username,block_info order by cn desc limit 10000

Sensitive file detection

Query the number of times that the policy for sensitive file detection is matched.

* AND log_type : dlp_log | select username,matched_policy,COUNT(*) AS cn GROUP BY username,matched_policy order by cn desc limit 10000
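The common query statements above, and the Search statement|Analytic statement split described in step 6, as an added example in Python that is not Alibaba Cloud's code and does not call the Simple Log Service API: it runs the page's own query strings over a few constructed log records (field names taken from the log field table, values invented) so you can see what each statement filters and counts before you run it against the dedicated Logstore. Only the slice of the query syntax used on this page is emulated: `*` and `field:value` terms joined by AND in the search part, and a `GROUP BY ... order by cn desc limit N` aggregation in the analytic part; the case-insensitive value match and the default limit of 100 are assumptions taken from the page's notes, not a reimplementation of the service.

```python
"""Offline emulation of the SASE 'Search statement|Analytic statement' queries.

Added example, not Alibaba Cloud's code. The records below are constructed
samples using the field names from the log field table on this page.
"""
import re
from collections import Counter

# Constructed sample records (values are invented; field names follow the page).
SAMPLE_LOGS = [
    {"log_type": "client_status_log", "username": "Bob",   "app_status": "Online"},
    {"log_type": "client_status_log", "username": "Bob",   "app_status": "Online"},
    {"log_type": "client_status_log", "username": "Alice", "app_status": "Offline"},
    {"log_type": "client_logon_log",  "username": "Bob",   "action": "logon"},
    {"log_type": "client_logon_log",  "username": "Bob",   "action": "logout"},
    {"log_type": "client_logon_log",  "username": "Alice", "action": "logon"},
    {"log_type": "pa_access_log", "username": "Bob",   "device_type": "Windows",
     "action": "allow", "block_info": ""},
    {"log_type": "pa_access_log", "username": "Alice", "device_type": "macOS",
     "action": "block", "block_info": "policy denied"},
    {"log_type": "pa_access_log", "username": "Alice", "device_type": "macOS",
     "action": "block", "block_info": "policy denied"},
    {"log_type": "dlp_log", "username": "Bob", "matched_policy": "test"},
]

# The page states that the first 100 entries are returned unless LIMIT is set.
DEFAULT_LIMIT = 100


def split_query(statement):
    """Split 'search | analytic' on the first '|'.

    An absent analytic part means the raw matching logs are returned."""
    search, sep, analytic = statement.partition("|")
    return search.strip(), (analytic.strip() if sep else "")


def matches(record, search):
    """Evaluate a search statement built from '*' and 'field : value' terms joined by AND.

    Values are compared case-insensitively (assumption: the page queries
    'app_status:offline' against a field documented as 'Online'/'Offline').
    A space or '*' alone matches every record, as the page describes."""
    if search in ("", "*"):
        return True
    for term in re.split(r"\s+AND\s+", search):
        term = term.strip()
        if term == "*":
            continue
        field, _, value = term.partition(":")
        if str(record.get(field.strip(), "")).lower() != value.strip().lower():
            return False
    return True


def run_query(records, statement):
    """Run one page-style query: filter with the search part, then aggregate.

    Returns raw records when there is no analytic part; otherwise one dict per
    group with the grouped columns and a 'cn' count, sorted by count descending
    and truncated to the LIMIT (DEFAULT_LIMIT when none is given)."""
    search, analytic = split_query(statement)
    hits = [r for r in records if matches(r, search)]
    if not analytic:
        return hits[:DEFAULT_LIMIT]
    group = re.search(r"group by\s+(.+?)\s+order by", analytic, re.IGNORECASE)
    if group is None:
        raise ValueError("only 'GROUP BY ... order by cn desc' aggregations are emulated")
    cols = [c.strip() for c in group.group(1).split(",")]
    lim = re.search(r"limit\s+(\d+)", analytic, re.IGNORECASE)
    limit = int(lim.group(1)) if lim else DEFAULT_LIMIT
    counts = Counter(tuple(r.get(c, "") for c in cols) for r in hits)
    # most_common() already yields groups in descending count order (order by cn desc).
    rows = [dict(zip(cols, key), cn=n) for key, n in counts.most_common()]
    return rows[:limit]


if __name__ == "__main__":
    page_queries = {
        "offline terminals": "* AND log_type : client_status_log AND app_status:offline | "
                             "select username,app_status,COUNT(*) AS cn GROUP BY username,app_status "
                             "order by cn desc limit 10000",
        "blocked access": "* AND log_type : pa_access_log AND action:block | "
                          "select username,block_info,COUNT(*) AS cn GROUP BY username,block_info "
                          "order by cn desc limit 10000",
        "dlp matches": "* AND log_type : dlp_log | select username,matched_policy,COUNT(*) AS cn "
                       "GROUP BY username,matched_policy order by cn desc limit 10000",
    }
    for name, q in page_queries.items():
        print(name, "->", run_query(SAMPLE_LOGS, q))
```

The split on the first `|` is what lets the search part narrow the data set before any counting happens, which is also why the page asks you to index `app_status` first: a field that is not indexed cannot be used as a `field:value` search term in the real service, whereas this emulation simply compares dictionary values.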