This topic describes the features, background information, scenarios, and benefits of Log Audit Service. This topic also describes the Alibaba Cloud services that are supported by Log Audit Service.
Features
Log Audit Service supports all features of Simple Log Service and adds automated, centralized, real-time collection of logs from cloud services across Alibaba Cloud accounts, so that the collected logs can be audited in one place. It stores the data required for auditing and lets you query and aggregate that data. You can use Log Audit Service to audit logs collected from the following Alibaba Cloud services: ActionTrail, Container Service for Kubernetes (ACK), Object Storage Service (OSS), Apsara File Storage NAS (NAS), Server Load Balancer (SLB), Application Load Balancer (ALB), API Gateway, Virtual Private Cloud (VPC), ApsaraDB RDS, PolarDB-X 1.0, PolarDB, Web Application Firewall (WAF), Anti-DDoS, Cloud Firewall, and Security Center. You can also audit logs collected from third-party cloud services and self-managed security operations centers (SOCs).
Background information
Log audit is required by law.
Enterprises around the world must audit logs to meet regulatory requirements. In the Chinese mainland, the Cybersecurity Law of the People's Republic of China took effect in 2017, and the Multi-Level Protection Scheme (MLPS) 2.0 took effect in December 2019.
Log audit is the foundation for the data security compliance of enterprises.
Many enterprises have compliance and audit teams that audit device operations, network behavior, and logs. With Log Audit Service, you can consume raw logs, audit them, and generate compliance audit reports. A self-managed SOC or Alibaba Cloud Security Center can consume the logs held in Log Audit Service.
Log audit is crucial for data security and protection.
The M-Trends 2018 report published by FireEye found that most enterprises, especially those in Asia Pacific, remain exposed to cyberattacks: the global median dwell time was 101 days, and the median in Asia Pacific was 498 days. Dwell time is the number of days between the first evidence of a compromise and its detection. Shortening it requires reliable log data, durable storage, and audit services.
Scenarios
Simple Log Service-based audit
Simple Log Service allows you to collect, cleanse, analyze, and visualize logs from end to end. You can also configure alerts for logs. You can use Simple Log Service in DevOps, operations, security, and audit scenarios.
Typical log audit
Log audit requirements fall into four levels.
Basic requirements: Most small and medium enterprises need automatic log collection and storage. They must meet the basic requirements specified in MLPS 2.0 and want maintenance to be automated.
Intermediate requirements: Multinational enterprises, large enterprises, and some medium enterprises have multiple departments that use different Alibaba Cloud accounts and are billed separately, yet the logs required for audit must still be collected automatically into one place. In addition to the basic requirements, these enterprises need centralized log collection and account management. In most cases they already operate an audit system and need to synchronize it with Log Audit Service in real time.
Advanced requirements: Large enterprises with dedicated compliance and audit teams need to monitor and analyze logs and configure alerts on them. Some collect logs and forward them to their own audit systems for further processing. Others want to build an audit system on the cloud and can use the audit-related features of Simple Log Service: query, analysis, alerting, and visualization.
Top requirements: Most large enterprises with professional compliance and audit teams run self-managed SOCs or audit systems. They need to synchronize those systems with Log Audit Service and manage data centrally.
Log Audit Service of Simple Log Service meets all four levels of requirements.
Benefits
Centralized log collection
Log collection across accounts: You can collect logs from multiple Alibaba Cloud accounts into a project that belongs to one Alibaba Cloud account. Multi-account collection can be configured in custom authentication mode or resource directory mode; resource directory mode is recommended. For more information, see Configure multi-account collection.
Ease of use: You configure collection policies once. Log Audit Service then collects logs in real time from Alibaba Cloud resources in the covered accounts, including resources created after the policy was set, such as new ApsaraDB RDS instances, SLB instances, and OSS buckets.
Centralized storage: Logs are collected into the central project of a region, where you can query, analyze, and visualize them efficiently, configure alerts, and build your own processing on top of them (secondary development).
Comprehensive audit
Log Audit Service supports all features of Simple Log Service. For example, you can query, analyze, transform, visualize, and export logs, and configure alerts for logs. Log Audit Service also allows you to audit logs in a centralized manner.
You can use Log Audit Service together with Alibaba Cloud services, open source software, and third-party SOCs to create more value from data.
Supported Alibaba Cloud services
You can use Log Audit Service to audit logs collected from ActionTrail, ACK, OSS, NAS, SLB, ALB, API Gateway, VPC, ApsaraDB RDS, PolarDB-X 1.0, PolarDB, WAF, Cloud Firewall, Security Center, and Anti-DDoS, as well as the other services listed in the following table. Logs collected from Alibaba Cloud services are stored automatically in Logstores and Metricstores, and dashboards are generated automatically for them. The following table describes the details.
Cloud service | Audited log | Supported region for collection | Prerequisite | Simple Log Service resource |
ActionTrail | | China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Japan (Tokyo), US (Silicon Valley), US (Virginia), Germany (Frankfurt), UK (London), and UAE (Dubai) | None | |
Cloud Config | | All regions supported by Cloud Config | To collect, store, or query Cloud Config logs in Log Audit Service, you must authorize Simple Log Service to extract the logs recorded in Cloud Config. After authorization, Cloud Config logs are pushed to Simple Log Service automatically. | |
SLB | Layer 7 network logs of HTTP or HTTPS listeners | China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Singapore, Japan (Tokyo), Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), UK (London), UAE (Dubai), US (Silicon Valley), US (Virginia), and Germany (Frankfurt) | None | |
ALB | Layer 7 network logs of HTTP or HTTPS listeners | China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Ulanqab), China (Shenzhen), China (Guangzhou), China (Chengdu), China (Hong Kong), Japan (Tokyo), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Germany (Frankfurt), US (Silicon Valley), and US (Virginia) | None | |
API Gateway | Access logs | All supported regions | None | |
VPC | Flow logs | China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Japan (Tokyo), US (Silicon Valley), US (Virginia), UAE (Dubai), Germany (Frankfurt), and UK (London) | ecs.c1, ecs.c2, ecs.c4, ecs.ce4, ecs.cm4, ecs.d1, ecs.e3, ecs.e4, ecs.ga1, ecs.gn4, ecs.gn5, ecs.i1, ecs.m1, ecs.m2, ecs.mn4, ecs.n1, ecs.n2, ecs.n4, ecs.s1, ecs.s2, ecs.s3, ecs.se1, ecs.sn1, ecs.sn2, ecs.t1, and ecs.xn4 | |
DNS | Intranet DNS logs | China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Shenzhen), China (Guangzhou), China (Hong Kong), and Singapore | Go to the Alibaba Cloud DNS console of the new version to activate Alibaba Cloud DNS PrivateZone. | |
DNS | Public DNS resolution logs | N/A | | |
DNS | Global Traffic Manager logs | N/A | | |
WAF | | All supported regions | | |
Security Center | | China (Hangzhou) and Singapore | | |
Cloud Firewall | Traffic logs of the Internet firewall and VPC firewalls | N/A | | |
Bastionhost | Operation logs | All supported regions | Your Bastionhost must be of V3.2 or later. | |
OSS | | China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Japan (Tokyo), South Korea (Seoul), Thailand (Bangkok), Germany (Frankfurt), UAE (Dubai), UK (London), US (Virginia), and US (Silicon Valley) | None | |
ApsaraDB RDS | | | | |
PolarDB for MySQL | | All supported regions | | |
PolarDB-X 1.0 | PolarDB-X 1.0 audit logs | China (Qingdao), China (Shenzhen), China (Shanghai), China (Beijing), China (Hangzhou), China (Zhangjiakou), China (Chengdu), and China (Hong Kong) | None | |
NAS | Access logs | All supported regions | None | |
ACK | | China (Shanghai), China (Beijing), China (Hangzhou), China (Shenzhen), China (Hohhot), China (Zhangjiakou), China (Chengdu), and China (Hong Kong) | You must manually enable the log collection feature for Kubernetes logs. | |
Anti-DDoS | | N/A | | |
Cloud Service Bus (CSB) App Connect | Operation log | N/A | None | |
If an ApsaraDB RDS instance or a PolarDB for MySQL cluster is restarted, Log Audit Service may fail to collect some logs that are generated within 5 minutes after the restart.
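This caveat means the audit trail for these databases has a known blind spot after every restart, and an auditor should be able to show where that blind spot fell. The following Python is an added example, not code from Log Audit Service or Alibaba Cloud: given a list of restart times and the timestamps of the audit records that were actually collected, it reports, for each restart, how many records landed in the 5-minute window and how long the gap to the first collected record was. The restart times, the log timestamps, and the idea of taking restart times from ActionTrail operation events are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

# Window named in the documentation: records generated within 5 minutes after a
# restart of an ApsaraDB RDS instance or PolarDB for MySQL cluster may not be collected.
RESTART_BLIND_WINDOW = timedelta(minutes=5)

# Constructed sample data (not from any real account). Restart times could be
# taken from ActionTrail operation events and log times from the collected audit
# records; both sources are assumptions, and all timestamps are made up.
RESTARTS = [
    "2024-05-01T10:00:00",
    "2024-05-01T12:00:00",
]
COLLECTED_LOG_TIMES = [
    "2024-05-01T09:58:10",
    "2024-05-01T09:59:45",
    "2024-05-01T10:07:02",  # first record after the 10:00 restart, 7 min later
    "2024-05-01T10:08:30",
    "2024-05-01T12:00:40",
    "2024-05-01T12:03:15",
    "2024-05-01T12:09:00",
]


def parse(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp without time zone (assumed UTC for the sample)."""
    return datetime.fromisoformat(ts)


def coverage_after_restart(restarts, log_times, window=RESTART_BLIND_WINDOW):
    """For each restart, count collected records in [restart, restart + window)
    and locate the first record collected at or after the restart.

    Returns one dict per restart. `uncovered` is True when the window holds no
    collected record, which is the loss the documentation warns about."""
    logs = sorted(parse(t) for t in log_times)
    results = []
    for r in restarts:
        start = parse(r)
        end = start + window
        in_window = [t for t in logs if start <= t < end]
        after = [t for t in logs if t >= start]
        first_after = after[0] if after else None
        results.append({
            "restart": start,
            "window_end": end,
            "records_in_window": len(in_window),
            "first_record_after": first_after,
            "gap_seconds": None if first_after is None
                           else int((first_after - start).total_seconds()),
            "uncovered": len(in_window) == 0,
        })
    return results


def uncovered_restarts(restarts, log_times, window=RESTART_BLIND_WINDOW):
    """ISO timestamps of restarts whose post-restart window has no collected records."""
    return [row["restart"].isoformat()
            for row in coverage_after_restart(restarts, log_times, window)
            if row["uncovered"]]


if __name__ == "__main__":
    for row in coverage_after_restart(RESTARTS, COLLECTED_LOG_TIMES):
        status = ("NO RECORDS COLLECTED" if row["uncovered"]
                  else f"{row['records_in_window']} record(s)")
        print(f"restart {row['restart'].isoformat()}: {status} in the first "
              f"{RESTART_BLIND_WINDOW}; first record after restart at +{row['gap_seconds']}s")
```

An empty window is a signal to investigate, not proof of loss: a quiet instance may simply have executed nothing in those 5 minutes. Confirming a real gap means comparing against the database's own retained audit log, if any; the value of the check is that it pins the candidate gaps to exact intervals that can be documented in the audit report.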