If you enable the log collection feature for specific cloud services in Log Audit Service, you are charged additional fees for the cloud services. This topic describes the additional fees.
VPC
Billing
The public preview of the flow log feature ends on September 1, 2022. You are charged if you continue to use the flow log feature after this date. For more information, see Announcement on commercialization of the flow log feature.
When you collect flow logs, you are charged Simple Log Service usage fees and log generation fees. For more information, see Billing of flow logs.
Enable the collection of flow logs
After you enable the collection of Virtual Private Cloud (VPC) flow logs in Log Audit Service, Log Audit Service automatically completes the following operations:
Enable the flow log feature for the central account and the members that are configured for multi-account collection.
Enable the flow log feature for the VPCs that match the specified collection policy and store the collected flow logs in the dedicated project of Log Audit Service. By default, the flow log feature is enabled for all VPCs. For more information, see Configure log collection policies.
Disable the collection of flow logs
For more information about how to disable the collection of flow logs, see Disable log collection.
After you disable the collection of VPC flow logs in Log Audit Service, Log Audit Service automatically completes the following operations:
VPC stops generating flow log traffic for the related VPCs.
Log Audit Service stops collecting VPC flow logs and no longer stores the logs in the dedicated project.
If you delete the dedicated project and you do not disable the collection of VPC flow logs for the project, Log Audit Service cannot ensure that traffic stops being generated across VPCs at the same time. In this case, submit a ticket.
You can enable the collection of VPC flow logs by using Log Audit Service or the VPC console. The operations that you perform in Log Audit Service are independent of the operations that you perform in the VPC console. You can enable or disable the collection of VPC flow logs based on your business requirements. If you enable the flow log feature in Log Audit Service, you can disable the collection of flow logs only in Log Audit Service.
If you enable the flow log feature by using both Log Audit Service and the VPC console, you are charged twice. We recommend that you enable or disable the feature based on your business requirements.
ApsaraDB RDS
After you enable log collection for ApsaraDB RDS, the SQL Explorer or SQL Audit feature is automatically enabled on the ApsaraDB RDS instances that meet the requirements. ApsaraDB RDS for MySQL instances that do not run Basic Edition and ApsaraDB RDS for PostgreSQL instances that run High-availability Edition are supported. You are charged for the SQL Explorer or SQL Audit feature. For more information about the feature fees, see Billable items.
If you have enabled SQL Explorer Trial Edition for your ApsaraDB RDS instance, Log Audit Service automatically disables SQL Explorer Trial Edition and enables the official edition of the SQL Explorer feature after log collection is enabled.
By default, the logs that are generated by the SQL Explorer feature are stored for 30 days. If you want to change the storage duration, you must perform the operation in the ApsaraDB RDS console. For more information, see Modify the retention period of SQL audit logs. The storage duration is independent of the data retention period in Log Audit Service that is specified for the audit logs of your ApsaraDB RDS instance. The storage duration and data retention period do not affect each other.
If the storage duration that you specify in the ApsaraDB RDS console is less than 30 days, the logs cannot be delivered to Simple Log Service. Log Audit Service automatically changes the duration to 30 days.
If you have stopped collecting the audit logs of your ApsaraDB RDS instance and want to disable the SQL Explorer feature, you must disable the feature in the ApsaraDB RDS console. For more information, see Disable the SQL Explorer feature.
PolarDB
After you enable log collection for PolarDB, the SQL Explorer or SQL Audit feature is automatically enabled on the PolarDB clusters that meet the requirements. Only PolarDB for MySQL clusters are supported. You are charged for the SQL Explorer or SQL Audit feature. For more information about the feature fees, see Billable items.
If you have enabled SQL Explorer Trial Edition for your PolarDB for MySQL cluster, Log Audit Service automatically disables SQL Explorer Trial Edition and enables the official edition of the SQL Explorer feature after log collection is enabled.
By default, the logs that are generated by the SQL Explorer feature are stored for 30 days. If you want to change the storage duration, you must perform the operation in the PolarDB console. For more information, see Change the retention period of SQL logs. The storage duration is independent of the data retention period in Log Audit Service that is specified for the audit logs of your PolarDB for MySQL cluster. The storage duration and data retention period do not affect each other.
If the storage duration that you specify in the PolarDB console is less than 30 days, the logs cannot be delivered to Simple Log Service. Log Audit Service automatically changes the duration to 30 days.
If you have stopped collecting the audit logs of your PolarDB for MySQL cluster and want to disable the SQL Explorer feature, you must disable the feature in the PolarDB console. For more information, see Disable the SQL Explorer and Audit feature.
DNS
Collection of Private DNS logs
Prerequisites
Alibaba Cloud DNS PrivateZone is activated. You can log on to the Alibaba Cloud DNS console of the new version to activate Alibaba Cloud DNS PrivateZone.
Billing
Starting December 21, 2023, the traffic analysis feature of Alibaba Cloud DNS PrivateZone is automatically enabled when you enable the collection of Private DNS logs in Log Audit Service. You are charged for the traffic analysis feature. For more information, see Upgrade announcement. If you do not want to pay for the traffic analysis feature, disable the collection of Private DNS logs.
When you collect Private DNS logs, you are charged Simple Log Service usage fees and traffic analysis fees. For more information, see Traffic analysis.
Enable the collection of Private DNS logs
After you enable the collection of Private DNS logs in Log Audit Service, Log Audit Service automatically performs the following operations:
Enables the traffic analysis feature for the VPCs that match the specified collection policy and stores the collected Private DNS logs in the dedicated project of Log Audit Service. By default, the traffic analysis feature is enabled for all VPCs. For more information, see Configure log collection policies.
Detects and enables the traffic analysis feature of Private DNS for the VPC instance. If you manually disable the traffic analysis feature in the DNS console, Log Audit Service reactivates this feature to meet the collection requirements.
Disable the collection of Private DNS logs
For more information about how to disable the collection of Private DNS logs, see Disable log collection.
After you disable the collection of Private DNS logs in Log Audit Service, Log Audit Service stops collecting Private DNS logs and no longer stores the logs in the dedicated project.
To disable the traffic analysis feature, log on to the Alibaba Cloud DNS console and click Private DNS (PrivateZone) in the left-side navigation pane. Then, turn off Disable Traffic Analysis.
Collection of Public Authoritative DNS logs
Enable the collection of Public Authoritative DNS logs
Log on to the Alibaba Cloud DNS console of the new version. On the DNS Traffic Analysis tab, enable the traffic analysis feature, and then add the domain name for which you want to enable DNS traffic analysis.
The collection of Public Authoritative DNS logs does not support the storage of logs for Chinese domain names.
Billing
Total fees of Public Authoritative DNS logs = DNS traffic analysis fee + Simple Log Service fees. For more information, see Pricing. You can disable the collection of Public Authoritative DNS logs if you do not agree with this billing feature.
Disable the collection of Public Authoritative DNS logs
For more information, see Enable and manage log collection.
Collection of Global Traffic Manager logs
Enable the collection of Global Traffic Manager logs
Log on to the Alibaba Cloud DNS console of the new version, enable Global Traffic Manager, and purchase Global Traffic Manager instances.
Global Traffic Manager does not support the storage of logs for Chinese domain names.
This feature is restricted to whitelisted users only. Submit a ticket to apply.
Billing
Total fees of Global Traffic Manager logs = Global Traffic Manager fee + Simple Log Service fees. For more information, see Billing rules. You can disable the collection of Global Traffic Manager logs if you do not agree with this billing feature.
Disable the collection of Global Traffic Manager logs
For more information, see Enable and manage log collection.