This topic describes some common errors of Log Audit Service and the troubleshooting methods for the errors. This topic also provides answers to some frequently asked questions about Log Audit Service.
Common errors and troubleshooting
Error type | Error message | Cause | Solution |
Account configuration | LogException{httpCode=-1 errorCode='IllegalResourceDirectoryAccounts' errorMessage='IllegalResourceDirectoryAccounts: account not ResourceDirectory master or admin user' requestId='' | The current account is a standard central account. You cannot use the current account to configure multi-account collection in resource directory mode. You can configure multi-account collection in resource directory mode only when the central account is the management account or a delegated administrator account of your resource directory. For more information, see Collect cloud service logs from multiple accounts. | Configure multi-account collection in custom authentication mode. For more information, see Custom authentication mode. |
LogException{httpCode=-1 errorCode='IllegalAction.MultiAccountsIllegal' errorMessage='IllegalAction: the multi_account: 1234567*** may be already configured by other central account or contain central account' requestId=''} | Conflicts occur in the multi-account collection configuration.
| If you need to add 1234567*** to the resource directory of the current central account as a member, use one of the following methods:
| |
When an account is added to the resource directory of a central account as a member, the EtlMetaAlreadyExist error occurs. | The account has been added to the resource directory of the central account or a different central account as a member. In addition, the projects of Log Audit Service were deleted when log collection is enabled for cloud services. This does not comply with the rule. Before you can delete the projects of Log Audit Service, you must disable log collection for all cloud services. For more information, see Delete Log Audit Service resources. As a result, the system cannot apply a new collection configuration. | Submit a ticket to contact the Log Service team. | |
Error message: The current account has configured multi-account log collection. Delete the multi-account settings in Log Audit Service. Error code: DeregisterDA.Deny.TrustedService. | If an error occurs when you change the existing delegated administrator account in the Resource Management console, the configurations of multi-account collection for the delegated administrator account are not removed. | Remove the configurations of multi-account collection for the existing delegated administrator account before you change the delegated administrator account. If Configure Mode is set to All Members, change the value to Custom and clear all selected accounts. | |
Permission configuration | The role not exists: acs:ram::123456******:role/sls-audit-service-monitor. | The permissions of the sls-audit-service-monitor role within the member 123456****** are deleted or tampered with. | Reconfigure the permissions for the sls-audit-service-monitor role. For more information, see Use a custom policy to authorize Simple Log Service to collect and synchronize logs. |
Permission denied, action: log:CreateApp,resource: app/audit or Permission denied, action: log:GetApp,resource: app/audit | The RAM user that is used does not have the required operation permissions on Log Audit Service. | Grant the required permissions to the RAM user. For more information, see Grant a RAM user the permissions to perform operations on Log Audit Service. | |
Quota limit | init_sls_assets failed because of ServerException [HTTP Status: 400 Error:DashboardError LogException{httpCode=403 errorCode='ExceedQuota' requestId='622854*********'} | A quota is exceeded. Each type of basic resource provided by Log Service has a quota. The basic resources include shards. For more information, see Basic resources. | If the ExceedQuota error occurs in a project of Log Audit Service, submit a ticket to scale out basic resources. |
init_sls_assets failed because of ServerException [HTTP Status: 400 Error:CreateProjectFailed Account 123456***** most has 50 project | The total number of projects within a single account exceeds the quota. Each type of basic resource provided by Log Service has a quota. The basic resources include projects and shards. For more information, see Basic resources. | If the total number of Log Audit Service projects within a single account exceeds the quota, submit a ticket to scale out basic resources. | |
Resource audit | When you change the log retention period, the following message appears: This Logstore is dedicated to the Log Audit Service application. To modify the Logstore settings such as the data retention period, go to the Global Configurations page of Log Audit Service. | None | On the Global Configurations page of Log Audit Service, change the log retention period of a Logstore and the log retention period for the hot storage of a Logstore. |
When you delete a Logstore, the following message appears: Operation failed: Insufficient permissions . | Log Audit Service Logstores may be associated with built-in dashboards and alerts. Therefore, you cannot separately delete Log Audit Service Logstores. |
| |
LogException{httpCode=-1 errorCode='DeleteFailed' message='delete auditJob error' requestId=''} | The central project of Log Audit Service is supported only in some regions. If you use other methods to specify an unsupported region such as the China (Chengdu) region for the central project of Log Audit Service, the system creates a project named slsaudit-center-${uid}-${Region} in this region. However, you cannot use Log Audit Service in the region or switch the region over to a supported region. Note The following regions are supported:
| Delete the (slsaudit-center-${uid}-${Region} ) project by using a CLI or API operation. Then, select a supported region. For more information about how to delete a project, see What to do next. | |
In Log Audit Service, | is not displayed in the left-side navigation pane.Log collection provided by Log Audit Service is not enabled for the central account. | Enable log collection for the central account. For more information, see Enable and manage log collection. |
FAQ
- Before I disable log collection, I changed the log retention period. However, the change does not take effect. For example, before I disable log collection for the Layer 7 access logs of Server Load Balancer (SLB), I changed the log retention period to one day to delete existing logs. However, the change does not take effect, and the log retention period remains 180 days. Why?
If you change the log retention period before you disable log collection, you must save the change before you disable log collection. Otherwise, the change does not take effect. To change the log retention period, perform the following operations:
- On the Global Configurations page of Log Audit Service, click Modify.
- Change the log retention period for your log type and click Save. Note Make sure that log collection is enabled when you save the change. After you save the change, wait 1 minute and click Modify again.
- Click Modify again.
- Disable log collection for your log type and click Save.
- How do I view the collection status of logs?
Choose
of Log Audit Service to view the collection status of logs. - The system prompts that my account does not have the required permissions or the AccessKey pair of my account is invalid. What do I do?
Check whether permissions are correctly configured for your account. If Log Service and the cloud service from which logs are collected belong to the same account, follow the instructions provided in Initially configure Log Audit Service. If Log Service and the cloud service belong to different accounts, follow the instructions provided in Use a custom policy to authorize Simple Log Service to collect and synchronize logs. For example, if the ReadOnlyAccess policy under System Policy is not attached to the sls-audit-service-monitor role, this issue occurs.
- The system prompts that a required feature is not enabled for my account. What do I do?
Enable the feature for a cloud service within your account. For more information, see Supported Alibaba Cloud services. For example, if Security Center is activated but the Log Analysis feature is not enabled in the Security Center console, this issue occurs.
- The number of built-in alert monitoring rules on the Alert Center page of the
slsaudit-center-${uid}-${region}
project is different from that on the Audit Alert page of Log Audit Service. Why?- In addition to the built-in alert monitoring rules for Log Audit Service, the
slsaudit-center-${uid}-${region}
project contains the built-in alert monitoring rules for other features, such as data transformation. - The Audit Alert page of Log Audit Service displays only the alert monitoring rules for cloud services for which log collection was enabled. This limit does not apply to the Alert Center page of the
slsaudit-center-${uid}-${region}
project. - The selected region and display language of the Log Service console may also lead to an inconsistency in the number of built-in alert monitoring rules between the Audit Alert page of Log Audit Service and the Alert Center page of the
slsaudit-center-${uid}-${region}
project.
- In addition to the built-in alert monitoring rules for Log Audit Service, the
- The numbers of alert policies, action policies, and alert templates on the Alert Center page of the
slsaudit-center-${uid}-${region}
project are different from those on the Audit Alert page of Log Audit Service. Why?The Audit Alert page of Log Audit Service displays only the alert policies, action policies, and alert templates that are related to Log Audit Service. The
slsaudit-center-${uid}-${region}
project may contain the alert policies, action policies, and alert templates that are associated with other applications. Therefore, the inconsistencies arise. - I cannot find the performance logs of ApsaraDB RDS for MySQL and PolarDB for MySQL instances on the Audit Query page. Why? The Audit Query page displays only the query links for log-type data. Performance logs are of the metric type. You can go to the Global Configurations page and click the
slsaudit-center-${uid}-${region}
region. Then, on the Time Series Storage page, you can view the performance logs of the ApsaraDB RDS for MySQL and PolarDB for MySQL instances. - Log Audit Service does not work as expected after I delete the sls-audit-service-monitor role or modify the policy attached to the sls-audit-service-monitor role by mistake in the RAM console. What do I do?
- If your account is a central account and the sls-audit-service-monitor role created based on your AccessKey pair is used when Log Audit Service is enabled within your account, you can go to the Global Configurations page of Log Audit Service and follow the on-screen instructions to complete the authorization. For more information, see Initially configure Log Audit Service. Note Log Audit Service is updated, and the authorization is automatically completed when the AliyunServiceRoleForSLSAudit service-linked role is created. The sls-audit-service-monitor role is still applicable. Make sure that the role exists and its policy is correctly configured. To avoid accidental deletion or illegal modifications, we recommend that you complete the authorization by creating the AliyunServiceRoleForSLSAudit service-linked role.
- If your account is a member, you can modify the policy of the sls-audit-service-monitor role in the RAM console. If the role is not displayed in the RAM console, create the role. For more information, see Use a custom policy to authorize Simple Log Service to collect and synchronize logs.
- If your account is a central account and the sls-audit-service-monitor role created based on your AccessKey pair is used when Log Audit Service is enabled within your account, you can go to the Global Configurations page of Log Audit Service and follow the on-screen instructions to complete the authorization. For more information, see Initially configure Log Audit Service.