
Simple Log Service: Manage the collection rules of cloud services

Last Updated: Aug 26, 2024

After you enable log collection for a cloud service in the new version of Log Audit Service, you manage the collection rules of that cloud service in the associated project: you can create, modify, disable, and delete rules. This topic describes how to manage collection rules and what each rule parameter means.

Procedure

Use the Simple Log Service console

  1. Go to the collection rule page.

    1. Log on to the Simple Log Service console. In the Log Application section, click the Audit & Security tab. Then, click Log Audit Service (New Version).

    2. Click the name of the project that you want to manage. On the Cloud Services tab, click a cloud service, or click the Policies tab. Then, click Create Collection Rule.

  2. Manage the collection rules of the cloud service. You can create, modify, disable, or delete a collection rule.

    Important
    • When you modify a collection rule, you cannot change the Cloud Service Name or Log Type parameter. The Cloud Service Name parameter is the service code of the cloud service.

    • You can create multiple collection rules, one per log type, for a cloud service. When the system collects logs from an instance of the cloud service, all rules that match the instance are merged and applied. Log collection is disabled for an instance only when every collection rule of the cloud service that covers it is disabled or deleted.

    • If you disable or delete all collection rules of a cloud service, log collection stops only for the instances whose logs were being collected because of those rules. Instances for which you enabled log collection in the console of the cloud service itself, or in the Simple Log Service console by using a CloudLens application, keep collecting logs. Check those instances separately if your goal is to stop collection entirely.

Collection rule parameters

Basic parameters

Policy Name
  The name of the collection rule. The name must be unique within the Alibaba Cloud account, must be 3 to 63 characters in length, and must start with a letter.

Cloud Service Name
  The cloud service whose logs are collected. The value is the service code of the cloud service. For more information, see Usage notes of cloud service log collection.

Log Type
  The type of logs to collect. For more information, see Usage notes of cloud service log collection.

Resource Matching Mode
  • All Resources: The system collects logs from all instances of the specified cloud service.

  • Attribute Mode: The system collects logs only from the instances of the specified cloud service that match the Region and Resource Tags parameters.

  • Instance Mode: The system collects logs only from the instances of the specified cloud service that you list in the Instances parameter.

Instances
  The instances from which logs are collected. This parameter takes effect only when you set the Resource Matching Mode parameter to Instance Mode. The system collects logs only from the instances that you select.

  Note
  If the Instances drop-down list is empty, you can enter instance IDs manually. After at least one collection rule exists for the cloud service, the drop-down list is populated with the existing instances.

Region, Resource Tags
  • The regions and resource tags that the instances must match. These parameters take effect only when you set the Resource Matching Mode parameter to Attribute Mode. The system collects logs only from the instances that reside in one of the specified regions and carry all of the specified resource tags.

  • If you leave the Region or Resource Tags parameter empty, that parameter imposes no restriction. If both are empty, the system collects logs from all instances of the specified cloud service.

Global Log Storage Region
  The region to which global logs are collected. This parameter is available only when you set the Log Type parameter to a global log type. You can configure this parameter only if no region is specified for your project.

  • We recommend that you use the same region for all log types of the same cloud service. For example, store the global audit logs, global error logs, and performance metrics of Simple Log Service in projects in the same region.

  • The Global Log Storage Region parameter takes effect immediately.

  Important
  • We recommend that you do not modify the Global Log Storage Region parameter. If you must change it, you first have to delete every collection rule that collects global logs to the currently specified region. This includes the rules that CloudLens applications create automatically and the rules that are created automatically when you create a project.

  • For more information about Simple Log Service global logs, see Enable the log collection feature. Object Storage Service (OSS) metering logs are global logs. For more information, see Log fields.
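The following Python snippet is an added example, written for this page rather than taken from Alibaba Cloud's own implementation or API. It models the three Resource Matching Mode values defined above and the merge behavior described in the Important notes: rules for the same cloud service are combined per instance, a disabled (or deleted, that is, absent) rule contributes nothing, and an instance that was enabled outside the rules keeps collecting even when every rule is disabled. The dataclass fields, the service code "oss", the log type names and the instance inventory are constructed; the mode strings all/attributeMode/instanceMode are the values that appear in the error messages later on this page.

```python
"""Which instances does a set of collection rules actually cover?

Added example; not code from the Alibaba Cloud page or the product itself.
Service code, log types, field names and the inventory are constructed.
"""
from dataclasses import dataclass, field, replace


@dataclass
class Instance:
    instance_id: str
    region: str
    tags: dict[str, str]


@dataclass
class Rule:
    policy_name: str
    product_code: str                 # Cloud Service Name (service code)
    data_code: str                    # Log Type
    resource_mode: str                # "all" | "attributeMode" | "instanceMode"
    enabled: bool = True
    regions: list[str] = field(default_factory=list)          # Attribute Mode
    resource_tags: dict[str, str] = field(default_factory=dict)
    instance_ids: list[str] = field(default_factory=list)     # Instance Mode


def rule_matches(rule: Rule, inst: Instance) -> bool:
    """Apply one rule's Resource Matching Mode to one instance."""
    if rule.resource_mode == "all":
        return True
    if rule.resource_mode == "instanceMode":
        return inst.instance_id in rule.instance_ids
    if rule.resource_mode == "attributeMode":
        # Assumption: an empty Region or Resource Tags list imposes no
        # restriction on that attribute, so both empty means every instance.
        region_ok = not rule.regions or inst.region in rule.regions
        tags_ok = all(inst.tags.get(k) == v for k, v in rule.resource_tags.items())
        return region_ok and tags_ok
    raise ValueError(f"unknown resourceMode: {rule.resource_mode!r}")


def effective_collection(rules, inventory, product_code):
    """Merge all enabled rules of one cloud service: {instance_id: {log types}}."""
    covered = {inst.instance_id: set() for inst in inventory}
    for rule in rules:
        if rule.product_code != product_code or not rule.enabled:
            continue                       # disabled/deleted rules add nothing
        for inst in inventory:
            if rule_matches(rule, inst):
                covered[inst.instance_id].add(rule.data_code)
    return covered


def collection_disabled(covered, instance_id, enabled_outside_rules=frozenset()):
    """True only if no rule covers the instance AND nothing else enabled it
    (service console or CloudLens application), per the caveat above."""
    return not covered.get(instance_id) and instance_id not in enabled_outside_rules


# Constructed inventory and rules for a hypothetical service code "oss".
INVENTORY = [
    Instance("bucket-a", "cn-hangzhou", {"env": "prod"}),
    Instance("bucket-b", "cn-hangzhou", {"env": "dev"}),
    Instance("bucket-c", "cn-shanghai", {"env": "prod"}),
]
RULES = [
    Rule("prod-access", "oss", "access_log", "attributeMode",
         regions=["cn-hangzhou"], resource_tags={"env": "prod"}),
    Rule("audit-picked", "oss", "audit_log", "instanceMode",
         instance_ids=["bucket-a", "bucket-c"]),
    Rule("errors-all", "oss", "error_log", "all", enabled=False),
]


def sample_effective():
    return effective_collection(RULES, INVENTORY, "oss")


def sample_after_disabling(policy_name):
    """Re-evaluate after one rule is disabled in the console."""
    rules = [replace(r, enabled=r.enabled and r.policy_name != policy_name) for r in RULES]
    return effective_collection(rules, INVENTORY, "oss")


if __name__ == "__main__":
    for inst_id, types in sample_effective().items():
        print(inst_id, sorted(types) or "not collected")
```

Running the block prints the merged log types per instance: bucket-a gets both rules, bucket-c only the Instance Mode rule, bucket-b nothing. Disabling the audit-picked rule leaves bucket-a still collected through the Attribute Mode rule, which is the "disabled only when all rules are disabled" behavior, while the enabled_outside_rules argument captures the caveat that instances enabled elsewhere are unaffected by rule changes.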

Centralized storage configuration

Destination Project for Centralized Storage
  The project in which the logs are stored centrally. The value is fixed to the project that is associated with the collection rule and cannot be changed.

Destination Store for Centralized Storage
  • Select Existing Resource: Select an existing Logstore in the destination project.

  • Create: Create a Logstore in the destination project.

    By default, the data retention period is 30 days. You can change it to any value from 1 to 3650 days. A longer retention period increases log storage fees. For more information about how to change the data retention period of a Logstore, see Manage a Logstore. For more information about how to reduce log storage costs, see How do I reduce log storage costs?

Data Retention Period
  This parameter takes effect only when you create a Logstore and specifies how long logs are kept in the new Logstore. It does not change the data retention period of existing Logstores.

Multi-account configuration

  1. Create a resource directory. Only the management account of a resource directory or a delegated administrator account can enable the multi-account mode. For more information, see Resource Directory overview.

    1. Use a management account to log on to the Resource Management console and enable a resource directory. For more information, see Enable a resource directory.

    2. Create folders.

    3. Create members in the resource directory or invite existing Alibaba Cloud accounts to join the resource directory. Then, move the members to the folders that you created based on your business requirements.

      For more information, see Create a member, Invite an Alibaba Cloud account to join a resource directory, and Move a member.

    4. Add a delegated administrator account.

  2. Configure the Multi-account Mode parameter.

    All
      • Collect the specified cloud service logs from all members in the resource directory.

      • If you use a management account or a delegated administrator account to create the collection rule, all members in the resource directory are affected. When a member is added to the resource directory, the collection rule is automatically applied to the member. When a member is removed from the resource directory, the rule no longer applies to that member.

    Custom
      • Collect the specified cloud service logs from selected members in the resource directory.

      • If you use a management account or a delegated administrator account to create the collection rule, only the selected members are affected. Other members are not affected.

Common error codes, error messages, and descriptions

NotMatch
  Message: productCode or dataCode are not match to current productCode or dataCode
  Description: When you modify a collection rule, you cannot change the Cloud Service Name or Log Type parameter. Changing either one causes this mismatch error.

PolicyNotExist
  Message: the collection policy does not exist
  Description: The collection rule that you try to query or delete does not exist.

InvalidSLR
  Message: SLR not exist or created failed
  Description: The service-linked role does not exist or could not be created. When you create a collection rule in the new version of Log Audit Service, the system automatically creates a service-linked role named AliyunServiceRoleForSLSAudit in the current Alibaba Cloud account and in each member of the resource directory. For more information, see Manage the AliyunServiceRoleForSLSAudit service-linked role.

InvalidRAM
  Message: RAM is not enough for execute this action, please check current account ram policy of this operation
  Description: The Resource Access Management (RAM) user does not have the permissions required to manage the new version of Log Audit Service. For more information, see Grant a RAM user the permissions to use the new version of Log Audit Service.

InvalidProductData
  Message: Invalid Product Code or Data Code
  Description: The Cloud Service Name or Log Type parameter is invalid.

InvalidProductData
  Message: Invalid Policy Name
  Description: The Policy Name parameter is invalid. The name must be 3 to 63 characters in length and must start with a letter.

InvalidPolicyConfig
  Message: Policy Config : resourceMode should be all/instanceMode/attributeMode
  Description: You must set the Resource Matching Mode parameter to All Resources, Instance Mode, or Attribute Mode.

InvalidPolicyConfig
  Message: Policy Config : resourceMode should be all for lens global log type
  Description: For global logs, you must set the Resource Matching Mode parameter to All Resources.

InvalidPolicyConfig
  Message: Policy Config : resourceMode should be attribute mode for security log type
  Description: For security logs, you must set the Resource Matching Mode parameter to Attribute Mode.

InvalidPolicyConfig
  Message: Policy Config : you should set at least one center region for security log type
  Description: For security logs, you must specify at least one region in the Region parameter.

InvalidPolicyConfig
  Message: Policy Config : this productCode and dataCode not allowed to config instance ids
  Description: For security logs, you cannot configure the Instances parameter.

InvalidConfig
  Message: Please check if the project/logstore belongs to you or the project/logstore in right region
  Description: The destination project or Logstore for centralized storage does not belong to the current account, or the Logstore does not reside in the specified region.

InvalidConfig
  Message: policyCode and dataCode is required when you need to list policy by instanceId that meet the filter conditions
  Description: To query collection rules by instance ID, you must also specify the Cloud Service Name and Log Type parameters.

InvalidCentralizeConfig
  Message: when centralizeEnabled, you should set at least one centralize config
  Description: After you enable centralized storage, you must configure the Destination Store for Centralized Storage parameter.

InvalidCentralizeConfig
  Message: centralize config is necessary for security product log collection
  Description: For security logs, you must enable centralized storage.

InvalidCentralizeConfig
  Message: dest project, dest logstore, dest region, dest ttl should not be empty when centralize enabled
  Description: After you enable centralized storage, you must configure the Destination Project for Centralized Storage, Destination Store for Centralized Storage, and Data Retention Period parameters, and the destination region must be set.

InvalidCentralizeConfig
  Message: dest project invalid for centralize config
  Description: The Destination Project for Centralized Storage parameter is invalid.

InvalidCentralizeConfig
  Message: dest logstore invalid for centralize config
  Description: The Destination Store for Centralized Storage parameter is invalid.

InvalidCentralizeConfig
  Message: dest region invalid for centralize config
  Description: The region of the destination project for centralized storage is invalid.

InvalidResourceDirectoryConfig
  Message: Policy ResourceDirectory Config : when you set resource directory, you should set account group type first
  Description: When you configure a resource directory in a collection rule, you must also set the Multi-account Mode parameter.

InvalidResourceDirectoryConfig
  Message: Policy ResourceDirectory Config: instance mode not allowed to set resource directory
  Description: When the multi-account mode is enabled, the Resource Matching Mode parameter cannot be set to Instance Mode.

InvalidResourceDirectoryConfig
  Message: Policy ResourceDirectory Config : members should not be empty
  Description: When you set the Multi-account Mode parameter to Custom, you must select at least one member.

InvalidResourceDirectoryConfig
  Message: Policy ResourceDirectory Config : centralize config enabled is required for resource directory
  Description: You must enable centralized storage when you configure a resource directory in a collection rule, because the multi-account mode is supported only in the new version of Log Audit Service, which stores logs centrally.

InvalidResourceDirectoryConfig
  Message: Policy ResourceDirectory Config : the account resource directory not in use
  Description: No resource directory is enabled for the current account.

InvalidResourceDirectoryConfig
  Message: Policy ResourceDirectory Config : the account is neither a delegated admin nor a master, just a member account
  Description: The current account is a member of the resource directory, not its management account or a delegated administrator account. A member cannot configure the multi-account mode in a collection rule.

InvalidResourceDirectoryConfig
  Message: Policy ResourceDirectory Config : custom members include invalid account
  Description: The Multi-account Mode parameter is set to Custom, but the member list contains an account that is not a valid member of the resource directory.

InvalidDataConfig
  Message: Policy DataConfig: the data region is not valid
  Description: For global logs, the Global Log Storage Region parameter is invalid.

InvalidDataConfig
  Message: Policy DataConfig: this kind of product is not allowed to set data config
  Description: The Global Log Storage Region parameter can be configured only for global logs.

InvalidDataConfig
  Message: Policy DataConfig: the data region already exist in other policy, you cannot change
  Description: For global logs, once the Global Log Storage Region parameter is set by any collection rule, you cannot change it in another rule.
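The constraints spelled out in the parameter sections and the error table above can be checked locally before a rule is submitted, so that a misconfigured rule (for example a security log rule without a region, or a multi-account rule in Instance Mode) is caught in code review rather than by the service. The following Python block is an added example written for this page; it is not Alibaba Cloud's own code or an API client. The dict layout and field names (policyName, productCode, dataCode, policyConfig with resourceMode/regions/instanceIds, centralizeEnabled, centralizeConfig with destProject/destLogstore/destRegion/destTTL, dataConfig, resourceDirectory with accountGroupType and members, and "all"/"custom" as group types) are assumptions modelled on the words used in the error messages; the real request format may differ. The log_kind argument ("normal", "global" or "security") must be supplied by the caller, because which log types are global or security logs is defined in the usage notes, not on this page. The sample rules are constructed.

```python
"""Pre-flight checks for a collection rule, mirroring the documented errors.

Added example; not the product's own code or an API client. Field names
are assumptions modelled on the error messages above; samples are constructed.
"""
import re

RESOURCE_MODES = {"all", "instanceMode", "attributeMode"}
POLICY_NAME_RE = re.compile(r"[A-Za-z].{2,62}")   # 3-63 chars, starts with a letter


def validate_policy(policy: dict, log_kind: str = "normal") -> list[tuple[str, str]]:
    """Return (error code, message) pairs; an empty list means the rule passes."""
    errors: list[tuple[str, str]] = []
    if not POLICY_NAME_RE.fullmatch(policy.get("policyName") or ""):
        errors.append(("InvalidProductData", "Invalid Policy Name"))
    if not policy.get("productCode") or not policy.get("dataCode"):
        errors.append(("InvalidProductData", "Invalid Product Code or Data Code"))

    cfg = policy.get("policyConfig") or {}
    mode = cfg.get("resourceMode")
    if mode not in RESOURCE_MODES:
        errors.append(("InvalidPolicyConfig", "resourceMode should be all/instanceMode/attributeMode"))
    if log_kind == "global" and mode != "all":
        errors.append(("InvalidPolicyConfig", "resourceMode should be all for lens global log type"))
    if log_kind == "security":
        if mode != "attributeMode":
            errors.append(("InvalidPolicyConfig", "resourceMode should be attribute mode for security log type"))
        if not cfg.get("regions"):
            errors.append(("InvalidPolicyConfig", "you should set at least one center region for security log type"))
        if cfg.get("instanceIds"):
            errors.append(("InvalidPolicyConfig", "this productCode and dataCode not allowed to config instance ids"))
        if not policy.get("centralizeEnabled"):
            errors.append(("InvalidCentralizeConfig", "centralize config is necessary for security product log collection"))

    if policy.get("centralizeEnabled"):
        cc = policy.get("centralizeConfig") or {}
        if not cc:
            errors.append(("InvalidCentralizeConfig", "when centralizeEnabled, you should set at least one centralize config"))
        elif any(not cc.get(k) for k in ("destProject", "destLogstore", "destRegion", "destTTL")):
            errors.append(("InvalidCentralizeConfig", "dest project, dest logstore, dest region, dest ttl should not be empty when centralize enabled"))
        elif not (isinstance(cc["destTTL"], int) and 1 <= cc["destTTL"] <= 3650):
            # Local check only: the 1-3650 day range comes from the Data Retention
            # Period note; the service message text for it is not documented above.
            errors.append(("InvalidCentralizeConfig", "dest ttl must be within 1 to 3650 days"))

    rd = policy.get("resourceDirectory")
    if rd:
        group = rd.get("accountGroupType")          # assumed values: "all" | "custom"
        if group not in ("all", "custom"):
            errors.append(("InvalidResourceDirectoryConfig", "when you set resource directory, you should set account group type first"))
        if mode == "instanceMode":
            errors.append(("InvalidResourceDirectoryConfig", "instance mode not allowed to set resource directory"))
        if group == "custom" and not rd.get("members"):
            errors.append(("InvalidResourceDirectoryConfig", "members should not be empty"))
        if not policy.get("centralizeEnabled"):
            errors.append(("InvalidResourceDirectoryConfig", "centralize config enabled is required for resource directory"))

    if policy.get("dataConfig") and log_kind != "global":
        errors.append(("InvalidDataConfig", "this kind of product is not allowed to set data config"))
    return errors


# Constructed samples: service code, log type, project and account IDs are made up.
VALID_SECURITY_POLICY = {
    "policyName": "sec-prod-collect",
    "productCode": "example-security-product",
    "dataCode": "example-security-log",
    "policyConfig": {"resourceMode": "attributeMode", "regions": ["cn-hangzhou"],
                     "resourceTags": {"env": "prod"}},
    "centralizeEnabled": True,
    "centralizeConfig": {"destRegion": "cn-hangzhou", "destProject": "audit-central",
                         "destLogstore": "security-log", "destTTL": 180},
    "resourceDirectory": {"accountGroupType": "custom", "members": ["123456789012345"]},
}
BAD_SECURITY_POLICY = {
    "policyName": "1x",                                     # too short, no leading letter
    "productCode": "example-security-product",
    "dataCode": "example-security-log",
    "policyConfig": {"resourceMode": "instanceMode", "instanceIds": ["i-1"]},
    "centralizeEnabled": False,
    "resourceDirectory": {"accountGroupType": "custom"},    # no members
}

if __name__ == "__main__":
    for code, msg in validate_policy(BAD_SECURITY_POLICY, "security"):
        print(f"{code}: {msg}")
```

The valid sample passes cleanly, while the bad one surfaces eight findings at once (name, three Resource Matching Mode violations for a security log, the missing centralized storage, and three resource directory problems), which is more useful than the one-error-per-submit loop the console gives you.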

References

  • If you use a RAM user to manage the new version of Log Audit Service, you must use an Alibaba Cloud account to grant the required permissions to the RAM user. For more information, see Grant a RAM user the permissions to use the new version of Log Audit Service.

  • For more information about the log types, default project and Logstore names, and billing details of supported cloud services, see Usage notes of cloud service log collection.

  • If you want to collect cloud service logs from multiple Alibaba Cloud accounts, you must enable a resource directory. For more information, see Enable a resource directory. Then, use the management account of the resource directory or a delegated administrator account to configure collection rules for the required cloud services. After you configure the collection rules, the cloud service logs are collected from the members of the resource directory to a specified project. For more information, see Usage notes of cloud service log collection.