All Products
Search
Document Center

Simple Log Service:Log Audit Service (new version)

Last Updated:Dec 18, 2024

This topic describes the working principles, usage limits, billing, and ingestion types of the new version of Log Audit Service.

Background information

In recent years, with the widespread application of cloud computing and the deep popularization of enterprises migrating to the cloud, many enterprises or individual users host various logs on the cloud for querying, auditing, and other operations.

  • Log Audit is a mandatory requirement of laws and regulations in many countries. Enterprises or organizations need to continuously implement and comply with various laws and regulations to ensure the security of network data, protect user information rights, and maintain the security of enterprise infrastructure.

  • Data compliance management is also a professional and complex issue that many enterprises or organizations need to face. In today's globalized world, enterprise data may be stored in various regions or organizations worldwide. On the one hand, data management needs to be based on legal and regulatory requirements to ensure data security, protect personal information rights, and maintain national security and social public interests. On the other hand, for production practice needs, data needs to flow freely in an orderly manner to maximize its value.

  • In this context, we have launched the new version of Log Audit Service, which enhances data access capabilities for both cloud product logs and runtime logs. With the multi-log project center, users can centralize, query, count, and analyze logs while ensuring compliance with regional data regulations. This improves the management of lawful and orderly data flow.

Basic features

Simple Log Service platform supports automated log management and has capabilities such as log query, analysis, storage, transformation, delivery, consumption, alerting, and visualization. Based on the Simple Log Service platform, Log Audit Service also supports the following features.

Collect cloud product logs

  • Cloud product coverage: Log Audit Service supports a variety of mainstream Alibaba Cloud products and their log types, including Storage (Simple Log Service, Object Storage Service), Networking (Classic Load Balancer, Application Load Balancer, Virtual Private Cloud, Alibaba Cloud DNS), Databases (ApsaraDB RDS, PolarDB), Security (Security Center, Cloud Firewall, Web Application Firewall, Anti-DDoS), Audit (ActionTrail, Cloud Config), and related log types.

  • Automated log collection: Log Audit Service supports automated collection of user logs. On the one hand, once a cloud product is connected to the new version of Log Audit Service, new logs are automatically written to the target Logstore; on the other hand, if there are new instances or attribute changes under the cloud account, the logs of the cloud product are automatically collected and written according to the user's configured collection rules.

  • Configurable collection rules: Log Audit Service supports three resource matching modes to filter cloud product resources: all resources, filtering resources by instance mode, and filtering resources by attribute mode. Users can choose according to their actual needs.

  • Cross-region data aggregation: Log Audit Service achieves cross-region aggregation of log data through the data transformation feature. Simple Log Service automatically creates data transformation tasks, which are created based on the delivery relationship between the default destination Logstore and the centralized destination Logstore configured by the collection rules.

  • Support for multiple log centers: Logs only need to be ingested once and can be aggregated into various log projects or Logstores according to the configured rules through data transformation. For example, users can aggregate logs from the China (Beijing) and China (Hangzhou) regions to the China (Shanghai) region and logs from Malaysia (Kuala Lumpur) and Indonesia (Jakarta) regions to the Singapore region.

  • Support for multi-account feature of Resource Directory: Administrators or delegated administrators can aggregate all logs of member accounts through multi-account collection configuration.

Collect runtime logs

  • Runtime log collection: Log Audit Service supports collecting runtime logs captured by open-source agents (Tetragon, Falco) into the Logstore by using Logtail.

  • Collection of systemd journal logs: Log Audit Service supports the use of Logtail to collect systemd journal logs, and can gather journal logs from the hosts in a containerized manner. This approach is suitable for Docker and Kubernetes environments.

Working principles

Collect cloud product logs

image
  1. The logs of cloud products are first stored in their respective default Logstores. These logs include the operation information and running status of the cloud products.

    • For the log types and corresponding Logstore names of cloud products, see Usage notes of cloud service log collection.

    • For each cloud product instance, if multiple collection rules are hit, as long as one collection rule matches, the instance logs will be collected into the default Logstore.

  2. Log Audit Service automatically creates data transformation tasks to aggregate the logs of the default Logstore into the user's associated project.

    • The log types of cloud products are determined by Log Audit collection rules configured by the user.

    • Log Audit Service automatically detects new or changed cloud product instances in each region under the user's cloud account and synchronizes them to Log Audit collection rules.

  3. If the administrator account or delegated administrator account of the Resource Directory configures multi-account collection rules, the cloud product logs are first collected into the default delivery destination Logstore of the member account's cloud product, and then aggregated into the central Logstore of the administrator account or delegated administrator account through automatically created data transformation tasks.

    • Collection rule 1: Collect logs based on region attribute, delivering the cloud product logs of China (Hangzhou) and China (Shenzhen) regions to the centralized Logstore xxx_log_center, which belongs to the centralized project center-A-cn-shanghai.

    • Collection rule 2: Collect logs based on region attribute, delivering the cloud product logs of the Singapore region to the centralized Logstore xxx_log_center, which belongs to the centralized project center-A-ap-southeast-1.

Collect runtime logs

In a Docker and Kubernetes environment, use Tetragon and Falco to collect container runtime logs to a directory file and standard output. Then, use Logtail to deliver these runtime logs to the Logstore.

Usage limits

  • The new version of Log Audit Service is in the public preview stage. If you encounter any issues during use, submit a ticket.

Billing

image

While Log Audit Service itself is free, activating it incurs charges for log storage and log traffic, including the following fee types:

Cost type

Description

Cost of the default Logstore for cloud product logs

Cost of data transformation

  • The data volume for data transformation is free.

  • When transforming data across regions, read traffic over Internet (calculated based on the compressed data volume) is generated. For more information, see Billable items of pay-by-feature.

Cost of the Logstore associated with Log Audit

  • Pay-by-feature billing mode. Other billable items are the same as ordinary Logstores, but the write traffic and write times generated by the data transformation tasks automatically created by Log Audit rules are not charged.

  • For information about reducing Logstore storage costs and stopping Logstore billing, see FAQ about Logstores.

Cost of cloud product features

For certain cloud products, you must enable specific features before log collection. For example, you need to enable the flow log feature for Virtual Private Cloud and the SQL Explorer and Audit feature for ApsaraDB RDS. These features incur additional costs.

For more information, see Usage notes of cloud service log collection.

Cost of runtime logs

Same as the billing for ordinary Logstores. For more information about billable items, see Billable items of pay-by-feature and Billable items of pay-by-ingested-data. For information about reducing Logstore storage costs and stopping Logstore billing, see FAQ about Logstores.

Ingestion types of cloud products

The current cloud product ingestion for Log Audit is mainly divided into the following types. For specific restrictions, see Usage notes of cloud service log collection.

Ingestion type

Classification basis

Restrictions and description

Corresponding cloud products and log types

Instance

Supports rule configuration and collection based on instance granularity (such as instance ID, instance region, and instance tag).

Cloud product instance logs are delivered to the Logstore in the current instance's region by default.

  • Simple Log Service: operation logs and running logs

  • Object Storage Service: access logs

  • ApsaraDB RDS: audit logs, slow query logs, error logs, and performance monitoring

  • PolarDB: audit logs, slow query logs, error logs, performance monitoring

  • Virtual Private Cloud: flow logs

  • Alibaba Cloud DNS: Private DNS logs

  • Application Load Balancer and Classic Load Balancer: access logs

  • ApsaraDB for MongoDB: audit logs

Global log

Only supports rule configuration and collection based on global granularity.

Cloud product global logs are delivered to a Logstore in a fixed region by default.

  • Simple Log Service: global audit logs, global error logs, performance monitoring metrics

  • Object Storage Service: metering logs

Security

Rule configuration depends on the resource attribute mode to obtain the default delivery region list of cloud products.

Users need to manually enable collection in the cloud product console. Log Audit only performs centralized transformation and aggregation.

  • Web Application Firewall 2.0, Web Application Firewall 3.0, and Application Firewall 3.0 (pay-as-you-go): access logs

  • Security Center and Security Center (pay-as-you-go) logs

  • Anti-DDoS Origin Basic, Anti-DDoS Proxy (Chinese Mainland), and Anti-DDoS Proxy (Outside Chinese Mainland)

  • Cloud Firewall logs, Cloud Firewall (pay-as-you-go) logs, and Key Management Service (KMS) logs

ActionTrail and Cloud Config

Does not rely on collection rules, associated with Log Audit through the Logstore name.

Users need to manually configure tracking or delivery in the cloud product console and configure it to the current audit-associated log project.

  • ActionTrail logs

  • Cloud Config logs