Log Audit Service (new version) - Simple Log Service - Alibaba Cloud Documentation Center

This topic describes the working principles, usage limits, billing, and ingestion types of the new version of Log Audit Service.

Background information

In recent years, with the widespread application of cloud computing and the deep popularization of enterprises migrating to the cloud, many enterprises or individual users host various logs on the cloud for querying, auditing, and other operations.

Log Audit is a mandatory requirement of laws and regulations in many countries. Enterprises or organizations need to continuously implement and comply with various laws and regulations to ensure the security of network data, protect user information rights, and maintain the security of enterprise infrastructure.
Data compliance management is also a professional and complex issue that many enterprises or organizations need to face. In today's globalized world, enterprise data may be stored in various regions or organizations worldwide. On the one hand, data management needs to be based on legal and regulatory requirements to ensure data security, protect personal information rights, and maintain national security and social public interests. On the other hand, for production practice needs, data needs to flow freely in an orderly manner to maximize its value.
In this context, we have launched the new version of Log Audit Service, which enhances data access capabilities for both cloud product logs and runtime logs. With the multi-log project center, users can centralize, query, count, and analyze logs while ensuring compliance with regional data regulations. This improves the management of lawful and orderly data flow.

Basic features

Simple Log Service platform supports automated log management and has capabilities such as log query, analysis, storage, transformation, delivery, consumption, alerting, and visualization. Based on the Simple Log Service platform, Log Audit Service also supports the following features.

Collect cloud product logs

Cloud product coverage: Log Audit Service supports a variety of mainstream Alibaba Cloud products and their log types, including Storage (Simple Log Service, Object Storage Service), Networking (Classic Load Balancer, Application Load Balancer, Virtual Private Cloud, Alibaba Cloud DNS), Databases (ApsaraDB RDS, PolarDB), Security (Security Center, Cloud Firewall, Web Application Firewall, Anti-DDoS), Audit (ActionTrail, Cloud Config), and related log types.
Automated log collection: Log Audit Service supports automated collection of user logs. On the one hand, once a cloud product is connected to the new version of Log Audit Service, new logs are automatically written to the target Logstore; on the other hand, if there are new instances or attribute changes under the cloud account, the logs of the cloud product are automatically collected and written according to the user's configured collection rules.
Configurable collection rules: Log Audit Service supports three resource matching modes to filter cloud product resources: all resources, filtering resources by instance mode, and filtering resources by attribute mode. Users can choose according to their actual needs.
Cross-region data aggregation: Log Audit Service achieves cross-region aggregation of log data through the data transformation feature. Simple Log Service automatically creates data transformation tasks, which are created based on the delivery relationship between the default destination Logstore and the centralized destination Logstore configured by the collection rules.
Support for multiple log centers: Logs only need to be ingested once and can be aggregated into various log projects or Logstores according to the configured rules through data transformation. For example, users can aggregate logs from the China (Beijing) and China (Hangzhou) regions to the China (Shanghai) region and logs from Malaysia (Kuala Lumpur) and Indonesia (Jakarta) regions to the Singapore region.
Support for multi-account feature of Resource Directory: Administrators or delegated administrators can aggregate all logs of member accounts through multi-account collection configuration.

Collect runtime logs

Runtime log collection: Log Audit Service supports collecting runtime logs captured by open-source agents (Tetragon, Falco) into the Logstore by using Logtail.
Collection of systemd journal logs: Log Audit Service supports the use of Logtail to collect systemd journal logs, and can gather journal logs from the hosts in a containerized manner. This approach is suitable for Docker and Kubernetes environments.

Working principles

Collect cloud product logs

The logs of cloud products are first stored in their respective default Logstores. These logs include the operation information and running status of the cloud products.
- For the log types and corresponding Logstore names of cloud products, see Usage notes of cloud service log collection.
- For each cloud product instance, if multiple collection rules are hit, as long as one collection rule matches, the instance logs will be collected into the default Logstore.
Log Audit Service automatically creates data transformation tasks to aggregate the logs of the default Logstore into the user's associated project.
- The log types of cloud products are determined by Log Audit collection rules configured by the user.
- Log Audit Service automatically detects new or changed cloud product instances in each region under the user's cloud account and synchronizes them to Log Audit collection rules.
If the administrator account or delegated administrator account of the Resource Directory configures multi-account collection rules, the cloud product logs are first collected into the default delivery destination Logstore of the member account's cloud product, and then aggregated into the central Logstore of the administrator account or delegated administrator account through automatically created data transformation tasks.
- Collection rule 1: Collect logs based on region attribute, delivering the cloud product logs of China (Hangzhou) and China (Shenzhen) regions to the centralized Logstore xxx_log_center, which belongs to the centralized project center-A-cn-shanghai.
- Collection rule 2: Collect logs based on region attribute, delivering the cloud product logs of the Singapore region to the centralized Logstore xxx_log_center, which belongs to the centralized project center-A-ap-southeast-1.

Collect runtime logs

In a Docker and Kubernetes environment, use Tetragon and Falco to collect container runtime logs to a directory file and standard output. Then, use Logtail to deliver these runtime logs to the Logstore.

Usage limits

The new version of Log Audit Service is in the public preview stage. If you encounter any issues during use, submit a ticket.

Billing

While Log Audit Service itself is free, activating it incurs charges for log storage and log traffic, including the following fee types:

Cost type	Description

Cost type	Description
Cost of the default Logstore for cloud product logs	Same as the billing for ordinary Logstores. Other billable items are the same as ordinary Logstores, but the read traffic and read times generated by the data transformation tasks automatically created by Log Audit rules are not charged. For more information about billable items, see Overview of cloud product logs, Billable items of pay-by-feature, and Billable items of pay-by-ingested-data. For information about reducing Logstore storage costs and stopping Logstore billing, see FAQ about Logstores.
Cost of data transformation	The data volume for data transformation is free. When transforming data across regions, read traffic over Internet (calculated based on the compressed data volume) is generated. For more information, see Billable items of pay-by-feature.
Cost of the Logstore associated with Log Audit	Pay-by-feature billing mode. Other billable items are the same as ordinary Logstores, but the write traffic and write times generated by the data transformation tasks automatically created by Log Audit rules are not charged. For information about reducing Logstore storage costs and stopping Logstore billing, see FAQ about Logstores.
Cost of cloud product features	For certain cloud products, you must enable specific features before log collection. For example, you need to enable the flow log feature for Virtual Private Cloud and the SQL Explorer and Audit feature for ApsaraDB RDS. These features incur additional costs. For more information, see Usage notes of cloud service log collection.
Cost of runtime logs	Same as the billing for ordinary Logstores. For more information about billable items, see Billable items of pay-by-feature and Billable items of pay-by-ingested-data. For information about reducing Logstore storage costs and stopping Logstore billing, see FAQ about Logstores.

Ingestion types of cloud products

The current cloud product ingestion for Log Audit is mainly divided into the following types. For specific restrictions, see Usage notes of cloud service log collection.

Ingestion type	Classification basis	Restrictions and description	Corresponding cloud products and log types

Ingestion type	Classification basis	Restrictions and description	Corresponding cloud products and log types
Instance	Supports rule configuration and collection based on instance granularity (such as instance ID, instance region, and instance tag).	Cloud product instance logs are delivered to the Logstore in the current instance's region by default.	Simple Log Service: operation logs and running logs Object Storage Service: access logs ApsaraDB RDS: audit logs, slow query logs, error logs, and performance monitoring PolarDB: audit logs, slow query logs, error logs, performance monitoring Virtual Private Cloud: flow logs Alibaba Cloud DNS: Private DNS logs Application Load Balancer and Classic Load Balancer: access logs ApsaraDB for MongoDB: audit logs
Global log	Only supports rule configuration and collection based on global granularity.	Cloud product global logs are delivered to a Logstore in a fixed region by default.	Simple Log Service: global audit logs, global error logs, performance monitoring metrics Object Storage Service: metering logs
Security	Rule configuration depends on the resource attribute mode to obtain the default delivery region list of cloud products.	Users need to manually enable collection in the cloud product console. Log Audit only performs centralized transformation and aggregation.	Web Application Firewall 2.0, Web Application Firewall 3.0, and Application Firewall 3.0 (pay-as-you-go): access logs Security Center and Security Center (pay-as-you-go) logs Anti-DDoS Origin Basic, Anti-DDoS Proxy (Chinese Mainland), and Anti-DDoS Proxy (Outside Chinese Mainland) Cloud Firewall logs, Cloud Firewall (pay-as-you-go) logs, and Key Management Service (KMS) logs
ActionTrail and Cloud Config	Does not rely on collection rules, associated with Log Audit through the Logstore name.	Users need to manually configure tracking or delivery in the cloud product console and configure it to the current audit-associated log project.	ActionTrail logs Cloud Config logs

About Alibaba Cloud

Our Global Network

Quick Start

Global Offices

Olympic Games Paris 2024 New

Stade Roland Garros – Glitz from the Past New

Place de la Concorde – “Breaking” the Barriers New

Vaires-sur-Marne Nautical Stadium – Sports with Sustainability New

International Broadcast Center – Images, Sounds, and Data that Captivate Billions New

Customer Success Stories New

Trust Center

Security & Compliance Center

Cloud Compliance Resources

Security Compliance FAQs

Product & Feature Update New

Cloud Forward

Press Room

Alibaba Cloud e-Magazine New

Alibaba Cloud in Analyst Research

Notice

Go Global Service New

Go Global Alliance with Alibaba Cloud

Asia Accelerator Hot

Information Compliance

China Gateway - MLPS 2.0 Compliance New

China Gateway - Networking

China Gateway - Global Application Acceleration New

China Gateway - Security

China Gateway - Data Security New

ICP Support Hot

China Gateway - Omnichannel Data Mid-End New

China Gateway - Organizational Data Mid-End New

China Gateway - Business Mid-End New

China Gateway - AI Service for Conversational Chatbots New

China Gateway - Online Education

China Gateway - Domain Registration

Work at Alibaba Cloud

Experienced Professionals

Students and Graduates

Free Trial

Pricing

Promo Center

Price Reduction

Pay Less and Deploy More

FinOps

Elastic Compute Service (ECS)

Simple Application Server (SAS)

Elastic GPU Service

Elastic Desktop Service (EDS)

Object Storage Service (OSS)

Cloud Enterprise Network (CEN)

Web Application Firewall (WAF)

Domain Names

Container Compute Service (ACS)

Secure Access Service Edge (SASE)

Intelligent Media Services(IMS)

Edge Security Acceleration (ESA)(Original DCDN)

Intelligent Media Management

DingTalk Enterprise

YiDA

Alibaba Cloud Model Studio

Apsara Prime - For Easy Cloud Product Selection

Alibaba Cloud ECS - Cater All Your Cloud Hosting Needs

1TB CDN—Get Free 1 TB Outbound Traffic Plan Now

Security—Under Attack? Get Free Security Support

Short Message Service - Free Testing is Available

Elastic Compute Service (ECS) Hot

CloudBox

Compute Nest

Dedicated Host Hot

ECS Bare Metal Instance

Elastic GPU Service Featured

Simple Application Server (SAS) Hot

Auto Scaling

Cloud Phone Beta

Elastic Desktop Service (EDS) Featured

Batch Compute

Elastic High Performance Computing (E-HPC)

Super Computing Cluster (SCC)

Function Compute (FC)