Elastic Desktop Service (Enterprise Edition) can deliver user operation logs to Logstores in Simple Log Service. Administrators can use the logs to audit and monitor user operations and to send alerts at the earliest opportunity if suspicious operations are detected. This helps prevent data leaks and protects the security of business data. This topic describes the permissions required to deliver user operation logs and how to deliver the logs.
Background
Before you deliver user operation logs, you must understand the following information related to Simple Log Service:
Simple Log Service is a cloud-native monitoring and analysis platform that provides large-scale, low-cost, and real-time services to process multiple types of data such as logs, metrics, and traces. Simple Log Service offers one-stop solutions to collect, process, query, analyze, visualize, consume, and deliver data. The solutions can also send alerts. You can use Simple Log Service to improve digital capabilities in R&D, O&M, operations, and data security. For more information, see What is Simple Log Service?
You can use Logstores in Simple Log Service to collect, store, and query logs. For more information, see Logstore.
You are not charged when you deliver user operation logs from Elastic Desktop Service (Enterprise Edition) to Logstores in Simple Log Service. However, when logs are delivered to Logstores in Simple Log Service, you are charged for log storage. For more information, see Billing overview.
Service-linked roles are associated with Alibaba Cloud services. You can configure the permissions on cloud services by using service-linked roles to perform operations. This helps prevent risks caused by misoperations. For more information, see Service-linked roles.
The first time you deliver user operation logs in Elastic Desktop Service (Enterprise Edition) to Simple Log Service, the Elastic Desktop Service system creates a service-linked role and attaches a policy to the role to grant permissions on Simple Log Service. The following items describe the details:
Role: AliyunServiceRoleForGwsLogDelivery
Policy: AliyunServiceRolePolicyForGwsLogDelivery
Description: Elastic Desktop Service (Enterprise Edition) uses AliyunServiceRoleForGwsLogDelivery to access Logstores for log delivery.
If you no longer require the service-linked role, you can delete the role. However, you must delete cloud computer resources that depend on the role in the Elastic Desktop Service (Enterprise Edition) console or by calling related API operations before you delete the role. For more information, see Delete a RAM role.
Prerequisites
Simple Log Service is activated and the service-linked role is granted the permissions on Simple Log Service. For more information, see Getting Started.
Procedure
Log on to the Elastic Desktop Service console.
In the left-side navigation pane, choose .
Click the User Operation Logs tab and click Deliver to Logstore in the upper-right corner.
(Conditional) If this is the first time you use this feature, click OK in the Elastic Desktop Service Service-linked Role dialog box.
In the Deliver to Logstore panel, specify a Logstore. You can create a Logstore or select an existing Logstore. Click OK.
Troubleshooting
Why does the Elastic Desktop Service system fail to create AliyunServiceRoleForGwsLogDelivery when I use a RAM user to deliver logs?
The system can create or delete AliyunServiceRoleForGwsLogDelivery for a Resource Access Management (RAM) user only if the CreateServiceLinkedRole policy is attached to the RAM user. If the system cannot create AliyunServiceRoleForGwsLogDelivery for a RAM user, you must attach the CreateServiceLinkedRole policy to the RAM user.
In the following statement, replace ID of your Alibaba Cloud account with your actual account ID.
{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:ID of your Alibaba Cloud account:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "log-delivery.gws.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}
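The ram:ServiceName condition is what keeps this grant limited to the log delivery service-linked role. The following added example (not Alibaba Cloud code) fills the account ID into the statement above and audits a policy for Allow statements that grant ram:CreateServiceLinkedRole without that restriction. The function names and the sample account ID are constructed for illustration; the audit assumes action names match case-insensitively and inspects only the StringEquals operator.

```python
import json
from fnmatch import fnmatchcase

SERVICE = "log-delivery.gws.aliyuncs.com"  # service name from the policy above
ACTION = "ram:createservicelinkedrole"     # compared in lower case (assumption)

def build_policy(account_id: str) -> dict:
    """Fill the account ID into the policy above; accept digits only."""
    if not (account_id.isascii() and account_id.isdigit()):
        raise ValueError("account ID must contain digits only")
    return {
        "Statement": [{
            "Action": ["ram:CreateServiceLinkedRole"],
            "Resource": f"acs:ram:*:{account_id}:role/*",
            "Effect": "Allow",
            "Condition": {"StringEquals": {"ram:ServiceName": [SERVICE]}},
        }],
        "Version": "1",
    }

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit(policy: dict) -> list:
    """List Allow statements that grant the action more broadly than the policy above."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [a.lower() for a in as_list(stmt.get("Action", []))]
        if not any(fnmatchcase(ACTION, p) for p in patterns):
            continue  # statement does not grant CreateServiceLinkedRole
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        names = as_list(cond.get("ram:ServiceName", []))
        if not names:
            findings.append(f"statement {i}: no ram:ServiceName condition")
        elif set(names) != {SERVICE}:
            findings.append(f"statement {i}: allows services other than {SERVICE}")
    return findings

if __name__ == "__main__":
    good = build_policy("1234567890123456")   # constructed sample account ID
    broad = json.loads(json.dumps(good))      # deep copy
    del broad["Statement"][0]["Condition"]    # constructed over-broad variant
    print(json.dumps(good, indent=2))
    print("page policy:", audit(good))
    print("no condition:", audit(broad))
```

An empty list from audit means every statement that grants the action is limited to the log delivery service.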