All Products
Search
Document Center

Security Center:Manage logs

Last Updated:Oct 29, 2024

The Cloud Threat Detection and Response (CTDR) feature provides log management feature. The feature allows you to store and query logs of cloud services that are added to the feature. The feature helps you precisely identify alerts and trace attack sources to improve the efficiency of response to potential threats, simplify log management across environments, and strengthen the overall defense system. The feature is compliant with the Cybersecurity Law and Multi-Level Protection Scheme (MLPS) 2.0 standards. This topic describes how to use the log management feature.

How the feature work

The CTDR feature and Simple Log Service jointly launched the log management feature to provide centralized log storage and analysis capabilities for logs of different cloud platforms, accounts, and cloud services.

After you purchase the log storage capacity for the CTDR feature, the feature automatically creates a project named aliyun-cloudsiem-data-Alibaba Cloud account ID-Region ID and a dedicated Logstore named cloud_siem in the Simple Log Service console to store all logs collected by the feature. The log storage region of the CTDR feature varies based on the data management center that you select in the top navigation bar of the Security Center console.

  • If you select China, logs are stored in the China (Shanghai) region.

  • If you select Outside China, logs are stored in the Singapore region.

Important

You can log on to the Simple Log Service console to view the project and Logstore that are dedicated to the CTDR feature. Do not delete the project or Logstore.

If you accidentally delete the Logstore, the system prompts that the cloud_siem Logstore does not exist. All log data in the Logstore is lost. In this case, submit a ticket to undo the operation. After you undo the operation, you must re-enable the CTDR feature to continue using the feature. You cannot restore deleted log data.

After you enable data delivery for logs of specific types, the CTDR feature automatically delivers the logs to the cloud_siem Logstore. The system retains the logs until the specified storage duration ends. When the duration ends, the system automatically deletes the logs. If the log storage capacity is exhausted, new logs are no longer delivered for storage. When the size of logs exceeds 80% of the log storage capacity that you purchased for the feature, Security Center sends a notification. For more information about how to configure notification settings, see Configure notification settings.

Billing

The subscription billing method is supported. You are charged based on the log storage capacity and storage duration that you purchased. When you query and export logs in the Security Center console, no fees are generated.

After logs are delivered to the dedicated Logstore, you may be charged for the operations that you perform in the Simple Log Service console, such as transforming and shipping logs.

  • If the Logstore uses the pay-by-feature billing mode, you are charged when you transform or ship logs. You are also charged for read traffic over the Internet when you read logs in stream mode over the Internet. The fees are included in the bills of Simple Log Service. For more information, see Billable items of pay-by-feature.

  • If the Logstore uses the pay-by-ingested-data billing mode, you are not charged when you transform or ship data. You are charged only for read traffic over the Internet. The fees are included in the bills of Simple Log Service. For more information, see Billable items of pay-by-ingested-data.

Multi-account management

If you configure the multi-account management feature and use the global administrator account to log on to the Security Center console, you must select the appropriate view before you can manage logs on the Log Management page. The following list describes the supported views:

  • Current Account View: You can view and manage logs within the current account.

  • Global Account View: You can view and manage data within the Alibaba Cloud accounts that are managed by the CTDR feature.

Important
  • If you enable log delivery in Current Account View and Global Account View, the log storage capacity that is purchased by using the global administrator account is used, and delivered log data is stored within the global administrator account.

  • If your Alibaba Cloud account is managed by the global administrator account and you want to manage logs by using your account, you must separately purchase the log storage capacity of the CTDR feature and enable log delivery by using your account. To enable log delivery, go to the CTDR > Log Management page in the Security Center console.

Prerequisites

Step 1: Enable log delivery

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

  2. In the left-side navigation pane, choose CTDR > Service Integration.

  3. In the upper-right corner of the Service Integration page, click Log Settings.

  4. In the Log Delivery Management section of the panel that appears, find a type of log that you want to deliver for storage, and turn on the switch in the Deliver Log to Hot Data/Enabled and Disabled At column.

    You can select multiple log types, click Batch Deliver Log To.

    You can also go to the Log Management page, find the type of log that you want to deliver for storage from the All Data Sources drop-down list, and then turn on the switch next to the log type.

    image

  5. Optional. In the left-side navigation pane, choose CTDR > Log Management. On the Log Management page, turn on the switch next to Deliver All Data to enable log delivery for all types of logs that belong to added data sources.

Note

If you do not want to store a specific type of log for a cloud service, you can turn off the switch for the log type. New logs of the log type are no longer delivered for log management.

Step 2: Query logs

  1. In the left-side navigation pane, choose CTDR > Log Management.

  2. On the Log Management page, click All Data Sources in the upper-left corner. In the All Data Sources drop-down list, specify cloud services and log types as log data sources.

  3. Specify a query time range and use query statements to query and analyze logs.

    You can use the log management feature of CTDR in the same manner as you use the log analysis feature of Security Center. For more information, see Use custom log query and analysis.

More operations

Change the log storage duration

By default, logs of cloud services that you deliver for storage are stored for 180 days. You can change the storage duration based on your business requirements.

  1. In the left-side navigation pane, choose CTDR > Service Integration.

  2. In the upper-right corner of the Service Integration page, click Log Settings.

  3. In the Log Management panel, click Modify in the Retention Days column to change the storage duration.

Manage the log storage capacity

You can view the log storage that is used and the total capacity that you purchased on the CTDR > Log Management page. You can increase the current log storage capacity or clear the log storage based on your business requirements.

  • Click Scale Out to purchase additional log storage capacity.

    Make sure that you have sufficient log storage capacity. If you do not have sufficient log storage capacity, new logs cannot be stored.

  • Click Clear to clear the log storage.

    Warning

    You cannot restore logs after you clear the log storage. Proceed with caution. We recommend that you export logs and store the logs on your on-premises computer before you clear the log storage.

image

References