Security Center provides the log analysis feature that allows you to query and analyze logs in real time. This topic describes how to enable log analysis.
Background information
You must enable log analysis in the Security Center console before you can use log analysis.
Before you use the feature, make sure that you use the Anti-virus, Advanced, Enterprise, or Ultimate edition of Security Center and have purchased log storage capacity. If you use the Basic edition, you must upgrade Security Center to the Anti-virus, Advanced, Enterprise, or Ultimate edition and purchase log storage capacity before you can use the feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center. For more information about the features that are supported by each edition, see Functions and features.
By default, the following types of logs are collected in Security Center: security logs, network logs, and host logs. Security Center Enterprise and Security Center Ultimate support 16 subtypes of logs. Security Center Anti-virus and Security Center Advanced support only 12 subtypes of host logs and security logs. Security Center Anti-virus and Security Center Advanced do not support network logs.
After you enable log analysis in the Security Center console, Simple Log Service automatically creates a dedicated Logstore to store Security Center logs. You can view the information about the Logstore in the Simple Log Service console. For more information about Logstore limits, see Limits.
The log analysis feature is a value-added feature that requires additional service fees. The log storage fee is USD 72.9 per TB-month. As required by the Cyber Security Law, logs must be retained for at least 180 days. We recommend that you allocate 50 GB of log storage capacity to each server to store logs.
Procedure
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose .
If you have not authorized Security Center to access your cloud resources, click Authorize Immediately.
This operation authorizes Security Center to access your cloud resources. After the authorization is successful, Resource Access Management (RAM) automatically creates a RAM role named AliyunServiceRoleForSas. Security Center can use this RAM role to access the cloud resources of your services and protect the resources. For more information, see Service-linked roles for Security Center.
In the Activate Log Analysis wizard, click Activate now.
In the Purchase step, click Activate now.
On the buy page of Security Center, configure the Edition and Log Analysis parameters.
You must select the Advanced, Enterprise, or Ultimate edition. As required by the Cyber Security Law, logs must be retained for at least 180 days. We recommend that you allocate 50 GB of log storage capacity to each server to store logs.
On the page that appears, click Immediate purchase.
Read and select Security Center Agreement of Service and click Pay.
Return to the Log Analysis page and click Log Analysis has been activated.
After you enable log analysis, you can query and analyze logs.