This topic describes the features, background information, scenarios, and benefits of Log Audit Service. This topic also describes the Alibaba Cloud services that are supported by Log Audit Service.

Features

Log Audit Service supports all features of Log Service. In addition, it automatically collects logs from cloud services across Alibaba Cloud accounts in real time and stores them centrally, so that you can audit the collected logs. Log Audit Service retains the data that is required for audit and allows you to query and aggregate the data. You can use Log Audit Service to audit the logs that are collected from the following Alibaba Cloud services: ActionTrail, Container Service for Kubernetes (ACK), Object Storage Service (OSS), Apsara File Storage NAS, Server Load Balancer (SLB), API Gateway, ApsaraDB RDS, Distributed Relational Database Service (DRDS), PolarDB, Web Application Firewall (WAF), Anti-DDoS, Cloud Firewall, and Security Center. You can also use Log Audit Service to audit logs that are collected from third-party cloud services and self-managed security operations centers (SOCs).

Background information

  • Log audit is required by law.
    Log audit is required by enterprises around the world to meet regulatory requirements. The Cybersecurity Law of the People's Republic of China came into effect in mainland China in 2017. In addition, the Multi-Level Protection Scheme (MLPS) 2.0 came into effect in December 2019.
  • Log audit is the foundation for the data security compliance of enterprises.
    A large number of enterprises have compliance and audit teams that are capable of auditing device operations, network behavior, and logs. You can use Log Audit Service to consume raw logs, audit the logs, and generate compliance audit reports. You can also use your self-managed SOC or Alibaba Cloud Security Center to consume the logs in Log Audit Service.
  • Log audit is crucial for data security and protection.

    The M-Trends 2018 report published by FireEye stated that most enterprises, especially enterprises in Asia Pacific, are vulnerable to cybersecurity attacks. Dwell time is the period from when an attack occurs to when the attack is detected. The global median dwell time was 101 days, and the median dwell time in Asia Pacific was 498 days. To shorten the dwell time, enterprises need reliable log data, durable storage, and audit services.

Scenarios

  • Log Service-based audit
    Log Service is an industry-leading big data solution that allows you to collect, cleanse, analyze, and visualize logs from end to end. You can also configure alerts for logs. You can use Log Service in DevOps, operations, security, and audit scenarios.
  • Typical log audit
    Log audit requirements can be classified into the following four levels.
    • Basic requirements: Most small and medium enterprises require automatic log collection and storage. These enterprises need only to meet the basic requirements that are specified in MLPS 2.0 and implement automatic maintenance.
    • Intermediate requirements: Multinational enterprises, large enterprises, and some medium enterprises have multiple departments that use different Alibaba Cloud accounts and pay separate bills. However, logs required for audit must be automatically collected in a centralized manner. In addition to basic requirements, these enterprises need to collect logs and manage accounts in a centralized manner. In most cases, these enterprises have audit systems and need to synchronize their audit systems with Log Audit Service in real time.
    • Advanced requirements: Large enterprises that have dedicated compliance and audit teams need to monitor logs, analyze logs, and configure alerts for logs. Some of the enterprises collect logs and send the logs to their audit systems for further processing. Other enterprises that want to build an audit system in the cloud can use the audit-related features provided by Log Service. The features include query, analysis, alerting, and visualization features.
    • Top requirements: Most large enterprises that have professional compliance and audit teams have self-managed SOCs or audit systems. These enterprises need to synchronize their SOCs or audit systems with Log Audit Service and manage data in a centralized manner.

    Log Audit Service meets all four levels of requirements.

Benefits

  • Centralized log collection
    • Log collection across accounts: You can collect logs from multiple Alibaba Cloud accounts to a project within one Alibaba Cloud account. You can configure multi-account collection in custom authentication mode or resource directory mode. The resource directory mode is recommended. For more information, see Configure multi-account collection.
    • Ease of use: You need only to configure collection policies once. Then, when new resources that belong to the configured accounts are detected, such as newly created RDS instances, SLB instances, and OSS buckets, Log Audit Service collects their logs in real time.
    • Centralized storage: Logs are collected and stored in the central project of a region. This way, you can query, analyze, and visualize the collected logs in a more efficient manner. You can also configure alerts for the logs and perform secondary development.
  • Comprehensive audit
    • Log Audit Service supports all features of Log Service. For example, you can query, analyze, transform, visualize, and export logs, and configure alerts for logs. Log Audit Service also allows you to audit logs in a centralized manner.
    • You can use Log Audit Service together with Alibaba Cloud services, open source software, and third-party SOCs to create more value from data.

Supported Alibaba Cloud services

You can use Log Audit Service to audit the logs that are collected from the following Alibaba Cloud services: ActionTrail, ACK, OSS, Apsara File Storage NAS, SLB, API Gateway, ApsaraDB RDS, DRDS, PolarDB, WAF, Cloud Firewall, Security Center, and Anti-DDoS. Logs that are collected from an Alibaba Cloud service are automatically stored in Logstores and Metricstores. Dashboards are automatically generated for the Logstores and Metricstores. The following entries describe, for each Alibaba Cloud service, the audited logs, the supported regions, the prerequisites, and the Log Service resources.

ActionTrail
  • Audited logs
    • RAM logon logs
    • Resource operation logs of Alibaba Cloud services
    • Logs of operations in OpenAPI Explorer
  • Supported regions: All supported regions
  • Prerequisite: None
  • Logstore: actiontrail_log
  • Dashboards
    • ActionTrail Audit Center
    • ActionTrail Core Configuration Center
    • ActionTrail Login Center

SLB
  • Audited logs: Layer 7 access logs of HTTP or HTTPS listeners
  • Supported regions: All supported regions
  • Prerequisite: None
  • Logstore: slb_log
  • Dashboards
    • SLB Audit Log
    • SLB Access Log
    • SLB Overall View

API Gateway
  • Audited logs: Access logs
  • Supported regions: All supported regions
  • Prerequisite: None
  • Logstore: apigateway_log
  • Dashboard: API Gateway Audit Center

WAF
  • Audited logs
    • Access logs
    • Attack logs
  • Supported regions: All supported regions
  • Prerequisites
    • Your WAF instance must be of the Business or Enterprise edition.
    • The Log Service for WAF feature must be enabled in the WAF console. For more information, see Enable the log analysis feature.
  • Logstore: waf_log
  • Dashboards
    • WAF Audit Center
    • WAF Security Center
    • WAF Access Center

Security Center
  • Audited logs
    • Seven types of host logs
    • Four types of network logs
    • Three types of security logs
  • Supported regions: All supported regions
  • Prerequisites
    • Your Security Center must be of the Enterprise edition.
    • The log analysis feature must be enabled in the Security Center console. For more information, see Enable the log analysis feature.
  • Logstore: sas_log
  • Dashboards
    • Host logs
      • SAS Login Center
      • SAS Process Center
      • SAS Connection Center
    • Network logs
      • SAS Session Center
      • SAS DNS Center
    • Security logs
      • SAS Web Access Center
      • SAS Baseline Center
      • SAS Alarm Center

Cloud Firewall
  • Audited logs: Traffic logs of the Internet firewall and virtual private cloud (VPC) firewalls
  • Supported regions: N/A
  • Prerequisites
    • Your Cloud Firewall must be of the Premium Edition or higher.
    • The log analysis feature must be enabled in the Cloud Firewall console. For more information, see Enable the log analysis feature.
  • Logstore: cloudfirewall_log
  • Dashboard: Cloud Firewall Audit Center

Bastionhost
  • Audited logs: Operation logs
  • Supported regions: All supported regions
  • Prerequisite: Your bastion host must be of V3.2 or later.
  • Logstore: bastion_log
  • Dashboard: None

OSS
  • Audited logs
    • Resource operation logs
    • Data operation logs
    • Data access logs and metering logs
    • Deletion logs of expired files
    • CDN back-to-origin traffic logs
  • Supported regions: All supported regions
  • Prerequisite: None
  • Logstore: oss_log
  • Dashboards
    • OSS Audit Center
    • OSS Access Center
    • OSS Operation Center
    • OSS Performance Center
    • OSS Overall View

ApsaraDB RDS
  • Audited logs
    • ApsaraDB RDS audit logs
    • Slow query logs of ApsaraDB RDS for MySQL
    • Performance logs of ApsaraDB RDS for MySQL
  • Supported regions: All supported regions, except Local Regions
  • Prerequisites
    • Audit logs
      • ApsaraDB RDS for MySQL instances are supported, except those running the RDS Basic Edition.
      • All ApsaraDB RDS for PostgreSQL and ApsaraDB RDS for SQL Server instances are supported.
      • The SQL Explorer or SQL audit feature must be enabled. The features are automatically enabled by Log Audit Service.
    • Slow query logs and performance logs: ApsaraDB RDS for MySQL instances are supported, except those running the RDS Basic Edition.
  • Log Service resources
    • Audit logs
      • Logstore: rds_log
      • Dashboards: RDS Audit Center, RDS Security Center, RDS Performance Center, and RDS Overall View
    • Slow query logs
      • Logstore: rds_log
      • Dashboard: None
    • Performance logs
      • Metricstore: rds_metrics
      • Dashboard: RDS Performance Monitoring

PolarDB
  • Audited logs
    • PolarDB audit logs
    • Slow query logs of PolarDB for MySQL clusters
    • Performance logs of PolarDB for MySQL clusters
  • Supported regions: All supported regions
  • Prerequisites
    • Audit logs
      • PolarDB for MySQL clusters and PolarDB for PostgreSQL clusters are supported.
      • The SQL Explorer or SQL audit feature must be enabled. The features are automatically enabled by Log Audit Service.
    • Slow query logs and performance logs: Only PolarDB for MySQL clusters are supported.
  • Log Service resources
    • Slow query logs and audit logs
      • Logstore: polardb_log
      • Dashboard: None
    • Performance logs
      • Metricstore: polardb_metrics
      • Dashboard: PolarDB Performance Monitoring

DRDS
  • Audited logs: DRDS audit logs
  • Supported regions: China (Qingdao), China (Shenzhen), China (Shanghai), China (Beijing), China (Hangzhou), China (Zhangjiakou), China (Chengdu), and China (Hong Kong)
  • Prerequisite: None
  • Logstore: drds_log
  • Dashboards
    • DRDS Operation Center
    • DRDS Security Center
    • DRDS Performance Center

Apsara File Storage NAS
  • Audited logs: Access logs
  • Supported regions: All supported regions
  • Prerequisite: None
  • Logstore: nas_log
  • Dashboards
    • NAS Summary
    • NAS Audit Center
    • NAS Detail

ACK
  • Audited logs
    • Kubernetes audit logs
    • Kubernetes event centers
    • Ingress access logs
  • Supported regions: China (Shanghai), China (Beijing), China (Hangzhou), China (Shenzhen), China (Hohhot), China (Zhangjiakou), China (Chengdu), and China (Hong Kong)
  • Prerequisite: You must manually enable the log collection feature for Kubernetes logs.
    Note
    • You must use projects that are automatically created and are named in the k8s-log-{ClusterID} format. Projects that are manually created are not supported.
    • The collection of Kubernetes logs is based on the data transformation feature. When you collect Kubernetes logs, you are charged for the data transformation feature. For more information, see Billable items.
    • You cannot collect Kubernetes logs across accounts.
  • Logstores
    • k8s_log
    • k8s_ingress_log
  • Dashboards
    • Kubernetes Audit Center Overview
    • Kubernetes event centers
    • Kubernetes Resource Operations Overview
    • Ingress Overview
    • Ingress Access Center

Anti-DDoS
  • Audited logs
    • Anti-DDoS Pro access logs
    • Anti-DDoS Premium access logs
    • Anti-DDoS Origin access logs
  • Supported regions: N/A
  • Logstore: ddos_log
  • Dashboards
    • Anti-DDoS Premium Access Center
    • Anti-DDoS Premium Operation Center
    • Anti-DDoS Pro Access Center
    • Anti-DDoS Pro Operation Center
    • Anti-DDoS Origin Events Report
    • Anti-DDoS Origin Mitigation Report

Cloud Service Bus (CSB) App Connect
  • Audited logs: Operation logs
  • Supported regions: N/A
  • Prerequisite: None
  • Logstore: appconnect_log
  • Dashboard: None