Manage log storage

Prerequisites

Data auditing must be enabled for the data assets whose audit logs you want to view and manage. For more information, see Enable data auditing.

View and manage storage capacity

1. Log on to the Data Security Center console.

2. In the navigation pane on the left, select Log Analysis.

3. On the Log Analysis page, view and manage your audit log storage usage.

View storage usage

On the Log Analysis page, click the area in the upper-right corner that displays the capacity to view the used capacity for log archiving, the used capacity for online log storage, and the remaining capacity.

• Online Log Storage: The storage capacity consumed by audit logs in Simple Log Service (SLS) based on the configured online log retention period. For more information, see View audit logs.

• Archived Log Storage: After you enable log archiving, Data Security Center compresses logs that are stored for an extended period and archives them to OSS. Archived logs consume less storage space. You can view the archived logs on the Storage Management tab. For more information, see Query archived logs.

• Remaining Capacity: The total Log Storage Capacity capacity purchased with your DSC Enterprise Edition, minus the capacity consumed by Online Log Storage and Archived Logs.

Upgrade storage capacity

If your remaining capacity is insufficient, click Extend Storage Capacity to purchase more Log Storage Capacity capacity. For information about billing, see Billing.

Clear logs

If you no longer need to retain existing audit logs, click Delete All. In the Delete Logs dialog box, select the log types that you want to clear, such as online query logs and archived logs, and then click OK.

Configure capacity alerts

To receive notifications when your log storage capacity is low, click Alert. You will be redirected to the Alert Notification tab on the System Configuration > Alert Notification page, where you can add a new alert configuration. For more information, see Configure email, SMS, and phone alert notifications and Configure custom DingTalk chatbot alert notifications.

Configure storage rules

DSC allows you to adjust the online log retention period and log archiving settings. Follow these steps to configure storage rules.

1. Log on to the Data Security Center console.

2. In the navigation pane on the left, select Log Analysis.

3. In the upper-right corner of the Log Analysis page, click Log Storage Management.

4. In the Log Storage Management area on the right panel, configure the management mode (Manual or Automatic) and the log lifecycle based on your needs, and then click OK.

   • Manual (Default): In this mode, you must specify the retention period for online logs in days and decide whether to enable automatic archiving.

     After the retention period is set, online logs that exceed this period are deleted. If automatic archiving is enabled and you set the online log retention period to N days (90 days by default), DSC automatically archives logs that are older than (N-3) days.

   • Automatic: This mode prioritizes storing logs for online queries. DSC adjusts the online log retention period daily based on your actual log volume and total storage capacity, maintaining a minimum duration of 30 days. If the online query duration becomes insufficient, logs are automatically archived.

     In the Management Mode section, you can select Manual or Automatic. After you select Automatic, the Storage Duration Details section displays the number of days that logs are stored online and the number of days they are archived.

   • Log Lifecycle: To automatically delete old logs, enable this option by selecting the checkbox and then set a retention period (180 days by default). DSC deletes all audit logs that exceed this period.

Query archived logs

Archived logs are not directly viewable online. You must first use the archived log query feature in DSC to parse them.

1. Log on to the Data Security Center console.

2. In the navigation pane on the left, select Log Analysis.

3. In the upper-right corner of the Log Analysis page, click Log Storage Management.

4. At the bottom of the right-side panel, click Query Archived Logs.

5. In the Query Archived Logs dialog box, select a date range for your query and click OK.

   The dialog box displays the Estimated log volume and Estimated time (minutes). Note the following limitations: A time range that has already been parsed cannot be parsed again until the logs expire. You can select a maximum of 500 GB of log files for a single query. A maximum of three parsing tasks can run concurrently.

6. In the Log Parsing Records dialog box, check the parsing status for the specified date. When the status changes to Finished, click View in the Actions column to view the archived logs. For a description of the log fields, see View audit logs.

   You can also click Query Archiving Records to open the Log Parsing Records dialog box and check the history and status of your parsing tasks.

Related documents

• After you configure the data auditing mode for a data asset, you can view its audit logs on the Log Analysis page. For more information, see View audit logs.

• DSC provides built-in auditing rules for data assets, including database auditing rules, OSS auditing rules, and MaxCompute auditing rules. You can also create custom auditing rules. After you enable audit alert rules, DSC can use audit logs to detect risks such as abnormal operations, data leaks, vulnerability attacks, and SQL injection. For more information, see Configure and enable audit alert rules.

• After you enable an audit alert rule, DSC reports behaviors that meet the rule conditions as audit alerts in DSC. You can analyze and handle the associated risks based on the alert information and audit logs. For more information, see View and handle audit alerts.