Log analysis


The log analysis feature helps you collect and store logs from devices that access Secure Access Service Edge (SASE). Powered by Simple Log Service, this feature supports querying, analysis, statistical charts, and alerting. This frees you to focus on analysis rather than data management. This topic describes how to enable and view analysis logs.

Prerequisites

The log storage service for SASE is enabled.

Enable the log storage service

  1. Log on to the SASE console.

  2. In the left-side navigation pane, choose Log Analysis > Log Analysis.

  3. On the Log Analysis page, click Activate Now.

  4. Configure the log storage service and log storage capacity to meet your business needs. Click Buy Now and complete the payment.

    After you purchase the log analysis service, Simple Log Service automatically creates a dedicated project for SASE to manage SASE's log data. You can view the dedicated project for SASE in the Project list on the Simple Log Service console homepage.

Enable log collection and storage

  1. Log on to the SASE console.

  2. In the left-side navigation pane, choose Log Analysis > Log Analysis.

  3. In the upper-right corner of the Log Analysis page, click Log Status to enable log collection and storage.

    SASE log types

    • Private access log

    • PA sensitive file download detection log

    • Enterprise acceleration log

    • Client logon log

    • Client status log

    • DLP log

    • OneData log

    • Internet access log

    • Dynamic decision log

    • Endpoint reinforcement log

    • Proactive defense log

    • Virus scanning log

    • Vulnerability patching log

View logs and enable log delivery

  1. Click the drop-down list in the upper-left corner of the page.

  2. Select the log type you want to view. You can filter the query results by specifying conditions.

  3. Click the switch next to a log type to enable or disable log delivery for that log type.

    The supported log types include private access log, PA sensitive file download detection log, enterprise acceleration log, client logon log, client status log, DLP log, OneData log, and Internet access log.

  4. In the search box at the top of the page, enter a search statement. In the time picker to the right of the search box, set a time range for your query.

    A query consists of a search statement and an optional analytic statement, separated by a vertical bar (|). The format is: Search statement|Analytic statement.

    Statement type | Required or optional | Description
    --- | --- | ---
    Search statement | Required | Specifies the search conditions. It can be a keyword, a fuzzy query, a numeric value, a numeric range, or a combination of conditions. If you leave this empty or enter an asterisk (*), all data within the specified time range is returned. For more information, see Query syntax and features.
    Analytic statement | Optional | Processes the data returned by the search statement for computation and aggregation. If you leave this empty, only the query results are returned and no statistical analysis is performed. For more information, see Query and analysis overview.

    Note
    • In an analytic statement, you can omit the standard SQL clause from table_name, which is from log.

    • By default, the first 100 log entries are returned. You can use the LIMIT clause to change the number of entries returned.

    Log analysis queries

    SASE client online status

    Before you use the following search statements, you must manually create an index for the app_status field. For more information, see Create an index.

    • Query the number of online terminal devices

      * AND log_type : client_status_log | select username,app_status,COUNT(*) AS cn GROUP BY username,app_status order by cn desc limit 10000

    • Query the number of offline terminal devices

      * AND log_type : client_status_log AND app_status:offline | select username,app_status,COUNT(*) AS cn GROUP BY username,app_status order by cn desc limit 10000

    SASE client logon

    Query terminal device logon actions

    * AND log_type : client_logon_log | select username,action,COUNT(*) AS cn GROUP BY username,action order by cn desc limit 10000

    Private access

    • Query the devices and users that access the internal network

      * AND log_type : pa_access_log | select username,device_type,COUNT(*) AS cn GROUP BY username,device_type order by cn desc limit 10000

    • Query the reasons for blocked access

      * AND log_type : pa_access_log AND action:block | select username,block_info,COUNT(*) AS cn GROUP BY username,block_info order by cn desc limit 10000

    Sensitive file detection

    Query the number of times a sensitive file policy is matched

    * AND log_type : dlp_log | select username,matched_policy,COUNT(*) AS cn GROUP BY username,matched_policy order by cn desc limit 10000

  5. Click Search & Analyze to view the analysis results.

    The SLS Logs feature provides query and analysis results in formats such as a log distribution histogram and Raw Logs. It also supports operations such as setting alerts, creating saved searches, refreshing, and sharing. For more information, see Description of the Search & Analyze page.
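The blocked-access aggregation from the queries above, run from code rather than the console, as an added example that is not part of this page or the Simple Log Service SDK. It assumes the aliyun-log-python-sdk package, uses placeholders for the endpoint, credentials, dedicated project and logstore, and sums constructed rows when the SDK is not installed.

```python
# Added example, not from the SASE docs or the SLS SDK. Assumes the
# aliyun-log-python-sdk package; endpoint/project/logstore are placeholders.
import time

try:
    from aliyun.log import LogClient  # pip install aliyun-log-python-sdk
except ImportError:                   # SDK absent: the offline helpers still work
    LogClient = None

def build_query(log_type, condition=None, group_by=("username",), limit=10000):
    """Compose 'search | analytic' in the form used by the statements above."""
    search = f"* AND log_type : {log_type}"
    if condition:
        search += f" AND {condition}"
    cols = ",".join(group_by)
    analytic = (f"select {cols},COUNT(*) AS cn GROUP BY {cols} "
                f"order by cn desc limit {limit}")
    return f"{search} | {analytic}"

def fetch_rows(client, project, logstore, query, hours=24):
    """Run the query over the last `hours` hours; return each row as a dict."""
    now = int(time.time())
    resp = client.get_log(project, logstore, now - hours * 3600, now, query=query)
    return [log.get_contents() for log in resp.get_logs()]

def flag_blocked_users(rows, threshold):
    """Sum per-(username, block_info) counts into per-user totals and return
    {username: total} for users at or above `threshold`."""
    totals = {}
    for row in rows:
        totals[row["username"]] = totals.get(row["username"], 0) + int(row["cn"])
    return {user: n for user, n in sorted(totals.items()) if n >= threshold}

# Constructed rows in the shape the blocked-access query returns (cn is a string).
SAMPLE_ROWS = [
    {"username": "John Doe", "block_info": "policy denied", "cn": "7"},
    {"username": "John Doe", "block_info": "device not trusted", "cn": "5"},
    {"username": "Jane Roe", "block_info": "policy denied", "cn": "2"},
]

if __name__ == "__main__":
    query = build_query("pa_access_log", "action:block", ("username", "block_info"))
    if LogClient is None:              # offline run on the constructed rows
        rows = SAMPLE_ROWS
    else:
        client = LogClient("<endpoint>", "<access-key-id>", "<access-key-secret>")
        rows = fetch_rows(client, "<sase-dedicated-project>", "<logstore>", query)
    print(flag_blocked_users(rows, threshold=10))  # {'John Doe': 12}
```

Per-user totals that cross the threshold are the natural input for an SLS alert rule on the same query.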

View data reports

You can view a Data Report for OneData log and Internet access log.

  1. From the drop-down list, select OneData log or Internet access log, and then click the Data Report tab.

  2. On the Data Report tab, view the log-related data.

    • Time Range: In the upper-right corner, click the time range to specify the period for the report.

    • Drill-Down Analysis: In the upper-right corner of the report, click the image icon. In the Drill-Down Analysis dialog box, you can view data from different data sources.

      In the upper-left corner of the dialog box, select Prometheus from the Data Source Type drop-down list, set a time range, configure the metric query conditions (including Metrics Explorer, Region, and Instance), and then click Execute Query. On the right, you can switch between visualization types such as Table, Line, Bar, Stat, Pie, Gauge, and Meter.

Log fields

Field name | Description | Example
--- | --- | ---
__time__ | The time when the log was received by Simple Log Service. | 2018-02-27 11:58:15
aliuid | The Alibaba Cloud account ID. | 141681795035****
username | The username of the employee. | John Doe
department | The department of the enterprise employee. | Test Department
action | The value of this field depends on the log type. This field is supported for private access log and client logon log. For private access log, the valid values are allow (the current policy allows the user or device to access the specified application) and block (the current policy denies the user or device access to the specified application). For client logon log, the valid values are logon (the user logs on to the SASE client), logout (the user logs out of the SASE client), and exit (the user quits the SASE client). | block
device_type | The endpoint device type. Valid values: Windows, macOS, Linux, Android, iOS. | Windows
device_tag | A unique identifier for the device. | ccabaebc-77b3-a877-23f1-31b89b59****
domain | The domain name of the website accessed on the private network. | www.aliyundoc.com
dst_addr | The destination address for private access. | 10.2.XX.XX
dst_port | The destination port for private access. | 80
src_addr | The source address for private access. | 10.4.XX.XX
src_port | The source port for private access. | 30001
in_bytes | The inbound traffic. Unit: byte. | 234
out_bytes | The outbound traffic. Unit: byte. | 567
log_type | The log type. Examples: pa_access_log (private access log), client_logon_log (client logon log), dlp_log (DLP log), client_status_log (client status log). | ia_access_log
policy_name | The policy name. | test
protocol | The protocol. Valid values: All, tcp, udp. | tcp
request_uri | The request URI. | /test.php
app_status | The client status. Valid values: Online, Offline. | Online
event_time | The time when the event occurred. This value is a UNIX timestamp. Unit: seconds. | 1675278754
unixtime | The time when the event was recorded. This value is a UNIX timestamp. Unit: seconds. | 1675278754