Enable log analysis

更新时间:
复制 MD 格式

Log analysis centralizes security logs from your assets — including security alerts, vulnerabilities, and baseline check results — for queries, compliance audits, and forensic analysis.

Enable and configure log analysis

Important
  • Log Analysis and Agentic SOC (Log Management) are two independent feature modules in Security Center. Their console entries and purchase configurations are separate.

  • If you obtained log analysis through a version upgrade, you may still need to go to the Log Analysis page to complete authorization before you can use the feature.

  1. Log on to the console

    Access the Security Center console - Risk Administration - Log Analysis. In the upper-left corner of the page, select the region where the assets to be protected are located: Chinese Mainland or Outside Chinese Mainland.

  2. Service authorization (first-time use)

    If this is your first time using this feature, follow the on-screen instructions and click Authorize Immediately.

    Note

    After authorization, the system automatically creates the RAM role AliyunServiceRoleForSas. Security Center uses this role to access your resources in other Alibaba Cloud services. For more information, see Service-linked roles for Security Center.

  3. Configure and complete purchase

    After authorization, click Enable Now. You will be redirected to the Security Center purchase page. Configure the following:

    • Edition: Select the Security Center edition you need. For edition descriptions, see Editions.

    • Log Analysis: Turn the Purchase or Not to Yes, and set the monthly storage capacity based on your business needs.

    • Subscription Duration: Select the subscription duration.

  4. Read and select I have read and agree to the Security Center Product Agreement, click Order Now, and complete the payment.

  5. Create log repository

    After purchase, Security Center automatically creates a Project (sas-log-{Alibaba Cloud account ID}-{region ID}) and a Logstore (sas-log) in Simple Log Service (SLS) based on the regions where your assets are located.

    Important
    • For the mapping between asset regions and log storage regions, see Log storage region restrictions.

    • Do not delete the Project or Logstore. Deletion causes permanent data loss that cannot be recovered.

Billing

Log analysis is a value-added feature billed separately from your Security Center edition.

  • Billing method: Subscription only.

  • Billable item: Subscribed log storage capacity (subscription billing).

    Note

    If the monthly log storage capacity is unused, it will be cleared at the start of the next month.

  • Price: CNY 0.5/GB/month.

  • Capacity recommendation: Per China's Cybersecurity Law, logs should be retained for at least 180 days. Allocate 50 GB of log storage per server, then adjust based on actual log volume.

  • Cost example: For 10 servers with 50 GB each, total = 500 GB. Monthly cost: 500 GB × CNY 0.5/GB/month = CNY 250500 GB × = USD 50.

Limitations

  • Log storage region restrictions

    The log storage region is determined by the region where your assets are located. It cannot be customized.

    Asset region

    Log Project region

    Region ID

    Description

    Chinese Mainland

    China (Hangzhou)

    cn-hangzhou

    All asset logs in the Chinese Mainland region are consolidated and stored in the Hangzhou region.

    Outside Chinese Mainland

    Singapore

    ap-southeast-1

    All asset logs outside the Chinese Mainland, including Hong Kong (China), are consolidated and stored in the Singapore region.

  • Logstore restrictions

    To preserve data integrity and format consistency, the dedicated Logstore (sas-log) has the following restrictions:

    • You cannot write data to the Logstore via API or SDK.

    • You cannot modify Logstore properties such as the storage period.

    • The dedicated Logstore (sas-log) is automatically created by Security Center and is exclusive to your Alibaba Cloud account. It is not a multi-tenant shared instance, ensuring data isolation and security.

FAQ

  • What happens when storage capacity is exhausted?

  • I already use Simple Log Service (SLS). Do I still need to enable log analysis for Security Center?

    Yes. The comparison is as follows:

    • Self-managed SLS: Typically collects OS or application logs from servers.

    • Log Analysis: In addition to basic host logs, it also centrally stores and analyzes security event logs generated by Security Center itself — including security alerts, vulnerabilities, and baseline check results — providing a comprehensive security audit and forensic platform.

  • I accidentally deleted the dedicated sas-log Logstore. What should I do?

    All stored data is permanently lost and cannot be recovered, and log analysis stops immediately. Return to the Log Analysis page in the Security Center console and re-enable the feature as prompted. The system creates a new Project and Logstore, but historical data cannot be retrieved.

  • Why does the console still show log analysis as not enabled after I purchased it?

    Troubleshoot as follows:

    1. Verify that you purchased the Log Analysis add-on service, not Agentic SOC or other security modules. Different modules have separate console entries and independent features.

    2. Confirm you are accessing the correct menu path: Risk Governance > Log Analysis.

    3. Try logging in using an incognito browser window to rule out browser cache issues.

    4. Check RAM permissions. Ensure the current account has the AliyunSASFullAccess access policy.

    5. Confirm you have completed the first-time service authorization (the system needs to create the RAM role AliyunServiceRoleForSas). If not yet authorized, go to the Log Analysis page and follow the on-screen instructions.

  • Why can't I find historical logs after enabling log analysis?

    Log analysis only collects and stores logs after the feature is enabled. If you did not enable the feature immediately after purchase — for example, you did not turn on the feature switch or complete SLS authorization — no logs are collected during that period. As a result, you cannot query logs from that time. Enable and configure the feature as soon as possible after purchase to ensure continuous log collection.