Log Audit Service automates centralized log collection from Alibaba Cloud services across multiple accounts for compliance auditing, threat detection, and security analysis.
The entry to the old version of the Log Audit Service console is removed on January 21, 2025. However, existing users (those who started using the service before this date) still have access to the entry. New users who want to use the old version can visit the new version of the Log Audit Service and click Back to Old Version to return to the old version.
Log Audit Service (old version) is no longer being updated. We recommend that you migrate to the new version of Log Audit Service at the earliest opportunity.
Features
Log Audit Service extends Simple Log Service with automated, cross-account log collection in real time. It collects, stores, queries, and aggregates audit data from ActionTrail, Container Service for Kubernetes (ACK), Object Storage Service (OSS), Apsara File Storage NAS (NAS), Server Load Balancer (SLB), Application Load Balancer (ALB), API Gateway, Virtual Private Cloud (VPC), ApsaraDB RDS, PolarDB-X 1.0, PolarDB, Web Application Firewall (WAF), Anti-DDoS, Cloud Firewall, Security Center, third-party cloud services, and self-managed SOCs.
Background information
-
Log audit is legally required.
Enterprises worldwide must meet regulatory requirements such as the Cybersecurity Law of the People's Republic of China (effective 2017) and MLPS 2.0 (effective December 2019).
-
Log audit underpins enterprise data security compliance.
Enterprise compliance teams audit device operations, network behavior, and logs. Log Audit Service consumes raw logs, generates compliance reports, and integrates with self-managed SOCs or Alibaba Cloud Security Center.
-
Log audit is critical for data security.
According to the FireEye M-Trends 2018 report, the global median dwell time (from breach to detection) was 101 days, and 498 days in Asia Pacific. Shortening dwell time requires reliable log data, durable storage, and audit capabilities.
Scenarios
-
SLS-based audit
SLS provides end-to-end log collection, cleansing, analysis, visualization, and alerting for DevOps, operations, security, and audit scenarios.
-
Typical log audit
Log audit requirements are classified into four levels.
-
Basic: Small and medium enterprises need automatic log collection and storage to meet MLPS 2.0 requirements.
-
Intermediate: Large or multinational enterprises with multiple Alibaba Cloud accounts need centralized log collection, account management, and real-time synchronization with existing audit systems.
-
Advanced: Enterprises with dedicated compliance teams need log monitoring, analysis, alerting, and visualization — either forwarding logs to their own systems or using SLS built-in audit features.
-
Top: Large enterprises with professional compliance teams need to synchronize self-managed SOCs or audit systems with Log Audit Service for centralized data management.
Log Audit Service meets all four levels of requirements.
-
Benefits
-
Centralized log collection
-
Cross-account collection: Collect logs from multiple Alibaba Cloud accounts into one project. Configure multi-account collection in custom authentication mode or resource directory mode (recommended). Configure multi-account collection.
-
Ease of use: Configure collection policies once. Log Audit Service automatically collects logs from new resources (RDS instances, SLB instances, OSS buckets) across accounts in real time.
-
Centralized storage: Logs are stored in a central project of one region, enabling efficient querying, analysis, visualization, alerting, and secondary development.
-
-
Comprehensive audit
-
Log Audit Service supports querying, analysis, transformation, visualization, alerting, and log export — all SLS features plus centralized audit.
-
Integrates with Alibaba Cloud services, open-source software, and third-party SOCs.
-
Supported Alibaba Cloud services
Log Audit Service collects logs from ActionTrail, ACK, OSS, NAS, SLB, ALB, API Gateway, VPC, ApsaraDB RDS, PolarDB-X 1.0, PolarDB, WAF, Cloud Firewall, Security Center, and Anti-DDoS. Logs are automatically stored in dedicated Logstores and Metricstores with auto-generated dashboards.
|
Cloud service |
Audited log |
Supported region for collection |
Prerequisite |
Simple Log Service resource |
|
ActionTrail |
|
China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Japan (Tokyo), US (Silicon Valley), US (Virginia), Germany (Frankfurt), UK (London), and UAE (Dubai) |
None |
|
|
Cloud Config |
|
All regions supported by Cloud Config |
To collect Cloud Config logs in Log Audit Service, authorize SLS to extract logs from Cloud Config. After authorization, logs are automatically pushed to SLS. |
|
|
SLB |
Layer 7 network logs of HTTP or HTTPS listeners |
China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Singapore, Japan (Tokyo), Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), UK (London), UAE (Dubai), US (Silicon Valley), US (Virginia), and Germany (Frankfurt) |
None |
|
|
ALB |
Layer 7 network logs of HTTP or HTTPS listeners |
China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Ulanqab), China (Shenzhen), China (Guangzhou), China (Chengdu), China (Hong Kong), Japan (Tokyo), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Germany (Frankfurt), US (Silicon Valley), and US (Virginia) |
None |
|
|
API Gateway |
Access logs |
All supported regions |
None |
|
|
VPC |
Flow logs |
China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Japan (Tokyo), US (Silicon Valley), US (Virginia), UAE (Dubai), Germany (Frankfurt), and UK (London) |
ecs.c1, ecs.c2, ecs.c4, ecs.ce4, ecs.cm4, ecs.d1, ecs.e3, ecs.e4, ecs.ga1, ecs.gn4, ecs.gn5, ecs.i1, ecs.m1, ecs.m2, ecs.mn4, ecs.n1, ecs.n2, ecs.n4, ecs.s1, ecs.s2, ecs.s3, ecs.se1, ecs.sn1, ecs.sn2, ecs.t1, and ecs.xn4 |
|
|
DNS |
Intranet DNS logs |
China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Shenzhen), China (Guangzhou), China (Hong Kong), China (Chengdu), Singapore, and US (Silicon Valley) |
Go to the Alibaba Cloud DNS console of the new version to activate Alibaba Cloud DNS PrivateZone. |
|
|
Public DNS resolution logs |
N/A |
|
|
|
|
Global Traffic Manager logs |
N/A |
|
|
|
|
WAF |
|
All supported regions |
|
|
|
Security Center |
Important
Starting March 27, 2025, network log delivery is no longer supported, but previously delivered data will be preserved and available for queries. For more information, see [Notice] updates on log analysis and CTDR features. |
China (Hangzhou) and Singapore |
|
|
|
Cloud Firewall |
Traffic logs of the Internet firewall and VPC firewalls |
N/A |
|
|
|
Bastionhost |
Operation logs |
All supported regions |
Your Bastionhost must be of V3.2 or later. |
|
|
OSS |
|
China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Japan (Tokyo), South Korea (Seoul), Thailand (Bangkok), Germany (Frankfurt), UAE (Dubai), UK (London), US (Virginia), and US (Silicon Valley) |
None |
|
|
ApsaraDB RDS |
|
|
|
|
|
PolarDB for MySQL |
|
All supported regions |
|
|
|
PolarDB-X 1.0 |
PolarDB-X 1.0 audit logs |
China (Qingdao), China (Shenzhen), China (Shanghai), China (Beijing), China (Hangzhou), China (Zhangjiakou), China (Chengdu), and China (Hong Kong) |
None |
|
|
IDaaS |
|
China (Hangzhou) |
None |
|
|
Privileged Access Management (PAM) |
|
All commercially available regions |
A Bastionhost instance (Developer or Lite edition) is purchased. Purchase an instance. |
|
|
NAS |
Access logs |
All supported regions |
None |
|
|
Mobile Push |
Push callback events |
Chinese mainland |
None |
|
|
ACK |
|
China (Shanghai), China (Beijing), China (Hangzhou), China (Shenzhen), China (Hohhot), China (Zhangjiakou), China (Chengdu), and China (Hong Kong) |
Manually enable the log collection feature for Kubernetes logs. Note
|
|
|
Anti-DDoS |
|
N/A |
|
|
If an ApsaraDB RDS instance or a PolarDB for MySQL cluster is restarted, Log Audit Service may fail to collect some logs that are generated within 5 minutes after the restart.
Finance Cloud scenario
In Finance Cloud, Log Audit Service differs from the public cloud in cloud service coverage and region restrictions.
-
Cloud service coverage
Log Audit Service supports collecting logs from ActionTrail, SLB, API Gateway, RDS, Bastionhost, Anti-DDoS, and Cloud Firewall.
Cloud service
Audited log
Supported region for collection
Prerequisite
SLS resource
ActionTrail
-
RAM logon logs
-
Resource operation logs of Alibaba Cloud services
-
Logs of API operations
China (Shanghai) Finance Cloud
None
-
Logstore
actiontrail_log
-
Dashboard
-
ActionTrail Audit Center
-
ActionTrail Core Configuration Center
-
ActionTrail Login Center
-
SLB
Layer 7 network logs of HTTP or HTTPS listeners
China (Hangzhou) Finance Cloud, China (Shanghai) Finance Cloud, China (Shenzhen) Finance Cloud
None
-
Logstore
slb_log
-
Dashboard
-
SLB Audit Center
-
SLB Access Center
-
SLB Overall Data View
-
API Gateway
Access logs
China (Hangzhou) Finance Cloud, China (Shanghai) Finance Cloud, China (Shenzhen) Finance Cloud
None
-
Logstore
apigateway_log
-
Dashboard
API Gateway Audit Center
Cloud Firewall
Internet firewall traffic logs, VPC firewall traffic logs
Not applicable
-
Premium Edition or higher
-
Purchase the log analysis module in the Cloud Firewall console. Enable log analysis.
-
Logstore
cloudfirewall_log
-
Dashboard
Cloud Firewall Audit Center
ApsaraDB RDS
-
RDS audit logs
-
MySQL slow query logs
China (Hangzhou) Finance Cloud, China (Shanghai) Finance Cloud, China (Shenzhen) Finance Cloud
-
Audit logs
-
MySQL: Basic Edition not supported
-
PostgreSQL, Microsoft SQL Server: No restrictions
-
SQL Explorer or SQL Audit must be enabled.
Automatically enabled by Log Audit Service.
-
-
Slow query logs
Only non-Basic Edition MySQL instances are supported.
-
Audit logs
-
Logstore
rds_log
-
Dashboard
-
RDS Audit Center
-
RDS Security Center
-
RDS Performance Center
-
RDS Overall Data View
-
-
-
Slow query logs
-
Logstore
rds_log
-
Dashboard
None
-
Bastionhost
Operation command logs
China (Hangzhou) Finance Cloud, China (Shanghai) Finance Cloud, China (Shenzhen) Finance Cloud
V3.2 or later
-
Logstore
bastion_log
-
Dashboard
None
Anti-DDoS
Anti-DDoS Proxy (New BGP) access logs
Not applicable
The full log analysis module must be purchased in the Anti-DDoS Proxy (New BGP) console. Enable full log analysis.
-
Logstore
ddos_log
-
Dashboard
-
Anti-DDoS Proxy (New BGP) Access Center
-
Anti-DDoS Proxy (New BGP) Operation Center
-
-
-
Region restrictions
With centralized storage, logs collected from all accounts and regions are stored in a central project. Available central storage regions include China (Hangzhou) Finance Cloud, China (Shanghai) Finance Cloud, and China (Shenzhen) Finance Cloud. Usage limits.