Manage collection rules for cloud services

更新时间:
复制 MD 格式

After you enable log collection for cloud services with the new Log Audit Service, you can create, modify, disable, and delete collection rules in the associated project.

Procedure

Console

  1. Go to the collection rules page.

    1. Log on to the Simple Log Service console. In the Log Application section, on the Audit & Security tab, click Log Audit Service (New Version).

    2. Click the name of the target project. On the Cloud service tab, click the card for the corresponding cloud service. Alternatively, on the Rules tab, click Create collection rule.

  2. You can Create a collection rule, or Modify, Disable, or Delete an existing one.

    Important
    • When you modify a collection rule, you cannot change the log type or cloud service name. Otherwise, an error occurs.

    • You can create multiple collection rules for different log types of a cloud service. These rules are applied in combination to a specific cloud service instance. Log collection for the instance is disabled only after all of its collection rules are disabled or deleted.

    • Disabling or deleting a cloud service collection rule stops log collection only for instances that were enabled by that specific rule. It does not affect instances where you manually enabled log collection in the cloud service console or through CloudLens.

API

Important
  • When you call an API, you must specify the service endpoint of the China (Shanghai) or Singapore region.

  • Disabling or deleting a cloud service collection rule stops log collection only for instances that were enabled by that specific rule. It does not affect instances where you manually enabled log collection in the cloud service console or through CloudLens.

  • You can create multiple collection rules for different log types of a cloud service. These rules are applied in combination to a specific cloud service instance. Log collection for the instance is disabled only after all of its collection rules are disabled or deleted.

  • When you modify a collection rule, you cannot change the log type or cloud service name. Otherwise, an error occurs.

Use the following API operations to manage Log Audit Service collection rules:

Collection rule parameters

Basic parameters

Parameter

Description

Rule name

The name of the collection rule. The name must be globally unique within an account, be 3 to 63 characters long, and start with a letter.

Cloud service name

For more information, see Log collection reference for cloud services.

Log type

For more information, see Log collection reference for cloud services.

Resource matching mode

  • All Resources (all): Collects logs from all instances of the specified cloud service.

  • Attribute Mode (attributeMode): Collects logs from instances that match specified attributes.

  • Instance Mode (instanceMode): Collects logs from instances with the specified instance IDs.

Instances

This parameter is valid only when Instance Mode is set to Instance Mode. Logs are collected only from instances with IDs in the specified list.

Note

If no options are available in the drop-down list, you can manually enter instance IDs. After you create at least one collection rule for the cloud service, the drop-down list automatically populates with existing instance names.

Region list, Resource tags

  • These parameters are valid only when Attribute Mode is set to Attribute Mode. Logs are collected only from instances that match the specified set of regions and resource tags.

  • If you leave the Region List or Resource Tags parameter empty, the corresponding filter condition is ignored.

Global log storage region

This parameter is available only when the log type is a global log type. It specifies the region where the service collects global logs during the initial configuration.

  • For different log types of the same cloud service, we recommend that you configure the same storage region. For example, store the global audit logs, global error logs, and performance monitoring metrics of Simple Log Service in a project within the default region.

  • The global log storage region takes effect immediately after the initial configuration.

    Important
    • We recommend that you do not modify the global log storage region. If you need to make changes, you must first delete all collection rules for the corresponding log type. This includes the default rules created by CloudLens and the rules created automatically when you create a new project.

    • For information about the global logs of Simple Log Service (SLS), see Enable the log collection feature. The metering logs of Object Storage Service (OSS) are global logs. For more information, see Log fields.

Centralized storage configuration

The service uses data transformation to write logs to a centralized destination logstore. If you deliver logs from the default logstore to multiple centralized destinations, ensure that each logstore exists. If you need to delete a centralized logstore, first remove the related collection rules to avoid disrupting write operations to other destination logstores.

When you create a new logstore, the default name template is central-{productCode}-{dataCode}-{policyName}.

Parameter

Description

Centralized destination project

The project for centralized log shipping. It is fixed to the project associated with the collection rule and cannot be modified.

Centralized destination logstore

  • Select Existing: Select an existing logstore in the destination project.

  • Create New: Create a new logstore in the destination project.

    The default data retention period is 30 days. The value can range from 1 to 3,650 days. A longer data retention period incurs higher log storage costs. For information about how to change the data retention period of a logstore, see Manage logstores. For suggestions on how to reduce log storage costs, see How do I reduce log storage costs?.

Centralized storage retention period

This parameter takes effect only when you create a new logstore. It initializes the data retention period for the new logstore and does not affect existing logstores.

Multi-account configuration

  1. Use Resource Directory to set up a multi-account structure. Only a Resource Directory management account or delegated administrator can enable the multi-account mode.

    1. Log on to the Resource Management console as the management account and enable a resource directory.

    2. Create a folder.

    3. Create a member or invite an existing Alibaba Cloud account to join. Then, move these members to the corresponding folder.

      For more information, see Create a member, Invite an Alibaba Cloud account to join a resource directory, and Move a member.

    4. Add a delegated administrator account.

  2. Configure the multi-account mode.

    Multi-account mode

    Description

    All (all)

    • Collects logs of the specified cloud service from all member accounts.

    • A collection rule configured by a management account or delegated administrator affects all member accounts in the Resource Directory. If a new account is added to or an existing account is changed in the Resource Directory, the service automatically creates or modifies the rule accordingly.

    Custom (custom)

    • Collects logs of the specified cloud service from selected member accounts.

    • A collection rule configured by a management account or delegated administrator affects only the member accounts specified in the custom configuration. Other member accounts are not affected.

Common error codes

Error code

Error message

Description

DeregisterDA.Deny.TrustedService

Forbidden, the current management account has configured unified access under the resource directory, please update or delete the unified access related configuration first.

This error occurs if you try to remove a Resource Directory, trusted service, or delegated administrator while collection rules still exist under the delegated administrator account.

To resolve this issue, perform the following steps:

  1. Log on as the delegated administrator account and list the collection rules for cloud service logs.

  2. As the delegated administrator account, delete all cross-account rules. These are rules for which the resourceDirectory.accountGroupType parameter is not empty.

  3. Log on as the management account and return to the Resource Directory console to remove the delegated administrator.

NotMatch

productCode or dataCode are not match to current productCode or dataCode

When you modify a rule, you cannot change the product code and data code. Otherwise, a mismatch error occurs.

PolicyNotExist

the collection policy does not exist

The collection rule that you are trying to query or delete does not exist.

InvalidSLR

SLR not exist or created failed

The service-linked role does not exist or its creation failed. When you create a rule in Log Audit Service, the service automatically creates the AliyunServiceRoleForSLSAudit service-linked role in the current account and in member accounts (if Resource Directory is enabled).

InvalidRAM

RAM is not enough for execute this action, please check current account ram policy of this operation

The RAM user does not have the required permissions to perform operations in Log Audit Service. For more information, see Authorize a RAM user to manage Log Audit Service (New Version).

InvalidProductData

Invalid Product Code or Data Code

The specified product code or data code is invalid.

InvalidProductData

Invalid Policy Name

The specified rule name is invalid.

InvalidPolicyConfig

Policy Config : resourceMode should be all/instanceMode/attributeMode

The resource matching mode must be one of the following: all, instanceMode, or attributeMode.

InvalidPolicyConfig

Policy Config : resourceMode should be all for lens global log type

For a CloudLens global log type, the resource matching mode must be set to all.

InvalidPolicyConfig

Policy Config : resourceMode should be attribute mode for security log type

For a security log type, the resource matching mode must be set to attributeMode.

InvalidPolicyConfig

Policy Config : you should set at least one center region for security log type

For a security log type, you must configure at least one primary central region.

InvalidPolicyConfig

Policy Config : this productCode and dataCode not allowed to config instance ids

For a security log type, you cannot configure an instance list.

InvalidConfig

Please check if the project/logstore belongs to you or the project/logstore in right region

The specified project or logstore for centralized storage either does not belong to the current account or is in the wrong region.

InvalidConfig

policyCode and dataCode is required when you need to list policy by instanceId that meet the filter conditions

When you search for matching rules by instance ID, you must specify the product code and data code.

InvalidCentralizeConfig

when centralizeEnabled, you should set at least one centralize config

When centralized storage is enabled, you must configure the corresponding centralized logstore information.

InvalidCentralizeConfig

centralize config is necessary for security product log collection

For security log types, you must configure centralized storage.

InvalidCentralizeConfig

dest project, dest logstore, dest region, dest ttl should not be empty when centralize enabled

When centralized storage is enabled, the destination project, destination logstore, and data retention period cannot be empty.

InvalidCentralizeConfig

dest project invalid for centralize config

The destination project for centralized storage is invalid.

InvalidCentralizeConfig

dest logstore invalid for centralize config

The destination logstore for centralized storage is invalid.

InvalidCentralizeConfig

dest region invalid for centralize config

The destination region for centralized storage is invalid.

InvalidResourceDirectoryConfig

Policy ResourceDirectory Config : when you set resource directory, you should set account group type first

When you configure a Resource Directory, you must first configure the multi-account mode.

InvalidResourceDirectoryConfig

Policy ResourceDirectory Config: instance mode not allowed to set resource directory

If you enable multi-account settings for a Resource Directory, you cannot set the resource matching mode to instance mode.

InvalidResourceDirectoryConfig

Policy ResourceDirectory Config : members should not be empty

When the multi-account mode is set to Custom, you must specify a non-empty list of members.

InvalidResourceDirectoryConfig

Policy ResourceDirectory Config : centralize config enabled is required for resource directory

To collect logs from multiple accounts in a Resource Directory, you must enable and configure centralized storage to define a common destination.

InvalidResourceDirectoryConfig

Policy ResourceDirectory Config : the account resource directory not in use

Resource Directory is not enabled for the current account.

InvalidResourceDirectoryConfig

Policy ResourceDirectory Config : the account is neither a delegated admin nor a master, just a member account

The current account is a member account, not a management account or a delegated administrator. Therefore, it cannot configure the Resource Directory mode in the rule.

InvalidResourceDirectoryConfig

Policy ResourceDirectory Config : custom members include invalid account

When the multi-account mode is set to Custom, the list of specified member accounts contains an invalid account ID.

InvalidDataConfig

Policy DataConfig: the data region is not valid

The configured default destination region for the global log type is invalid.

InvalidDataConfig

Policy DataConfig: this kind of product is not allowed to set data config

This configuration is not allowed because the current product or log type is not a global log type.

InvalidDataConfig

Policy DataConfig: the data region already exist in other policy, you cannot change

For global log types, once you configure a default destination region, it takes effect immediately and you cannot change it later.

Related documentation