After you enable log collection for cloud services with the new Log Audit Service, you can create, modify, disable, and delete collection rules in the associated project.
Procedure
Console
-
Go to the collection rules page.
-
Log on to the Simple Log Service console. In the Log Application section, on the Audit & Security tab, click Log Audit Service (New Version).
-
Click the name of the target project. On the Cloud service tab, click the card for the corresponding cloud service. Alternatively, on the Rules tab, click Create collection rule.
-
-
You can Create a collection rule, or Modify, Disable, or Delete an existing one.
Important-
When you modify a collection rule, you cannot change the log type or cloud service name. Otherwise, an error occurs.
-
You can create multiple collection rules for different log types of a cloud service. These rules are applied in combination to a specific cloud service instance. Log collection for the instance is disabled only after all of its collection rules are disabled or deleted.
-
Disabling or deleting a cloud service collection rule stops log collection only for instances that were enabled by that specific rule. It does not affect instances where you manually enabled log collection in the cloud service console or through CloudLens.
-
API
-
When you call an API, you must specify the service endpoint of the China (Shanghai) or Singapore region.
-
Disabling or deleting a cloud service collection rule stops log collection only for instances that were enabled by that specific rule. It does not affect instances where you manually enabled log collection in the cloud service console or through CloudLens.
-
You can create multiple collection rules for different log types of a cloud service. These rules are applied in combination to a specific cloud service instance. Log collection for the instance is disabled only after all of its collection rules are disabled or deleted.
-
When you modify a collection rule, you cannot change the log type or cloud service name. Otherwise, an error occurs.
Use the following API operations to manage Log Audit Service collection rules:
Collection rule parameters
Basic parameters
|
Parameter |
Description |
|
Rule name |
The name of the collection rule. The name must be globally unique within an account, be 3 to 63 characters long, and start with a letter. |
|
Cloud service name |
For more information, see Log collection reference for cloud services. |
|
Log type |
For more information, see Log collection reference for cloud services. |
|
Resource matching mode |
|
|
Instances |
This parameter is valid only when Instance Mode is set to Instance Mode. Logs are collected only from instances with IDs in the specified list. Note
If no options are available in the drop-down list, you can manually enter instance IDs. After you create at least one collection rule for the cloud service, the drop-down list automatically populates with existing instance names. |
|
Region list, Resource tags |
|
|
Global log storage region |
This parameter is available only when the log type is a global log type. It specifies the region where the service collects global logs during the initial configuration.
|
Centralized storage configuration
The service uses data transformation to write logs to a centralized destination logstore. If you deliver logs from the default logstore to multiple centralized destinations, ensure that each logstore exists. If you need to delete a centralized logstore, first remove the related collection rules to avoid disrupting write operations to other destination logstores.
When you create a new logstore, the default name template is central-{productCode}-{dataCode}-{policyName}.
|
Parameter |
Description |
|
Centralized destination project |
The project for centralized log shipping. It is fixed to the project associated with the collection rule and cannot be modified. |
|
Centralized destination logstore |
|
|
Centralized storage retention period |
This parameter takes effect only when you create a new logstore. It initializes the data retention period for the new logstore and does not affect existing logstores. |
Multi-account configuration
-
Use Resource Directory to set up a multi-account structure. Only a Resource Directory management account or delegated administrator can enable the multi-account mode.
-
Log on to the Resource Management console as the management account and enable a resource directory.
-
Create a member or invite an existing Alibaba Cloud account to join. Then, move these members to the corresponding folder.
For more information, see Create a member, Invite an Alibaba Cloud account to join a resource directory, and Move a member.
-
-
Configure the multi-account mode.
Multi-account mode
Description
All (all)
-
Collects logs of the specified cloud service from all member accounts.
-
A collection rule configured by a management account or delegated administrator affects all member accounts in the Resource Directory. If a new account is added to or an existing account is changed in the Resource Directory, the service automatically creates or modifies the rule accordingly.
Custom (custom)
-
Collects logs of the specified cloud service from selected member accounts.
-
A collection rule configured by a management account or delegated administrator affects only the member accounts specified in the custom configuration. Other member accounts are not affected.
-
Common error codes
|
Error code |
Error message |
Description |
|
DeregisterDA.Deny.TrustedService |
Forbidden, the current management account has configured unified access under the resource directory, please update or delete the unified access related configuration first. |
This error occurs if you try to remove a Resource Directory, trusted service, or delegated administrator while collection rules still exist under the delegated administrator account. To resolve this issue, perform the following steps:
|
|
NotMatch |
productCode or dataCode are not match to current productCode or dataCode |
When you modify a rule, you cannot change the product code and data code. Otherwise, a mismatch error occurs. |
|
PolicyNotExist |
the collection policy does not exist |
The collection rule that you are trying to query or delete does not exist. |
|
InvalidSLR |
SLR not exist or created failed |
The service-linked role does not exist or its creation failed. When you create a rule in Log Audit Service, the service automatically creates the AliyunServiceRoleForSLSAudit service-linked role in the current account and in member accounts (if Resource Directory is enabled). |
|
InvalidRAM |
RAM is not enough for execute this action, please check current account ram policy of this operation |
The RAM user does not have the required permissions to perform operations in Log Audit Service. For more information, see Authorize a RAM user to manage Log Audit Service (New Version). |
|
InvalidProductData |
Invalid Product Code or Data Code |
The specified product code or data code is invalid. |
|
InvalidProductData |
Invalid Policy Name |
The specified rule name is invalid. |
|
InvalidPolicyConfig |
Policy Config : resourceMode should be all/instanceMode/attributeMode |
The resource matching mode must be one of the following: |
|
InvalidPolicyConfig |
Policy Config : resourceMode should be all for lens global log type |
For a CloudLens global log type, the resource matching mode must be set to |
|
InvalidPolicyConfig |
Policy Config : resourceMode should be attribute mode for security log type |
For a security log type, the resource matching mode must be set to |
|
InvalidPolicyConfig |
Policy Config : you should set at least one center region for security log type |
For a security log type, you must configure at least one primary central region. |
|
InvalidPolicyConfig |
Policy Config : this productCode and dataCode not allowed to config instance ids |
For a security log type, you cannot configure an instance list. |
|
InvalidConfig |
Please check if the project/logstore belongs to you or the project/logstore in right region |
The specified project or logstore for centralized storage either does not belong to the current account or is in the wrong region. |
|
InvalidConfig |
policyCode and dataCode is required when you need to list policy by instanceId that meet the filter conditions |
When you search for matching rules by instance ID, you must specify the product code and data code. |
|
InvalidCentralizeConfig |
when centralizeEnabled, you should set at least one centralize config |
When centralized storage is enabled, you must configure the corresponding centralized logstore information. |
|
InvalidCentralizeConfig |
centralize config is necessary for security product log collection |
For security log types, you must configure centralized storage. |
|
InvalidCentralizeConfig |
dest project, dest logstore, dest region, dest ttl should not be empty when centralize enabled |
When centralized storage is enabled, the destination project, destination logstore, and data retention period cannot be empty. |
|
InvalidCentralizeConfig |
dest project invalid for centralize config |
The destination project for centralized storage is invalid. |
|
InvalidCentralizeConfig |
dest logstore invalid for centralize config |
The destination logstore for centralized storage is invalid. |
|
InvalidCentralizeConfig |
dest region invalid for centralize config |
The destination region for centralized storage is invalid. |
|
InvalidResourceDirectoryConfig |
Policy ResourceDirectory Config : when you set resource directory, you should set account group type first |
When you configure a Resource Directory, you must first configure the multi-account mode. |
|
InvalidResourceDirectoryConfig |
Policy ResourceDirectory Config: instance mode not allowed to set resource directory |
If you enable multi-account settings for a Resource Directory, you cannot set the resource matching mode to instance mode. |
|
InvalidResourceDirectoryConfig |
Policy ResourceDirectory Config : members should not be empty |
When the multi-account mode is set to Custom, you must specify a non-empty list of members. |
|
InvalidResourceDirectoryConfig |
Policy ResourceDirectory Config : centralize config enabled is required for resource directory |
To collect logs from multiple accounts in a Resource Directory, you must enable and configure centralized storage to define a common destination. |
|
InvalidResourceDirectoryConfig |
Policy ResourceDirectory Config : the account resource directory not in use |
Resource Directory is not enabled for the current account. |
|
InvalidResourceDirectoryConfig |
Policy ResourceDirectory Config : the account is neither a delegated admin nor a master, just a member account |
The current account is a member account, not a management account or a delegated administrator. Therefore, it cannot configure the Resource Directory mode in the rule. |
|
InvalidResourceDirectoryConfig |
Policy ResourceDirectory Config : custom members include invalid account |
When the multi-account mode is set to Custom, the list of specified member accounts contains an invalid account ID. |
|
InvalidDataConfig |
Policy DataConfig: the data region is not valid |
The configured default destination region for the global log type is invalid. |
|
InvalidDataConfig |
Policy DataConfig: this kind of product is not allowed to set data config |
This configuration is not allowed because the current product or log type is not a global log type. |
|
InvalidDataConfig |
Policy DataConfig: the data region already exist in other policy, you cannot change |
For global log types, once you configure a default destination region, it takes effect immediately and you cannot change it later. |
Related documentation
-
If you use a RAM user to manage the new Log Audit Service, you must use an Alibaba Cloud account to grant the required permissions to the RAM user. For more information, see Authorize a RAM user to manage Log Audit Service (New Version).
-
For information about log types, default project and logstore names, and billing for different cloud services, see Log collection reference for cloud services.
-
To collect cloud service logs from multiple Alibaba Cloud accounts, you must first enable Resource Directory. Then, as the management account or a delegated administrator of the Resource Directory, configure collection rules. This allows you to collect logs from member accounts into a specified project. For more information, see Log collection reference for cloud services.