Enable Log Analysis in Security Center

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the Log Analysis feature is enabled in the Security Center settings. Once the feature is enabled, the Security Center service integrates with Simple Log Service (SLS) to provide network, host, and security log analysis. With Log Analysis, SLS can collect multiple log types: for security logs, vulnerability, baseline, and security alert logs; for network logs, DNS, web, and network session logs; for host logs, network connection, system logon, brute-force cracking, and process initiation logs. Log Analysis is available only in the Anti-virus, Advanced, Enterprise, or Ultimate edition of Security Center.

Security

Enabling Log Analysis in Alibaba Cloud Security Center unlocks real-time log querying and analysis. This translates to better security by letting you identify suspicious activity, potential network attacks, and vulnerabilities faster. The feature is well-suited for enterprises and organizations needing network and host security compliance, flexible configuration, and comprehensive real-time monitoring and analysis of traffic at the network and host level.

Audit

To determine if Log Analysis is enabled within the Security Center settings, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Security Center console available at https://yundun.console.aliyun.com/?p=sas#/overview/home.

03 In the top navigation bar, select the region where your cloud resources reside (China or Outside China).

04 In the left navigation panel, under Risk Governance, choose Log Analysis.

05 If the Authorize Immediately button is displayed on the Log Analysis page, Security Center has not been authorized to access your cloud resources and the Log Analysis feature is therefore not enabled. If the Activate Now button is displayed on the Log Analysis page, the feature has not been activated for querying and analyzing logs in real time. If the feature is enabled, confirm that all the supported log types are enabled in the feature dropdown; if one or more log types are not enabled, the Log Analysis feature is not properly configured. Also check the Storage Usage indicator to determine the remaining log storage: if the indicator is at 100%, the log storage is exhausted and the Log Analysis feature is therefore not operational.

Using Alibaba Cloud CLI

01 Run the DescribeLogMeta command (OSX/Linux/UNIX) to list the configuration information available for each log type supported by Log Analysis in Security Center:

aliyun sas DescribeLogMeta --Lang en --From sas

02 The command output should return the requested configuration information, including the operational status of each supported log type (the "Status" attribute value):

{
	"LogMetaList": [
		{
			"Category": "host",
			"LogDesc": "Login",
			"LogStore": "aegis-log-login",
			"Project": "aegis-log-southeast-1",
			"Status": "disabled",
			"Topic": "aegis-log-login",
			"UserLogStore": "sas-log",
			"UserProject": "sas-log-1234567890123456-ap-southeast-1",
			"UserRegion": "ap-southeast-1"
		},
		{
			"Category": "host",
			"LogDesc": "Network",
			"LogStore": "aegis-log-network",
			"Project": "aegis-log-southeast-1",
			"Status": "disabled",
			"Topic": "aegis-log-network",
			"UserLogStore": "sas-log",
			"UserProject": "sas-log-1234567890123456-ap-southeast-1",
			"UserRegion": "ap-southeast-1"
		},
		{
			"Category": "host",
			"LogDesc": "Process",
			"LogStore": "aegis-log-process",
			"Project": "aegis-log-southeast-1",
			"Status": "disabled",
			"Topic": "aegis-log-process",
			"UserLogStore": "sas-log",
			"UserProject": "sas-log-1234567890123456-ap-southeast-1",
			"UserRegion": "ap-southeast-1"
		},
		{
			"Category": "host",
			"LogDesc": "Brute Force",
			"LogStore": "aegis-log-crack",
			"Project": "aegis-log-southeast-1",
			"Status": "disabled",
			"Topic": "aegis-log-crack",
			"UserLogStore": "sas-log",
			"UserProject": "sas-log-1234567890123456-ap-southeast-1",
			"UserRegion": "ap-southeast-1"
		},
		{
			"Category": "host",
			"LogDesc": "Account Snapshot",
			"LogStore": "aegis-snapshot-host",
			"Project": "aegis-log-southeast-1",
			"Status": "disabled",
			"Topic": "aegis-snapshot-host",
			"UserLogStore": "sas-log",
			"UserProject": "sas-log-1234567890123456-ap-southeast-1",
			"UserRegion": "ap-southeast-1"
		},
		{
			"Category": "host",
			"LogDesc": "Network Snapshot",
			"LogStore": "aegis-snapshot-port",
			"Project": "aegis-log-southeast-1",
			"Status": "disabled",
			"Topic": "aegis-snapshot-port",
			"UserLogStore": "sas-log",
			"UserProject": "sas-log-1234567890123456-ap-southeast-1",
			"UserRegion": "ap-southeast-1"
		},
		{
			"Category": "host",
			"LogDesc": "Process Snapshot",
			"LogStore": "aegis-snapshot-process",
			"Project": "aegis-log-southeast-1",
			"Status": "disabled",
			"Topic": "aegis-snapshot-process",
			"UserLogStore": "sas-log",
			"UserProject": "sas-log-1234567890123456-ap-southeast-1",
			"UserRegion": "ap-southeast-1"
		},
		{
			"Category": "security",
			"LogDesc": "Vulnerability",
			"LogStore": "sas-vul-log",
			"Project": "sas-operation-log-southeast-1",
			"Status": "disabled",
			"Topic": "sas-vul-log",
			"UserLogStore": "sas-log",
			"UserProject": "sas-log-1234567890123456-ap-southeast-1",
			"UserRegion": "ap-southeast-1"
		},
		{
			"Category": "security",
			"LogDesc": "Baseline",
			"LogStore": "sas-hc-log",
			"Project": "sas-operation-log-southeast-1",
			"Status": "disabled",
			"Topic": "sas-hc-log",
			"UserLogStore": "sas-log",
			"UserProject": "sas-log-1234567890123456-ap-southeast-1",
			"UserRegion": "ap-southeast-1"
		},
		{
			"Category": "security",
			"LogDesc": "Events",
			"LogStore": "sas-security-log",
			"Project": "sas-operation-log-southeast-1",
			"Status": "disabled",
			"Topic": "sas-security-log",
			"UserLogStore": "sas-log",
			"UserProject": "sas-log-1234567890123456-ap-southeast-1",
			"UserRegion": "ap-southeast-1"
		},
		{
			"Category": "host",
			"LogDesc": "DNS Query",
			"LogStore": "aegis-log-dns-query",
			"Project": "aegis-log-southeast-1",
			"Status": "disabled",
			"Topic": "aegis-log-dns-query",
			"UserLogStore": "sas-log",
			"UserProject": "sas-log-1234567890123456-ap-southeast-1",
			"UserRegion": "ap-southeast-1"
		},
		{
			"Category": "security",
			"LogDesc": "Cloud Platform Configuration Assessment",
			"LogStore": "sas-cspm-log",
			"Project": "sas-operation-log-southeast-1",
			"Status": "disabled",
			"Topic": "sas-cspm-log",
			"UserLogStore": "sas-log",
			"UserProject": "sas-log-1234567890123456-ap-southeast-1",
			"UserRegion": "ap-southeast-1"
		},
		{
			"Category": "security",
			"LogDesc": "Network Defense",
			"LogStore": "sas-net-block",
			"Project": "sas-common-log-ap-southeast-1",
			"Status": "disabled",
			"Topic": "sas-net-block",
			"UserLogStore": "sas-log",
			"UserProject": "sas-log-1234567890123456-ap-southeast-1",
			"UserRegion": "ap-southeast-1"
		},
		{
			"Category": "security",
			"LogDesc": "Application Protection",
			"LogStore": "sas-rasp-log",
			"Project": "sas-operation-log-southeast-1",
			"Status": "disabled",
			"Topic": "sas-rasp-log",
			"UserLogStore": "sas-log",
			"UserProject": "sas-log-1234567890123456-ap-southeast-1",
			"UserRegion": "ap-southeast-1"
		}
	],
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"TotalCount": 14
}

If the "Status" attribute value for one or more log types is set to "disabled", as shown in the example above, Log Analysis is not enabled for all the supported log types; therefore the feature is considered disabled.
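The audit step above can be scripted. The following Python is an added example (not Conformity's or Alibaba Cloud's own code): it parses the JSON that `aliyun sas DescribeLogMeta --Lang en --From sas` returns, groups every log type that is not enabled by its Category, and reports PASS or FAIL exactly as the rule above does. The embedded sample response is constructed and abridged to three entries; the fetch_log_meta helper is an assumption that needs a configured aliyun CLI.

```python
"""Evaluate DescribeLogMeta output against the Log Analysis check."""
import json
import subprocess
from collections import defaultdict

# Constructed sample in the shape of the DescribeLogMeta response shown above,
# abridged to three entries and the fields the check needs.
SAMPLE_OUTPUT = """{
  "LogMetaList": [
    {"Category": "host", "LogDesc": "Login", "LogStore": "aegis-log-login", "Status": "enabled"},
    {"Category": "host", "LogDesc": "Brute Force", "LogStore": "aegis-log-crack", "Status": "disabled"},
    {"Category": "security", "LogDesc": "Vulnerability", "LogStore": "sas-vul-log", "Status": "disabled"}
  ],
  "RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
  "TotalCount": 3
}"""

def disabled_log_types(raw_json):
    """Map each Category to the LogDesc names whose Status is not 'enabled'.

    Anything other than 'enabled' (the page's 'disabled', or an unexpected
    value) is treated as a finding, so the check fails closed.
    """
    meta = json.loads(raw_json)
    findings = defaultdict(list)
    for entry in meta.get("LogMetaList", []):
        if entry.get("Status") != "enabled":
            name = entry.get("LogDesc") or entry.get("LogStore", "?")
            findings[entry.get("Category", "unknown")].append(name)
    return dict(findings)

def evaluate(raw_json):
    """Return 'PASS' only when every supported log type reports Status 'enabled'."""
    if not json.loads(raw_json).get("LogMetaList"):
        return "FAIL"  # no log types at all: Log Analysis is not activated
    return "FAIL" if disabled_log_types(raw_json) else "PASS"

def fetch_log_meta():
    """Run the audit command from the page; needs a configured aliyun CLI (assumption)."""
    cmd = ["aliyun", "sas", "DescribeLogMeta", "--Lang", "en", "--From", "sas"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

if __name__ == "__main__":
    raw = SAMPLE_OUTPUT  # swap in fetch_log_meta() to audit a live account
    print("Result:", evaluate(raw))
    for category, names in sorted(disabled_log_types(raw).items()):
        print(f"  {category}: disabled -> {', '.join(names)}")
```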

Remediation / Resolution

To ensure that Log Analysis is enabled within the Security Center settings, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Security Center console available at https://yundun.console.aliyun.com/?p=sas#/overview/home.

03 In the top navigation bar, select the region where your cloud resources reside (China or Outside China).

04 In the left navigation panel, under Risk Governance, choose Log Analysis.

05 If the Authorize Immediately button is displayed on the Log Analysis page, Security Center has not been authorized to access your cloud resources. Choose Authorize Immediately to authorize Security Center to access and protect your cloud resources.

06 If the Activate Now button is displayed on the Log Analysis page, choose Activate Now and perform the following actions:

  1. For Edition, ensure that one of the following editions of Security Center is selected: Anti-virus, Advanced, Enterprise, or Ultimate.
  2. For Log Analysis, configure the log storage capacity for Log Analysis. Alibaba Cloud recommends that you allocate 40 GB of log storage capacity to each server to store logs.
  3. Choose Buy Now, read and select I have read and agree to Security Center Agreement of Service, then choose Pay to complete the purchasing process and activate the Log Analysis feature. After you enable the feature, Simple Log Service (SLS) automatically creates a dedicated Logstore to store Security Center logs.

07 On the Log Analysis page, ensure that all the supported log types are enabled in the feature dropdown.

Using Alibaba Cloud CLI

01 Run the ModifyOpenLogShipper command (OSX/Linux/UNIX) to activate Simple Log Service (SLS) for Security Center. This is required before the Log Analysis feature can be enabled:

aliyun sas ModifyOpenLogShipper --From sas

02 If successful, the output should return the command request ID:

{
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"
}

03 Install and configure the Simple Log Service (SLS) CLI (aliyunlog), the dedicated command-line tool for Alibaba Cloud's Simple Log Service (SLS).

04 Run the create_project command (OSX/Linux/UNIX) to create the Simple Log Service (SLS) project that will manage the log data for Log Analysis (the command does not produce any output):

aliyunlog log create_project \
  --project_name=tm-sls-project \
  --project_des="SLS Project for ACK Cluster Logs" \
  --region-endpoint=eu-west-1.log.aliyuncs.com

05 Run the create_logstore command (OSX/Linux/UNIX) to create a new Simple Log Service (SLS) Logstore for storing the log data collected with Log Analysis (the command does not produce any output):

aliyunlog log create_logstore \
  --project_name=tm-sls-project \
  --logstore_name=tm-sls-project-logstore

06 Run the ModifyLogMetaStatus command (OSX/Linux/UNIX) to enable the Log Analysis feature for Security Center using the SLS project and Logstore created in the previous steps:

aliyun sas ModifyLogMetaStatus \
  --From sas \
  --Project 'tm-sls-project' \
  --LogStore 'tm-sls-project-logstore' \
  --Status enabled

07 If successful, the output should return the command request ID:

{
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"
}

Publication date Apr 26, 2024