Check for Sufficient Log Retention Period


Risk Level: Medium (should be achieved)

For reliability and compliance purposes, ensure that your Simple Log Service (SLS) Logstores are configured with a log retention period of 365 days or more. In Alibaba Cloud, an SLS Logstore is used to collect, store, and query logs. Each Logstore belongs to an SLS project. The retention period represents the number of days to retain activity logs for a specific Logstore.

Security

A retention period of 365 days or more gives you enough activity log data to find anomalies and potential security breaches. Because the average time to detect a breach is 200 days, your activity logs should be retained for 365 days or more to give you enough time to respond efficiently to any incidents.


Audit

To determine if your SLS Logstores have a sufficient retention period configured for log data, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to the Simple Log Service (SLS) console available at https://sls.console.aliyun.com/.

03 Click on the name (link) of the SLS project that you want to examine, listed in the Projects section.

04 Choose Log Storage (Magnifying Glass icon) from the left navigation panel to view the Logstores created for the selected project.

05 Choose the SLS Logstore that you want to examine, click on the Expand button (down arrow icon), and choose Modify (edit icon).

06 In the Logstore Attributes section, check the Data Retention Period setting to determine the number of days to retain activity logs for the selected Logstore. If Data Retention Period is less than 365 days and different from Permanent Storage (i.e. retain data permanently), the selected Simple Log Service (SLS) Logstore does not have a sufficient log retention period configured.

07 Repeat steps no. 5 and 6 for each SLS Logstore created for the selected project.

08 Repeat steps no. 3 - 7 for each SLS project available within your Alibaba Cloud account.

Using Alibaba Cloud CLI

01 Install and configure Simple Log Service (SLS) CLI. SLS CLI is a dedicated command-line tool for Alibaba Cloud's Simple Log Service (SLS).

02 Run the list_project command (OSX/Linux/UNIX) to describe the information available for each Simple Log Service (SLS) project deployed in your Alibaba Cloud account:

aliyunlog log list_project --format-output=json

03 The command output should return the requested information (including the project name, i.e. the "projectName" value):

{
	"projects": [
		{
			"createTime": "1709556764",
			"dataRedundancyType": "LRS",
			"description": "",
			"lastModifyTime": "1709556764",
			"owner": "",
			"projectName": "tm-sls-main-project",
			"region": "eu-west-1",
			"resourceGroupId": "rg-abcdabcdabcdabc",
			"status": "Normal"
		},
		{
			"createTime": "1709222851",
			"dataRedundancyType": "LRS",
			"description": "",
			"lastModifyTime": "1709222851",
			"owner": "",
			"projectName": "slsaudit-region-1234567890123456-eu-west-1",
			"region": "eu-west-1",
			"resourceGroupId": "rg-abcdabcdabcdabc",
			"status": "Normal"
		}
	],
	"count": 2,
	"total": 2
}

04 Run the list_logstore command (OSX/Linux/UNIX), using the name of the SLS project that you want to examine as the identifier parameter, to list the name of each Logstore created for the selected project:

aliyunlog log list_logstore \
  --project_name=tm-sls-main-project \
  --format-output=json

05 The command output should return the requested information:

{
	"logstores": [
		"tm-sls-main-project-logstore",
		"tm-sls-audit-data-logstore"
	],
	"count": 2,
	"total": 2
}

06 Run the get_logstore command (OSX/Linux/UNIX) to describe the configuration information available for the specified Simple Log Service (SLS) Logstore:

aliyunlog log get_logstore \
  --project_name=tm-sls-main-project \
  --logstore_name=tm-sls-main-project-logstore \
  --format-output=json

07 The command output should return the requested configuration information (including the log retention period, i.e. the "ttl" value):

{
	"shardCount": 1,
	"telemetryType": "",
	"ttl": 90,
	"appendMeta": true,
	"archiveSeconds": 0,
	"autoSplit": true,
	"createTime": 1709556812,
	"enable_tracking": false,
	"hot_ttl": 90,
	"infrequentAccessTTL": 0,
	"lastModifyTime": 1709568873,
	"logstoreName": "tm-sls-main-project-logstore",
	"maxSplitShard": 64,
	"mode": "standard",
	"productType": "",
	"resourceQuota": {
		"storage": {
			"preserved": -1,
			"used": 0
		}
	}
}

Check the "ttl" attribute value to determine the number of days to retain activity logs for the selected Logstore. If the "ttl" value is less than 365 days and different from 3650 (i.e. retain data permanently), the selected Simple Log Service (SLS) Logstore does not have a sufficient log retention period configured.

08 Repeat steps no. 6 and 7 for each SLS Logstore created for the selected project.

09 Repeat steps no. 4 - 8 for each SLS project available within your Alibaba Cloud account.
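
The CLI audit in steps 02 to 09 can be run as one pass over every project and Logstore. The following is an added example, not part of the original page or of any vendor tooling; it calls only the aliyunlog subcommands shown above, and the function names (run_cli, check_complete, is_sufficient, audit) are hypothetical. It assumes the SLS CLI is already configured, and it treats a listing whose "count" is lower than its "total" as an error rather than auditing a partial list.

```python
import json
import subprocess

MIN_TTL_DAYS = 365    # minimum retention required by this check
PERMANENT_TTL = 3650  # "ttl" value the page describes as permanent storage


def run_cli(*args):
    """Run an `aliyunlog log` subcommand and return its parsed JSON output."""
    cmd = ["aliyunlog", "log", *args, "--format-output=json"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def check_complete(listing, what):
    """Fail loudly on a partial listing so no Logstore is silently skipped."""
    if listing.get("count", 0) < listing.get("total", 0):
        raise RuntimeError(
            f"{what}: got {listing['count']} of {listing['total']} entries")


def is_sufficient(ttl):
    """The page's rule: at least 365 days, or the permanent-storage value."""
    return ttl >= MIN_TTL_DAYS or ttl == PERMANENT_TTL


def audit(cli=run_cli):
    """Return (project, logstore, ttl) for every Logstore that fails the check."""
    findings = []
    projects = cli("list_project")
    check_complete(projects, "list_project")
    for project in projects["projects"]:
        name = project["projectName"]
        stores = cli("list_logstore", f"--project_name={name}")
        check_complete(stores, f"list_logstore {name}")
        for store in stores["logstores"]:
            cfg = cli("get_logstore", f"--project_name={name}",
                      f"--logstore_name={store}")
            ttl = int(cfg["ttl"])
            if not is_sufficient(ttl):
                findings.append((name, store, ttl))
    return findings


if __name__ == "__main__":
    for project, store, ttl in audit():
        print(f"FAIL {project}/{store}: ttl={ttl} days")
```

The `cli` parameter exists so the traversal can be exercised against canned responses before it is pointed at a live account.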

Remediation / Resolution

To extend the log data retention period for your Simple Log Service (SLS) Logstores, perform the following operations:

Creating and managing Simple Log Service (SLS) alerts via Alibaba Cloud CLI (aliyun) is not currently supported.

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to the Simple Log Service (SLS) console available at https://sls.console.aliyun.com/.

03 Click on the name (link) of the SLS project that you want to access, listed in the Projects section.

04 Choose Log Storage (Magnifying Glass icon) from the left navigation panel to view the Logstores created for the selected project.

05 Choose the SLS Logstore that you want to configure, click on the Expand button (down arrow icon), and choose Modify (edit icon).

06 Choose Modify from the top-right menu and set the Data Retention Period to 365 days or more. To permanently store the collected logs in the selected Logstore, set Data Retention Period to Permanent Storage. Choose Save from the top-right menu to apply the configuration changes. After the log retention period ends, your logs are automatically deleted.

07 Repeat steps no. 5 and 6 for each SLS Logstore that you want to configure, created for the selected project.

08 Repeat steps no. 3 - 7 for each SLS project available within your Alibaba Cloud account.

Using Alibaba Cloud CLI

01 Install and configure Simple Log Service (SLS) CLI. SLS CLI is a dedicated command-line tool for Alibaba Cloud's Simple Log Service (SLS).

02 Run the update_logstore command (OSX/Linux/UNIX) to update the configuration of the specified Simple Log Service (SLS) Logstore in order to extend the log retention period to 365 days or more. Use the --ttl command parameter to set the desired retention period. If you set the --ttl parameter to 3650, data is permanently stored within the selected Logstore (the command does not produce an output):

aliyunlog log update_logstore \
  --project_name=tm-sls-main-project \
  --logstore_name=tm-sls-main-project-logstore \
  --ttl=365

03 Repeat step no. 2 for each SLS Logstore created for the selected project.

04 Repeat steps no. 1 and 2 for each SLS project available within your Alibaba Cloud account.

Publication date Apr 29, 2024