Why Log Auditing Is Essential for Cloud Security and Compliance

This article explains the importance of centralized log auditing for breaking information silos, meeting legal requirements, and enhancing security insights, and details how Alibaba Cloud's Simple Log Service (SLS) supports VPC flow log collection, multi‑region aggregation, rule configuration, custom analysis, and alerting.

Alibaba Cloud Observability

Why Log Auditing Matters

Centralized log audit and analysis is a key component of modern information security management. It aggregates logs from different regions, accounts, and cloud products, breaking information silos, improving threat detection, and providing deeper security insights.

Legal and Regulatory Drivers

Chinese regulations such as the Cybersecurity Law require organizations to monitor and retain network logs for at least six months. The law also mandates that network‑critical devices and security‑specific products obtain certification from qualified authorities. In July 2023, the National Internet Information Office updated the Network‑Critical Equipment and Security‑Specific Product Catalog, adding log‑analysis products to the list of certified security products.

Alibaba Cloud Simple Log Service (SLS) Certification

SLS complies with the national standards GB 42250‑2022 (security technical requirements for network‑security products) and GA/T 911‑2019 (security technical requirements for log‑analysis products). It provides centralized log storage and analysis, supporting cross‑region and cross‑account audit capabilities.

Benefits of Log Auditing

Scalability: Automatic collection of logs from multiple cloud products across accounts and regions.

Operational Efficiency: Simple UI or a few API calls reduce debugging time and errors.

Visibility: A unified audit console shows collection rules and log status, facilitating team collaboration.

Maintainability: Reduces the burden of custom tooling, letting teams focus on core business.

VPC Flow Log Use Cases

VPC flow logs record inbound and outbound traffic for virtual private clouds. They help understand internal traffic patterns, optimize network architecture, quickly locate security incidents, and satisfy compliance requirements such as the Cybersecurity Law, GDPR, and PCI‑DSS.

Workflow Overview

1. Define a collection rule specifying the cloud product and log type.
2. The audit service automatically discovers matching resources using a resource‑matching model.
3. Logs are ingested into a default log store.
4. Data is processed according to centralized and multi‑account configurations.

Key Features of the New Log Audit Service

Broad cloud product coverage (OSS, VPC, CLB, RDS, WAF, etc.).

Automated log collection and ingestion.

Three resource selection modes: all resources, instance‑filter, attribute‑filter.

Cross‑region data aggregation via data transformation.

Multi‑log‑store targets with a single ingestion point.

Resource directory integration for multi‑account aggregation.

Custom Analysis Examples

Inbound traffic source statistics

(log-status : OK and version : 1) and direction: 'in' | select concat('src: ', srcaddr) as src, concat('dst: ', dstaddr) as dst, sum(bytes) as total_bytes group by src, dst order by total_bytes desc limit 10

Geographic distribution of inbound traffic

(log-status : OK and version : 1 and action : Accept) and direction: "out" | select ip_to_country(srcaddr) as country, count(*) as accept_actions where ip_to_country(srcaddr)!='保留地址' group by country order by accept_actions desc limit 20

Port‑scan detection (short‑term high‑frequency requests)

(log-status : OK and version : 1) and direction: "in" | select * from (select dstaddr, srcaddr, count(dstport) as dst_port_nums from log where (srcaddr not like '100.127.%' and srcaddr not like '100.100.2.%') group by dstaddr, srcaddr order by dst_port_nums desc) where dst_port_nums > 50 limit 10

Traffic anomaly alert (5‑minute inbound volume exceeds 1.25× the max of the past 7 days or falls below 0.75× the min)

WITH latest_5_min AS (
  SELECT count(bytes) AS latest_sum
  FROM log
  WHERE __time__ > to_unixtime(current_timestamp) - 300
    AND __time__ < to_unixtime(current_timestamp)
),
previous_time_buckets AS (
  SELECT count(bytes) AS cnt, __time__ - __time__ % 300 AS t
  FROM log
  WHERE __time__ < to_unixtime(current_timestamp) - 300
    AND __time__ > to_unixtime(current_timestamp) - 7*24*3600
  GROUP BY t
),
agg_previous_5_min AS (
  SELECT max(cnt)*1.25 AS max_previous_threshold, min(cnt)*0.75 AS min_previous_threshold
  FROM previous_time_buckets
)
SELECT latest_sum, max_previous_threshold, min_previous_threshold
FROM latest_5_min, agg_previous_5_min;

When latest_sum > max_previous_threshold or latest_sum < min_previous_threshold, an alert is triggered and notification policies can be configured.
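The same 5‑minute baseline check, reimplemented in Python over constructed flow‑log rows so the threshold logic can be tested offline. This is an added example, not SLS code; it assumes rows are dicts with an epoch `__time__` field and a `direction` field, and, like the SLS query above, it only builds the baseline from 5‑minute buckets that actually contain records, so empty buckets never drive the minimum to zero.

```python
from collections import defaultdict

BUCKET = 300            # 5-minute buckets, as in the SLS query
WEEK = 7 * 24 * 3600    # baseline window: the past 7 days
HIGH, LOW = 1.25, 0.75  # multipliers from the article's alert rule


def bucket_counts(records, now):
    """Count inbound records per 5-minute bucket over the past 7 days,
    excluding the most recent 5 minutes (the window under test).
    Only buckets that contain records appear, matching GROUP BY t in SLS."""
    counts = defaultdict(int)
    for r in records:
        t = r["__time__"]
        if r.get("direction") == "in" and now - WEEK < t < now - BUCKET:
            counts[t - t % BUCKET] += 1
    return counts


def latest_count(records, now):
    """Inbound records in the most recent 5 minutes (latest_sum)."""
    return sum(1 for r in records
               if r.get("direction") == "in" and now - BUCKET < r["__time__"] < now)


def check_anomaly(records, now):
    """Return the three values the SLS query yields plus the alert decision,
    or None when there is no baseline at all."""
    prev = bucket_counts(records, now)
    if not prev:
        return None
    hi = max(prev.values()) * HIGH
    lo = min(prev.values()) * LOW
    latest = latest_count(records, now)
    return {"latest_sum": latest,
            "max_previous_threshold": hi,
            "min_previous_threshold": lo,
            "alert": latest > hi or latest < lo}


def sample_records(now):
    """Constructed baseline: three earlier 5-minute buckets holding 4, 6 and 5
    inbound flow records (only __time__ and direction matter for this check)."""
    rows = []
    for hours_ago, n in ((24, 4), (48, 6), (72, 5)):
        base = now - hours_ago * 3600
        base -= base % BUCKET
        rows += [{"__time__": base + i, "direction": "in"} for i in range(n)]
    return rows


def recent_burst(now, n):
    """Constructed: n inbound records inside the latest 5-minute window."""
    return [{"__time__": now - 10 - i, "direction": "in"} for i in range(n)]
```

With the constructed baseline the thresholds are 6×1.25 = 7.5 and 4×0.75 = 3.0, so a latest window of 10 records raises the alert, 5 does not, and 2 trips the lower bound.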

Summary

Log auditing fulfills legal obligations, eliminates information silos, and enhances threat detection. Choosing SLS for log audit provides a certified security product, simplifies multi‑region and multi‑account log management, and offers built‑in reports and alerting to proactively discover security risks.

Written by

Alibaba Cloud Observability

Driving continuous progress in observability technology!
