Tencent Container Security Service

Log Shipping

Last updated: 2024-01-23 15:44:44
You can ship logs to CKafka or CLS.

Shipping to CKafka

1. On the Log Analysis page, click Log shipping > KAFKA at the top.
2. On the KAFKA tab, click Configure now.

3. On the Shipping to CKafka page, grant the access, configure the message queue instance, public domain name, username, and password, and click OK.
Note:
Network access is set to Public domain name by default.
For Ship to, select either Ship to the current Tencent Cloud account or Ship to another Tencent Cloud account.

4. After the configuration, check whether shipping is enabled for each log type and the topic ID/name.

Cross-Account Log Shipping Through the Public Domain Name

Step 1. Select the shipping method

1. On the Log Analysis page, click Log shipping > KAFKA/CLS at the top.
2. On the KAFKA tab, select Ship to another Tencent Cloud account and enter the UIN of the recipient account.
Note:
When configuring the message queue instance for the recipient account in the CKafka console, select Public domain name and create three topics to receive the three types of TCSS audit logs.
Record the ID and public domain name of the message queue instance, the ID and name of each of the three topics, and the username and password. After cross-account authorization, you need to enter this information in the shipping account.


Step 2. Authorize cross-account log shipping

To ship TCSS logs across accounts, you need to authorize the recipient account so that the shipping account can verify the recipient account's CKafka instance and pull the topic IDs and names.

If a TCSS role already exists

1. Log in to CAM console and click Role on the left sidebar.
2. On the Role page, enter TCSS in the search box. If a role with role name TCSS_QCSRole and role entity Product Service - tcss is found, a TCSS role is already bound to the account, and you only need to add the CAM and CKafka policy permissions under Associate Policy.
Note:
The UIN of the recipient account should be the same as that entered in step 1.

3. Click TCSS_QCSRole to enter the Permission tab.
4. On the Permission tab, search for the QcloudCamSubaccountsAuthorizeRoleFullAccess and QcloudAccessForTCSSRoleInCkafka policies.
If the policies already exist: Go back to the TCSS console, log in to the shipping account, and check whether the authorization succeeded as prompted on the page. If so, configure the public domain name, message queue instance, and topic information for log shipping to CKafka.

If the policies do not exist:
2.1 Click Associate Policy and confirm the information. The Associate Policy window appears.
Note:
You authorized this role. Changing its content (such as the associated policies or the role entity) may prevent the service you granted the role to from using it normally.

2.2 In the Associate Policy pop-up window, search for QcloudCamSubaccountsAuthorizeRoleFullAccess and QcloudAccessForTCSSRoleInCkafka policies, select the policies, and click OK. Then, you can view the policies in the details of the TCSS_QCSRole role.

2.3 After the configuration, go back to the TCSS console, log in to the shipping account, and check whether the authorization succeeded as prompted on the page. If so, configure the public domain name, message queue instance, and topic information for log shipping to CKafka.

If no TCSS roles exist

1. On the Role page, enter TCSS in the search box. If no role with role name TCSS_QCSRole and role entity Product Service - tcss is found, no TCSS role is bound to the account, and you need to create one in the list.


2. On the Role page, click Create Role and select Tencent Cloud Product Service.

3. In the Enter Role Entity Info step, select Tencent Container Security Service (tcss) and click Next.
4. In the Configure Role Policy step, search for and select QcloudCamSubaccountsAuthorizeRoleFullAccess and QcloudAccessForTCSSRoleInCkafka and click Next.


5. In the Set Role Tag step, customize the role tag or leave it empty and click Next.
6. In the Review step, configure Role Name as TCSS_QCSRole (as TCSS pulls the configured permission based on the role name) and customize Description or leave it empty. After the configuration, click Complete. Then, you can view the role and associated policy on the Role page after authentication.


7. After the configuration, go back to the TCSS console, log in to the shipping account, and check whether the authorization succeeded as prompted on the page. If so, configure the public domain name, message queue instance, and topic information for log shipping to CKafka.
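The three branches of the cross-account authorization procedure above (no role, role without the two policies, role fully authorized) can be checked in the recipient account before returning to the TCSS console. The following script is an added example, not part of the original page or of TCSS itself; it assumes the two input dicts have the shape of CAM GetRole and ListAttachedRolePolicies responses (a "RoleInfo" object and a "List" of policies with "PolicyName"), and the sample responses are constructed.

```python
"""Pre-flight check for the TCSS cross-account CKafka authorization.

Assumption (not from the page): the inputs mirror the JSON shape of CAM's
GetRole ({"RoleInfo": {"RoleName": ...}}) and ListAttachedRolePolicies
({"List": [{"PolicyName": ...}, ...]}) responses. Only the role name and
the attached policy names are inspected.
"""
from typing import Optional

# Role and policy names as given in the procedure on this page.
ROLE_NAME = "TCSS_QCSRole"
REQUIRED_POLICIES = frozenset({
    "QcloudCamSubaccountsAuthorizeRoleFullAccess",
    "QcloudAccessForTCSSRoleInCkafka",
})


def missing_policies(attached: dict) -> set:
    """Return the required policy names that are not attached to the role."""
    names = {p.get("PolicyName") for p in attached.get("List", [])}
    return set(REQUIRED_POLICIES - names)


def authorization_status(get_role: Optional[dict], attached: Optional[dict]) -> str:
    """Map the recipient account's CAM state onto the page's three branches.

    get_role: GetRole response for TCSS_QCSRole, or None if the role does not exist.
    attached: ListAttachedRolePolicies response for that role (None if no role).
    Returns "create_role", "associate_policies" or "ready".
    """
    if not get_role or get_role.get("RoleInfo", {}).get("RoleName") != ROLE_NAME:
        return "create_role"          # "If no TCSS roles exist" branch
    if missing_policies(attached or {}):
        return "associate_policies"   # role bound, CAM/CKafka policies not yet attached
    return "ready"                    # back to the TCSS console to configure CKafka


# Constructed sample responses (hypothetical, not output from a real account).
SAMPLE_ROLE = {"RoleInfo": {"RoleName": ROLE_NAME}}
SAMPLE_PARTIAL = {"List": [{"PolicyName": "QcloudCamSubaccountsAuthorizeRoleFullAccess"}]}
SAMPLE_FULL = {"List": [
    {"PolicyName": "QcloudCamSubaccountsAuthorizeRoleFullAccess"},
    {"PolicyName": "QcloudAccessForTCSSRoleInCkafka"},
]}

if __name__ == "__main__":
    for label, role, pol in [("no role", None, None),
                             ("role, one policy", SAMPLE_ROLE, SAMPLE_PARTIAL),
                             ("role, both policies", SAMPLE_ROLE, SAMPLE_FULL)]:
        print(f"{label}: {authorization_status(role, pol)}")
```

In practice the two dicts would be loaded from the JSON printed by the CAM API for the recipient account; the status string then tells you which branch of the procedure above to follow.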

Shipping to CLS

Shipping to CLS requires authorization for access. After the authorization, check whether shipping is enabled for each log type and the logset and log topic information.
1. On the Log Analysis page, click Log shipping > CLS at the top.
2. On the CLS tab, select the target log type and click Configure now.


3. On the shipping settings page, configure parameters and click OK.
Note:
After CLS access is authorized and shipping to CLS is enabled under your account, pay-as-you-go storage space will be automatically created in CLS, along with pay-as-you-go bills. For billing details, see Billing Overview.


