tencent cloud

Cloud Security Center

FAQs

Last updated: 2026-05-20 17:37:26
This document compiles frequently asked questions (FAQs) and their answers regarding the use of the Log Analysis Service. It covers typical inquiries on topics such as log delivery, multi-account capacity sharing, storage policies, renewal, and scaling.

Service Activation and Permissions

1. Can I Use It Without Purchasing the Log Analysis Service?

Yes, provided that your account has been granted shared log storage capacity by an administrator account. In multi-account scenarios, an administrator can share storage capacity with member accounts using the Multi-Account Configuration feature. Accounts that have received shared capacity can use the Log Analysis Service without purchasing it separately.

2. In a Multi-Account Scenario, Does a Member Account Need to Purchase Kafka or CLS Services to Configure Log Delivery?

No. You can choose to deliver logs to the account where the service is activated, and the delivery targets can be the same.

Log Search and Analysis

1. What Are the Possible Reasons for Not Being Able to Search Log Data?

Log storage is not enabled: In the log configuration, confirm that the storage switch for the target product's log type is enabled.
Incorrect time range selected: Check whether the search time range covers the generation time of the target logs.
Source account not switched in a multi-account scenario: In the Log Source Account section at the top right corner of the page, confirm that the correct source account is selected.
Storage time has expired: If the storage time is set to a short period (for example, 30 days), historical logs that exceed the storage period are automatically cleaned up.

2. What Is the Difference Between CQL and Filter Search? Which One Should I Use?

| Comparison Item | CQL Search | Filter Search |
| --- | --- | --- |
| Usage | Manually entering CQL query statements in the search bar. | Selecting fields, conditions, and values via a visual interface. |
| Applicable Scenario | Complex queries with multiple conditions and precise analysis | Quick filtering and simple condition-based filtering |
| Learning Curve | Requiring knowledge of CQL syntax rules. | No statement writing is required, and it is easy to get started. |
| Target Audience | Security Ops engineers and senior analysts | All users |

Note:
Use filter search for daily quick queries, and use CQL statement search for complex analysis scenarios.

Log Configuration and Storage

1. How Is Data Handled When the Storage Period Is Shortened (such as from Unlimited to 180 Days)?

The system works backward from the latest data point, retaining only data from the most recent specified number of days. Historical data that exceeds the time limit will be cleared. For example, if you change the storage time from unlimited to 180 days, the system will clear all log data older than 180 days, and this data cannot be restored.

Multi-Account Configuration and Capacity Sharing

1. What Happens to the Log Data of Member Accounts After Capacity Sharing Is Disabled?

After capacity sharing is canceled, the historical log data of that member account will be cleared immediately and cannot be restored.

2. When Can Sharing Be Re-enabled If the Member Account Tag Shows "Data Cleanup in Progress"?

Data Cleanup in Progress indicates that capacity sharing for this account was recently canceled, and the system is cleaning up historical data. You must wait until the data cleanup is complete and the Tag status is updated before you can re-enable sharing. The cleanup time depends on the volume of data.

3. Can Third-Party Cloud Accounts Use the Capacity Sharing Feature?

Not currently supported. Capacity sharing only supports sharing capacity with Tencent Cloud accounts. Capacity quota sharing is not supported for third-party cloud accounts (such as accounts accessed via AWS, Azure, and so on).

Log Shipping

1. Is Log Shipping Real-Time or Non-Real-Time?

Log delivery is real-time. After you enable the delivery switch, logs are delivered immediately.

2. What Should I Do If the Connectivity Test Fails When Logs Are Shipped to Kafka?

Please troubleshoot by following these steps:
Check the network access method: Confirm that the selected access method (public network domain name/support environment/private network environment/other Kafka) matches the actual network environment.
Check the username and password: If you use public network domain name access or support environment access, you need to enter the username and password for the Kafka instance. Note: For the username, enter only the part after the # symbol. Do not enter the CKafka instance ID.
Check the CKafka instance status: Confirm that the CKafka instance is in a normal running state.
Check the ACL policy: Confirm that the ACL policy of the CKafka instance allows access for the current user.
Check the TLS configuration: If TLS encryption is enabled, ensure that the corresponding SSL access method is also enabled for the CKafka instance.
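
The checks above that can be tested from a host can be scripted as a preflight. The following is an added example, not part of the Tencent Cloud documentation: it assumes it runs from a machine on the same network path as the delivery, and the config keys, host, port and username shown are constructed placeholders.

```python
import socket
import ssl

def console_username(name: str) -> str:
    """Return the part after '#', which is what the delivery form expects."""
    return name.rsplit("#", 1)[-1].strip()

def probe_listener(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify an endpoint as 'unreachable', 'tcp-only', 'tls' or 'tls-untrusted'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"  # access method, routing or instance state
    with sock:
        ctx = ssl.create_default_context()  # certificate verification stays on
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "tls"
        except ssl.SSLCertVerificationError:
            return "tls-untrusted"  # TLS listener, but its chain is not trusted here
        except (ssl.SSLError, OSError):
            return "tcp-only"  # no TLS handshake: plaintext listener

def preflight(cfg: dict) -> list:
    """cfg keys (hypothetical): host, port, username, tls (bool), timeout."""
    findings = []
    if "#" in cfg["username"]:
        findings.append("username: enter %r, without the instance ID prefix"
                        % console_username(cfg["username"]))
    kind = probe_listener(cfg["host"], cfg["port"], cfg.get("timeout", 2.0))
    if kind == "unreachable":
        findings.append("network: endpoint unreachable; recheck the access "
                        "method and the CKafka instance status")
    elif cfg["tls"] and kind == "tcp-only":
        findings.append("tls: TLS is enabled for delivery but the listener is "
                        "plaintext; enable SSL access on the instance")
    elif not cfg["tls"] and kind != "tcp-only":
        findings.append("tls: the listener expects TLS but delivery has TLS off")
    return findings  # ACL permissions still have to be checked in the console

if __name__ == "__main__":
    # Constructed values: 192.0.2.10 is a documentation address, not a real broker.
    sample = {"host": "192.0.2.10", "port": 9092, "timeout": 1.0,
              "username": "ckafka-xxxxxxxx#csc_delivery", "tls": True}
    for line in preflight(sample):
        print(line)
```

An empty result only means the network and TLS layers line up; authentication and ACL failures surface at the Kafka protocol level and are not covered by this probe.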

3. Can a Log Type Be Shipped to Kafka, CLS, and Splunk Simultaneously?

Yes. The three delivery channels, Kafka, CLS, and Splunk, are independent of each other. The same log type can be configured for simultaneous delivery to multiple target platforms.

4. Does Splunk Shipping Support Cross-Account Shipping?

When Splunk delivery uses the private network access method, you can currently deliver only to VPC resources within your own account. Cross-account delivery is not supported at this time.

Renewal and Scaling

1. What Is the Difference Between Renewal and Scaling?

| Comparison Item | Renewal | Scaling (Scale-Out) |
| --- | --- | --- |
| Feature | Extends the validity period of the Log Analysis Service | Increases the log storage capacity limit |
| Impact Scope | Service expiration time | Storage capacity |
| Interrelationship | Does not increase storage capacity | Does not extend service time |

2. What Happens When Storage Capacity Is Full?

When storage capacity reaches its limit, new log data cannot be stored. It is recommended to scale out in a timely manner when capacity usage approaches the limit, or to free up space by adjusting the storage time (shortening the storage duration for infrequently used log types).

Appendix: Glossary

| Term | Full Name | Description |
| --- | --- | --- |
| CQL | Cloud Query Language | The log search and query language built into CSC, supporting multi-condition combination and complex queries. |
| CLS | Cloud Log Service | Tencent Cloud Log Service (CLS), used for log collection, storage, search, and analysis. |
| CKafka | Cloud Kafka | Tencent Cloud Message Queue service, based on Apache Kafka. |
| HEC | HTTP Event Collector | Splunk's HTTP Event Collector, used for receiving log data via HTTP(S). |
| VPC | Virtual Private Cloud | Virtual Private Cloud |
| CLB | Cloud Load Balancer | Tencent Cloud Load Balancer (CLB) |
| ACL | Access Control List | Access Control List |
| SASL_PLAINTEXT | - | A Kafka authentication and access method. |





