CloudLens 基于日志服务构建统一的云产品可观测能力，通过日志、指标、配置计量等数据的关联分析，提供阿里云产品的用量分析、性能监控、安全分析、数据保护、异常检测、访问分析等服务。从成本、性能、安全、数据保护、稳定性、访问分析六个维度，助力企业快速构建云产品的可观测性，更好地使用云产品。

CloudLens for OSS介绍

日志服务联合阿里云OSS推出CloudLens for OSS，支持Bucket粒度的统一管理视图，支持资源用量、访问分析、异常检测、安全分析等可视化分析能力，提供场景化运维管理，实现Bucket资产的可观测性。主要功能如下：

接入管理：支持集中管理所有Bucket访问明细日志的采集状态；支持集中管理所有的日志存储库
查询分析：支持实时查询与分析OSS访问明细日志和计量日志。
异常监测：支持按照Bucket维度统一配置关键的异常检测告警。
报表中心：支持内置Bucket核心指标的可视化报表。
自定义仪表盘：支持集中管理Project下自定义仪表盘。

应用入口

CloudLens for OSS 当前已集成到阿里云控制台首页与 OSS控制台内，您可以分别通过OSS、SLS或者控制台首页三个入口进入。

控制台首页

阿里云控制台首页入口：登录控制台首页后在云产品可观测tab查看，接入管理支持日志的开通，首页链接

OSS控制台

OSS控制台入口：点击OSS控制台左侧资源用量tab即可直接使用，控制台链接

SLS 控制台

SLS控制台入口：日志应用->云产品Lens->CloudLens for OSS，入口链接

日志类型

CloudLens默认免费开通中心化计量日志及时序监控数据，自开通之日起，可免费查询60天的数据；访问明细日志（最近7天免费，限额900GB/天的日志写入额度（如果一条日志为1KB，约为9亿条））的查询分析。

日志类型	说明
访问明细日志	记录相关OSS Bucket的所有访问日志及批量删除日志时具体的删除信息，实时采集，同时也包含计量日志。
计量日志	记录特定OSS Bucket每小时累计的计量数据。延迟时间为小时级别，用于辅助分析，默认免费开通。
时序监控数据	记录10秒粒度的请求、延迟、流量等指标及5分钟粒度的请求、流量等指标。默认免费开通。

报表中心全新升级

基于三大类日志孵化出资源用量、访问分析、安全分析三类报表，对应报表项均可预览查询语句，方便构建自定义报表、监控。

资源用量

报表项	依赖日志	报表说明
OSS用量总览	计量日志、时序监控数据	提供Bucket存储、流量等用量总览、趋势以及TOP统计分析
存储用量详情	计量日志	提供计量相关的Bucket用量趋势、地域分布
流量带宽用量详情	时序监控数据	提供Bucket流量类趋势、TOP统计
请求用量	时序监控数据	提供Bucket读写请求趋势、地域分布以及TOP统计

访问分析

报表项	依赖日志	报表说明
Top分析	时序监控数据	提供Bucket上传/下载/删除数据量Top统计、流量、请求分析
访问分析	访问明细日志	提供Bucket内外网流量分布

安全分析

安全分析报表中心基于OSS Bucket资产数据结合访问明细日志对可能存在风险（公共读写、为配置数据加密、未开启防盗链等属性）Bucket进行标识，可视化统计文件删除等高危操作。

自定义报表集中管理

当内置报表中心报表满足不了业务需求时，可以使用自定义仪表盘选择账号下任意Project下仪表盘，导入后到CloudLens for OSS内集中管理。

全新API助力OSS日志隔离

上述介绍了基于CloudLens for OSS的基本功能，自定义仪表盘可以导入Region化Project内自定义构建的报表，如果有中心化需求或者数据隔离需求应该如何操作？统一接入API可以帮助您实现。

统一接入API基于规则策略实现自动化采集云产品日志，通过全选、属性、实例三种模式实现精细化日志采集控制，其高级功能上也支持数据中心化汇总、数据实例粒度隔离、数据跨境合规等需求。目前统一接入API已支持OSS 访问明细日志的规则配置，通过数据加工流转，使得不同bucket的访问日志按照业务属性划分投递到不同的logstore下，对于不同的业务团队，给予不同logstore的RAM访问权限，从而实现了访问日志的权限隔离。

关于统一接入API的更多功能可参考：统一接入API赋能开发者：自动高效、灵活编排的云产品日志采集方案
接口说明：API说明文档

访问明细日志AK安全审计实践

越来越多的企业对AK的安全访问提出要求，通过开启Bucket的访问明细日志可轻松构建阿里云账号下所有AK 对 Bucket/Object操作视图。构建AK安全审计报表之前需要先开通Bucket的访问明细日志，访问明细日志是按地域纬度存储在账号下oss-log-{uid}-{region} / oss-log-store 目标库下，可针对所需监控地域的目标库构建如下报表。（如需监控全地域审计报表或者多地域中心化报表，可通过统一接入API开通）

操作步骤

开通CloudLens for OSS
开通Bucket访问明细日志，两种方式任选

单Region操作：控制台操作

CloudLens for OSS控制台左侧导航栏-> 接入管理 -> 勾选Bucket 访问明细日志开通

中心化需求：统一接入API -> UpsertCollectionPolicy 配置规则

resourceMode: all，默认开启账号下所有Bucket访问明细日志
centralizeEnable : true ，启用跨域中心投递
centralizeConfig 中dstProject 配置中心化投递的目标库，建议logstore设置为oss-log-store

进入访问明细日志目标存储库

报表分为操作概览、查询审计、更新操作审计、删除操作审计四个部分

操作概览

操作概览提供Bucket纬度操作全览，基于Bucket资产构建天纬度的操作（读/更新/删除）趋势图，并列出所有Bucket内文件操作详细。过滤器配置好后可针对AK，Region，Bucket做到更精细化审计。

构建报表所需SQL如下：

公共读写Bucket数量

*|SELECTCOUNT(DISTINCT id)as"公共读写Bucket数量"from"resource.sls.cmdb.oss"WHERE released_flag ='0'and grant ='public-read-write'AND region LIKE'${{region|%}}'AND id LIKE'${{bucket|%}}'limit1000

公共读Bucket总数

*|SELECTCOUNT(DISTINCT id)as"公共读Bucket数量"from"resource.sls.cmdb.oss"WHERE released_flag ='0'and grant ='public-read'AND region LIKE'${{region|%}}'AND id LIKE'${{bucket|%}}'limit1000

未配置数据加密Bucket数量

*|SELECTCOUNT(DISTINCT id)as"未配置数据加密Bucket数量"from"resource.sls.cmdb.oss"WHERE released_flag ='0'and sse_algorithm =''AND region LIKE'${{region|%}}'AND id LIKE'${{bucket|%}}'limit1000

操作统计趋势图

*|select date_format(__time__,'%Y-%m-%d')astime, sum("查询")as"查询", sum("删除")as"删除", sum("更新")as"更新"from(select __time__,  access_id,  bucket,CASE WHEN operation in('DeleteObject','DeleteObjects') then 1 else 0 end as"删除",CASE WHEN http_method in('GET','HEAD') then 1 else 0 end as"查询",CASE WHEN http_method in('PUT','POST','DELETE') then 1 else 0 end as"更新"from log)where access_id like'${{access_id|%}}'and  bucket LIKE'${{bucket|%}}'groupbytimeorderbytime

文件操作统计列表

(__topic__: oss_access_log or __topic__: oss_batch_delete_log)and(OPERATION:"DeleteObject"OR OPERATION:PutObject OR OPERATION:GetObject OR OPERATION:"DeleteObjects")AND(NOT object:-)AND http_status>=200AND http_status <300|SELECT bucket AS"Bucket", url_decode(object)AS"文件", date_format(from_unixtime(last_access_time),'%Y-%m-%d %H:%i:%S')AS"最近访问时间", concat(cast(op_cnt ASvarchar),' ( ',(CASE WHEN write_times =0 THEN '' ELSE concat(cast(write_times ASvarchar),'写 ') END),(CASE WHEN delete_times =0 THEN '' ELSE concat(cast(delete_times ASvarchar),'删 ') END),(CASE WHEN read_times =0 THEN '' ELSE concat(cast(read_times ASvarchar),'读 ') END),')')AS"操作总数 (写, 删, 读)"FROM(SELECT object, bucket , MAX(__time__)as last_access_time, Sum(CASE WHEN OPERATION ='GetObject' THEN 1 ELSE 0 END)AS read_times , Sum(CASE WHEN OPERATION ='PutObject' THEN 1 ELSE 0 END)AS write_times , Sum(CASE WHEN OPERATION ='DeleteObject'OR OPERATION ='DeleteObjects' THEN 1 ELSE 0 END)AS delete_times ,count(*)AS op_cnt FROM log WHERE bucket LIKE'${{bucket|%}}'and access_id like'${{access_id|%}}'GROUPBY object, bucket ORDERBY delete_times DESC, write_times DESC, op_cnt DESCLIMIT1000)

查询审计

查询审计展示了AK在1天内（时间可调整）访问Bucket总数，其中公共读写Bucket、公共读Bucket、未配置数据加密的Bucket中有多少有被查询，并针对这几种场景通过列表展示各Bucket的查询次数。

构建报表所需SQL如下：

有查询请求Bucket总数

(__topic__: oss_access_log OR __topic__: oss_batch_delete_log)AND(NOT object:-)AND http_status>=200AND http_status <300|selectcount(1)from(select bucket ,count(1)ascountfrom log where http_method in('GET','HEAD')and access_id like'${{access_id|%}}'AND bucket LIKE'${{bucket|%}}'groupby bucket)wherecount>0

公共读写Bucket中有查询Bucket数量

(__topic__: oss_access_log OR __topic__: oss_batch_delete_log)AND(NOT object:-)AND http_status>=200AND http_status <300|selectcount(1)as bucket_num from(select l.idas bucket, COALESCE(r.count,0)ascountfrom"resource.sls.cmdb.oss"as l left join(select bucket ,count(1)ascountfrom log where http_method in('GET','HEAD')and access_id like'${{access_id|%}}'groupby bucket)as r on l.id= r.bucketWHERE l.released_flag='0'and l.grant='public-read-write'AND l.regionLIKE'${{region|%}}'AND l.idLIKE'${{bucket|%}}'groupby l.id, r.count)wherecount>0

公共读Bucket中有查询的Bucket数

(__topic__: oss_access_log OR __topic__: oss_batch_delete_log)AND(NOT object:-)AND http_status>=200AND http_status <300|selectcount(1)as bucket_num from(select l.idas bucket, COALESCE(r.count,0)ascountfrom"resource.sls.cmdb.oss"as l left join(select bucket ,count(1)ascountfrom log where http_method in('GET','HEAD')and access_id like'${{access_id|%}}'groupby bucket)as r on l.id= r.bucketWHERE l.released_flag='0'and l.grant='public-read'AND l.regionLIKE'${{region|%}}'AND l.idLIKE'${{bucket|%}}'groupby l.id, r.count)wherecount>0

未配置数据加密Bucket中有查询的Bucket数

(__topic__: oss_access_log OR __topic__: oss_batch_delete_log)AND(NOT object:-)AND http_status>=200AND http_status <300|selectcount(1)as bucket_num from(select l.idas bucket, COALESCE(r.count,0)ascountfrom"resource.sls.cmdb.oss"as l left join(select bucket ,count(1)ascountfrom log where http_method in('GET','HEAD')and access_id like'${{access_id|%}}'groupby bucket)as r on l.id= r.bucketWHERE l.released_flag='0'and l.sse_algorithm=''AND l.regionLIKE'${{region|%}}'AND l.idLIKE'${{bucket|%}}'groupby l.id, r.count)wherecount>0

公共读写Bucket查询统计

(__topic__: oss_access_log OR __topic__: oss_batch_delete_log)AND(NOT object:-)AND http_status>=200AND http_status <300|select*from(select l.idas Bucket, COALESCE(r.count,0)as"查询请求数"from"resource.sls.cmdb.oss"as l left join(select bucket ,count(1)ascountfrom log where http_method in('GET','HEAD')and access_id like'${{access_id|%}}'groupby bucket)as r on l.id= r.bucketWHERE l.released_flag='0'and l.grant='public-read-write'AND l.regionLIKE'${{region|%}}'AND l.idLIKE'${{bucket|%}}'groupby l.id, r.count)where"查询请求数">0orderby"查询请求数"desc

公共读Bucket查询统计

(__topic__: oss_access_log OR __topic__: oss_batch_delete_log)AND(NOT object:-)AND http_status>=200AND http_status <300|select*from(select l.idas Bucket, COALESCE(r.count,0)as"查询请求数"from"resource.sls.cmdb.oss"as l left join(select bucket ,count(1)ascountfrom log where http_method in('GET','HEAD')and access_id like'${{access_id|%}}'groupby bucket)as r on l.id= r.bucketWHERE l.released_flag='0'and l.grant='public-read'AND l.regionLIKE'${{region|%}}'AND l.idLIKE'${{bucket|%}}'groupby l.id, r.count)where"查询请求数">0orderby"查询请求数"desc

未配置数据加密Bucket查询统计

(__topic__: oss_access_log OR __topic__: oss_batch_delete_log)AND(NOT object:-)AND http_status>=200AND http_status <300|select*from(select l.idas Bucket, COALESCE(r.count,0)as"查询请求数"from"resource.sls.cmdb.oss"as l left join(select bucket ,count(1)ascountfrom log where http_method in('GET','HEAD')and access_id like'${{access_id|%}}'groupby bucket)as r on l.id= r.bucketWHERE l.released_flag='0'and l.sse_algorithm=''AND l.regionLIKE'${{region|%}}'AND l.idLIKE'${{bucket|%}}'groupby l.id, r.count)where"查询请求数">0orderby"查询请求数"desc

文件查询统计列表

(__topic__: oss_access_log or __topic__: oss_batch_delete_log)and(http_method:GET or http_method: HEAD)AND(NOT object:-)AND http_status>=200AND http_status <300|SELECT bucket AS"Bucket", url_decode(object)AS"文件", date_format(from_unixtime(last_access_time),'%Y-%m-%d %H:%i:%S')AS"最近访问时间", read_times as"读取次数"FROM(SELECT object, bucket , MAX(__time__)as last_access_time, Sum(CASE WHEN OPERATION ='GetObject' THEN 1 ELSE 0 END)AS read_times  FROM log WHERE bucket LIKE'${{bucket|%}}'and access_id like'${{access_id|%}}'GROUPBY object, bucket ORDERBY read_times DESCLIMIT1000)

更新操作审计

更新操作审计展示了账号下有哪些Bucket、文件有更新操作，以及不同文件被修改次数统计。方便您查看是否有高危的操作。

构建报表所需SQL如下：

有更新请求Bucket总数

__topic__: oss_access_log and(http_method: PUT or http_method: POST or http_method:DELETE)AND(NOT object:-)AND http_status>=200AND http_status <300|selectcount(1)from(select bucket ,count(1)ascountfrom log where http_method in('PUT','POST','DELETE')and access_id like'${{access_id|%}}'AND bucket LIKE'${{bucket|%}}'groupby bucket)wherecount>0

修改文件个数

__topic__: oss_access_log and(http_method: PUT or http_method: POST or http_method:DELETE)AND(NOT object:-)AND http_status>=200AND http_status <300|SELECT approx_distinct(concat(bucket, object))AS writeCount from log WHERE bucket LIKE'${{bucket|%}}'and access_id like'${{access_id|%}}'

公共读Bucket中有更新的Bucket数

__topic__: oss_access_log and(http_method: PUT or http_method: POST or http_method:DELETE)AND(NOT object:-)AND http_status>=200AND http_status <300|selectcount(1)as bucket_num from(select l.idas bucket, COALESCE(r.count,0)ascountfrom"resource.sls.cmdb.oss"as l left join(select bucket ,count(1)ascountfrom log where http_method in('PUT','POST','DELETE')and access_id like'${{access_id|%}}'groupby bucket)as r on l.id= r.bucketWHERE l.released_flag='0'and l.grant='public-read'AND l.regionLIKE'${{region|%}}'AND l.idLIKE'${{bucket|%}}'groupby l.id, r.count)wherecount>0

公共读写Bucket中有更新Bucket数量

__topic__: oss_access_log and(http_method: PUT or http_method: POST or http_method:DELETE)AND(NOT object:-)AND http_status>=200AND http_status <300|selectcount(1)as bucket_num from(select l.idas bucket, COALESCE(r.count,0)ascountfrom"resource.sls.cmdb.oss"as l left join(select bucket ,count(1)ascountfrom log where http_method in('PUT','POST','DELETE')and access_id like'${{access_id|%}}'groupby bucket)as r on l.id= r.bucketWHERE l.released_flag='0'and l.grant='public-read-write'AND l.regionLIKE'${{region|%}}'AND l.idLIKE'${{bucket|%}}'groupby l.id, r.count)wherecount>0

未配置数据加密Bucket中有更新的Bucket数

__topic__: oss_access_log and(http_method: PUT or http_method: POST or http_method:DELETE)AND(NOT object:-)AND http_status>=200AND http_status <300|selectcount(1)as bucket_num from(select l.idas bucket, COALESCE(r.count,0)ascountfrom"resource.sls.cmdb.oss"as l left join(select bucket ,count(1)ascountfrom log where http_method in('PUT','POST','DELETE')and access_id like'${{access_id|%}}'groupby bucket)as r on l.id= r.bucketWHERE l.released_flag='0'and l.sse_algorithm=''AND l.regionLIKE'${{region|%}}'AND l.idLIKE'${{bucket|%}}'groupby l.id, r.count)wherecount>0

公共读Bucket更新统计

__topic__: oss_access_log and(http_method: PUT or http_method: POST or http_method:DELETE)AND(NOT object:-)AND http_status>=200AND http_status <300|select*from(select l.idas Bucket, COALESCE(r.count,0)as"修改请求数"from"resource.sls.cmdb.oss"as l left join(select bucket ,count(1)ascountfrom log where http_method in('PUT','POST','DELETE')and access_id like'${{access_id|%}}'groupby bucket)as r on l.id= r.bucketWHERE l.released_flag='0'and l.grant='public-read'AND l.regionLIKE'${{region|%}}'AND l.idLIKE'${{bucket|%}}'groupby l.id, r.count)where"修改请求数">0orderby"修改请求数"desc

未配置数据加密Bucket更新统计

__topic__: oss_access_log and(http_method: PUT or http_method: POST or http_method:DELETE)AND(NOT object:-)AND http_status>=200AND http_status <300|select*from(select l.idas Bucket, COALESCE(r.count,0)as"修改请求数"from"resource.sls.cmdb.oss"as l left join(select bucket ,count(1)ascountfrom log where http_method in('PUT','POST','DELETE')and access_id like'${{access_id|%}}'groupby bucket)as r on l.id= r.bucketWHERE l.released_flag='0'and l.sse_algorithm=''AND l.regionLIKE'${{region|%}}'AND l.idLIKE'${{bucket|%}}'groupby l.id, r.count)where"修改请求数">0orderby"修改请求数"desc

文件修改统计列表

__topic__: oss_access_log and(http_method: PUT or http_method: POST or http_method:DELETE)AND(NOT object:-)AND http_status>=200AND http_status <300|SELECT bucket AS"Bucket", url_decode(object)AS"文件", date_format(from_unixtime(last_access_time),'%Y-%m-%d %H:%i:%S')AS"最近访问时间", update_times as"修改次数"FROM(SELECT object, bucket , MAX(__time__)as last_access_time, Sum(CASE WHEN http_method in('PUT','POST','DELETE') THEN 1 ELSE 0 END)AS update_times  FROM log WHERE bucket LIKE'${{bucket|%}}'and access_id like'${{access_id|%}}'GROUPBY object, bucket ORDERBY update_times DESCLIMIT1000)

删除操作审计

删除操作审计列举了Bucket纬度文件删除个数，以及文件删除时间。

构建报表所需SQL如下：

Bucket删除文件统计

((__topic__: oss_access_log or __topic__: oss_batch_delete_log)and(OPERATION:"DeleteObject"OR OPERATION:"DeleteObjects")AND http_status>=200AND http_status <300)|SELECT bucket as"Bucket", sum(if(object !='-',1,0))as"删除文件个数", sum(if(delta_data_size <0,-delta_data_size, delta_data_size))as"删除总空间"from log WHERE bucket LIKE'${{bucket|%}}'and access_id like'${{access_id|%}}'GROUPBY bucket ORDERBY"删除文件个数"DESC

文件删除详情

((__topic__: oss_access_log or __topic__: oss_batch_delete_log)and(OPERATION:"DeleteObject"OR OPERATION:"DeleteObjects")AND(NOT object:-)AND http_status>=200AND http_status <300)|SELECT bucket as"Bucket",  url_decode(object)as"文件", date_format(from_unixtime(__time__),'%Y-%m-%d %H:%i:%S')"文件删除时间"from log WHERE bucket LIKE'${{bucket|%}}'and access_id like'${{access_id|%}}'ORDERBYtimeDESCLIMIT1000

自定义仪表盘导入

构建好报表后可通过CloudLens for OSS自定义仪表盘导入功能，在Lens内做统一管理。

CloudLens for OSS全新升级助力OSS 安全审计

CloudLens for OSS介绍

应用入口

控制台首页

OSS控制台

SLS 控制台

日志类型

报表中心全新升级

资源用量

访问分析

安全分析

自定义报表集中管理

全新API助力OSS日志隔离

访问明细日志AK安全审计实践

操作步骤

操作概览

查询审计

更新操作审计

删除操作审计

自定义仪表盘导入

日志服务SLS

热门文章

最新文章

相关课程

相关电子书

相关实验场景