{"id":115,"date":"2026-04-12T21:10:39","date_gmt":"2026-04-12T21:10:39","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/alibaba-cloud-simple-log-service-sls-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-migration-o-m-management\/"},"modified":"2026-04-12T21:10:39","modified_gmt":"2026-04-12T21:10:39","slug":"alibaba-cloud-simple-log-service-sls-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-migration-o-m-management","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/alibaba-cloud-simple-log-service-sls-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-migration-o-m-management\/","title":{"rendered":"Alibaba Cloud Simple Log Service (SLS) Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Migration & O&M Management"},"content":{"rendered":"\n

Category<\/h2>\n\n\n\n

Migration & O&M Management<\/p>\n\n\n\n

1. Introduction<\/h2>\n\n\n\n

What this service is<\/strong>\nSimple Log Service (SLS) is Alibaba Cloud\u2019s fully managed platform for collecting, storing, searching, analyzing, visualizing, and alerting on logs and event-like data at scale. It is commonly used as the central \u201clog brain\u201d for operations (O&M), DevOps, security monitoring, troubleshooting, and migration cutovers.<\/p>\n\n\n\n

Simple explanation (one paragraph)<\/strong>\nIf you have applications, servers, containers, gateways, or cloud services producing logs, Simple Log Service (SLS) helps you send those logs to a central place where you can quickly search them, build dashboards, and create alerts\u2014without running your own Elasticsearch or log pipeline.<\/p>\n\n\n\n

Technical explanation (one paragraph)<\/strong>\nIn practice, you create an SLS Project<\/strong> (regional namespace) and one or more Logstores<\/strong> (time-series log datasets). Logs are ingested via Logtail<\/strong> agents, SDK\/API ingestion, or cloud service integrations. SLS stores data, optionally builds indexes for fast search, provides SQL-like analytics and aggregation, supports visualization dashboards, and can trigger alerts to notify operators. SLS also integrates with the broader Alibaba Cloud ecosystem for O&M and governance.<\/p>\n\n\n\n

What problem it solves<\/strong>\nDuring daily operations and especially during migrations, teams need a reliable, scalable way to:\n– centralize logs from many sources,\n– search incidents quickly,\n– detect anomalies and failures early,\n– keep audit trails,\n– reduce time-to-resolution without maintaining heavy logging infrastructure.<\/p>\n\n\n\n

\n

Naming note: Alibaba Cloud product pages sometimes refer to the offering as Log Service<\/strong>, while the official service name in many documents is Simple Log Service (SLS)<\/strong>. This tutorial uses Simple Log Service (SLS)<\/strong> consistently and refers to \u201cLog Service\u201d only as a common alias. Verify naming in your region\u2019s console if it appears differently.<\/p>\n<\/blockquote>\n\n\n\n

\n\n\n\n

2. What is Simple Log Service (SLS)?<\/h2>\n\n\n\n

Official purpose<\/strong>\nSimple Log Service (SLS) is Alibaba Cloud\u2019s managed service for log collection, log storage, log query\/search, log analytics, visualization, and alerting<\/strong>. It is positioned as an O&M and observability building block and is widely used for production troubleshooting, security investigations, and operational reporting.<\/p>\n\n\n\n

Core capabilities<\/strong>\n– Log ingestion<\/strong> from servers (Logtail), applications (SDK\/API), and supported Alibaba Cloud services.\n– Storage and retention<\/strong> of log data with configurable retention policies.\n– Indexing<\/strong> to enable fast full-text and field-based search.\n– Query and analytics<\/strong>, including aggregation and SQL-like analysis for metrics derived from logs.\n– Dashboards<\/strong> for visualization of trends and operational KPIs.\n– Alerting<\/strong> based on query results and thresholds (notification channels vary by region and configuration\u2014verify in official docs).\n– Data consumption\/export<\/strong> patterns to integrate with downstream systems (exact sinks and features vary\u2014verify in official docs for your region).<\/p>\n\n\n\n

Major components (conceptual model)<\/strong>\n– Project<\/strong>: A regional container for log resources (namespace, access control boundary).\n– Logstore<\/strong>: A dataset within a Project that stores logs for a retention period.\n– Logtail<\/strong>: A lightweight agent (Linux\/Windows) that collects local files and system logs and ships them to SLS.\n– Machine Group<\/strong>: A logical grouping of servers for Logtail management (how you bind collection configs).\n– Index<\/strong>: Configuration enabling searchable fields and full-text search; impacts cost and query capability.\n– Dashboard<\/strong>: Visualizations built from saved queries\/charts.\n– Alert<\/strong>: Rules that run queries on a schedule and notify when conditions are met.\n– Consumption\/Consumer Group<\/strong>: Patterns to read logs programmatically\/streamingly (names and mechanics vary across SLS features\u2014verify in official docs).<\/p>\n\n\n\n

Service type<\/strong>\n– Fully managed, regional logging and analytics service (SaaS-like). You do not manage cluster nodes, shards (in the infrastructure sense), or patching as you would in self-hosted stacks.<\/p>\n\n\n\n

Regional\/global\/zonal scope<\/strong>\n– SLS resources are primarily regional<\/strong>. A Project<\/strong> typically exists in a specific region and exposes regional endpoints. Cross-region log centralization is possible architecturally, but it introduces latency and data transfer considerations. Verify region-specific capabilities and endpoints in the official documentation.<\/p>\n\n\n\n

How it fits into the Alibaba Cloud ecosystem<\/strong>\nSimple Log Service (SLS) is frequently used alongside:\n– ECS<\/strong> (Elastic Compute Service): collect OS\/app logs via Logtail.\n– ACK<\/strong> (Alibaba Cloud Container Service for Kubernetes): container logs and platform logs (integration patterns vary).\n– SLB\/ALB\/NLB<\/strong>, CDN<\/strong>, WAF<\/strong>, API Gateway<\/strong>, RDS<\/strong>: service logs (availability varies).\n– ActionTrail<\/strong>: governance\/audit events; often exported to SLS or used together for security visibility (verify supported integrations).\n– CloudMonitor<\/strong>: metrics\/alarms; SLS often complements it with richer log context.\n– OSS<\/strong> (Object Storage Service): long-term archival and data lake workflows.<\/p>\n\n\n\n

\n\n\n\n

3. Why use Simple Log Service (SLS)?<\/h2>\n\n\n\n

Business reasons<\/h3>\n\n\n\n
    \n
  • Lower operational burden<\/strong>: no self-managed Elasticsearch\/OpenSearch clusters, indexing nodes, or scaling work.<\/li>\n
  • Faster incident response<\/strong>: centralized searchable logs reduce time-to-resolution.<\/li>\n
  • Migration confidence<\/strong>: during cutovers, consolidated logs help validate behavior and detect regressions early.<\/li>\n
  • Pay-as-you-go alignment<\/strong>: costs track usage (ingest, storage, queries\/indexing), which can be optimized.<\/li>\n<\/ul>\n\n\n\n

    Technical reasons<\/h3>\n\n\n\n
      \n
    • Unified ingestion layer<\/strong>: Logtail + APIs + cloud integrations reduce custom log plumbing.<\/li>\n
    • Search and analytics on raw logs<\/strong>: field extraction and SQL-like queries support deep troubleshooting.<\/li>\n
    • Dashboards and alerts<\/strong>: turn logs into operational signals.<\/li>\n<\/ul>\n\n\n\n

      Operational reasons (Migration & O&M Management fit)<\/h3>\n\n\n\n
        \n
      • Standardize log formats and retention<\/strong> across teams and environments.<\/li>\n
      • Centralize access and governance<\/strong> with RAM policies and project boundaries.<\/li>\n
      • Enable runbooks<\/strong>: dashboards, saved queries, and alert rules can be embedded into incident processes.<\/li>\n<\/ul>\n\n\n\n

        Security\/compliance reasons<\/h3>\n\n\n\n
          \n
        • Auditability<\/strong>: centralized storage and controlled access help investigations and compliance reporting.<\/li>\n
        • Least privilege<\/strong> with RAM policies at Project\/Logstore scope (verify exact permission granularity in docs).<\/li>\n
        • Data retention policies<\/strong> to match compliance requirements (e.g., 30\/90\/180\/365 days), with optional archival patterns.<\/li>\n<\/ul>\n\n\n\n

          Scalability\/performance reasons<\/h3>\n\n\n\n
            \n
          • Designed for high-ingest, high-query workloads<\/strong> typical of large fleets and distributed systems.<\/li>\n
          • Supports parallelism<\/strong> and structured indexing for efficient queries (exact scaling mechanisms are service-managed; verify performance guidance in docs).<\/li>\n<\/ul>\n\n\n\n

            When teams should choose it<\/h3>\n\n\n\n

            Choose Simple Log Service (SLS) when you need:\n– centralized logging for ECS\/containers\/cloud services,\n– fast search and analytics,\n– dashboards and alerting for O&M,\n– managed service with minimal ops overhead.<\/p>\n\n\n\n

            When teams should not choose it<\/h3>\n\n\n\n

            Consider alternatives when:\n– you require strictly on-prem-only<\/strong> data processing without cloud storage,\n– you need full control<\/strong> of a self-hosted observability stack (custom plugins, full Lucene tuning),\n– your organization mandates a different vendor for centralized logging,\n– your primary need is APM tracing<\/strong> rather than logs (Alibaba Cloud has other services focused on tracing\/APM; SLS can complement but is not a full APM replacement).<\/p>\n\n\n\n

            \n\n\n\n

            4. Where is Simple Log Service (SLS) used?<\/h2>\n\n\n\n

            Industries<\/h3>\n\n\n\n
              \n
            • Internet\/SaaS: high-volume application logs, CI\/CD visibility, incident response.<\/li>\n
            • Finance\/FinTech: audit trails, security monitoring, controlled retention and access.<\/li>\n
            • E-commerce\/retail: traffic analysis, conversion funnel logs, fraud signals.<\/li>\n
            • Gaming: real-time operational monitoring, anti-cheat signals (log-derived).<\/li>\n
            • Manufacturing\/IoT: gateway logs, fleet monitoring, anomaly detection.<\/li>\n<\/ul>\n\n\n\n

              Team types<\/h3>\n\n\n\n
                \n
              • SRE and platform engineering teams building internal observability platforms.<\/li>\n
              • DevOps teams managing deployment pipelines and runtime troubleshooting.<\/li>\n
              • Security teams doing detection and response on cloud activity and app logs.<\/li>\n
              • App developers who need self-service logs, dashboards, and alerts.<\/li>\n<\/ul>\n\n\n\n

                Workloads<\/h3>\n\n\n\n
                  \n
                • Web applications (Nginx\/Apache, application logs)<\/li>\n
                • Microservices (structured JSON logs)<\/li>\n
                • Containerized workloads (Kubernetes logs)<\/li>\n
                • Batch jobs (ETL pipeline logs)<\/li>\n
                • API gateways and edge services (access logs)<\/li>\n<\/ul>\n\n\n\n

                  Architectures<\/h3>\n\n\n\n
                    \n
                  • Monolith + ECS<\/li>\n
                  • Microservices + containers<\/li>\n
                  • Hybrid: on-prem workloads shipping to cloud (network planning required)<\/li>\n
                  • Multi-region architectures with region-local SLS plus aggregation\/export patterns<\/li>\n<\/ul>\n\n\n\n

                    Real-world deployment contexts<\/h3>\n\n\n\n
                      \n
                    • Production<\/strong>: strict retention, indexing strategy, alerting, least privilege, controlled dashboards.<\/li>\n
                    • Dev\/test<\/strong>: shorter retention, limited indexing, low-cost sampling, ad-hoc queries.<\/li>\n<\/ul>\n\n\n\n
                      \n\n\n\n

                      5. Top Use Cases and Scenarios<\/h2>\n\n\n\n

                      Below are realistic, common uses of Simple Log Service (SLS). Each one includes the problem, why SLS fits, and a short scenario.<\/p>\n\n\n\n

                      1) Centralized application logging for ECS fleets<\/strong>\n– Problem<\/strong>: Logs spread across hundreds of servers; SSH-based debugging is slow and inconsistent.\n– Why SLS fits<\/strong>: Logtail collects logs centrally; indexed search finds errors fast; retention policies reduce manual cleanup.\n– Scenario<\/strong>: A web team collects \/var\/log\/nginx\/access.log<\/code> and app logs from 200 ECS instances into a single Logstore for incident triage.<\/p>\n\n\n\n

                      2) Kubernetes\/ACK container log aggregation<\/strong>\n– Problem<\/strong>: Pods are ephemeral; node disk logs rotate; incidents require historical context.\n– Why SLS fits<\/strong>: Centralized storage with retention and dashboards; standardized queries across namespaces\/services.\n– Scenario<\/strong>: Platform team builds dashboards for 5 clusters to visualize error rates and 95th percentile response times derived from logs (integration pattern varies\u2014verify in official docs).<\/p>\n\n\n\n

                      3) Migration cutover verification (dual-run observability)<\/strong>\n– Problem<\/strong>: During migration, you run old and new systems in parallel and must confirm behavior matches.\n– Why SLS fits<\/strong>: Query and compare logs across environments; track error codes and latency patterns.\n– Scenario<\/strong>: For a database migration, teams compare application error logs before\/after cutover using saved queries and dashboards.<\/p>\n\n\n\n

                      4) Security investigations and audit log retention<\/strong>\n– Problem<\/strong>: Security needs centralized, tamper-resistant-ish retention with controlled access for investigations.\n– Why SLS fits<\/strong>: Central storage, role-based access, query capability, and export\/archival options.\n– Scenario<\/strong>: Security team stores authentication logs and cloud activity logs in a dedicated Project and grants read-only access with strict RAM policies.<\/p>\n\n\n\n

                      5) Alerting on error spikes and SLO signals from logs<\/strong>\n– Problem<\/strong>: Monitoring only infrastructure metrics misses application-level failures.\n– Why SLS fits<\/strong>: Alerts can run log queries and trigger notifications when thresholds are exceeded.\n– Scenario<\/strong>: An alert triggers when 5xx responses exceed a threshold in the last 5 minutes, based on Nginx access logs.<\/p>\n\n\n\n

                      6) Operational dashboards for business-critical flows<\/strong>\n– Problem<\/strong>: Business stakeholders need near-real-time visibility into order success\/failure.\n– Why SLS fits<\/strong>: Build dashboards from structured logs; track key events.\n– Scenario<\/strong>: Dashboard shows order placements per minute and payment failures by provider.<\/p>\n\n\n\n

                      7) Troubleshooting distributed systems with correlation IDs<\/strong>\n– Problem<\/strong>: Requests traverse many services; debugging requires correlating logs across them.\n– Why SLS fits<\/strong>: Field-based queries on trace_id<\/code> \/ request_id<\/code> retrieve all related logs quickly.\n– Scenario<\/strong>: Engineers search trace_id=abc123<\/code> across Logstores to see the full path and pinpoint the failing service.<\/p>\n\n\n\n

                      8) Compliance reporting and retention enforcement<\/strong>\n– Problem<\/strong>: Logs must be retained for a fixed period and accessible for audits.\n– Why SLS fits<\/strong>: Retention configuration and access control boundaries per Project\/Logstore.\n– Scenario<\/strong>: A fintech retains login events for 180 days and archives older logs to OSS for long-term storage (verify supported export methods).<\/p>\n\n\n\n

                      9) Automated analysis and log-derived metrics<\/strong>\n– Problem<\/strong>: Metrics are missing for certain application behaviors; adding instrumentation takes time.\n– Why SLS fits<\/strong>: Derive metrics using aggregation queries on existing logs; visualize trends.\n– Scenario<\/strong>: Team calculates error rate per API endpoint from access logs, without code changes.<\/p>\n\n\n\n

                      10) Multi-tenant platform logging<\/strong>\n– Problem<\/strong>: Shared platform hosts multiple teams; each needs access to its logs without seeing others.\n– Why SLS fits<\/strong>: Separate Projects\/Logstores and RAM policies; standardized naming and tagging.\n– Scenario<\/strong>: Platform team provides one Project per tenant team and enforces least-privilege access.<\/p>\n\n\n\n

                      11) Log analytics for capacity planning<\/strong>\n– Problem<\/strong>: Hard to predict traffic growth and resource needs.\n– Why SLS fits<\/strong>: Historical analytics and dashboards to visualize traffic patterns.\n– Scenario<\/strong>: Weekly report aggregates peak QPS and request sizes from access logs.<\/p>\n\n\n\n

                      12) Root cause analysis for intermittent errors<\/strong>\n– Problem<\/strong>: Rare errors disappear before engineers can capture enough context.\n– Why SLS fits<\/strong>: Persist logs centrally, query with time windows, and correlate by fields.\n– Scenario<\/strong>: A once-per-hour timeout error is detected by alert, and engineers retrieve all related logs across services.<\/p>\n\n\n\n

                      \n\n\n\n

                      6. Core Features<\/h2>\n\n\n\n
                      \n

                      Feature availability and names can differ slightly by region or console version. When a feature label differs, use the closest equivalent in your console and verify in official docs<\/strong>.<\/p>\n<\/blockquote>\n\n\n\n

                      6.1 Projects and Logstores (resource model)<\/h3>\n\n\n\n
                        \n
                      • What it does<\/strong>: Organizes logs into regional Projects and datasets (Logstores). <\/li>\n
                      • Why it matters<\/strong>: Strong separation for environments (dev\/test\/prod), tenants, or business units. <\/li>\n
                      • Practical benefit<\/strong>: Clear ownership, IAM boundaries, and cost allocation per Project\/Logstore. <\/li>\n
                      • Caveats<\/strong>: Cross-Project queries and cross-region aggregation may require export\/ETL patterns; verify supported approaches.<\/li>\n<\/ul>\n\n\n\n

                        6.2 Logtail agent collection (file-based ingestion)<\/h3>\n\n\n\n
                          \n
                        • What it does<\/strong>: Collects logs from Linux\/Windows servers and sends them to SLS. <\/li>\n
                        • Why it matters<\/strong>: Most operational logs start on hosts; agents standardize collection and parsing. <\/li>\n
                        • Practical benefit<\/strong>: Central logging without building custom shippers. <\/li>\n
                        • Caveats<\/strong>: You must manage agent rollout, permissions to log files, and network access to SLS endpoints.<\/li>\n<\/ul>\n\n\n\n

                          6.3 Machine Groups and collection configurations<\/h3>\n\n\n\n
                            \n
                          • What it does<\/strong>: Groups instances and applies Logtail configs (paths, parsing rules, filters). <\/li>\n
                          • Why it matters<\/strong>: Enables centralized control over what is collected and how it\u2019s parsed. <\/li>\n
                          • Practical benefit<\/strong>: Repeatable configuration and consistent parsing across fleets. <\/li>\n
                          • Caveats<\/strong>: Mis-grouping leads to missing logs; ensure machine identifiers are stable (verify best practice in docs).<\/li>\n<\/ul>\n\n\n\n

                            6.4 Indexing (full-text and field-based search)<\/h3>\n\n\n\n
                              \n
                            • What it does<\/strong>: Builds indexes to support fast search and analytics on specific fields. <\/li>\n
                            • Why it matters<\/strong>: Without indexes, queries are limited and\/or slower (depending on feature). <\/li>\n
                            • Practical benefit<\/strong>: Fast \u201cfind the error\u201d workflows, filters by service\/version\/host, and aggregations. <\/li>\n
                            • Caveats<\/strong>: Indexing typically increases cost (index traffic and index storage). Index only what you query.<\/li>\n<\/ul>\n\n\n\n

                              6.5 Query and analysis (search + SQL-like analytics)<\/h3>\n\n\n\n
                                \n
                              • What it does<\/strong>: Lets you search logs and run aggregations (counts, group-by, percentiles if supported, etc.). <\/li>\n
                              • Why it matters<\/strong>: Turns raw logs into operational insight and alert conditions. <\/li>\n
                              • Practical benefit<\/strong>: Build SLO\/SLA-style dashboards from logs, troubleshoot spikes, detect patterns. <\/li>\n
                              • Caveats<\/strong>: Query concurrency, time ranges, and high-cardinality fields affect performance and cost. Verify query limits and best practices.<\/li>\n<\/ul>\n\n\n\n

                                6.6 Dashboards and visualization<\/h3>\n\n\n\n
                                  \n
                                • What it does<\/strong>: Charts and tables from saved queries; share operational views. <\/li>\n
                                • Why it matters<\/strong>: Makes logs usable for on-call workflows and non-engineering stakeholders. <\/li>\n
                                • Practical benefit<\/strong>: Standard dashboards for services (error rate, traffic, latency buckets derived from logs). <\/li>\n
                                • Caveats<\/strong>: Dashboard permissions must be managed carefully; avoid exposing sensitive data.<\/li>\n<\/ul>\n\n\n\n

                                  6.7 Alerting on log queries<\/h3>\n\n\n\n
                                    \n
                                  • What it does<\/strong>: Evaluates scheduled queries and triggers notifications when conditions match. <\/li>\n
                                  • Why it matters<\/strong>: Detect issues early without constant manual searching. <\/li>\n
                                  • Practical benefit<\/strong>: Alert on error spikes, suspicious activity, missing heartbeat logs, or unusual patterns. <\/li>\n
                                  • Caveats<\/strong>: Alerts can become noisy if thresholds aren\u2019t tuned. Also, alert evaluation and notifications may introduce costs; verify billing dimensions.<\/li>\n<\/ul>\n\n\n\n

                                    6.8 Data transformation \/ processing (ETL-style)<\/h3>\n\n\n\n
                                      \n
                                    • What it does<\/strong>: Processes logs to clean, enrich, mask, or reshape fields for better analysis and compliance. <\/li>\n
                                    • Why it matters<\/strong>: Raw logs often need normalization (JSON parsing, extracting fields from text, masking PII). <\/li>\n
                                    • Practical benefit<\/strong>: Consistent schema and safer data for broader access. <\/li>\n
                                    • Caveats<\/strong>: Transformation can add compute cost and operational complexity. Verify the current transformation features and their billing.<\/li>\n<\/ul>\n\n\n\n

                                      6.9 Log consumption APIs and integrations<\/h3>\n\n\n\n
                                        \n
                                      • What it does<\/strong>: Programmatic read access for building pipelines, SIEM integrations, or downstream analytics. <\/li>\n
                                      • Why it matters<\/strong>: Logs are often a source for security analytics, data lakes, or incident automation. <\/li>\n
                                      • Practical benefit<\/strong>: Export selected data to OSS\/data warehouses or feed incident responders. <\/li>\n
                                      • Caveats<\/strong>: Egress and API request costs can be significant; design for selective export rather than bulk pulls.<\/li>\n<\/ul>\n\n\n\n

                                        6.10 Multi-environment governance (naming, tagging, resource groups)<\/h3>\n\n\n\n
                                          \n
                                        • What it does<\/strong>: Organize resources for cost allocation and access control. <\/li>\n
                                        • Why it matters<\/strong>: Large organizations need consistent governance across many Projects\/Logstores. <\/li>\n
                                        • Practical benefit<\/strong>: Chargeback\/showback, clean separation, consistent IAM. <\/li>\n
                                        • Caveats<\/strong>: Tagging\/resource group support varies by service; verify SLS support in Resource Management docs.<\/li>\n<\/ul>\n\n\n\n
                                          \n\n\n\n

                                          7. Architecture and How It Works<\/h2>\n\n\n\n

                                          7.1 High-level architecture<\/h3>\n\n\n\n

                                          At a high level, Simple Log Service (SLS) sits between your log producers and your consumers:<\/p>\n\n\n\n

                                            \n
                                          1. Producers<\/strong>: ECS hosts (Logtail), containers, applications (SDK\/API), cloud services.<\/li>\n
                                          2. Ingestion endpoints<\/strong>: regional SLS endpoints receive data.<\/li>\n
                                          3. Storage<\/strong>: logs are stored in Logstores with retention settings.<\/li>\n
                                          4. Indexing<\/strong>: optional; builds searchable indexes.<\/li>\n
                                          5. Consumption<\/strong>: operators query, dashboards visualize, alerts trigger notifications, pipelines export.<\/li>\n<\/ol>\n\n\n\n

                                            7.2 Request\/data\/control flow<\/h3>\n\n\n\n
                                              \n
                                            • Control plane<\/strong>:<\/li>\n
                                            • Create Project\/Logstore<\/li>\n
                                            • Configure retention\/index<\/li>\n
                                            • Create Logtail config and bind to machine groups<\/li>\n
                                            • Configure dashboards and alerts<\/li>\n
                                            • Data plane<\/strong>:<\/li>\n
                                            • Logtail reads local files \u2192 parses \u2192 batches \u2192 sends to SLS endpoint<\/li>\n
                                            • SLS stores raw events and updates indexes (if enabled)<\/li>\n
                                            • Queries run against stored data and indexes<\/li>\n<\/ul>\n\n\n\n

                                              7.3 Integrations with related services (common patterns)<\/h3>\n\n\n\n
                                                \n
                                              • ECS<\/strong>: host-level log collection via Logtail.<\/li>\n
                                              • ACK<\/strong>: cluster\/container logging integrations (verify current setup docs for your cluster version).<\/li>\n
                                              • OSS<\/strong>: archival or export patterns for long-term retention\/data lake (verify current shipping\/export mechanisms).<\/li>\n
                                              • ActionTrail<\/strong>: cloud audit events used alongside SLS for security monitoring (verify current integration options).<\/li>\n
                                              • CloudMonitor<\/strong>: metrics and alarms; SLS adds deep log context.<\/li>\n
                                              • RAM<\/strong>: access control to Projects\/Logstores and dashboards\/alerts.<\/li>\n<\/ul>\n\n\n\n

                                                7.4 Dependency services (typical)<\/h3>\n\n\n\n
                                                  \n
                                                • RAM (Resource Access Management)<\/strong> for identities and policies.<\/li>\n
                                                • VPC<\/strong> and network routing to reach SLS endpoints (public endpoints or internal endpoints in-region).<\/li>\n
                                                • Optional: OSS<\/strong>, data warehouse services, or message queues for export pipelines.<\/li>\n<\/ul>\n\n\n\n

                                                  7.5 Security\/authentication model (conceptual)<\/h3>\n\n\n\n
                                                    \n
                                                  • Users and systems authenticate using RAM users\/roles<\/strong> and potentially STS<\/strong> (temporary credentials) depending on integration.<\/li>\n
                                                  • Logtail authentication and configuration retrieval are managed through SLS\u2019s Logtail management workflow (details vary; follow official Logtail installation guidance).<\/li>\n
                                                  • Fine-grained access can be implemented by:<\/li>\n
                                                  • Separate Projects per environment\/tenant<\/li>\n
                                                  • Read-only vs read-write roles<\/li>\n
                                                  • Restricting access by source IP\/VPC (where supported\u2014verify)<\/li>\n
                                                  • Using internal endpoints to avoid public exposure (where supported)<\/li>\n<\/ul>\n\n\n\n

                                                    7.6 Networking model<\/h3>\n\n\n\n
                                                      \n
                                                    • SLS exposes regional endpoints<\/strong>. Depending on your setup you may use:<\/li>\n
                                                    • Public endpoints<\/strong> (internet access; secure with TLS + IAM and optionally IP restrictions if available).<\/li>\n
                                                    • Internal endpoints<\/strong> (in-region VPC access, if available for SLS in your region\u2014verify in docs).<\/li>\n
                                                    • For cross-region: consider centralizing by exporting\/replicating selected logs rather than querying across regions.<\/li>\n<\/ul>\n\n\n\n

                                                      7.7 Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n
                                                        \n
                                                      • Use SLS to monitor your applications, but also:<\/li>\n
                                                      • Enable Alibaba Cloud governance logs (e.g., ActionTrail) and store them in a dedicated SLS Project (verify integration).<\/li>\n
                                                      • Use consistent naming for Projects\/Logstores so alerts and dashboards are predictable.<\/li>\n
                                                      • Track cost by Project and by indexing strategy.<\/li>\n<\/ul>\n\n\n\n

                                                        7.8 Simple architecture diagram (Mermaid)<\/h3>\n\n\n\n
                                                        flowchart LR\n  A[ECS \/ App Logs] -->|Logtail| B[Simple Log Service (SLS)\\nProject + Logstore]\n  B --> C[Search \/ SQL Analytics]\n  C --> D[Dashboards]\n  C --> E[Alerts -> Notifications]\n<\/code><\/pre>\n\n\n\n
                                                        7.9 Production-style architecture diagram (Mermaid)<\/h3>\n\n\n\n
                                                        flowchart TB\n  subgraph VPC[\"VPC (Production)\"]\n    subgraph ECSF[\"ECS Fleet \/ Nodes\"]\n      N1[Nginx + App] --> LT1[Logtail Agent]\n      N2[Worker + App] --> LT2[Logtail Agent]\n      N3[Gateway] --> LT3[Logtail Agent]\n    end\n  end\n\n  LT1 --> EP[SLS Regional Endpoint]\n  LT2 --> EP\n  LT3 --> EP\n\n  subgraph SLS[\"Simple Log Service (SLS) - Region\"]\n    P1[Project: prod-observability]\n    LS1[Logstore: nginx-access]\n    LS2[Logstore: app-json]\n    IDX[Indexing \/ Parsing Rules]\n    Q[Query & SQL-like Analytics]\n    DB[Dashboards]\n    AL[Alert Rules]\n  end\n\n  EP --> P1\n  P1 --> LS1\n  P1 --> LS2\n  LS1 --> IDX\n  LS2 --> IDX\n  IDX --> Q\n  Q --> DB\n  Q --> AL\n\n  AL --> NT[Notification Channels\\n(e.g., Email\/SMS\/Webhook\/DingTalk - verify)]\n  Q --> EXP[Optional Export\/Shipping\\n(OSS \/ Data Warehouse - verify)]\n<\/code><\/pre>\n\n\n\n
                                                        \n\n\n\n
                                                        8. Prerequisites<\/h2>\n\n\n\n
                                                        Account and billing<\/h3>\n\n\n\n
                                                          \n
                                                        • An Alibaba Cloud account<\/strong> with billing enabled (Pay-As-You-Go is common for SLS).<\/li>\n
                                                        • Access to the Simple Log Service (SLS)<\/strong> console in your target region.<\/li>\n<\/ul>\n\n\n\n
                                                          Permissions \/ IAM (RAM)<\/h3>\n\n\n\n
                                                          You need permissions to:\n– Create and manage SLS Projects\/Logstores\n– Configure Logtail collection\n– Create indexes, dashboards, and alerts\n– (Optional) create ECS resources for the lab<\/p>\n\n\n\n
                                                          Common managed policies often include names like:\n– AliyunLogFullAccess<\/code> (full access)\n– AliyunLogReadOnlyAccess<\/code> (read-only)<\/p>\n\n\n\n
                                                          Policy names and granularity can change; verify in the RAM console and official docs<\/strong>. For production, prefer custom least-privilege policies scoped to specific Projects\/Logstores.<\/p>\n\n\n\n
                                                          Tools (optional but helpful)<\/h3>\n\n\n\n
                                                            \n
                                                          • A Linux shell environment and SSH client (for ECS access).<\/li>\n
                                                          • Basic CLI tools on the server:<\/li>\n
                                                          • curl<\/code><\/li>\n
                                                          • package manager (yum<\/code>\/dnf<\/code> or apt<\/code>)<\/li>\n
                                                          • No SDK is required for the console-based lab in this tutorial.<\/li>\n<\/ul>\n\n\n\n
                                                            Region availability<\/h3>\n\n\n\n
                                                              \n
                                                            • SLS is regional. Choose a region close to your workloads.<\/li>\n
                                                            • Verify:<\/li>\n
                                                            • SLS availability in your region<\/li>\n
                                                            • whether internal endpoints are available<\/li>\n
                                                            • supported integrations (some cloud product logs are region\/service dependent)<\/li>\n<\/ul>\n\n\n\n
                                                              Quotas\/limits<\/h3>\n\n\n\n
                                                              SLS has service quotas (for example, maximum number of Projects\/Logstores, ingestion limits, query limits, retention bounds). Exact limits change and can be region-dependent:\n– Check Quotas<\/strong> in the Alibaba Cloud console if available\n– Or verify in official docs<\/strong> for SLS limits<\/p>\n\n\n\n
                                                              Prerequisite services (for the hands-on lab)<\/h3>\n\n\n\n
                                                                \n
                                                              • One ECS instance<\/strong> (lowest-cost burstable instance type appropriate to your region) running a supported Linux distribution.<\/li>\n<\/ul>\n\n\n\n
                                                                \n\n\n\n
                                                                9. Pricing \/ Cost<\/h2>\n\n\n\n
                                                                \n
                                                                Do not treat this section as a quote. Simple Log Service (SLS) pricing is usage-based and can vary by region and feature. Always confirm on the official pricing page and your region\u2019s billing console.<\/p>\n<\/blockquote>\n\n\n\n
                                                                9.1 Pricing model (typical dimensions)<\/h3>\n\n\n\n
                                                                SLS commonly charges across dimensions such as:\n– Ingestion\/write traffic<\/strong>: data written into Logstores.\n– Storage<\/strong>: GB-month stored, affected by retention and compression.\n– Indexing<\/strong>:\n  – index traffic (data processed for indexing)\n  – index storage (index size grows with fields and cardinality)\n– Query\/analysis<\/strong>: some query\/analysis capabilities may incur compute charges depending on feature and query pattern (verify current billing).\n– API requests<\/strong>: certain API calls may be billed or limited (verify).\n– Data export\/egress<\/strong>:\n  – exporting to OSS or other services can add request\/traffic costs\n  – cross-region or internet egress can add bandwidth costs<\/p>\n\n\n\n
                                                                9.2 Free tier \/ trials<\/h3>\n\n\n\n
                                                                Alibaba Cloud sometimes offers:\n– free trials,\n– promotional quotas,\n– or new-user credits.<\/p>\n\n\n\n
                                                                Availability changes frequently. Verify current offers in your account\u2019s promotions and SLS billing docs<\/strong>.<\/p>\n\n\n\n
                                                                9.3 Primary cost drivers<\/h3>\n\n\n\n
                                                                  \n
                                                                • High ingestion volume<\/strong> (GB\/day) and long retention<\/strong> (days\/months).<\/li>\n
                                                                • Over-indexing<\/strong> (indexing many fields you never query).<\/li>\n
                                                                • High-cardinality fields<\/strong> (e.g., indexing user_id<\/code> for millions of unique values) increasing index size and query cost.<\/li>\n
                                                                • Large time-range queries<\/strong> on indexed data (expensive and slow).<\/li>\n
                                                                • Exports and external consumption<\/strong> (pulling large volumes repeatedly).<\/li>\n<\/ul>\n\n\n\n
                                                                  9.4 Hidden or indirect costs<\/h3>\n\n\n\n
                                                                    \n
                                                                  • Network egress<\/strong> if querying\/exporting across regions or over the public internet.<\/li>\n
                                                                  • Downstream storage<\/strong> if you archive to OSS (OSS storage + requests).<\/li>\n
                                                                  • Notification costs<\/strong> if alerts send SMS\/voice (if used; verify).<\/li>\n<\/ul>\n\n\n\n
                                                                    9.5 Cost optimization strategies<\/h3>\n\n\n\n
                                                                      \n
                                                                    • Right-size retention<\/strong>: keep high-value logs for shorter periods; archive raw logs to OSS if needed.<\/li>\n
                                                                    • Index only what you query<\/strong>: start minimal and expand.<\/li>\n
                                                                    • Use structured logging<\/strong> (JSON) with consistent fields to avoid expensive parsing and reduce noise.<\/li>\n
                                                                    • Separate Logstores<\/strong> by log type and retention (e.g., access logs 30 days, audit logs 180 days).<\/li>\n
                                                                    • Limit query time ranges<\/strong> in dashboards and alerts; aggregate into derived metrics where appropriate.<\/li>\n
                                                                    • Use sampling<\/strong> for very high-volume debug logs in non-prod (where acceptable).<\/li>\n<\/ul>\n\n\n\n
                                                                      9.6 Example low-cost starter estimate (methodology, not numbers)<\/h3>\n\n\n\n
                                                                      A starter environment might look like:\n– 1 ECS instance\n– 1 Logstore collecting Nginx access logs\n– Retention: 7\u201314 days\n– Minimal indexing (only key fields: status, path, upstream time)<\/p>\n\n\n\n
                                                                      To estimate monthly cost:\n1. Estimate daily ingestion (GB\/day).\n2. Multiply by retention to estimate average stored GB-month (roughly: daily ingestion \u00d7 retention\/30).\n3. Add index overhead (depends on enabled indexes).\n4. Add query patterns (dashboard refresh frequency + alert schedule).<\/p>\n\n\n\n
                                                                      Use the official pricing references:\n– Product and docs landing: https:\/\/www.alibabacloud.com\/help\/en\/sls\/\n– Pricing entry point (verify region): https:\/\/www.alibabacloud.com\/product\/log-service\n– Billing overview in docs (verify current page in your region\u2019s docs): https:\/\/www.alibabacloud.com\/help\/en\/sls\/product-overview\/billing-overview (URL structure may vary; search \u201cSLS billing overview\u201d in official docs if needed)<\/p>\n\n\n\n
                                                                      9.7 Example production cost considerations<\/h3>\n\n\n\n
                                                                      For production, budget planning should explicitly include:\n– ingestion from all tiers (edge, app, DB proxy, security logs),\n– retention policy by dataset,\n– index strategy by dataset,\n– dashboards\/alerts count and query schedules,\n– export volume to OSS\/data lake\/SIEM,\n– multi-region logging design and egress.<\/p>\n\n\n\n
                                                                      A common pattern is to run a 2\u20134 week pilot and use actual billing data to refine retention\/index decisions before full rollout.<\/p>\n\n\n\n
                                                                      \n\n\n\n
                                                                      10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n
                                                                      Objective<\/h3>\n\n\n\n
                                                                      Collect Nginx access logs from an Alibaba Cloud ECS instance into Simple Log Service (SLS)<\/strong> using Logtail<\/strong>, then:\n– verify ingestion,\n– enable indexing,\n– run queries,\n– build a small dashboard,\n– create a basic alert,\n– and clean up resources to keep cost low.<\/p>\n\n\n\n
                                                                      Lab Overview<\/h3>\n\n\n\n
                                                                      You will create:\n– 1 SLS Project<\/strong>\n– 1 SLS Logstore<\/strong>\n– 1 Machine Group<\/strong> + Logtail<\/strong> collection configuration\n– 1 ECS instance with Nginx<\/strong>\n– Basic index<\/strong>, query<\/strong>, dashboard<\/strong>, and alert<\/strong><\/p>\n\n\n\n
                                                                      Estimated time: 45\u201390 minutes (depending on ECS provisioning and familiarity).<\/p>\n\n\n\n
                                                                      \n\n\n\n
                                                                      Step 1: Choose a region and plan resource names<\/h3>\n\n\n\n
                                                                        \n
                                                                      1. Pick a region where you can create both ECS and SLS (same region recommended to minimize latency and avoid cross-region traffic).<\/li>\n
                                                                      2. Decide names (example naming):\n   – Project: demo-sls-ops<\/code>\n   – Logstore: nginx-access<\/code>\n   – Machine Group: demo-ecs-nginx<\/code><\/li>\n<\/ol>\n\n\n\n
                                                                        Expected outcome<\/strong>\n– You have a clear naming plan you can reuse in production conventions.<\/p>\n\n\n\n
                                                                        \n\n\n\n
                                                                        Step 2: Create an SLS Project<\/h3>\n\n\n\n
                                                                          \n
                                                                        1. Open the Alibaba Cloud console and go to Simple Log Service (SLS)<\/strong>.<\/li>\n
                                                                        2. Select your target region<\/strong>.<\/li>\n
                                                                        3. Create a Project<\/strong>:\n   – Name: demo-sls-ops<\/code>\n   – (Optional) Description: Lab project for Nginx logs<\/code><\/li>\n<\/ol>\n\n\n\n
                                                                          Expected outcome<\/strong>\n– The Project exists in the selected region.<\/p>\n\n\n\n
                                                                          Verification<\/strong>\n– In the SLS console, you can select the Project and see an empty resource list.<\/p>\n\n\n\n
                                                                          \n\n\n\n
                                                                          Step 3: Create a Logstore with retention<\/h3>\n\n\n\n
                                                                            \n
                                                                          1. Inside demo-sls-ops<\/code>, create a Logstore<\/strong> named nginx-access<\/code>.<\/li>\n
                                                                          2. Configure retention<\/strong> (choose a short retention for the lab, e.g., 7 days, if available).<\/li>\n
                                                                          3. Keep defaults for other options unless your console requires explicit choices.<\/li>\n<\/ol>\n\n\n\n
                                                                            Expected outcome<\/strong>\n– A Logstore exists and is ready to ingest logs.<\/p>\n\n\n\n
                                                                            Verification<\/strong>\n– The Logstore appears in the Project\u2019s Logstore list.<\/p>\n\n\n\n
                                                                            \n\n\n\n
                                                                            Step 4: Create an ECS instance (low-cost) and install Nginx<\/h3>\n\n\n\n
                                                                              \n
                                                                            1. Create a small ECS instance in the same region<\/strong>:\n   – Choose a low-cost instance type and a common Linux OS image.\n   – Ensure it has:
                                                                                \n
                                                                              • Security group allowing inbound TCP\/80<\/strong> from your IP (for testing)<\/li>\n
                                                                              • SSH access (TCP\/22) from your IP<\/li>\n<\/ul>\n<\/li>\n
                                                                              • SSH to the instance.<\/li>\n<\/ol>\n\n\n\n
                                                                                Install Nginx using your distro\u2019s package manager.<\/p>\n\n\n\n
                                                                                For Alibaba Cloud Linux \/ CentOS-like<\/strong><\/p>\n\n\n\n
                                                                                sudo yum install -y nginx\nsudo systemctl enable --now nginx\n<\/code><\/pre>\n\n\n\n
                                                                                For Ubuntu\/Debian<\/strong><\/p>\n\n\n\n
                                                                                sudo apt-get update\nsudo apt-get install -y nginx\nsudo systemctl enable --now nginx\n<\/code><\/pre>\n\n\n\n
                                                                                Generate a small amount of traffic:<\/p>\n\n\n\n
                                                                                curl -I http:\/\/127.0.0.1\/\nfor i in $(seq 1 50); do curl -s http:\/\/127.0.0.1\/ >\/dev\/null; done\n<\/code><\/pre>\n\n\n\n
                                                                                Expected outcome<\/strong>\n– Nginx is running and writing access logs.<\/p>\n\n\n\n
                                                                                Verification<\/strong><\/p>\n\n\n\n
                                                                                sudo tail -n 20 \/var\/log\/nginx\/access.log\n<\/code><\/pre>\n\n\n\n
                                                                                You should see recent requests.<\/p>\n\n\n\n
                                                                                \n\n\n\n
                                                                                Step 5: Create a Machine Group in SLS<\/h3>\n\n\n\n
                                                                                  \n
                                                                                1. In the SLS Project, find Logtail<\/strong> (or log collection) management.<\/li>\n
                                                                                2. Create a Machine Group<\/strong> named demo-ecs-nginx<\/code>.<\/li>\n
                                                                                3. Choose an identification method supported by your console (common options include IP-based or a user-defined identifier).\n   – If you choose IP-based: add the ECS private IP (or public IP depending on the method; follow console guidance).\n   – If you choose a user-defined identifier: you will configure it on the host during Logtail install.<\/li>\n<\/ol>\n\n\n\n
                                                                                  Expected outcome<\/strong>\n– Machine Group exists and is ready to receive Logtail configs.<\/p>\n\n\n\n
                                                                                  Verification<\/strong>\n– Machine Group shows as created (it may show \u201cno machines\u201d until Logtail is installed and connected).<\/p>\n\n\n\n
                                                                                  \n\n\n\n
                                                                                  Step 6: Create a Logtail configuration to collect Nginx access logs<\/h3>\n\n\n\n
                                                                                    \n
                                                                                  1. Create a new Logtail configuration<\/strong> (name example: collect-nginx-access<\/code>).<\/li>\n
                                                                                  2. Source type: File<\/strong>.<\/li>\n
                                                                                  3. Log path:\n   – Directory: \/var\/log\/nginx\/<\/code>\n   – File pattern: access.log<\/code> (or access*.log<\/code> if rotation is used)<\/li>\n
                                                                                  4. Parsing:\n   – For a lab, start with delimiter\/text<\/strong> parsing or a simple mode.\n   – If your console supports Nginx parsing templates, select one (verify correctness against your Nginx log format).<\/li>\n
                                                                                  5. Destination:\n   – Project: demo-sls-ops<\/code>\n   – Logstore: nginx-access<\/code><\/li>\n
                                                                                  6. Apply\/bind the config to Machine Group demo-ecs-nginx<\/code>.<\/li>\n<\/ol>\n\n\n\n
                                                                                    Expected outcome<\/strong>\n– SLS knows what to collect and where to store it.<\/p>\n\n\n\n
                                                                                    Verification<\/strong>\n– The config appears as \u201capplied\u201d (or similar status) to the Machine Group.<\/p>\n\n\n\n
                                                                                    \n\n\n\n
                                                                                    Step 7: Install Logtail on the ECS instance<\/h3>\n\n\n\n
                                                                                    Because Logtail installation commands and packages can change, the safest method is:<\/p>\n\n\n\n
                                                                                      \n
                                                                                    1. In the SLS console\u2019s Logtail section, find Install Logtail<\/strong> for your region\/OS.<\/li>\n
                                                                                    2. Copy the official installation command<\/strong> generated by the console\/docs.<\/li>\n
                                                                                    3. Run it on your ECS instance as root (or with sudo).<\/li>\n<\/ol>\n\n\n\n
                                                                                      Typical workflow looks like this (structure only; use the exact command from the console<\/strong>):<\/p>\n\n\n\n
                                                                                      # Example structure only. Copy the real command from the SLS console.\nsudo bash -c '<INSTALL_LOGTAIL_COMMAND_FROM_SLS_CONSOLE>'\n<\/code><\/pre>\n\n\n\n
                                                                                      After installation, ensure the agent is running (service name can vary by OS\/package; verify in the install output):<\/p>\n\n\n\n
                                                                                      # Try common service checks (one of these should work depending on your OS\/package)\nsudo systemctl status logtail || true\nsudo systemctl status ilogtail || true\nps -ef | grep -i logtail | grep -v grep || true\n<\/code><\/pre>\n\n\n\n
                                                                                      Expected outcome<\/strong>\n– Logtail is installed and running.\n– The ECS instance appears as \u201conline\u201d (or similar) in the Machine Group.<\/p>\n\n\n\n
                                                                                      Verification (in console)<\/strong>\n– Machine Group shows the instance connected within a few minutes.<\/p>\n\n\n\n
                                                                                      \n\n\n\n
                                                                                      Step 8: Verify logs are arriving in the Logstore<\/h3>\n\n\n\n
                                                                                        \n
                                                                                      1. In SLS, open Logstore nginx-access<\/code>.<\/li>\n
                                                                                      2. Go to Query<\/strong> (or \u201cSearch\/Query\u201d).<\/li>\n
                                                                                      3. Use a short time range like \u201cLast 15 minutes\u201d.<\/li>\n
                                                                                      4. Run a basic query (examples vary by query language mode; try a simple search like GET<\/code> or 200<\/code>).<\/li>\n<\/ol>\n\n\n\n
                                                                                        Example query patterns (adjust to your console\u2019s query syntax):\n– Full-text: GET<\/code>\n– Filter status (if parsed into a field): status: 200<\/code><\/p>\n\n\n\n
                                                                                        Expected outcome<\/strong>\n– You can see Nginx access log entries in SLS.<\/p>\n\n\n\n
                                                                                        If no logs appear<\/strong>\n– Confirm \/var\/log\/nginx\/access.log<\/code> is being written.\n– Confirm the Logtail config path and file pattern match.\n– Confirm the ECS instance is in the correct Machine Group.\n– Check Logtail status and logs (location varies; verify in Logtail docs).<\/p>\n\n\n\n
                                                                                        \n\n\n\n
                                                                                        Step 9: Enable indexing for fast search and field queries<\/h3>\n\n\n\n
                                                                                        Without indexing, search and structured queries may be limited. Enable indexing carefully to manage cost.<\/p>\n\n\n\n
                                                                                          \n
                                                                                        1. In nginx-access<\/code> Logstore settings, locate Index<\/strong> configuration.<\/li>\n
                                                                                        2. Enable:\n   – Full-text index (useful for simple searching)\n   – Key fields index for fields you care about (if parsing created fields), such as:
                                                                                            \n
                                                                                          • status<\/code><\/li>\n
                                                                                          • request_method<\/code><\/li>\n
                                                                                          • request_uri<\/code> (or uri<\/code>)<\/li>\n
                                                                                          • remote_addr<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                            Expected outcome<\/strong>\n– Queries become faster and support field filters\/aggregations.<\/p>\n\n\n\n
                                                                                            Verification<\/strong>\n– Run a query filtering on status<\/code> and confirm it returns results quickly.<\/p>\n\n\n\n
                                                                                            \n\n\n\n
                                                                                            Step 10: Run practical queries (errors, top URLs, traffic)<\/h3>\n\n\n\n
                                                                                            Below are examples. Your exact fields depend on parsing. If your logs are unstructured, start with keyword searches and then improve parsing.<\/p>\n\n\n\n
                                                                                            Find 5xx responses<\/strong>\n– If status<\/code> is a field:\n  – status >= 500<\/code>\n– Otherwise use full-text search for 500<\/code>, 502<\/code>, etc.<\/p>\n\n\n\n
                                                                                            Top requested paths (requires structured fields)<\/strong>\nIf SLS supports SQL-like analysis in your console, a common pattern is:\n– Search + pipeline aggregation (syntax varies). Use the console\u2019s query builder examples.\n– Verify the correct SQL\/query format in the official docs for your console version.<\/p>\n\n\n\n
                                                                                            Expected outcome<\/strong>\n– You can identify error spikes and the busiest endpoints from logs.<\/p>\n\n\n\n
                                                                                            Verification<\/strong>\n– Generate a few 404s:<\/p>\n\n\n\n
                                                                                            for i in $(seq 1 20); do curl -s -o \/dev\/null -w \"%{http_code}\\n\" http:\/\/127.0.0.1\/does-not-exist; done\nsudo tail -n 5 \/var\/log\/nginx\/access.log\n<\/code><\/pre>\n\n\n\n
                                                                                            Then query for 404<\/code> in SLS and confirm those entries appear.<\/p>\n\n\n\n
                                                                                            \n\n\n\n
                                                                                            Step 11: Build a small dashboard<\/h3>\n\n\n\n
                                                                                              \n
                                                                                            1. Go to SLS Dashboard<\/strong> feature.<\/li>\n
                                                                                            2. Create a dashboard named nginx-ops-dashboard<\/code>.<\/li>\n
                                                                                            3. Add panels such as:\n   – Requests per minute (count over time)\n   – 4xx count over time\n   – 5xx count over time\n   – Top endpoints by requests (table)<\/li>\n<\/ol>\n\n\n\n
                                                                                              Expected outcome<\/strong>\n– A dashboard provides a quick operational overview.<\/p>\n\n\n\n
                                                                                              Verification<\/strong>\n– Refresh the dashboard and confirm charts change after generating new traffic.<\/p>\n\n\n\n
                                                                                              \n\n\n\n
                                                                                              Step 12: Create a basic alert for 5xx spikes<\/h3>\n\n\n\n
                                                                                                \n
                                                                                              1. Go to Alert<\/strong> (or alarm rules) in SLS.<\/li>\n
                                                                                              2. Create an alert rule:\n   – Data source: Logstore nginx-access<\/code>\n   – Query: filter 5xx status codes\n   – Condition: count > threshold in last 5 minutes (choose a small threshold for the lab)\n   – Notification: email\/webhook\/DingTalk\/etc. depending on what your account has configured (verify supported channels)<\/li>\n<\/ol>\n\n\n\n
                                                                                                Expected outcome<\/strong>\n– An alert rule exists and evaluates periodically.<\/p>\n\n\n\n
                                                                                                Verification<\/strong>\n– Temporarily configure Nginx to return 500 for a test location (optional advanced step), or simulate by generating logs with 5xx (if you can).\n– Confirm the alert transitions to triggered state when conditions are met.<\/p>\n\n\n\n
                                                                                                If you cannot easily generate real 5xx responses, validate the alert by lowering the threshold and using an easier condition (e.g., 404 count).<\/p>\n\n\n\n
                                                                                                \n\n\n\n
                                                                                                Validation<\/h3>\n\n\n\n
                                                                                                Use this checklist:<\/p>\n\n\n\n
                                                                                                  \n
                                                                                                • ECS<\/strong><\/li>\n
                                                                                                • curl http:\/\/127.0.0.1\/<\/code> returns a response.<\/li>\n
                                                                                                • \n
                                                                                                  \/var\/log\/nginx\/access.log<\/code> is growing.<\/p>\n<\/li>\n
                                                                                                • \n
                                                                                                  SLS<\/strong><\/p>\n<\/li>\n
                                                                                                • Machine Group shows your ECS as connected\/online.<\/li>\n
                                                                                                • Logstore nginx-access<\/code> shows recent logs.<\/li>\n
                                                                                                • Index is enabled for key fields you query.<\/li>\n
                                                                                                • Dashboard panels show data.<\/li>\n
                                                                                                • Alert evaluates and can trigger (at least with a test threshold).<\/li>\n<\/ul>\n\n\n\n
                                                                                                  \n\n\n\n
                                                                                                  Troubleshooting<\/h3>\n\n\n\n
                                                                                                  Common issues and fixes:<\/p>\n\n\n\n
                                                                                                  1) No logs in SLS<\/strong>\n– Confirm Nginx is writing logs:\n  bash\n  sudo ls -l \/var\/log\/nginx\/\n  sudo tail -n 50 \/var\/log\/nginx\/access.log<\/code>\n– Confirm Logtail is running:\n  bash\n  ps -ef | grep -i logtail | grep -v grep<\/code>\n– Confirm the Logtail config path matches exactly (directory + filename pattern).\n– Confirm the Machine Group identifier is correct (IP or user-defined ID).\n– Check host firewall\/security group outbound access (Logtail must reach SLS endpoint).<\/p>\n\n\n\n
                                                                                                  2) Logs appear but fields are missing<\/strong>\n– Your parsing config may not match Nginx\u2019s log format.\n– Switch to a known Nginx parsing template if available, or adjust the parsing rule.\n– Start with full-text index to search while you refine parsing.<\/p>\n\n\n\n
                                                                                                  3) Queries are slow or limited<\/strong>\n– Ensure indexing is enabled for fields you filter\/group by.\n– Reduce the time range (e.g., last 15 minutes instead of 24 hours).\n– Avoid high-cardinality group-bys during the lab.<\/p>\n\n\n\n
                                                                                                  4) Alert is too noisy<\/strong>\n– Increase evaluation window (e.g., 10 minutes) or raise threshold.\n– Alert on error rate<\/em> rather than raw counts (requires total request count query + derived calculation; verify SLS alert capabilities).<\/p>\n\n\n\n
                                                                                                  \n\n\n\n
                                                                                                  Cleanup<\/h3>\n\n\n\n
                                                                                                  To minimize cost, delete or stop resources:<\/p>\n\n\n\n
                                                                                                    \n
                                                                                                  1. \n
                                                                                                    SLS cleanup<\/strong>\n   – Delete the alert rule(s).\n   – Delete the dashboard.\n   – Delete the Logstore nginx-access<\/code>.\n   – Delete the Project demo-sls-ops<\/code> (only if it contains no other needed resources).<\/p>\n<\/li>\n
                                                                                                  2. \n
                                                                                                    ECS cleanup<\/strong>\n   – Stop and release the ECS instance (or delete it).\n   – Optionally uninstall Logtail (follow official Logtail uninstall steps\u2014verify in docs).\n   – Remove security group rules if they were created solely for this lab.<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                    \n\n\n\n
                                                                                                    11. Best Practices<\/h2>\n\n\n\n
                                                                                                    Architecture best practices<\/h3>\n\n\n\n
                                                                                                      \n
                                                                                                    • Separate Projects by environment<\/strong> (prod vs non-prod) to prevent accidental access and to isolate blast radius.<\/li>\n
                                                                                                    • Separate Logstores by log type<\/strong> (access logs, app logs, audit logs) because retention, indexing, and access patterns differ.<\/li>\n
                                                                                                    • Design for migrations<\/strong>: during migration phases, keep old\/new logs in separate Logstores and build comparison dashboards.<\/li>\n<\/ul>\n\n\n\n
                                                                                                      IAM\/security best practices<\/h3>\n\n\n\n
                                                                                                        \n
                                                                                                      • Prefer RAM roles<\/strong> and STS<\/strong> (temporary credentials) for programmatic access where possible.<\/li>\n
                                                                                                      • Use least privilege<\/strong>:<\/li>\n
                                                                                                      • Read-only for most users.<\/li>\n
                                                                                                      • Write-only for shippers\/agents.<\/li>\n
                                                                                                      • Admin only for platform owners.<\/li>\n
                                                                                                      • Restrict who can export logs or create alerts (alerts can leak information via notifications).<\/li>\n<\/ul>\n\n\n\n
                                                                                                        Cost best practices<\/h3>\n\n\n\n
                                                                                                          \n
                                                                                                        • Minimize indexing<\/strong>: start with full-text + a few key fields.<\/li>\n
                                                                                                        • Right-size retention<\/strong>: short retention for high-volume access logs; longer for security\/audit logs.<\/li>\n
                                                                                                        • Avoid wide dashboards<\/strong> that run heavy queries on refresh for long time windows.<\/li>\n
                                                                                                        • Watch for data duplication<\/strong> (shipping the same logs multiple times from multiple agents\/configs).<\/li>\n<\/ul>\n\n\n\n
                                                                                                          Performance best practices<\/h3>\n\n\n\n
                                                                                                            \n
                                                                                                          • Use structured JSON logs<\/strong> when possible; it improves parsing reliability and query performance.<\/li>\n
                                                                                                          • Keep field names consistent across services.<\/li>\n
                                                                                                          • Avoid indexing extremely high-cardinality fields unless necessary.<\/li>\n<\/ul>\n\n\n\n
                                                                                                            Reliability best practices<\/h3>\n\n\n\n
                                                                                                              \n
                                                                                                            • Deploy Logtail with a repeatable method (images, automation, or configuration management).<\/li>\n
                                                                                                            • Monitor Logtail health (agent process, backlog, error counters\u2014verify available metrics\/logs for Logtail).<\/li>\n
                                                                                                            • Ensure endpoints are reachable from private networks (consider internal endpoints when available).<\/li>\n<\/ul>\n\n\n\n
                                                                                                              Operations best practices<\/h3>\n\n\n\n
                                                                                                                \n
                                                                                                              • Build a standard set of dashboards:<\/li>\n
                                                                                                              • Traffic, errors, latency signals derived from logs<\/li>\n
                                                                                                              • Deployment markers (include build version in logs)<\/li>\n
                                                                                                              • Use saved queries as runbook steps (\u201cwhen X happens, run query Y\u201d).<\/li>\n
                                                                                                              • Regularly review alert noise and adjust thresholds.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                Governance\/tagging\/naming best practices<\/h3>\n\n\n\n
                                                                                                                  \n
                                                                                                                • Naming convention example:<\/li>\n
                                                                                                                • Project: {org}-{env}-obs<\/code> (e.g., acme-prod-obs<\/code>)<\/li>\n
                                                                                                                • Logstore: {service}-{logtype}<\/code> (e.g., checkout-app<\/code>, edge-access<\/code>)<\/li>\n
                                                                                                                • Tag resources for cost allocation (verify current tag\/resource group support for SLS in your account).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                  \n\n\n\n
                                                                                                                  12. Security Considerations<\/h2>\n\n\n\n
                                                                                                                  Identity and access model<\/h3>\n\n\n\n
                                                                                                                    \n
                                                                                                                  • SLS access is controlled via RAM<\/strong> (users, roles, policies).<\/li>\n
                                                                                                                  • Common patterns:<\/li>\n
                                                                                                                  • Platform admin<\/strong>: manage Projects\/Logstores, index settings, dashboards\/alerts.<\/li>\n
                                                                                                                  • Service team<\/strong>: read their own Logstores; optionally create dashboards within scope.<\/li>\n
                                                                                                                  • Ingestion identity<\/strong>: write-only access for agents\/pipelines.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                    Recommendation<\/strong>: Use separate Projects for sensitive datasets (auth logs, security audit logs). Apply stricter policies and logging of access.<\/p>\n\n\n\n
                                                                                                                    Encryption<\/h3>\n\n\n\n
                                                                                                                      \n
                                                                                                                    • Data is typically encrypted in transit via TLS to SLS endpoints.<\/li>\n
                                                                                                                    • At-rest encryption options may exist depending on service capabilities and region; verify in official docs<\/strong> for SLS encryption and key management support (and whether KMS\/CMK integration is available).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                      Network exposure<\/h3>\n\n\n\n
                                                                                                                        \n
                                                                                                                      • Prefer private connectivity where supported (internal endpoints\/VPC access). Verify in official docs<\/strong> for your region.<\/li>\n
                                                                                                                      • If using public endpoints:<\/li>\n
                                                                                                                      • restrict outbound access from servers to SLS endpoints only as required,<\/li>\n
                                                                                                                      • consider IP allowlists where supported,<\/li>\n
                                                                                                                      • ensure TLS is enforced.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                        Secrets handling<\/h3>\n\n\n\n
                                                                                                                          \n
                                                                                                                        • Avoid embedding long-term AccessKeys on servers.<\/li>\n
                                                                                                                        • If you must use AccessKeys (lab-only), store them securely and rotate them. For production, prefer roles\/STS and managed identity patterns.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                          Audit\/logging<\/h3>\n\n\n\n
                                                                                                                            \n
                                                                                                                          • Enable cloud governance logs (e.g., ActionTrail) and store them in a protected location (SLS Project with restricted access) to track administrative actions.<\/li>\n
                                                                                                                          • Log access to sensitive dashboards\/exports where possible (verify audit features in official docs).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                            Compliance considerations<\/h3>\n\n\n\n
                                                                                                                              \n
                                                                                                                            • Retention and access control are central to compliance:<\/li>\n
                                                                                                                            • define retention by log type,<\/li>\n
                                                                                                                            • implement separation of duties (security vs dev access),<\/li>\n
                                                                                                                            • mask or avoid collecting PII in logs where possible.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                              Common security mistakes<\/h3>\n\n\n\n
                                                                                                                                \n
                                                                                                                              • Indexing or storing secrets\/PII in logs without masking.<\/li>\n
                                                                                                                              • Granting broad *<\/code> permissions to many users.<\/li>\n
                                                                                                                              • Allowing public endpoint ingestion from unrestricted networks without monitoring.<\/li>\n
                                                                                                                              • Exporting logs broadly to external systems without access controls.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                Secure deployment recommendations<\/h3>\n\n\n\n
                                                                                                                                  \n
                                                                                                                                • Implement a \u201clogging platform\u201d Project for shared datasets and dedicated Projects for sensitive data.<\/li>\n
                                                                                                                                • Use transformation\/masking to remove secrets\/PII (verify current SLS transformation capabilities).<\/li>\n
                                                                                                                                • Enforce least-privilege policies and periodic access reviews.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                  \n\n\n\n
                                                                                                                                  13. Limitations and Gotchas<\/h2>\n\n\n\n
                                                                                                                                  \n
                                                                                                                                  Exact quotas and limits change; confirm the current numbers in official SLS docs and your region\u2019s Quotas page.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                                                                  Common limitations\/constraints<\/h3>\n\n\n\n
                                                                                                                                    \n
                                                                                                                                  • Regional scope<\/strong>: Projects and data are region-bound; cross-region strategies require planning and may incur cost\/latency.<\/li>\n
                                                                                                                                  • Indexing tradeoff<\/strong>: enabling many indexes increases cost and can impact ingestion performance.<\/li>\n
                                                                                                                                  • High-cardinality fields<\/strong>: indexing fields with many unique values can significantly increase index size and query cost.<\/li>\n
                                                                                                                                  • Alert noise<\/strong>: naive thresholds create noisy alerts; build rate-based or baseline-aware alerts where possible.<\/li>\n
                                                                                                                                  • Parsing mismatch<\/strong>: incorrect parsing config results in missing fields; start with full-text search and iteratively refine parsing.<\/li>\n
                                                                                                                                  • Agent operational overhead<\/strong>: Logtail is managed but still an agent\u2014you must plan installation, upgrades (if required), and health monitoring.<\/li>\n
                                                                                                                                  • Retention vs compliance<\/strong>: short retention saves cost but may violate audit\/compliance needs; plan archival.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                    Pricing surprises<\/h3>\n\n\n\n
                                                                                                                                      \n
                                                                                                                                    • Index costs can exceed storage costs if you index too broadly.<\/li>\n
                                                                                                                                    • Frequent dashboards\/alerts running heavy queries can increase compute\/query-related charges (verify how your account is billed for queries).<\/li>\n
                                                                                                                                    • Exporting large volumes repeatedly (pull-based integrations) can cause unexpected bandwidth and request charges.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                      Compatibility issues<\/h3>\n\n\n\n
                                                                                                                                        \n
                                                                                                                                      • Some cloud product log integrations are region- or product-version-specific (verify compatibility matrices in docs).<\/li>\n
                                                                                                                                      • OS support for Logtail can differ (verify supported OS list in official docs).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                        Migration challenges (vendor-specific nuance)<\/h3>\n\n\n\n
                                                                                                                                          \n
                                                                                                                                        • Migrating from ELK\/Loki\/other stacks often requires:<\/li>\n
                                                                                                                                        • mapping fields and parsing rules,<\/li>\n
                                                                                                                                        • re-creating dashboards and alerts,<\/li>\n
                                                                                                                                        • revisiting retention and index strategy to control costs.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                          \n\n\n\n
                                                                                                                                          14. Comparison with Alternatives<\/h2>\n\n\n\n
                                                                                                                                          Alibaba Cloud alternatives (same cloud)<\/h3>\n\n\n\n
                                                                                                                                            \n
                                                                                                                                          • Elasticsearch \/ OpenSearch managed offerings (if available in your account\/region)<\/strong>: more control and ecosystem plugins, but more tuning and cost management.<\/li>\n
                                                                                                                                          • CloudMonitor<\/strong>: metric-focused monitoring; complements SLS rather than replacing it.<\/li>\n
                                                                                                                                          • ARMS \/ tracing\/APM services<\/strong>: focused on tracing and application performance; can integrate with logs but is not the same as log analytics.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                            Other cloud providers (nearest equivalents)<\/h3>\n\n\n\n
                                                                                                                                              \n
                                                                                                                                            • AWS CloudWatch Logs<\/strong> (and CloudWatch Logs Insights)<\/li>\n
                                                                                                                                            • Azure Monitor Logs<\/strong> (Log Analytics Workspace)<\/li>\n
                                                                                                                                            • Google Cloud Logging<\/strong> (Logs Explorer)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                              Open-source\/self-managed alternatives<\/h3>\n\n\n\n
                                                                                                                                                \n
                                                                                                                                              • ELK\/Elastic Stack<\/strong> (Elasticsearch + Logstash + Kibana)<\/li>\n
                                                                                                                                              • Grafana Loki<\/strong> (often paired with Promtail\/Fluent Bit + Grafana)<\/li>\n
                                                                                                                                              • OpenSearch stack<\/strong><\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                Comparison table<\/h4>\n\n\n\n
                                                                                                                                                \n\n\n\n\n\n\n\n\n\n\n\n
                                                                                                                                                Option<\/th>\nBest For<\/th>\nStrengths<\/th>\nWeaknesses<\/th>\nWhen to Choose<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                Alibaba Cloud Simple Log Service (SLS)<\/strong><\/td>\nAlibaba Cloud-native centralized logging and O&M<\/td>\nManaged ingestion\/storage\/search, dashboards, alerts, strong ecosystem fit<\/td>\nRegional boundaries; costs depend on indexing\/query\/export; less low-level control than self-managed<\/td>\nYou want managed logs with fast time-to-value in Alibaba Cloud<\/td>\n<\/tr>\n
                                                                                                                                                Managed Elasticsearch\/OpenSearch (Alibaba Cloud offering, if used)<\/td>\nAdvanced search use cases, custom plugins, full-text heavy workloads<\/td>\nFamiliar ELK patterns, flexible queries and tooling<\/td>\nMore tuning\/ops overhead; scaling and indexing management<\/td>\nYou require Elasticsearch compatibility or custom plugin ecosystem<\/td>\n<\/tr>\n
                                                                                                                                                Alibaba Cloud CloudMonitor<\/td>\nInfrastructure and service metrics<\/td>\nSimple metric alarms, native monitoring<\/td>\nNot a full log analytics platform<\/td>\nYou need metrics-first monitoring and basic alarms; use SLS for deep log context<\/td>\n<\/tr>\n
                                                                                                                                                AWS CloudWatch Logs<\/td>\nAWS-native logging<\/td>\nTight AWS integration, Logs Insights<\/td>\nDifferent query semantics; pricing and retention considerations<\/td>\nYou are primarily on AWS<\/td>\n<\/tr>\n
                                                                                                                                                Azure Monitor Logs<\/td>\nAzure-native logging and analytics<\/td>\nStrong workspace model, KQL<\/td>\nAzure-specific; can be costly at scale<\/td>\nYou are primarily on Azure<\/td>\n<\/tr>\n
                                                                                                                                                Google Cloud Logging<\/td>\nGCP-native logging<\/td>\nDeep GCP integration<\/td>\nGCP-specific<\/td>\nYou are primarily on GCP<\/td>\n<\/tr>\n
                                                                                                                                                ELK self-managed<\/td>\nFull control, custom pipelines<\/td>\nMaximum flexibility<\/td>\nHigh operational burden (clusters, scaling, patching)<\/td>\nYou have strict control requirements and staff to operate it<\/td>\n<\/tr>\n
                                                                                                                                                Grafana Loki<\/td>\nCost-efficient log aggregation for some use cases<\/td>\nLabel-based indexing, integrates with Grafana<\/td>\nDifferent model; can struggle with some full-text patterns<\/td>\nYou want Grafana-centric workflows and can design around labels<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                \n\n\n\n
                                                                                                                                                15. Real-World Example<\/h2>\n\n\n\n
                                                                                                                                                Enterprise example: regulated fintech migration and security visibility<\/h3>\n\n\n\n
                                                                                                                                                Problem<\/strong>\nA fintech is migrating customer-facing services from an older architecture to microservices on Alibaba Cloud. During the migration, they must:\n– confirm functional parity between old and new services,\n– reduce incident MTTR,\n– retain audit\/security logs for compliance,\n– enforce strict access control.<\/p>\n\n\n\n
                                                                                                                                                Proposed architecture<\/strong>\n– Separate SLS Projects:\n  – fin-prod-app-logs<\/code> for application logs\n  – fin-prod-access-logs<\/code> for edge\/access logs\n  – fin-prod-security-audit<\/code> for auth\/audit datasets\n– Logtail on ECS nodes and Kubernetes nodes (ACK integration as supported).\n– Standard JSON schema for app logs including:\n  – service<\/code>, env<\/code>, version<\/code>, request_id<\/code>, user_tier<\/code>, latency_ms<\/code>, result<\/code>\n– Dashboards:\n  – error rate by service\/version\n  – login failures by reason\n  – request volume by endpoint\n– Alerts:\n  – 5xx spike for critical APIs\n  – unusual authentication failures\n  – missing heartbeat logs from critical components\n– Archive older logs to OSS for long retention (verify official mechanisms and compliance controls).<\/p>\n\n\n\n
                                                                                                                                                Why SLS was chosen<\/strong>\n– Alibaba Cloud-native operations model.\n– Managed ingestion\/search\/alerting reduces time to implement during migration.\n– Project-level boundaries help separate duties and restrict access.<\/p>\n\n\n\n
                                                                                                                                                Expected outcomes<\/strong>\n– Faster incident triage (central searchable logs).\n– Safer migration cutovers (side-by-side comparisons).\n– Compliance alignment (retention + controlled access + audit trails).<\/p>\n\n\n\n
                                                                                                                                                \n\n\n\n
                                                                                                                                                Startup\/small-team example: one dashboard for a small SaaS<\/h3>\n\n\n\n
                                                                                                                                                Problem<\/strong>\nA small SaaS runs 10 ECS instances and wants:\n– one place to search errors,\n– an operational dashboard,\n– and alerts when the site breaks\u2014without hiring a dedicated observability engineer.<\/p>\n\n\n\n
                                                                                                                                                Proposed architecture<\/strong>\n– One SLS Project startup-prod-obs<\/code>\n– Logstores:\n  – nginx-access<\/code> (short retention, minimal indexes)\n  – app-json<\/code> (structured logs, moderate retention)\n– Dashboards:\n  – request count, 4xx\/5xx, top endpoints\n– Alerts:\n  – 5xx count threshold\n  – \u201cno logs received\u201d heartbeat alert (requires periodic log events)<\/p>\n\n\n\n
                                                                                                                                                Why SLS was chosen<\/strong>\n– Minimal ops overhead compared to running ELK.\n– Simple setup with Logtail and console-driven dashboards.<\/p>\n\n\n\n
                                                                                                                                                Expected outcomes<\/strong>\n– Better on-call outcomes without building a full logging stack.\n– Predictable costs through retention and index control.<\/p>\n\n\n\n
                                                                                                                                                \n\n\n\n
                                                                                                                                                16. FAQ<\/h2>\n\n\n\n
                                                                                                                                                1) Is Simple Log Service (SLS) the same as \u201cLog Service\u201d on Alibaba Cloud?<\/strong>\nIn many contexts, yes\u2014Alibaba Cloud sometimes uses \u201cLog Service\u201d as the product label, while documentation frequently calls it Simple Log Service (SLS)<\/strong>. Confirm the naming in your console\/region, but the service scope is the managed logging platform described here.<\/p>\n\n\n\n
                                                                                                                                                2) Do I need to run Elasticsearch to use SLS?<\/strong>\nNo. SLS is a managed service that provides storage, search, analytics, dashboards, and alerting without you running Elasticsearch yourself.<\/p>\n\n\n\n
                                                                                                                                                3) What is the difference between a Project and a Logstore?<\/strong>\nA Project<\/strong> is a regional container\/namespace. A Logstore<\/strong> is a dataset inside a Project that stores a specific type of logs with its own retention and index settings.<\/p>\n\n\n\n
                                                                                                                                                4) How do I decide how many Logstores to create?<\/strong>\nCreate separate Logstores when retention, access control, parsing, or indexing needs differ. Typical splits are by service and log type (access vs app vs audit).<\/p>\n\n\n\n
                                                                                                                                                5) Should I enable full-text indexing for everything?<\/strong>\nNot necessarily. Full-text index improves ad-hoc searching, but it may increase cost. For production, index only what you commonly search, and add field indexes for structured filtering.<\/p>\n\n\n\n
                                                                                                                                                6) What\u2019s the best log format for SLS?<\/strong>\nStructured JSON logs are usually best because they are easy to parse and query. For text logs (like Nginx), use consistent formats and parsing templates.<\/p>\n\n\n\n
                                                                                                                                                7) Can SLS collect logs from on-prem servers?<\/strong>\nOften yes via agent\/API, but you must plan network connectivity to the SLS region endpoints and consider security and bandwidth costs. Verify supported methods in official docs.<\/p>\n\n\n\n
                                                                                                                                                8) How does SLS handle multi-region applications?<\/strong>\nCommon practice is region-local SLS Projects for ingestion and local operations, with selective export\/aggregation for central reporting. Cross-region transfers add cost and latency.<\/p>\n\n\n\n
                                                                                                                                                9) Can I use SLS for security monitoring?<\/strong>\nYes, many teams use it for security investigations and audit retention. However, you must implement strict access control and consider masking sensitive data.<\/p>\n\n\n\n
                                                                                                                                                10) Does SLS support long-term archival?<\/strong>\nSLS supports retention settings, and many architectures archive older logs to OSS for long-term storage. Verify the current recommended export\/shipping features in official docs.<\/p>\n\n\n\n
                                                                                                                                                11) How can I reduce SLS costs quickly?<\/strong>\nThe fastest levers are: reduce retention for high-volume logs, reduce indexing scope, and reduce heavy dashboard\/alert query frequency and time ranges.<\/p>\n\n\n\n
                                                                                                                                                12) What happens if Logtail stops running?<\/strong>\nYou will stop receiving logs from that host. In production, monitor agent health and consider alerts for missing data (heartbeats).<\/p>\n\n\n\n
                                                                                                                                                13) Can I restrict who can see certain logs?<\/strong>\nYes, use separate Projects\/Logstores and RAM policies. For sensitive logs, isolate them and grant access only to security\/compliance roles.<\/p>\n\n\n\n
                                                                                                                                                14) Is SLS suitable for application performance monitoring (APM)?<\/strong>\nSLS can derive metrics from logs and help investigate latency errors, but it is not a full tracing\/APM solution by itself. Use it alongside Alibaba Cloud APM\/tracing services if needed.<\/p>\n\n\n\n
                                                                                                                                                15) How do I migrate from ELK to SLS?<\/strong>\nStart with a pilot:\n– map your fields and parsing,\n– recreate critical dashboards\/alerts,\n– validate retention and indexing cost,\n– run dual logging during cutover,\nthen gradually decommission old pipelines.<\/p>\n\n\n\n
                                                                                                                                                16) Can I send logs directly from my application without Logtail?<\/strong>\nYes, SLS supports ingestion via APIs\/SDKs, but you must handle authentication and retries. For host-based logs, Logtail is usually simpler.<\/p>\n\n\n\n
                                                                                                                                                17) How do I prevent sensitive data from entering SLS?<\/strong>\nBest approach is to not log secrets\/PII in the application. Additionally, use transformation\/masking features where available (verify current SLS transformation capabilities).<\/p>\n\n\n\n
                                                                                                                                                \n\n\n\n
                                                                                                                                                17. Top Online Resources to Learn Simple Log Service (SLS)<\/h2>\n\n\n\n
                                                                                                                                                \n\n\n\n\n\n\n\n\n\n\n\n\n\n
                                                                                                                                                Resource Type<\/th>\nName<\/th>\nWhy It Is Useful<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                Official documentation<\/td>\nSimple Log Service (SLS) documentation hub: https:\/\/www.alibabacloud.com\/help\/en\/sls\/<\/td>\nPrimary reference for concepts, APIs, Logtail, indexing, queries, and operations<\/td>\n<\/tr>\n
                                                                                                                                                Official product page<\/td>\nAlibaba Cloud Log Service \/ SLS product page: https:\/\/www.alibabacloud.com\/product\/log-service<\/td>\nHigh-level overview, entry point to pricing and region availability<\/td>\n<\/tr>\n
                                                                                                                                                Official billing docs<\/td>\nSLS Billing overview (verify page for your region): https:\/\/www.alibabacloud.com\/help\/en\/sls\/product-overview\/billing-overview<\/td>\nExplains billing dimensions and how to interpret charges<\/td>\n<\/tr>\n
                                                                                                                                                Official getting started<\/td>\nSearch \u201cQuick Start\u201d or \u201cGetting started with SLS\u201d in official docs: https:\/\/www.alibabacloud.com\/help\/en\/sls\/<\/td>\nStep-by-step onboarding aligned with your console version<\/td>\n<\/tr>\n
                                                                                                                                                API reference<\/td>\nSLS API reference (navigate from docs hub): https:\/\/www.alibabacloud.com\/help\/en\/sls\/developer-reference\/api-reference<\/td>\nNeeded for automation, ingestion, and programmatic consumption<\/td>\n<\/tr>\n
                                                                                                                                                Logtail docs<\/td>\nLogtail installation and configuration (from docs hub): https:\/\/www.alibabacloud.com\/help\/en\/sls\/<\/td>\nThe authoritative install and troubleshooting guidance for agent-based ingestion<\/td>\n<\/tr>\n
                                                                                                                                                Tutorials\/labs<\/td>\nOfficial SLS tutorials (find under \u201cTutorials\u201d in docs hub): https:\/\/www.alibabacloud.com\/help\/en\/sls\/<\/td>\nPractical recipes for common patterns (parsing, dashboards, alerting)<\/td>\n<\/tr>\n
                                                                                                                                                Videos\/webinars<\/td>\nAlibaba Cloud official video channels (search \u201cSimple Log Service SLS\u201d): https:\/\/www.youtube.com\/@AlibabaCloud<\/td>\nVisual walkthroughs and best practices (verify the most recent content)<\/td>\n<\/tr>\n
                                                                                                                                                Samples (SDK)<\/td>\nOfficial Alibaba Cloud SDK repositories (search for SLS\/log examples): https:\/\/github.com\/aliyun<\/td>\nCode examples for ingestion and querying (verify repo relevance and recency)<\/td>\n<\/tr>\n
                                                                                                                                                Community learning<\/td>\nAlibaba Cloud community articles (filter by SLS): https:\/\/www.alibabacloud.com\/blog<\/td>\nAdditional examples and operational stories; validate against official docs<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                \n\n\n\n
                                                                                                                                                18. Training and Certification Providers<\/h2>\n\n\n\n
                                                                                                                                                \n\n\n\n\n\n\n\n\n
                                                                                                                                                Institute<\/th>\nSuitable Audience<\/th>\nLikely Learning Focus<\/th>\nMode<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                DevOpsSchool.com<\/td>\nDevOps engineers, SREs, cloud engineers<\/td>\nDevOps + cloud operations; may include logging\/monitoring patterns<\/td>\nCheck website<\/td>\nhttps:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n
                                                                                                                                                ScmGalaxy.com<\/td>\nBeginners to intermediate DevOps practitioners<\/td>\nSCM\/DevOps foundations; operational tooling<\/td>\nCheck website<\/td>\nhttps:\/\/www.scmgalaxy.com\/<\/td>\n<\/tr>\n
                                                                                                                                                CLoudOpsNow.in<\/td>\nCloud ops engineers, platform teams<\/td>\nCloud operations and O&M practices<\/td>\nCheck website<\/td>\nhttps:\/\/www.cloudopsnow.in\/<\/td>\n<\/tr>\n
                                                                                                                                                SreSchool.com<\/td>\nSREs, reliability engineers<\/td>\nSRE practices, observability, incident response<\/td>\nCheck website<\/td>\nhttps:\/\/www.sreschool.com\/<\/td>\n<\/tr>\n
                                                                                                                                                AiOpsSchool.com<\/td>\nOps engineers exploring AIOps<\/td>\nAIOps concepts; automation around ops data<\/td>\nCheck website<\/td>\nhttps:\/\/www.aiopsschool.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                \n
                                                                                                                                                Note: Certification availability specifically for Alibaba Cloud SLS varies. Verify each provider\u2019s current Alibaba Cloud course coverage and any official certification alignment on their websites.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                                                                                \n\n\n\n
                                                                                                                                                19. Top Trainers<\/h2>\n\n\n\n
                                                                                                                                                \n\n\n\n\n\n\n\n
                                                                                                                                                Platform\/Site<\/th>\nLikely Specialization<\/th>\nSuitable Audience<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                RajeshKumar.xyz<\/td>\nDevOps\/cloud training content and guidance<\/td>\nBeginners to intermediate engineers<\/td>\nhttps:\/\/rajeshkumar.xyz\/<\/td>\n<\/tr>\n
                                                                                                                                                devopstrainer.in<\/td>\nDevOps training services<\/td>\nDevOps engineers, platform teams<\/td>\nhttps:\/\/www.devopstrainer.in\/<\/td>\n<\/tr>\n
                                                                                                                                                devopsfreelancer.com<\/td>\nFreelance DevOps support\/training resources<\/td>\nTeams needing practical implementation support<\/td>\nhttps:\/\/www.devopsfreelancer.com\/<\/td>\n<\/tr>\n
                                                                                                                                                devopssupport.in<\/td>\nDevOps support and enablement<\/td>\nOps teams needing hands-on help<\/td>\nhttps:\/\/www.devopssupport.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                \n\n\n\n
                                                                                                                                                20. Top Consulting Companies<\/h2>\n\n\n\n
                                                                                                                                                \n\n\n\n\n\n\n
                                                                                                                                                Company<\/th>\nLikely Service Area<\/th>\nWhere They May Help<\/th>\nConsulting Use Case Examples<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                cotocus.com<\/td>\nCloud\/DevOps consulting<\/td>\nArchitecture, implementation, migrations, O&M processes<\/td>\nDesigning centralized logging on Alibaba Cloud; setting retention\/index policies; building dashboards\/alerts<\/td>\nhttps:\/\/cotocus.com\/<\/td>\n<\/tr>\n
                                                                                                                                                DevOpsSchool.com<\/td>\nDevOps consulting and enablement<\/td>\nDevOps practices, tooling rollout, training + implementation<\/td>\nRolling out SLS collection standards; building runbooks and on-call dashboards<\/td>\nhttps:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n
                                                                                                                                                DEVOPSCONSULTING.IN<\/td>\nDevOps consulting services<\/td>\nCI\/CD, infra automation, ops tooling<\/td>\nIntegrating SLS with incident workflows; implementing least-privilege access and governance<\/td>\nhttps:\/\/www.devopsconsulting.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                \n\n\n\n
                                                                                                                                                21. Career and Learning Roadmap<\/h2>\n\n\n\n
                                                                                                                                                What to learn before SLS<\/h3>\n\n\n\n
                                                                                                                                                  \n
                                                                                                                                                • Linux fundamentals: system logs, file permissions, log rotation.<\/li>\n
                                                                                                                                                • Networking basics: VPC, DNS, endpoints, TLS, egress controls.<\/li>\n
                                                                                                                                                • IAM basics in Alibaba Cloud: RAM users, roles, policies, least privilege.<\/li>\n
                                                                                                                                                • Logging fundamentals:<\/li>\n
                                                                                                                                                • structured logging (JSON),<\/li>\n
                                                                                                                                                • correlation IDs,<\/li>\n
                                                                                                                                                • log levels,<\/li>\n
                                                                                                                                                • avoiding secrets in logs.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                  What to learn after SLS<\/h3>\n\n\n\n
                                                                                                                                                    \n
                                                                                                                                                  • Advanced observability:<\/li>\n
                                                                                                                                                  • metrics and SLOs (CloudMonitor + log-derived metrics),<\/li>\n
                                                                                                                                                  • tracing\/APM services (Alibaba Cloud APM\/tracing offerings, verify current product names),<\/li>\n
                                                                                                                                                  • incident management and on-call practices.<\/li>\n
                                                                                                                                                  • Data lake patterns:<\/li>\n
                                                                                                                                                  • archiving to OSS,<\/li>\n
                                                                                                                                                  • downstream analytics in data warehouses (verify service choices).<\/li>\n
                                                                                                                                                  • Security analytics:<\/li>\n
                                                                                                                                                  • audit event pipelines,<\/li>\n
                                                                                                                                                  • detection rules and alert tuning.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                    Job roles that use SLS<\/h3>\n\n\n\n
                                                                                                                                                      \n
                                                                                                                                                    • Cloud Engineer \/ Platform Engineer<\/li>\n
                                                                                                                                                    • DevOps Engineer<\/li>\n
                                                                                                                                                    • Site Reliability Engineer (SRE)<\/li>\n
                                                                                                                                                    • Security Engineer (cloud security monitoring)<\/li>\n
                                                                                                                                                    • Operations Engineer \/ NOC Engineer<\/li>\n
                                                                                                                                                    • Solutions Architect (designing O&M platforms)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                      Certification path (if available)<\/h3>\n\n\n\n
                                                                                                                                                      Alibaba Cloud certifications evolve over time. Look for:\n– Alibaba Cloud associate\/professional tracks relevant to cloud operations and architecture\nThen supplement with hands-on SLS labs (official tutorials) and operational scenarios.<\/p>\n\n\n\n
                                                                                                                                                      Verify current Alibaba Cloud certification tracks<\/strong> on the official Alibaba Cloud certification pages (search in official site).<\/p>\n\n\n\n
                                                                                                                                                      Project ideas for practice<\/h3>\n\n\n\n
                                                                                                                                                        \n
                                                                                                                                                      • Build a \u201cgolden\u201d logging baseline: one Project per env, one Logstore per service log type, standard dashboards.<\/li>\n
                                                                                                                                                      • Implement correlation ID propagation and query end-to-end traces in logs.<\/li>\n
                                                                                                                                                      • Create a cost-optimized retention\/index plan and measure real billing changes.<\/li>\n
                                                                                                                                                      • Create security-focused dashboards: auth failures, admin actions (where integrated), suspicious IPs.<\/li>\n
                                                                                                                                                      • Build migration dashboards comparing old vs new environment error rates during cutover.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                        \n\n\n\n
                                                                                                                                                        22. Glossary<\/h2>\n\n\n\n
                                                                                                                                                          \n
                                                                                                                                                        • Simple Log Service (SLS)<\/strong>: Alibaba Cloud managed service for log ingestion, storage, search, analytics, dashboards, and alerts.<\/li>\n
                                                                                                                                                        • Project<\/strong>: Regional namespace\/container in SLS that holds Logstores and configurations.<\/li>\n
                                                                                                                                                        • Logstore<\/strong>: Storage unit within a Project for logs of a particular type with retention and index settings.<\/li>\n
                                                                                                                                                        • Logtail<\/strong>: Agent that collects logs from servers and sends them to SLS.<\/li>\n
                                                                                                                                                        • Machine Group<\/strong>: Group of machines managed together for Logtail configuration targeting.<\/li>\n
                                                                                                                                                        • Index<\/strong>: Data structure that enables fast searching and filtering by full text and\/or fields.<\/li>\n
                                                                                                                                                        • Retention<\/strong>: How long logs are stored before being deleted automatically.<\/li>\n
                                                                                                                                                        • Parsing<\/strong>: Converting raw text logs into structured fields (e.g., extracting status code, URI).<\/li>\n
                                                                                                                                                        • Structured logging<\/strong>: Emitting logs as JSON or key-value fields for easier querying.<\/li>\n
                                                                                                                                                        • High cardinality<\/strong>: A field with many unique values (e.g., unique user IDs). High cardinality indexes can be expensive.<\/li>\n
                                                                                                                                                        • Dashboard<\/strong>: Visual representation of log queries as charts\/tables for monitoring.<\/li>\n
                                                                                                                                                        • Alert rule<\/strong>: Scheduled query + condition that triggers notifications when thresholds are met.<\/li>\n
                                                                                                                                                        • RAM (Resource Access Management)<\/strong>: Alibaba Cloud IAM service for users, roles, and policies.<\/li>\n
                                                                                                                                                        • STS (Security Token Service)<\/strong>: Temporary credentials mechanism (used via roles in many secure designs).<\/li>\n
                                                                                                                                                        • Endpoint<\/strong>: Regional API\/ingestion URL for SLS.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                          \n\n\n\n
                                                                                                                                                          23. Summary<\/h2>\n\n\n\n
                                                                                                                                                          Simple Log Service (SLS) on Alibaba Cloud<\/strong> is a managed logging and analytics platform that fits directly into Migration & O&M Management<\/strong> needs: it centralizes logs, enables fast search and analysis, provides dashboards, and supports alerting so teams can operate systems reliably\u2014especially during migrations and production incidents.<\/p>\n\n\n\n
                                                                                                                                                          Key points to remember:\n– Architecture fit<\/strong>: Use Projects\/Logstores to separate environments and log types.\n– Cost control<\/strong>: Retention and indexing choices are the biggest levers; avoid indexing everything.\n– Security<\/strong>: Apply least privilege with RAM, isolate sensitive logs, and avoid collecting secrets\/PII.\n– Operational success<\/strong>: Standardize parsing, build runbook dashboards, and tune alerts to reduce noise.<\/p>\n\n\n\n
                                                                                                                                                          Next step: replicate the lab pattern for one real service in your environment (app logs + access logs), then iterate on parsing, indexing, dashboards, and alert thresholds using real operational data and the official SLS documentation: https:\/\/www.alibabacloud.com\/help\/en\/sls\/<\/p>\n","protected":false},"excerpt":{"rendered":"
                                                                                                                                                          Migration & O&M Management<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,19],"tags":[],"class_list":["post-115","post","type-post","status-publish","format-standard","hentry","category-alibaba-cloud","category-migration-o-m-management"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/115","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=115"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/115\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=115"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=115"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=115"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}