This topic describes how to create a single-account trail in the ActionTrail console. A single-account trail can continuously deliver events to the specified Object Storage Service (OSS) bucket or Log Service Logstore for analysis. If no trail is created, you can view only the events of the last 90 days in the ActionTrail console.

Procedure

  1. Log on to the ActionTrail console.
  2. In the top navigation bar, select the region where you want to create a single-account trail.
    Note: The region that you select becomes the home region of the trail to be created.
  3. In the left-side navigation pane, choose ActionTrail > Create Trail.
  4. In the Trail Basic Settings step, set the parameters and click Next. The following table describes the parameters.
    Parameter: Description
    Trail Name: The name of the trail to be created. You must specify a unique trail name under your Alibaba Cloud account.
    Target Regions: The one or more regions from which the trail delivers events.
    • All Regions: The trail delivers events from all regions to the specified delivery destination.
    • Selected Regions: The trail delivers events only from the one or more regions you specified in Regions to the specified delivery destination.
    Note: The home region indicates the region where you create a trail. An applicable region indicates a region to which a trail is applied. If you want to deliver events only from a specified region, we recommend that you create a trail in that region.
    Event Type: The type of events to be delivered.
    • Write: the type of events that can add, delete, or modify cloud resources. For example, a CreateInstance event is generated when a subscription or pay-as-you-go ECS instance is created. If you need to export events only for custom analysis and focus on the events that affect the running of the cloud resources, select Write.
    • Read: the type of events that can read information about cloud resources, but cannot add, delete, or modify cloud resources. For example, a DescribeInstances event is generated when the details of one or more ECS instances are queried. Read events often occur in abundance and occupy a large storage space. We recommend that you do not select this option.
    • All: all read and write events. If you want to create a trail to deliver all events under your Alibaba Cloud account, select All.
  5. In the Event Delivery Settings step, specify the delivery method and click Next.
    Note: Only events generated after the single-account trail takes effect are delivered. Events generated in the last 90 days are excluded. Later, ActionTrail will deliver the events generated in the last 90 days to you at one time.
    • If you select Delivery to Log Service, set the parameters as described in the following table.
      Parameter: Description
      Logstore Region: The region where the Log Service project resides.
      Project Name: The name of the Log Service project. The name must be unique to an Alibaba Cloud account in a region.
      • If you select New Log Service Project, ActionTrail will create a project with the name that you specify and create a Logstore in the project.

        For more information about how to create a project in Log Service, see Quick start.

      • If you select Existing Log Service Project, you must select an existing project in Log Service.
    • If you select Delivery to OSS, set the parameters as described in the following table.
      Parameter: Description
      Bucket Name: The name of the OSS bucket. The name must be unique to an Alibaba Cloud account in a region.
      • If you select New OSS Bucket, ActionTrail will create an OSS bucket with the name that you specify.

        For more information about how to create a bucket in OSS, see Create buckets.

      • If you select Existing OSS Bucket, you must select an existing bucket in OSS.
      Log File Prefix: The prefix of the name of the log file where the events are stored.
      Server Encryption: Specifies whether to encrypt objects in the OSS bucket. If you select New OSS Bucket, you must set this parameter.
      Valid values:
      • AES256
      • KMS
      • No
      Note: For more information about the server-side encryption feature of OSS, see Server-side encryption.
  6. In the Preview and Create step, confirm the trail information and click Submit.

Result

After a single-account trail is created, events are delivered to the specified OSS bucket or Log Service Logstore in the JSON format for query and analysis. You can view event logs stored in the OSS bucket or Log Service Logstore.

  • OSS bucket: You can analyze the event logs by using E-MapReduce or a third-party log analysis service.

    The OSS storage path is in the following format:

    oss://<bucket>/<Log file prefix>/AliyunLogs/Actiontrail/<region>/<YYYY>/<MM>/<DD>/<Log file>
  • Log Service Logstore: ActionTrail automatically creates a Logstore named actiontrail_<Single-account trail name> as well as the corresponding index and chart.

    For more information, see ActionTrail access logs.
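
The OSS storage path format above can be used to check that a trail is delivering for every region and day you expect. The following Python sketch is an added example, not part of the ActionTrail documentation or tooling: it parses object URIs against that format and reports region/day pairs with no delivered object, plus objects that do not fit the layout. The function names, the bucket and prefix, and the sample listing are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import date, timedelta

# Layout documented above:
# oss://<bucket>/<Log file prefix>/AliyunLogs/Actiontrail/<region>/<YYYY>/<MM>/<DD>/<Log file>
_PATH = re.compile(
    r"^oss://(?P<bucket>[^/]+)/(?P<prefix>.+?)/AliyunLogs/Actiontrail/"
    r"(?P<region>[^/]+)/(?P<y>\d{4})/(?P<m>\d{2})/(?P<d>\d{2})/(?P<file>[^/]+)$"
)

# Constructed sample listing; bucket, prefix and file names are placeholders.
SAMPLE = [
    "oss://example-audit/trail1/AliyunLogs/Actiontrail/cn-hangzhou/2024/03/01/sample-a.json",
    "oss://example-audit/trail1/AliyunLogs/Actiontrail/cn-hangzhou/2024/03/02/sample-b.json",
    "oss://example-audit/trail1/AliyunLogs/Actiontrail/cn-shanghai/2024/03/01/sample-c.json",
    "oss://example-audit/trail1/AliyunLogs/Actiontrail/cn-hangzhou/2024/13/01/sample-d.json",
    "oss://example-audit/trail1/other/readme.txt",
]

def parse_trail_path(uri):
    """Split a delivered-object URI into its documented parts, or return None."""
    m = _PATH.match(uri)
    if not m:
        return None
    try:
        day = date(int(m["y"]), int(m["m"]), int(m["d"]))
    except ValueError:  # matches the pattern but is not a calendar date
        return None
    return {"bucket": m["bucket"], "prefix": m["prefix"],
            "region": m["region"], "day": day, "file": m["file"]}

def delivery_gaps(uris, regions, start, end):
    """Return (missing, unexpected): (region, day) pairs in [start, end] with no
    delivered object, and URIs outside the trail's layout or expected regions."""
    seen = defaultdict(set)
    unexpected = []
    for uri in uris:
        p = parse_trail_path(uri)
        if p is None or p["region"] not in regions:
            unexpected.append(uri)
        else:
            seen[p["region"]].add(p["day"])
    days = [start + timedelta(n) for n in range((end - start).days + 1)]
    missing = [(r, d) for r in sorted(regions) for d in days if d not in seen[r]]
    return missing, unexpected
```

A missing pair only means no object was listed for that region and day; compare it with the events shown in the ActionTrail console before treating it as a delivery problem.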
