A single-account trail can continuously deliver events to the specified Object Storage Service (OSS) bucket or Log Service Logstore for analysis. By default, ActionTrail records the events that occurred within your Alibaba Cloud account in the last 90 days. You can query these events in the ActionTrail console. To query the events that occurred 90 days ago, you must create a trail first to record these events. This topic describes how to create a single-account trail in the ActionTrail console.

Procedure

  1. Log on to the ActionTrail console.
  2. In the top navigation bar, select the region where you want to create a single-account trail.
    Note The region that you select becomes the home region of the trail that you want to create.
  3. In the left-side navigation pane, click Trails.
  4. On the Trails page, click Create Trail.
  5. In the Trail Basic Settings step, set the parameters and click Next. The following table describes the parameters.
    Parameter Description
    Trail Name: The name of the trail that you want to create. The name must be unique within your Alibaba Cloud account. The name is also used for the Log Service Logstore that stores the delivered events.
    Applied Regions: The one or more regions from which the trail delivers events. Valid values:
    • All Regions: The trail delivers events from all regions to the specified delivery destination. Industry compliance regulations require that events from all regions be recorded. We recommend that you select All Regions.
    • Selected Regions: The trail delivers events only from the one or more regions that you select from the Regions drop-down list to the specified delivery destination.
    Note The home region is the region in which you create the trail. An applied region is a region whose events the trail delivers. If you want to deliver events only from specific regions, we recommend that you choose one of those regions as the home region.
    Event Type: The type of the events to be delivered. Valid values:
    • All: all read and write events. Auditing regulations and standards require that all events be recorded. We recommend that you select All.
    • Write: events that add, delete, or modify cloud resources. For example, a CreateInstance event is generated when a subscription or pay-as-you-go ECS instance is created. Select Write only if you export events for analysis and care only about the events that change cloud resources.
    • Read: events that read information about cloud resources but do not add, delete, or modify them. For example, a DescribeInstances event is generated when the details of one or more ECS instances are queried. Read events are usually far more numerous than write events and occupy a large amount of storage space. However, auditing regulations and standards require that all events be recorded, so we recommend that you configure the trail to deliver both read and write events. This helps you track the use of your AccessKey pairs and the access to your resources.
  6. In the Event Delivery Settings step, select the delivery method and click Next.
    You can create a trail to deliver events to Log Service, OSS, or both. For more information about how to select a storage service, see Deliver events to specified Alibaba Cloud services.
    Note Only the events that are generated after the single-account trail takes effect are delivered. The events that were generated in the 90 days before that are not included. If you also need those events, you can create a historical event delivery task to deliver the events of the last 90 days to the storage destination of the trail in one batch. For more information, see Create a historical event delivery task.
    • Select Delivery to Log Service
      • If you select Delivery to Current Account, set the parameters that are described in the following table.
        Parameter Description
        Logstore Region: The region where the Log Service project resides.
        Project Name: The name of the Log Service project. The name must be unique to an Alibaba Cloud account in a region.
        • If you select New Log Service Project, ActionTrail creates a project with the name that you specify and creates a Logstore in the project.
        • If you select Existing Log Service Project, you must select an existing project in Log Service.

          For more information about how to create a project in Log Service, see Quick start.

      • If you select Delivery to Another Account, set the Log Service Project ARN and RAM Role ARN of Destination Account parameters.

        To deliver events to another account, you must create a RAM role by using the destination account, grant ActionTrail the permissions to deliver events to the destination account, and create a Log Service project before you create the trail. For more information, see Aggregate events across Alibaba Cloud accounts.

    • Select Delivery to OSS
      • If you select Delivery to Current Account, set the parameters that are described in the following table.
        Parameter Description
        Bucket Name: The name of the OSS bucket. The name must be unique to an Alibaba Cloud account in a region.
        • If you select New OSS Bucket, ActionTrail creates an OSS bucket with the name that you specify.
        • If you select Existing OSS Bucket, you must select an existing bucket in OSS.

          For more information about how to create a bucket in OSS, see Create buckets.

        Log File Prefix: The prefix of the name of the log file where the events are stored. This helps you find the events in subsequent operations.
        Server Encryption: Specifies whether to encrypt objects in the OSS bucket. If you select New OSS Bucket, you must set this parameter. Valid values:
        • Fully Managed by OSS
        • KMS
        • No
        Note For more information about the server-side encryption feature of OSS, see Server-side encryption.
      • If you select Delivery to Another Account, set the RAM Role ARN of OSS Bucket, Bucket Name, and Log File Prefix parameters.

        To deliver events to another account, you must create a RAM role by using the destination account, grant ActionTrail the permissions to deliver events to the destination account, and create an OSS bucket before you create the trail. For more information, see Aggregate events across Alibaba Cloud accounts.

  7. In the Preview and Create step, confirm the trail information and click Submit.

Result

After you create a single-account trail, the trail delivers events in JSON format to the OSS bucket or Log Service Logstore that you specified for query and analysis. You can view the events that are stored in the OSS bucket or Log Service Logstore.

  • Log Service Logstore: ActionTrail automatically creates a Logstore named actiontrail_<Single-account trail name> together with the indexes and charts for the events. On the Trails page, find the trail and click Log Analysis in the Log Service column to analyze the events, or click Log Reports to view the distribution charts of the events.

    For more information, see ActionTrail access logs.

  • OSS bucket: You can analyze the events by using E-MapReduce or a third-party log analysis service.

    You can find the trail on the Trails page, click the name of the OSS bucket in the OSS Bucket column, and then click Files to view the event logs. The OSS storage path is in the following format:

    oss://<bucket>/<Log file prefix>/AliyunLogs/Actiontrail/<region>/<YYYY>/<MM>/<DD>/<Log file>
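As an added example that is not part of this topic, the following Python script parses object paths in the storage format shown above and reports, per region, the days in a date range for which no log file was delivered, which is a quick way to verify that a trail is still delivering. The bucket name, log file prefix, and object listing are constructed sample values.

```python
import re
from collections import defaultdict
from datetime import date, timedelta

# Regex for the documented ActionTrail object path:
# oss://<bucket>/<Log file prefix>/AliyunLogs/Actiontrail/<region>/<YYYY>/<MM>/<DD>/<Log file>
# The prefix is optional and may itself contain slashes, so it is matched lazily.
PATH_RE = re.compile(
    r"^oss://(?P<bucket>[^/]+)/(?:(?P<prefix>.+?)/)?AliyunLogs/Actiontrail/"
    r"(?P<region>[^/]+)/(?P<y>\d{4})/(?P<m>\d{2})/(?P<d>\d{2})/(?P<file>[^/]+)$"
)

def parse_path(path):
    """Split one object path into (bucket, prefix, region, day, file); None if it does not match."""
    m = PATH_RE.match(path)
    if m is None:
        return None
    day = date(int(m["y"]), int(m["m"]), int(m["d"]))
    return m["bucket"], m["prefix"] or "", m["region"], day, m["file"]

def day_prefix(bucket, prefix, region, day):
    """Build the path under which ActionTrail stores one region's log files for one day."""
    base = f"oss://{bucket}/{prefix}/" if prefix else f"oss://{bucket}/"
    return f"{base}AliyunLogs/Actiontrail/{region}/{day:%Y/%m/%d}/"

def missing_days(paths, start, end):
    """For each region seen in paths, list the days in [start, end] with no delivered log file."""
    seen = defaultdict(set)
    for p in paths:
        parsed = parse_path(p)
        if parsed is not None:
            seen[parsed[2]].add(parsed[3])
    days = [start + timedelta(i) for i in range((end - start).days + 1)]
    return {r: [d for d in days if d not in seen[r]] for r in sorted(seen)}

# Constructed sample object listing (not real bucket contents): cn-hangzhou has no
# file for 2024-03-02, and one unrelated object also sits in the bucket.
SAMPLE_PATHS = [
    "oss://audit-bucket/prod/AliyunLogs/Actiontrail/cn-hangzhou/2024/03/01/a.json.gz",
    "oss://audit-bucket/prod/AliyunLogs/Actiontrail/cn-hangzhou/2024/03/03/b.json.gz",
    "oss://audit-bucket/prod/AliyunLogs/Actiontrail/cn-shanghai/2024/03/01/c.json.gz",
    "oss://audit-bucket/prod/AliyunLogs/Actiontrail/cn-shanghai/2024/03/02/d.json.gz",
    "oss://audit-bucket/prod/AliyunLogs/Actiontrail/cn-shanghai/2024/03/03/e.json.gz",
    "oss://audit-bucket/prod/other/readme.txt",
]
SAMPLE_START, SAMPLE_END = date(2024, 3, 1), date(2024, 3, 3)
```

Calling missing_days(SAMPLE_PATHS, SAMPLE_START, SAMPLE_END) on the sample listing flags 2024-03-02 for cn-hangzhou and nothing for cn-shanghai; with a real listing, feed it the object paths returned by an OSS list operation on the bucket.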