This topic describes how to create a multi-account trail in the ActionTrail console. A multi-account trail can deliver the operations logs of all member accounts in a resource directory to the specified Object Storage Service (OSS) bucket or Log Service Logstore.

Prerequisites

The resource directory feature is enabled. For more information, see Enable a resource directory.

  1. Log on to the ActionTrail console by using the master account.
  2. In the top navigation bar, select the region where you want to create a multi-account trail.
    Note The region that you select becomes the home region of the trail to be created.
  3. In the left-side navigation pane, choose ActionTrail > Trails.
  4. Click Create Trail. On the page that appears, enter a name in the Trail Name field.
  5. Set Apply Trail to All Regions to Yes or No as needed.
    • If you select Yes, the multi-account trail records events from all regions.
      Note We recommend that you select Yes unless you have a specific reason not to. A single-region trail does not record events that occur in other regions, so activity outside the selected region would be missed.
    • If you select No, select a target region from the Region drop-down list.
  6. Set Event Type to Write, Read, or All.
    • Write: events that change, or can affect the running of, cloud resources. These are the events that matter most for auditing and require special attention.
    • Read: events that do not change cloud resources. These events are typically far more numerous and occupy a large amount of storage space.
    • All: all events related to resource behaviors.
  7. Set Apply Trail to All Member Accounts to Yes or No as required.
    Note
    • This parameter cannot be modified after the trail is created. If you want to change the value of Apply Trail to All Member Accounts, delete the multi-account trail and create a new one.
    • After a multi-account trail is created, you can view its scope in the Effective Scope column on the Trails page. This value reflects the value of the Apply Trail to All Member Accounts parameter.
      • If you set Apply Trail to All Member Accounts to Yes, RD-Root is displayed in the Effective Scope column.
      • If you set Apply Trail to All Member Accounts to No, Current Account is displayed in the Effective Scope column.
    • If you select Yes, the created multi-account trail will take effect for the entire resource directory. The operations logs of all member accounts in the resource directory will be delivered to the specified OSS bucket or Log Service Logstore.
    • If you select No, only the operations logs of the master account will be delivered to the specified OSS bucket or Log Service Logstore.
  8. Turn on the Enable Logging switch.
    Note After the switch is turned on, you must select at least one destination to which events are delivered.
  9. Set Deliver Events To to OSS bucket or SLS Logstore.
    Note Currently, only events generated after the multi-account trail takes effect are delivered. Events from the preceding 90 days that ActionTrail already holds are not backfilled to the destination. ActionTrail plans to deliver the events of the preceding 90 days in one batch in a future release.
    • OSS bucket: If you select this option, events will be delivered to an existing OSS bucket that you specify or a newly created OSS bucket.
      • If you set Create OSS Bucket to Yes, enter the bucket name and log file prefix in the OSS Bucket and Log File Prefix fields respectively.

        Then, set Server Encryption. Supported encryption methods for the events to be delivered include AES256 and KMS. For more information about the server-side encryption feature of OSS, see Server-side encryption.

      • If you set Create OSS Bucket to No, select an OSS bucket from the OSS Bucket drop-down list.

        In this case, encryption is configured on the bucket itself rather than on the trail. Go to the OSS console and enable server-side encryption for the bucket so that the delivered events are encrypted at rest. For more information, see Configure server-side encryption.

    • SLS Logstore: If you select this option, events will be delivered to an existing Log Service project that you specify or a newly created Log Service project.
      • If you set Create Log Service Project to Yes, select a region from the Log Service Region drop-down list, and then enter a project name in the Log Service Project field.
      • If you set Create Log Service Project to No, select the region and project from the Log Service Region and Log Service Project drop-down lists respectively.
  10. Click Confirm.

Results

After a multi-account trail is created, operations logs are stored in the specified OSS bucket or Log Service Logstore in the JSON format. You can view the operations logs stored in the OSS bucket or Log Service Logstore by using the master account.

Note With the master account, you can view the operations logs of the member accounts in the resource directory only in the OSS console or the Log Service console. You cannot query these logs on the History Search page of the ActionTrail console or by calling the LookupEvents operation.
  • OSS bucket: Global events generated by member accounts are written to the storage path of the home region of the trail, together with the events that occur in that region. Non-global events generated for resources in other regions are written to the storage path of the region in which they occurred. You can analyze the logs by using E-MapReduce or a third-party log analysis service.

    The OSS storage path is in the following format:

    oss://<bucket>/<Log file prefix>/AliyunLogs/Actiontrail/<rd_id>/<accountid>/<regionid>/<yyyy>/<mm>/<dd>/<Log file>
  • Log Service Logstore: ActionTrail automatically creates a Logstore named actiontrail_<Trail name>, together with the corresponding index and charts.

    For more information, see ActionTrail access logs.

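The per-account, per-region path layout above makes it straightforward to verify that every member account is actually delivering logs, which is the practical check for the event omission mentioned earlier. The following Python script is an added example, not part of the original page or of ActionTrail's own tooling: it parses object keys in the documented layout and reports, for a given day, which member accounts and regions produced log files, and which expected accounts produced none. The bucket name my-bucket, the log file prefix audit, the resource directory ID rd-example, the account IDs and the log file names are all constructed for the example; real IDs and file names will differ. The keys would normally come from listing the bucket with the OSS SDK.

```python
"""Check which member accounts and regions delivered ActionTrail logs on a given day.

Object keys follow the layout documented for a multi-account trail:
  <Log file prefix>/AliyunLogs/Actiontrail/<rd_id>/<accountid>/<regionid>/yyyy/mm/dd/<Log file>
optionally preceded by oss://<bucket>/ when written as a full OSS path.
"""
import re
from collections import defaultdict
from datetime import date

KEY_RE = re.compile(
    r"^(?:oss://(?P<bucket>[^/]+)/)?"          # optional oss://<bucket>/ prefix
    r"(?:(?P<prefix>.+?)/)?"                   # optional log file prefix
    r"AliyunLogs/Actiontrail/"
    r"(?P<rd_id>[^/]+)/(?P<account_id>\d+)/(?P<region_id>[^/]+)/"
    r"(?P<year>\d{4})/(?P<month>\d{2})/(?P<day>\d{2})/(?P<file>[^/]+)$"
)

# Constructed sample keys (hypothetical prefix, rd_id, account IDs and file names).
SAMPLE_KEYS = [
    "audit/AliyunLogs/Actiontrail/rd-example/1111/cn-hangzhou/2021/03/15/log-0001.json",
    "audit/AliyunLogs/Actiontrail/rd-example/1111/cn-shanghai/2021/03/15/log-0002.json",
    "audit/AliyunLogs/Actiontrail/rd-example/2222/cn-hangzhou/2021/03/15/log-0001.json",
    "audit/AliyunLogs/Actiontrail/rd-example/3333/cn-hangzhou/2021/03/14/log-0001.json",
    "audit/other/not-a-trail-object.txt",  # unrelated object in the same bucket
]
SAMPLE_DAY = date(2021, 3, 15)


def parse_key(key):
    """Split one object key into its path components, or return None if it is not a trail log."""
    m = KEY_RE.match(key)
    if not m:
        return None
    d = m.groupdict()
    return {
        "bucket": d["bucket"],
        "prefix": d["prefix"],
        "rd_id": d["rd_id"],
        "account_id": d["account_id"],
        "region_id": d["region_id"],
        "date": date(int(d["year"]), int(d["month"]), int(d["day"])),
        "file": d["file"],
    }


def coverage(keys, day):
    """Return {account_id: {region_id, ...}} for log files dated `day`.

    Keys that do not match the trail layout are ignored rather than raising,
    because a bucket used for trail delivery may also hold other objects.
    """
    cov = defaultdict(set)
    for key in keys:
        parsed = parse_key(key)
        if parsed and parsed["date"] == day:
            cov[parsed["account_id"]].add(parsed["region_id"])
    return dict(cov)


def missing_accounts(keys, day, expected_accounts):
    """Expected member accounts with no log file on `day`.

    Silence can mean the account had no activity, but for an account that is
    normally active it is the gap to investigate (trail scope, delivery failure,
    or the account having been removed from the resource directory).
    """
    return sorted(set(expected_accounts) - set(coverage(keys, day)))


if __name__ == "__main__":
    expected = ["1111", "2222", "3333", "4444"]
    for account, regions in sorted(coverage(SAMPLE_KEYS, SAMPLE_DAY).items()):
        print(f"{SAMPLE_DAY} account {account}: regions {sorted(regions)}")
    print("no logs on", SAMPLE_DAY, "from:", missing_accounts(SAMPLE_KEYS, SAMPLE_DAY, expected))
```

Run against a real bucket, feed it the keys returned by listing the bucket under the trail's log file prefix and the list of member accounts from the resource directory. An account that appears on earlier days but not on the day being checked, as account 3333 does in the sample, is the case worth alerting on.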