ActionTrail: Single-account trail overview

Last Updated: Mar 01, 2024

By default, ActionTrail records only events that are generated in the last 90 days for each Alibaba Cloud account. To meet long-term storage and compliance backtracking requirements, you can create a trail that delivers subsequent events to Simple Log Service or Object Storage Service (OSS). You can then view and analyze the details of events that were generated more than 90 days ago. This topic describes how a single-account trail works and the scenarios to which a single-account trail applies.

How a single-account trail works

After you create a single-account trail, the trail delivers events to an OSS bucket or a Simple Log Service Logstore. Events are stored in the JSON format. This facilitates subsequent query, analysis, or long-term storage of events. When you select a storage service for events, take note of the following rules:

  • If you want to query or analyze events, you can select Simple Log Service. When an event is generated, ActionTrail delivers the event to the specified Simple Log Service Logstore within 1 minute.

  • If you want to store or archive events for a long period of time, you can select OSS. When an event is generated, ActionTrail delivers the event to the specified OSS bucket within 10 minutes.

    ActionTrail aggregates events based on specific rules before it delivers them to the specified OSS bucket. In most cases, the events generated within each 5-minute period are aggregated into one file. If a large number of events are generated in a 5-minute period, the events may be aggregated into multiple files.

The following figure shows how a single-account trail works.

[Figure: how a single-account trail works]

Scenarios

You can create multiple single-account trails to perform the following tasks:

  • Deliver events to different storage destinations based on event types. Then, you can grant users the permissions to audit the events in specific storage destinations.

  • Deliver events to storage destinations that are deployed in different regions. Then, you can check whether the audit data is compliant with related regulations in multiple regions.

  • Generate multiple replicas for an event to prevent data from being lost.

Note

We recommend that you do not specify the same event delivery destination for different single-account trails. Otherwise, events may be repeatedly delivered, which wastes storage space.
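The delivery windows described above (1 minute for Simple Log Service, 10 minutes for OSS) and the duplicate-delivery note can both be checked against delivered data. The following Python example is added here and is not Alibaba Cloud's code. The `eventId` and `eventTime` field names, the one-JSON-array-per-object layout, and the object keys are assumptions, and the sample data is constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Delivery bounds stated on this page for each storage destination.
MAX_LAG = {"sls": timedelta(minutes=1), "oss": timedelta(minutes=10)}

# Constructed sample: (object key, delivery time, JSON body) per delivered file.
# Assumed layout: one JSON array of events per object, with eventId/eventTime.
SAMPLE_OBJECTS = [
    ("trail-a/0001.json", "2024-03-01T08:06:30Z",
     '[{"eventId":"e-1","eventTime":"2024-03-01T08:01:10Z"},'
     ' {"eventId":"e-2","eventTime":"2024-03-01T08:04:55Z"}]'),
    ("trail-b/0001.json", "2024-03-01T08:07:00Z",
     '[{"eventId":"e-2","eventTime":"2024-03-01T08:04:55Z"}]'),
    ("trail-a/0002.json", "2024-03-01T08:40:00Z",
     '[{"eventId":"e-3","eventTime":"2024-03-01T08:12:00Z"}]'),
]


def _ts(value):
    """Parse a UTC timestamp of the form 2024-03-01T08:01:10Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def audit_delivery(objects, destination="oss"):
    """Return (duplicates, late) for the files in one storage destination.

    duplicates: eventId -> object keys, for events delivered more than once
                (expected when two trails share a destination).
    late:       (eventId, key, lag in seconds) for events delivered outside
                the documented window, which points to a delivery problem.
    """
    seen = defaultdict(list)
    late = []
    for key, delivered_at, body in objects:
        for event in json.loads(body):
            seen[event["eventId"]].append(key)
            lag = _ts(delivered_at) - _ts(event["eventTime"])
            if lag > MAX_LAG[destination]:
                late.append((event["eventId"], key, int(lag.total_seconds())))
    duplicates = {eid: keys for eid, keys in seen.items() if len(keys) > 1}
    return duplicates, late


if __name__ == "__main__":
    dups, late = audit_delivery(SAMPLE_OBJECTS)
    print("delivered more than once:", dups)
    print("outside delivery window:", late)
```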