By default, ActionTrail allows you to query the events that were recorded within your Alibaba Cloud account in the last 90 days. However, you may also need to analyze the events that were recorded in the last 90 days or retain events for 180 days or longer for your enterprise. In this case, you must ship the events that are recorded in the ActionTrail console to a specified data analysis service, or continuously collect events from Alibaba Cloud and save them to a specified storage service. You can rely on ActionTrail trails to satisfy these requirements. This topic shows you how to deliver events to a specified destination in different scenarios by using a single-account trail.

Prerequisites

  • Object Storage Service (OSS) is activated. For more information, see Activate OSS.
  • Log Service is activated.

    If Log Service is not activated, log on to the Log Service console and follow the on-screen instructions to activate the service.

Scenarios

You can create a trail in the ActionTrail console to deliver events in various scenarios. If you do not create a trail, you cannot query the events that occurred 90 days ago. You can create a trail to deliver events in the following scenarios:

  • Scenario 1: Retain event logs for 180 days or longer

    By default, ActionTrail records only the events that were generated in the last 90 days. However, Multi-Level Protection Scheme (MLPS) 2.0 requires that events must be retained for 180 days or longer. In this case, you can create a trail to continuously collect events and deliver them to OSS or Log Service. By default, events are permanently stored after they are delivered to an OSS bucket or a Log Service Logstore. To retain events only for 180 days, modify the lifecycle rule of the OSS bucket or change the data retention period of the Log Service Logstore.

  • Scenario 2: Analyze sensitive operations and configure alert rules for the operations

    You may need to detect sensitive operations at the earliest opportunity, such as the operations that generate orders or delete resources. In this case, you can create a trail in the ActionTrail console to deliver related events to a specified Log Service Logstore. Then, you can configure alert rules for the events in the Log Service console.

  • Scenario 3: Analyze events by using MaxCompute

    If Log Service does not meet your analysis requirements, we recommend that you use MaxCompute to analyze events. MaxCompute provides a variety of classic distributed computing models to help you perform big data analysis with ease. You can create a trail to deliver events to a specified Log Service Logstore, and configure the Logstore to ship the events to a specified MaxCompute table for analysis.

  • Scenario 4: Analyze and permanently store events in a cost-effective manner

    Before you use OSS, Log Service, and MaxCompute together to achieve real-time analysis and permanent storage of event logs, you must understand the features and billing policies of these services. You are charged for the use of Log Service, MaxCompute, and OSS in descending order. We recommend that you process events in the following way: Create a trail to deliver events to a specified Log Service Logstore for analysis. Change the data retention period of the Logstore in the Log Service console to meet the time span requirements of real-time analysis. Then, configure the Logstore to periodically ship event logs to MaxCompute or OSS for permanent storage.

Scenario 1: Retain event logs for 180 days or longer

  1. Log on to the ActionTrail console.
  2. In the left-side navigation pane, click Trails.
  3. In the top navigation bar, select the region where you want to create a trail.
  4. On the Trails page, click Create Trail.
  5. In the Trail Basic Settings step, set the parameters and click Next. The following table describes the parameters.
    Parameter Description
    Trail Name The name of the trail that you want to create. The name must be unique within your Alibaba Cloud account.
    Applied Regions The one or more regions from which the trail delivers events. For this example, select All Regions.
    Event Type The type of the events that the trail delivers. For this example, select All.
  6. In the Event Delivery Settings step, specify one or more delivery destinations and click Next.
    • Select Delivery to Log Service and then select Delivery to Current Account.
      • New Log Service Project: If you select this option, select a region from the Logstore Region drop-down list and set the Project Name parameter.
      • Existing Log Service Project: If you select this option, select a region from the Logstore Region drop-down list and a project name from the Project Name drop-down list.
    • Select Delivery to OSS and then select Delivery to Current Account.
      • New OSS Bucket: If you select this option, set the Bucket Name, Log File Prefix, and Server Encryption parameters.
      • Existing OSS Bucket: If you select this option, select a bucket name from the Bucket Name drop-down list and set the Log File Prefix parameter.
  7. In the Preview and Create step, confirm the trail information and click Submit.
  8. Click View Details. On the details page of the trail, perform one of the following operations based on the storage service to view events:
    • OSS: Click the bucket name to go to the OSS console and view the events.
    • Log Service: Click the name of the Log Service project or Logstore to go to the Log Service console and view the events.

Scenario 2: Analyze sensitive operations and configure alert rules for the operations

  1. Log on to the ActionTrail console.
  2. In the left-side navigation pane, click Trails.
  3. In the top navigation bar, select the region where you want to create a trail.
  4. On the Trails page, click Create Trail.
  5. In the Trail Basic Settings step, set the parameters and click Next. The following table describes the parameters.
    Parameter Description
    Trail Name The name of the trail that you want to create. The name must be unique within your Alibaba Cloud account.
    Applied Regions The one or more regions from which the trail delivers events. For this example, select All Regions.
    Event Type The type of the events that the trail delivers. For this example, select Write.
    Note Sensitive operations are often write events. To save costs, you can select Write for the Event Type parameter to reduce the size of events to be delivered.
  6. In the Event Delivery Settings step, select Delivery to Log Service, select Delivery to Current Account, set the parameters, and then click Next.
    • New Log Service Project: If you select this option, select a region from the Logstore Region drop-down list and set the Project Name parameter.
    • Existing Log Service Project: If you select this option, select a region from the Logstore Region drop-down list and a project name from the Project Name drop-down list.
  7. In the Preview and Create step, confirm the trail information and click Submit.
  8. Click View Details. On the details page of the trail, click the name of the Log Service project or Logstore to go to the Log Service console and view the analysis results of the events.
  9. In the Log Service console, configure an alert rule.
    For more information, see Create an alert rule.

Scenario 3: Analyze events by using MaxCompute

  1. Log on to the ActionTrail console.
  2. In the left-side navigation pane, click Trails.
  3. In the top navigation bar, select the region where you want to create a trail.
  4. On the Trails page, click Create Trail.
  5. In the Trail Basic Settings step, set the parameters and click Next. The following table describes the parameters.
    Parameter Description
    Trail Name The name of the trail that you want to create. The name must be unique within your Alibaba Cloud account.
    Applied Regions The one or more regions from which the trail delivers events. For this example, select All Regions.
    Event Type The type of the events that the trail delivers. For this example, select All.
  6. In the Event Delivery Settings step, select Delivery to Log Service, select Delivery to Current Account, set the parameters, and then click Next.
    • New Log Service Project: If you select this option, select a region from the Logstore Region drop-down list and set the Project Name parameter.
    • Existing Log Service Project: If you select this option, select a region from the Logstore Region drop-down list and a project name from the Project Name drop-down list.
  7. In the Preview and Create step, confirm the trail information and click Submit.
  8. Click View Details. On the details page of the trail, click the name of the Log Service project or Logstore to go to the Log Service console and view the analysis results of the events.
  9. In the Log Service console, ship the events to a MaxCompute table.
    Note After the events are shipped to the MaxCompute table, you can analyze the events.

Scenario 4: Analyze and permanently store events in a cost-effective manner

If you select New Log Service Project in the Event Delivery Settings step when you create a trail in the ActionTrail console, a Log Service Logstore whose name is prefixed with actiontrail_<trail_name> is created. By default, events are permanently stored in the Logstore. However, it is not cost-effective to store events in Log Service. We recommend that you change the data retention period of the Logstore and configure the Logstore to periodically ship events to MaxCompute or OSS for permanent storage. For example, you can change the data retention period of the Logstore to 180 days.

  1. Create a trail in the ActionTrail console to deliver events to a specified Log Service Logstore.
    For more information about how to create a trail, see Create a single-account trail.
  2. Change the storage period of the events in the Log Service console.
    1. Log on to the Log Service console.
    2. On the Projects tab, click the name of the project that you specified when you created the trail.
    3. Click the 1 icon to the left of the specified Logstore and then click the 2 icon.
    4. On the Logstore Attributes tab, click Modify in the upper-right corner and turn off Permanent Storage.
    5. Change the value of the Data Retention Period parameter and click Save in the upper-right corner.
  3. Configure the Logstore to periodically ship events to MaxCompute or OSS.
    For more information, see Ship log data from Log Service to OSS.