ActionTrail monitors the operations within your Alibaba Cloud account and records the events that are generated in the last 90 days. However, you may also need to analyze the last 90 days of events that are recorded in the ActionTrail console or retain event logs for 180 days or longer for your enterprise. In this case, you must transfer the last 90 days of events that are recorded in the ActionTrail console to a specified data analysis service, or continuously collect events from Alibaba Cloud and save them to a specified storage service. You can rely on ActionTrail trails to satisfy these requirements. This topic shows you how to deliver events to a specified destination in different scenarios by using a single-account trail.

Prerequisites

  • Object Storage Service (OSS) is activated. For more information, see Activate OSS.
  • Log Service is activated.

    If Log Service is not activated, log on to the Log Service console and follow the on-screen instructions to activate the service.

Scenarios

You can create a trail in the ActionTrail console to deliver events in the following scenarios:

  • Scenario 1: Retain event logs for 180 days or longer

    By default, ActionTrail records only the events that are generated in the last 90 days. However, MLPS 2.0 requires that event logs must be retained for 180 days or longer. In this case, you can create a trail to continuously collect events and deliver them to OSS or Log Service. By default, event logs are permanently saved after events are delivered to an OSS bucket or a Log Service Logstore. To retain event logs only for 180 days, modify the lifecycle rule of the OSS bucket or change the data retention period of the Log Service Logstore.

  • Scenario 2: Analyze sensitive operations and configure alert rules for the operations

    You may need to detect sensitive operations at the earliest opportunity, such as the operations that generate orders or delete resources. In this case, you can create a trail in the ActionTrail console to deliver related events to a specified Log Service Logstore. Then, you can configure alert rules for the events in the Log Service console.

  • Scenario 3: Analyze event logs by using MaxCompute

    If Log Service does not meet your analysis requirements, we recommend that you use MaxCompute to analyze event logs. MaxCompute provides a variety of classic distributed computing models to help you perform big data analysis with ease. You can create a trail to deliver events to a specified Log Service Logstore, and configure the Logstore to ship the event logs to a specified MaxCompute table for analysis.

  • Scenario 4: Analyze and permanently store event logs in a cost-effective manner

    Before you use OSS, Log Service, and MaxCompute together to achieve real-time analysis and permanent storage of event logs, you must understand the features and billing policies of these services. You are charged for the use of Log Service, MaxCompute, and OSS in descending order. We recommend that you process events in the following way: Create a trail to deliver events to a specified Log Service Logstore for analysis. Change the data retention period of the Logstore in the Log Service console to meet the time span requirements of real-time analysis. Then, configure the Logstore to periodically ship event logs to MaxCompute or OSS for permanent storage.

Scenario 1: Retain event logs for 180 days or longer

  1. Log on to the ActionTrail console.
  2. In the top navigation bar, select the region where you want to create a trail.
  3. In the left-side navigation pane, choose ActionTrail > Create Trail.
  4. In the Trail Basic Settings step, set the parameters and click Next. The following table describes the parameters.
    Parameter Description
    Trail Name The name of the trail that you want to create. The name must be unique to an Alibaba Cloud account in a region.
    Applied Regions The one or more regions from which the trail delivers events. For this example, select All Regions for Target Regions.
    Event Type The type of events that the trail delivers. For this example, select All for Event Type.
  5. In the Event Delivery Settings step, select the delivery method and click Next.
    • Delivery to OSS
      • New OSS Bucket: If you select this option, set the Bucket Name, Log File Prefix, and Server Encryption parameters.
      • Existing OSS Bucket: If you select this option, select a bucket name from the Bucket Name drop-down list and set the Log File Prefix parameter.
    • Delivery to Log Service
      • New Log Service Project: If you select this option, select a region from the Logstore Region drop-down list and set the Project Name parameter.
      • Existing Log Service Project: If you select this option, select a region from the Logstore Region drop-down list and a project name from the Project Name drop-down list.
  6. In the Preview and Create step, confirm the trail information and click Submit.
  7. Click View Details. On the details page of the trail, perform one of the following operations based on the storage service to view event logs:
    • OSS: Click the bucket name to go to the OSS console and view the event logs.
    • Log Service: Click the name of the Log Service project or Logstore to go to the Log Service console and view the event logs.

Scenario 2: Analyze sensitive operations and configure alert rules for the operations

  1. Log on to the ActionTrail console.
  2. In the top navigation bar, select the region where you want to create a trail.
  3. In the left-side navigation pane, choose ActionTrail > Create Trail.
  4. In the Trail Basic Settings step, set the parameters and click Next. The following table describes the parameters.
    Parameter Description
    Trail Name The name of the trail that you want to create. The name must be unique to an Alibaba Cloud account in a region.
    Applied Regions The one or more regions from which the trail delivers events. For this example, select All Regions for Target Regions.
    Event Type The type of events that the trail delivers. For this example, select Write for Event Type.
    Note Sensitive operations are often write events. To save costs, you can select Write for Event Type to reduce the size of events to be delivered.
  5. In the Event Delivery Settings step, select Delivery to Log Service, set the parameters, and then click Next.
    • New Log Service Project: If you select this option, select a region from the Logstore Region drop-down list and set the Project Name parameter.
    • Existing Log Service Project: If you select this option, select a region from the Logstore Region drop-down list and a project name from the Project Name drop-down list.
  6. In the Preview and Create step, confirm the trail information and click Submit.
  7. Click View Details. On the details page of the trail, click the name of the Log Service project or Logstore to go to the Log Service console and view the analysis results of the event logs.
  8. In the Log Service console, configure an alert rule.
    For more information, see Create an alert rule.

Scenario 3: Analyze event logs by using MaxCompute

  1. Log on to the ActionTrail console.
  2. In the top navigation bar, select the region where you want to create a trail.
  3. In the left-side navigation pane, choose ActionTrail > Create Trail.
  4. In the Trail Basic Settings step, set the parameters and click Next. The following table describes the parameters.
    Parameter Description
    Trail Name The name of the trail that you want to create. The name must be unique to an Alibaba Cloud account in a region.
    Applied Regions The one or more regions from which the trail delivers events. For this example, select All Regions for Target Regions.
    Event Type The type of events that the trail delivers. For this example, select All for Event Type.
  5. In the Event Delivery Settings step, select Delivery to Log Service, set the parameters, and then click Next.
    • New Log Service Project: If you select this option, select a region from the Logstore Region drop-down list and set the Project Name parameter.
    • Existing Log Service Project: If you select this option, select a region from the Logstore Region drop-down list and a project name from the Project Name drop-down list.
  6. In the Preview and Create step, confirm the trail information and click Submit.
  7. Click View Details. On the details page of the trail, click the name of the Log Service project or Logstore to go to the Log Service console and view the analysis results of the event logs.
  8. In the Log Service console, ship the event logs to a MaxCompute table.
    Note After the event logs are shipped to the MaxCompute table, you can analyze the event logs.

Scenario 4: Analyze and permanently store event logs in a cost-effective manner

If you select New Log Service Project in the Event Delivery Settings step when you create a trail in the ActionTrail console, a Log Service Logstore whose name is prefixed with actiontrail_{trail_name} is created. By default, event logs are permanently stored in the Logstore. However, it is not cost-effective to store event logs in Log Service. We recommend that you change the data retention period of the Logstore and configure the Logstore to periodically ship event logs to MaxCompute or OSS for permanent storage. For example, you can change the data retention period of the Logstore to 180 days.

  1. Create a trail in the ActionTrail console to deliver events to a specified Log Service Logstore.
    For more information about how to create a trail, see Create a single-account trail.
  2. Change the storage period of the event logs in the Log Service console.
    1. Log on to the Log Service console.
    2. In the Projects section, click the name of the project that you specified when you created the trail.
    3. Click the 1 icon to the left of the specified Logstore and then click the 2 icon.
    4. On the Logstore Attributes tab, click Modify in the upper-right corner and turn off Permanent Storage.
    5. Change the value of the Data Retention Period parameter and click Save in the upper-right corner.
      time
  3. Configure the Logstore to periodically ship event logs to MaxCompute or OSS.
    For more information, see Ship log data from Log Service to OSS.