ActionTrail helps you monitor the operations within your Alibaba Cloud account and records the event logs that are generated in the last 90 days. If you want to query and analyze event logs that are generated more than 90 days ago, you can create a trail in the ActionTrail console and deliver the event logs to Log Service. This topic describes how to query and analyze event logs in the Log Service console in different scenarios.

Prerequisites

A trail is created to deliver event logs to Log Service. For more information, see Create a single-account trail and Create a multi-account trail.

Scenario 1: Analyze whether your AccessKey pair has been disclosed

Your enterprise detects an unauthorized use of your AccessKey pair by an external IP address. You want to know whether the AccessKey pair has been disclosed. In this case, you can create a trail in the ActionTrail console to deliver the event logs to Log Service. Then, you can analyze and trace the use of the AccessKey pair in the Log Service console.

You can obtain the IP address from which the unauthorized access request is sent. If the IP address is not in the city where your enterprise resides, the AccessKey pair has been disclosed.

  1. Log on to the Log Service console.
  2. In the Projects section, click the name of the project that you specified when you created the trail.
  3. Click the name of the Logstore that you want to manage. On the page that appears, click 15 Minutes(Relative) to specify a time range for the query.
  4. Enter the following code in the search box:
    __topic__: actiontrail_audit_event and event.userIdentity.accessKeyId:<YourAccessKeyId> | SELECT count(1) as pv, city FROM (SELECT "event.sourceIpAddress" AS ip, ip_to_city("event.sourceIpAddress") as city FROM log) WHERE ip_to_domain(ip) != 'intranet' GROUP BY city ORDER BY pv DESC
    Note
    • Replace <YourAccessKeyId> with your AccessKey ID.
    • The preceding query statement returns the cities (resolved from the source IP addresses, excluding intranet addresses) from which the AccessKey pair was used, together with the number of requests sent from each city. If a city is not the city where your enterprise resides, the AccessKey pair has been disclosed.
  5. Click Search & Analyze to view the query results.
  6. Optional: If the AccessKey pair has been disclosed, revoke the permissions to use the AccessKey pair from the relevant RAM user.
    For more information, see Remove permissions from a RAM user.
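
As an added example (not from the ActionTrail documentation), the following Python script applies the same filter offline to a constructed batch of exported ActionTrail events: it keeps only calls made with a given AccessKey ID, drops intranet source addresses, and counts calls per external source IP. The event fields, the AccessKey IDs and the intranet ranges are assumptions; the console query groups by city through ip_to_city, which needs a GeoIP lookup this script does not have, so it groups by source IP instead.

```python
import ipaddress
from collections import Counter

# Constructed sample of ActionTrail audit events (not real data); only the
# fields the Scenario 1 query reads are included.
SAMPLE_EVENTS = [
    {"eventName": "DescribeInstances", "sourceIpAddress": "10.0.3.7",
     "userIdentity": {"accessKeyId": "LTAI_EXAMPLE_KEY"}},
    {"eventName": "DescribeInstances", "sourceIpAddress": "203.0.113.25",
     "userIdentity": {"accessKeyId": "LTAI_EXAMPLE_KEY"}},
    {"eventName": "ListBuckets", "sourceIpAddress": "203.0.113.25",
     "userIdentity": {"accessKeyId": "LTAI_EXAMPLE_KEY"}},
    {"eventName": "CreateInstance", "sourceIpAddress": "198.51.100.9",
     "userIdentity": {"accessKeyId": "LTAI_EXAMPLE_KEY"}},
    {"eventName": "DescribeRegions", "sourceIpAddress": "203.0.113.25",
     "userIdentity": {"accessKeyId": "LTAI_OTHER_KEY"}},
]

# Assumed equivalent of ip_to_domain(ip) = 'intranet': RFC 1918 ranges plus
# loopback and link-local addresses.
INTRANET_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

def is_intranet(ip: str) -> bool:
    """True when the source address falls inside one of the intranet ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparsable source string is treated as external
    return any(addr in net for net in INTRANET_NETS)

def external_sources(events, access_key_id):
    """Calls made with one AccessKey ID, counted per external source IP and
    sorted by count descending (the console query groups by ip_to_city instead)."""
    counts = Counter(
        e["sourceIpAddress"]
        for e in events
        if e.get("userIdentity", {}).get("accessKeyId") == access_key_id
        and not is_intranet(e["sourceIpAddress"])
    )
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for ip, pv in external_sources(SAMPLE_EVENTS, "LTAI_EXAMPLE_KEY"):
        print(f"{pv:>4}  {ip}")
```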

Scenario 2: Trace the deletion of your ECS instances

Your enterprise wants to trace high-risk operations that are performed on Alibaba Cloud resources, such as the deletion of your Elastic Compute Service (ECS) instances. In this case, you can create a trail in the ActionTrail console to deliver the event logs to Log Service. Then, you can obtain the information about the user who deleted your ECS instances.

  1. Log on to the Log Service console.
  2. In the Projects section, click the name of the project that you specified when you created the trail.
  3. Click the name of the Logstore that you want to manage. On the page that appears, click 15 Minutes(Relative) to specify a time range for the query.
  4. Enter the following code in the search box:
    __topic__: actiontrail_audit_event | SELECT serviceName, eventName, userName, count(1) as pv FROM (SELECT "event.eventName" as eventName, "event.serviceName" as serviceName, "event.userIdentity.userName" as userName FROM log) WHERE (serviceName = '<TargetServiceName>' and eventName = '<TargetEventName>') GROUP BY serviceName, eventName, userName
    Note Replace <TargetServiceName> with ECS and <TargetEventName> with DeleteInstances to query the user who deleted the ECS instances.
  5. Click Search & Analyze to view the query results.

    The preceding query statement returns the information about the user who deleted the ECS instances and the number of delete operations. After you obtain the information about the unauthorized delete operations, you can use the following code to query the operation details for troubleshooting:

    __topic__: actiontrail_audit_event and event.serviceName:<TargetServiceName> and <TargetResourceId> and event.userIdentity.accessKeyId:<YourAccessKeyId>

Scenario 3: Generate data reports for your cloud resources

As your enterprise rapidly develops cloud-based business, your enterprise requires comprehensive data reports on the frequency of the use of core cloud resources. Your enterprise can use the reports to estimate the amount of resources to be purchased and prevent potential risks.

For example, your enterprise requires a data report on the ECS instances that you created in the last six months to analyze the year-over-year and month-over-month increase of ECS instances. Then, your enterprise can estimate the number of ECS instances to be purchased in the next six months. This data report helps your enterprise control costs.

  1. Log on to the Log Service console.
  2. In the Projects section, click the name of the project that you specified when you created the trail.
  3. Click the name of the Logstore that you want to manage. On the page that appears, click 15 Minutes(Relative) to specify a time range for the query.
  4. Enter the following code in the search box:
    __topic__: actiontrail_audit_event and event.serviceName:<TargetServiceName> and event.eventName:<TargetEventName> | select t, diff[1] as current, diff[2] as last_month, diff[3] as percentage from (select t, compare(pv, 2592000) as diff from (select count(1) as pv, date_format(from_unixtime(__time__), '%m') as t from log group by t) group by t order by t)
    Note Replace <TargetServiceName> with ECS and <TargetEventName> with CreateInstance to query the number of times that ECS instances are created each month and the month-over-month increase.
  5. Click Search & Analyze to view the query results.
  6. Click the line chart icon to view the results on a line chart.

You can also use this method to generate data reports for specific high-risk operations. Then, you can analyze the patterns of these operations and the points in time at which the operations occur the most and least. This method helps you plan cloud resources and improve resource utilization.

Scenario 4: Create alert rules for your cloud services

Your enterprise wants alerts to be triggered when the number of access requests to an Alibaba Cloud resource in one day exceeds the average number of access requests in the last 60 days by a specified proportion. In this case, you can create alert rules by using the Dashboard module in the Log Service console to monitor the status of each cloud service in real time. You can also add custom charts to the Dashboard module for real-time monitoring. For more information, see Add an analysis chart to a dashboard.

  1. Log on to the Log Service console.
  2. In the Projects section, click the name of the project that you specified when you created the trail.
  3. Query the average number of access requests that are sent to each Alibaba Cloud service in the last 60 days and the number of access requests in the current day.
    1. Click the name of the Logstore that you want to manage. On the page that appears, click 15 Minutes(Relative) and set the time range for the query to 60 days.
    2. Enter the following code in the search box:
      __topic__: actiontrail_audit_event |select a.serviceName, a.avg_pv, b.today_pv from (select serviceName, avg(pv) as avg_pv from (select "event.serviceName" as serviceName, count(1) as pv, date_format(from_unixtime(__time__), '%m-%d') as day from log group by serviceName, day) group by serviceName) a join (select "event.serviceName" as serviceName, count(1) as today_pv from log where date_format(from_unixtime(__time__), '%Y-%m-%d')=current_date group by serviceName) b on a.serviceName = b.serviceName
    3. Click Search & Analyze to view the query results.
    4. Click the line chart icon to view the results on a line chart.
      Note You can add filter conditions to exclude Alibaba Cloud services or events that you do not want to view.
  4. Create an alert rule.
    1. Click Save as Alert in the upper-right corner.
    2. In the Create Alert panel, set the parameters as required. For more information, see Create an alert rule.
    3. Configure the conditions that trigger alerts.
      $0.today_pv > $0.avg_pv && ($0.today_pv - $0.avg_pv)/$0.avg_pv > 0.5
      $0 refers to the chart that is queried by using the code in Step 3. $0.today_pv indicates the number of access requests to each Alibaba Cloud service in the current day, and $0.avg_pv indicates the average number of access requests to each Alibaba Cloud service in the last 60 days. Both numbers are raw data in that line chart.
    4. Click OK.
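
As an added example that is not part of the original topic, the following Python code evaluates the same baseline and alert condition offline over a constructed set of events (the timestamps and service names are made up): it computes each service's average daily call count over the query window, compares it with the current day, and fires where the increase exceeds 50 percent, keeping the query's inner-join behaviour so that a service with no calls today is not evaluated at all.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta, timezone

# Constructed sample: (unix __time__, event.serviceName). Not real ActionTrail data.
TODAY = date(2024, 3, 15)

def _ts(day: date) -> int:
    return int(datetime(day.year, day.month, day.day, 12, tzinfo=timezone.utc).timestamp())

SAMPLE_EVENTS = (
    # Ecs: 2 calls/day on the previous 5 days, 5 calls today -> should alert
    [(_ts(TODAY - timedelta(days=d)), "Ecs") for d in range(1, 6) for _ in range(2)]
    + [(_ts(TODAY), "Ecs") for _ in range(5)]
    # Oss: 4 calls/day on the previous 3 days, 5 calls today -> below threshold
    + [(_ts(TODAY - timedelta(days=d)), "Oss") for d in range(1, 4) for _ in range(4)]
    + [(_ts(TODAY), "Oss") for _ in range(5)]
)

def daily_counts(events, today, window_days=60):
    """pv per (service, day) inside the query window, like the innermost SELECT."""
    start = today - timedelta(days=window_days)
    counts = defaultdict(int)
    for ts, service in events:
        day = datetime.fromtimestamp(ts, tz=timezone.utc).date()
        if start <= day <= today:
            counts[(service, day)] += 1
    return counts

def baseline_vs_today(events, today, window_days=60):
    """{service: (avg_pv, today_pv)} for services seen today (the inner join).

    avg_pv averages only days on which the service had calls, and the
    current day is part of the window, exactly as in the console query."""
    per_day, today_pv = defaultdict(list), {}
    for (service, day), pv in daily_counts(events, today, window_days).items():
        per_day[service].append(pv)
        if day == today:
            today_pv[service] = pv
    return {s: (sum(per_day[s]) / len(per_day[s]), today_pv[s]) for s in today_pv}

def alert_fires(avg_pv, today_pv, ratio=0.5):
    """$0.today_pv > $0.avg_pv && ($0.today_pv - $0.avg_pv)/$0.avg_pv > ratio"""
    return today_pv > avg_pv and (today_pv - avg_pv) / avg_pv > ratio

def services_to_alert(events, today, window_days=60, ratio=0.5):
    """Names of services whose call count today exceeds the baseline by > ratio."""
    stats = baseline_vs_today(events, today, window_days)
    return sorted(s for s, (avg, pv) in stats.items() if alert_fires(avg, pv, ratio))

if __name__ == "__main__":
    print(services_to_alert(SAMPLE_EVENTS, TODAY))  # ['Ecs']
```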