This topic describes how to create a multi-account trail in the ActionTrail console. A multi-account trail can deliver the events under all member accounts in a resource directory to the specified Object Storage Service (OSS) bucket or Log Service Logstore.
Prerequisites
The resource directory feature is enabled. For more information, see Enable a resource directory.
Procedure
Results
After a multi-account trail is created, events are delivered to the specified OSS bucket or Log Service Logstore in the JSON format for query and analysis. You can view event logs stored in the OSS bucket or Log Service Logstore by using the master account.
LookupEvents
operation.
- OSS bucket: Global events generated by all member accounts are delivered together with the events that are generated in the home region of the trail. Non-global events generated for resources in each region are delivered to the corresponding storage path with the region ID specified. You can analyze the event logs by using E-MapReduce or a third-party log analysis service.
  The OSS storage path is in the following format:
  oss://<bucket>/<Log file prefix>/AliyunLogs/Actiontrail/rd_id/accountid/regionid/yyyy/mm/dd/Log file
- Log Service Logstore: ActionTrail automatically creates a Logstore named actiontrail_<Trail name> as well as the corresponding index and chart. For more information, see ActionTrail access logs.
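
Because the OSS storage path carries the resource directory ID, account ID, region ID and date, the master account can check which member accounts delivered events on a given day. The following Python sketch is an added example, not part of the ActionTrail documentation; the function names are hypothetical, and the bucket, prefix, resource directory ID, account IDs and log file names are constructed sample values.

```python
import re
from datetime import date

# Layout taken from the path format above; everything between the bucket
# and the AliyunLogs/Actiontrail marker is treated as the log file prefix.
_PATH_RE = re.compile(
    r"^oss://(?P<bucket>[^/]+)/(?:(?P<prefix>.+?)/)?AliyunLogs/Actiontrail/"
    r"(?P<rd_id>[^/]+)/(?P<account_id>[^/]+)/(?P<region_id>[^/]+)/"
    r"(?P<y>\d{4})/(?P<m>\d{2})/(?P<d>\d{2})/(?P<log_file>[^/]+)$"
)

def parse_trail_path(path):
    """Split a delivered-object path into its fields, or return None."""
    m = _PATH_RE.match(path)
    if not m:
        return None
    f = m.groupdict()
    try:
        f["day"] = date(int(f.pop("y")), int(f.pop("m")), int(f.pop("d")))
    except ValueError:  # digits present but not a real calendar date
        return None
    return f

def delivery_gaps(paths, rd_id, expected_accounts, day):
    """Return (missing, unexpected, rejected) for one day of delivery."""
    seen, rejected = set(), []
    for p in paths:
        f = parse_trail_path(p)
        if f is None or f["rd_id"] != rd_id:
            rejected.append(p)  # wrong layout or another resource directory
        elif f["day"] == day:
            seen.add(f["account_id"])
    expected = set(expected_accounts)
    return sorted(expected - seen), sorted(seen - expected), rejected

# Constructed sample listing (not real ActionTrail output).
_BASE = "oss://audit-bucket/trail/AliyunLogs/Actiontrail/"
SAMPLE_PATHS = [
    _BASE + "rd-EXAMPLE/1000000000000001/cn-hangzhou/2024/01/15/log-0001.json",
    _BASE + "rd-EXAMPLE/1000000000000001/cn-beijing/2024/01/15/log-0002.json",
    _BASE + "rd-EXAMPLE/1000000000000003/cn-hangzhou/2024/01/15/log-0003.json",
    _BASE + "rd-OTHER/1000000000000002/cn-hangzhou/2024/01/15/log-0004.json",
    "oss://audit-bucket/trail/other/readme.txt",
]

if __name__ == "__main__":
    members = {"1000000000000001", "1000000000000002"}
    print(delivery_gaps(SAMPLE_PATHS, "rd-EXAMPLE", members, date(2024, 1, 15)))
```

An account listed as missing had no objects under its path for that day, and an unexpected account ID is one that is not in the member list you supplied; both are worth reviewing against the resource directory.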