Create a multi-account trail - Quick Start| Alibaba Cloud Documentation Center

This topic describes how to create a multi-account trail in the ActionTrail console. A multi-account trail can deliver the events under all member accounts in a resource directory to the specified Object Storage Service (OSS) bucket or Log Service Logstore.

Prerequisites

The resource directory feature is enabled. For more information, see Enable a resource directory.

Procedure

Log on to the ActionTrail console by using the master account.
In the top navigation bar, select the region where you want to create a multi-account trail.

Note The region that you select becomes the home region of the trail to be created.
In the left-side navigation pane, choose ActionTrail > Create Trail.

In the Trail Basic Settings step, set the parameters and click Next. The following table describes the parameters.


Parameter	Description
Trail Name	The name of the trail to be created. The name must be unique to an Alibaba Cloud account in a region.
Target Regions	The one or more regions from which the trail delivers events. All Regions: The trail delivers events from all regions to the specified delivery destination. Based on the industry compliance regulations, the events from all regions must be recorded. We recommend that you select this option. Selected Regions: The trail delivers events only from the one or more regions you specified in Regions to the specified delivery destination. Note The home region indicates the region where you create a trail. An applicable region indicates a region to which a trail is applied. If you want to deliver events only from a specified region, we recommend that you create a trail in that region.
Event Type	The type of events to be delivered. Write: the type of events that can add, delete, or modify cloud resources. For example, a CreateInstance event is generated when a subscription or pay-as-you-go ECS instance is created. If you need to export events only for custom analysis and focus on the events that affect the running of the cloud resources, select Write. Read: the type of events that can read information about cloud resources, but cannot add, delete, or modify cloud resources. For example, a DescribeInstances event is generated when the details of one or more ECS instances are queried. Read events often occur in abundance and occupy a large storage space. We recommend that you do not select this option. All: all read and write events. If you want to create a trail to deliver all events under your Alibaba Cloud account, select All.
Apply Trail to All Member Accounts	Specifies whether to apply the trail to all member accounts in the resource directory. Yes: If you select this option, the trail delivers the events of the master account and all member accounts in the resource directory to the specified OSS bucket or Log Service Logstore. This trail is available in all regions. For security purposes, we recommend that you select this option. No: If you select this option, the trail delivers only the events of the master account to the specified OSS bucket or Log Service Logstore. This trail is available only in the home region. Note This parameter cannot be modified once set. To modify the Apply Trail to All Member Accounts parameter, you must delete the multi-account trail and create a new one. After you create a multi-account trail, the setting of the Apply Trail to All Member Accounts parameter is displayed in the Source column on the Trails page. If you select Yes, Master Account is displayed in the Source column. If you select No, Current Account is displayed in the Source column.

In the Event Delivery Settings step, select the delivery method and click Next.

Note The events to be delivered are those generated after the multi-account trail takes effect. The events generated in the last 90 days are excluded. Later, ActionTrail will deliver events generated in the last 90 days to you at a time to meet your requirements to the greatest extent.

If you select Delivery to Log Service, set the parameters as described in the following table.


Parameter	Description
Logstore Region	The region where the Log Service project resides.
Project Name	The name of the Log Service project. The name must be unique to an Alibaba Cloud account in a region. If you select New Log Service Project, ActionTrail will create a project with the name that you specify and create a Logstore in the project. For more information about how to create a project in Log Service, see Quick start. If you select Existing Log Service Project, you must select an existing project in Log Service.

If you select Delivery to OSS, set the parameters as described in the following table.


Parameter	Description
Bucket Name	The name of the OSS bucket. The name must be unique to an Alibaba Cloud account in a region. If you select New OSS Bucket, ActionTrail will create an OSS bucket with the name that you specify. For more information about how to create a bucket in OSS, see Create buckets. If you select Existing OSS Bucket, you must select an existing bucket in OSS.
Log File Prefix	The prefix of the name of the log file where the events are stored.
Server Encryption	Specifies whether to encrypt objects in the OSS bucket. If you select New OSS Bucket, you must set this parameter. Valid values: AES256 KMS No Note For more information about the server-side encryption feature of OSS, see Server-side encryption.

In the Preview and Create step, confirm the trail information and click Submit.

Results

After a multi-account trail is created, events are delivered to the specified OSS bucket or Log Service Logstore in the JSON format for query and analysis. You can view event logs stored in the OSS bucket or Log Service Logstore by using the master account.

Note You can use the master account to view only the events of the member accounts in the resource directory in the OSS or Log Service console. You cannot query these events on the Query Event Details page of the ActionTrail console or by calling the LookupEvents operation.

OSS bucket: Global events generated by all member accounts are delivered together with the events that are generated in the home region of the trail. Non-global events generated for resources in each region are delivered to the corresponding storage path with the region ID specified. You can analyze the event logs by using E-MapReduce or a third-party log analysis service.
The OSS storage path is in the following format:
```
oss://<bucket>/<Log file prefix>/AliyunLogs/Actiontrail/rd_id/accountid/regionid/yyyy/mm/dd/Log file
```
Log Service Logstore: ActionTrail automatically creates a Logstore named actiontrail_Trail name as well as the corresponding index and chart.
For more information, see ActionTrail access logs.