ActionTrail provides the event alerting feature. When ActionTrail detects abnormal events in the cloud, it sends alert notifications, by the methods that you specify, to the users or user groups that you specify as alert contacts. This allows alert contacts to handle exceptions at the earliest opportunity. This topic describes how to enable and configure the event alerting feature.

Prerequisites

You are authorized to use the event alerting feature. To use this feature, submit a ticket.

Step 1: Create a trail

Create a trail that meets the following conditions:

  • The trail delivers the events that occur in all regions.
  • The trail delivers all types of events.
  • The trail delivers events to Log Service.

For more information, see Create a single-account trail and Create a multi-account trail.

Step 2: Enable the event alerting feature

You must enable the event alerting feature to inspect the events recorded by a specified trail.

  1. Log on to the ActionTrail console.
  2. In the left-side navigation pane, click Trails.
  3. On the Trails page, click the name of the trail for which you want to enable the event alerting feature.
  4. Click Enable next to Enable Advanced Features.
    Note: If Yes is displayed next to Enable Advanced Features, the event alerting feature is enabled.

Step 3: Create users and a user group

Users and user groups are used as the recipients of alert notifications. In this example, create two users named Alice and Kumer, and create a user group named ActionTrailOM. Then, add the users Alice and Kumer to the ActionTrailOM user group.

  1. Log on to the ActionTrail console.
  2. In the left-side navigation pane, click Event Alerting.
  3. Create users.
    1. On the Event Alerting page, select User Management from the Alert Management drop-down list.
    2. In the User Management section, click Add Users.
    3. On the Add Users tab of the Create User dialog box, enter the user information and click OK.
      In this example, enter the following user information:
      # ID, Username, Enabled, Country code-phone number, Receive text message, Receive phone call
      1001,Kumer,true,86-1381111*****,true,true
      1002,Alice,true,86-1381111*****,true,true

      The following table describes the parameters that are used to configure user information.

      Parameter: ID
      Description: The unique identifier of the user. The ID must be 5 to 60 characters in length and can contain letters, digits, underscores (_), hyphens (-), and periods (.). It must start with a letter.
      Example: 1001 and 1002

      Parameter: Username
      Description: The username of the user. The username must be 1 to 20 characters in length and cannot contain the following special characters: " \ $ | ~ ?& < > { } ` '
      Example: Kumer and Alice

      Parameter: Enabled
      Description: Specifies whether ActionTrail can send alert notifications to the user. Valid values:
      • true: ActionTrail can send alert notifications to the user.
      • false: ActionTrail cannot send alert notifications to the user.
      Example: true

      Parameter: Country code-phone number
      Description: The phone number of the user. The country code can contain only digits and must be 1 to 4 characters in length.
      Example: 86-1381111***** and 86-1381112*****

      Parameter: Receive text message
      Description: Specifies whether ActionTrail can send SMS messages to the phone number. Valid values:
      • true: ActionTrail can send SMS messages to the phone number.
      • false: ActionTrail cannot send SMS messages to the phone number.
      Example: true

      Parameter: Receive phone call
      Description: Specifies whether ActionTrail can send voice notifications to the phone number.
      • true: ActionTrail can send voice notifications to the phone number.
      • false: ActionTrail cannot send voice notifications to the phone number.
      Example: true
  4. Create a user group.
    1. Select User Group Management from the Alert Management drop-down list.
    2. In the User Groups section, click Create.
    3. In the Add User Group dialog box, set the parameters as required and click OK.

      The following table describes the required parameters and provides examples.

      Parameter: ID
      Description: The unique identifier of the user group. The ID must be 5 to 60 characters in length and can contain letters, digits, underscores (_), hyphens (-), and periods (.). It must start with a letter.
      Example: group-01

      Parameter: Group Name
      Description: The name of the user group. The name must be 1 to 20 characters in length and cannot contain the following special characters: \ $ | ~ ?& < > { } ` ' "
      Example: ActionTrailOM

      Parameter: Available Members
      Description: The users that you have created.
      Example: Kumer and Alice

      Parameter: Selected Members
      Description: The users who are added to the user group.
      Example: Kumer and Alice

      Parameter: Enabled
      Description: Specifies whether ActionTrail can send alert notifications to the user group. You can turn on or off the switch based on your business requirements.
      • If you turn on the switch, ActionTrail can send alert notifications to the user group.
      • If you turn off the switch, ActionTrail cannot send alert notifications to the user group.
      Example: Turn on the switch.

Step 4: Create an alert template (Optional)

By default, ActionTrail uses the SLS actiontrail builtin content template to send alert notifications to the specified alert contacts. You can also create custom alert templates based on your business requirements.

  1. Log on to the ActionTrail console.
  2. In the left-side navigation pane, click Event Alerting.
  3. On the Event Alerting page, select Alert Template from the Alert Management drop-down list.
  4. In the Alert Template section, click Create.
  5. In the Add Content Template dialog box, set the ID and Name parameters.
  6. Configure each alert notification method.
    Notification methods and their parameters:
    SMS: The following parameters are available:
    • Language: the language of the alert notification.
    • Content: the content of the alert notification. You can use template variables to define the content of the alert notification. For more information, see Template variables.
    Voice: The following parameters are available:
    • Language: the language of the alert notification.
    • Content: the content of the alert notification. You can use template variables to define the content of the alert notification. For more information, see Template variables.
    Email: The following parameters are available:
    • Language: the language of the alert notification.
    • Subject: the title of the alert notification. You can use template variables to define the title of the alert notification.
    • Content: the content of the alert notification. You can use template variables to define the content of the alert notification. For more information, see Template variables.
    DingTalk: The following parameters are available:
    • Title: the title of the alert notification. You can use template variables to define the title of the alert notification.
    • Content: the content of the alert notification. You can use template variables to define the content of the alert notification. For more information, see Template variables.
    Webhook-Custom: The following parameters are available:
    • Sending Mode: the mode in which alert notifications are sent. Valid values: Single and Batch.
      • If you select Batch and set the Maximum number of items sent in a group parameter to N, an alert notification contains the information about the first N alerts in a merge set.
      • If you select Batch and the content you configured can be parsed into JSON data, the alert notification is sent in the JSON format. Otherwise, string arrays are sent.
      For example, if you customize the content as {"project": "${project}", "alert_name": "${alert_name}"}, the following notifications are sent for two alerts:
      • Single: sends two alert notifications. Content: {"project": "project-1", "alert_name": "alert-1"} and {"project": "project-2", "alert_name": "alert-2"}.
      • Batch: sends one alert notification. Content: [{"project": "project-1", "alert_name": "alert-1"}, { "project": "project-2", "alert_name": "alert-2"}].
    • Content: the content of the alert notification. You can use template variables to define the content of the alert notification. For more information, see Template variables.
    Note: When ActionTrail sends alert notifications, the default request header is Content-Type: application/json;charset=utf-8. If a webhook receiver requires different request headers, you can customize the request headers when you configure notification methods. For more information, see the "Webhook" section in the Notification methods topic.
    Notifications: The following parameters are available:
    • Language: the language of the alert notification.
    • Content: the content of the alert notification. You can use template variables to define the content of the alert notification. For more information, see Template variables.
    Enterprise WeChat: The following parameters are available:
    • Title: the title of the alert notification. You can use template variables to define the title of the alert notification.
    • Content: the content of the alert notification. You can use template variables to define the content of the alert notification. For more information, see Template variables.
    Lark: The following parameters are available:
    • Title: the title of the alert notification. You can use template variables to define the title of the alert notification.
    • Content: the content of the alert notification. You can use template variables to define the content of the alert notification. For more information, see Template variables.
    Slack: The following parameters are available:
    • Title: the title of the alert notification. You can use template variables to define the title of the alert notification.
    • Content: the content of the alert notification. You can use template variables to define the content of the alert notification. For more information, see Template variables.
  7. Click OK.
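
A webhook receiver has to accept every body shape that the Webhook-Custom sending modes can produce. The following is an added example, not code from ActionTrail or Log Service: `build_bodies` is a hypothetical model of the sender as this step describes it, and `normalize` is a hypothetical receiver-side helper that turns Single bodies, Batch object arrays, and Batch string arrays into one list of records.

```python
import json
from string import Template

# Content template from the example in this step.
TEMPLATE = '{"project": "${project}", "alert_name": "${alert_name}"}'

def build_bodies(template, alerts, mode, max_items=None):
    """Model of the sender as described above (an assumption, not service code)."""
    rendered = [Template(template).substitute(a) for a in alerts]
    if mode == "Single":
        return rendered                      # one request body per alert
    items = rendered[:max_items]             # Batch: first N alerts of the merge set
    try:
        return [json.dumps([json.loads(r) for r in items])]  # array of objects
    except json.JSONDecodeError:
        return [json.dumps(items)]           # content is not JSON: array of strings

def normalize(body):
    """Receiver side: turn any of the body shapes into a list of dicts."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return [{"raw": body}]               # Single mode with non-JSON content
    items = data if isinstance(data, list) else [data]
    alerts = []
    for item in items:
        if isinstance(item, str):            # element of a string array
            try:
                item = json.loads(item)
            except json.JSONDecodeError:
                pass
        alerts.append(item if isinstance(item, dict) else {"raw": item})
    return alerts

# Constructed sample alerts, matching the values in the example above.
ALERTS = [
    {"project": "project-1", "alert_name": "alert-1"},
    {"project": "project-2", "alert_name": "alert-2"},
]
```

Records that come back under the `raw` key did not parse as JSON objects, so a receiver can route them to a review queue instead of dropping them.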

Step 5: Create an action policy (Optional)

Action policies are used to manage alert notification methods and the frequency at which alert notifications are sent. By default, ActionTrail uses the SLS actiontrail builtin action policy to send alert notifications to the specified alert contacts. You can also create custom action policies based on your business requirements. When you create a custom action policy, you can specify alert notification conditions, alert notification methods, and alert contacts.

  1. Log on to the ActionTrail console.
  2. In the left-side navigation pane, click Event Alerting.
  3. On the Event Alerting page, select Action Policy from the Alert Management drop-down list.
  4. In the Action Policy section, click Create.
  5. In the Add Action Policy dialog box, set the ID and Name parameters.
  6. On the Primary Action Policy tab, create an action policy.
    1. Click the Condition icon.
    2. Configure a condition to send an alert notification and click OK.
      Configuration item: Condition
      Description: Valid values:
      • All: The specified action policy is executed only if all alerts in a merge set meet the specified condition.
      • Any: The specified action policy is executed if one or more alerts in a merge set meet the specified condition.
      Example: Any

      Configuration item: Conditional expressions
      Description: Alerts that meet a conditional expression are processed based on the specified action policy. You can specify an object, an operator, and an object value for the conditional expression.
      Example:
      • Object: Alibaba Cloud Account ID
      • Operator: Equal to
      • Object value: 154035569884****

      Configuration item: Mode
      Description: You can add multiple conditions in standard mode or advanced mode. Valid values:
      • Standard Mode: If you specify multiple conditions, the conditions are associated by using the AND operator.
      • Advanced Mode: If you specify multiple conditions, you can use the AND or OR operator to associate the conditions. You can also group multiple conditions into one group by using parentheses. In addition, nested conditions are supported.
      Example: Standard Mode
    3. Configure an action group.
      Set the required parameters for notification methods. Available notification methods include SMS message, voice call, email, DingTalk, webhook, and Alibaba Cloud Message Center. For more information, see Notification methods.
    4. Click the End icon for the Condition or Action Group dialog box to end the configuration.
      Note: Click the Condition icon if you want to add more conditions and action groups.
  7. Click OK.
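
The All and Any settings decide whether one non-matching alert in a merge set stops the whole action policy from running, which matters when the policy is the only route to a notification. The following added example models the condition semantics described in this step; it is not ActionTrail's implementation, and the tuple encoding, the field names `account_id` and `severity`, and the second account value are hypothetical.

```python
# Condition tree (hypothetical encoding): ("cond", field, operator, value),
# or ("and" | "or", [children]) for grouped and nested conditions.
OPERATORS = {"Equal to": lambda actual, expected: actual == expected}

def matches(node, alert):
    """Evaluate one alert against a (possibly nested) condition tree."""
    if node[0] == "cond":
        _, field, operator, value = node
        return OPERATORS[operator](alert.get(field), value)
    results = [matches(child, alert) for child in node[1]]
    return all(results) if node[0] == "and" else any(results)

def policy_fires(node, merge_set, condition):
    """Apply the All / Any setting across every alert in the merge set."""
    hits = [matches(node, alert) for alert in merge_set]
    if not hits:
        return False  # assumption: an empty merge set never triggers the policy
    return all(hits) if condition == "All" else any(hits)

# Constructed merge set; the first account ID is the masked value from the page.
MERGE_SET = [
    {"account_id": "154035569884****", "severity": "High"},
    {"account_id": "ACCOUNT-B-PLACEHOLDER", "severity": "Low"},
]
BY_ACCOUNT = ("cond", "account_id", "Equal to", "154035569884****")
# Standard Mode: every condition is joined with AND.
STANDARD = ("and", [BY_ACCOUNT, ("cond", "severity", "Equal to", "High")])
# Advanced Mode: AND / OR with grouping and nesting.
ADVANCED = ("or", [BY_ACCOUNT, ("and", [
    ("cond", "account_id", "Equal to", "ACCOUNT-B-PLACEHOLDER"),
    ("cond", "severity", "Equal to", "Low"),
])])
```

With this merge set, `BY_ACCOUNT` and `STANDARD` run the policy under Any but not under All, because the second alert does not match.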

Step 6: Enable an alert rule

ActionTrail provides multiple built-in alert rules. You can enable alert rules based on your business requirements. For example, if you want an alert to be triggered when the configuration of a virtual private cloud (VPC) route changes, you can enable the VPC Network Route Change Alert rule.

Note: To view the details of an alert rule, you can move the pointer over the more icon next to the name of the alert rule.
  1. Log on to the ActionTrail console.
  2. In the left-side navigation pane, click Event Alerting.
  3. On the Event Alerting page, click the Alert Rules/Incidents tab.
  4. Find the alert rule that you want to enable and click Enable in the Actions column.
    After the alert rule is enabled, the value in the Status column is changed to Enabled.

Step 7: Set alert parameters (Optional)

After you enable an alert rule, ActionTrail inspects events and triggers alerts based on the severity preset for the alert rule. You can also set alert parameters based on your business requirements.

  1. Log on to the ActionTrail console.
  2. In the left-side navigation pane, click Event Alerting.
  3. On the Event Alerting page, click the Alert Rules/Incidents tab.
  4. Find the alert rule that you want to modify and click Settings in the Actions column.
  5. In the Parameter Settings dialog box, set the parameters as required and click Save.
    Parameter: Action Policy
    Description: The action policy that defines the alert notification methods and the frequency at which alert notifications are sent.
    Example: Website Logs_Action Policy

    Parameter: Severity
    Description: The severity of an event that meets the condition to trigger the alert rule.
    Example: High
    Note: For the Account Continuous Login Failure Alert rule, you can specify the maximum number of logon failures allowed. For the Alert for Unauthorized API calls rule, you can specify the maximum number of unauthorized API calls allowed.

Step 8: Create a whitelist (Optional)

If you want specific Alibaba Cloud accounts, RAM users, RAM roles, and IP addresses to be exempt from an alert rule, you can add them to a whitelist.

Note: Only some alert rules support whitelist settings. You can check whether an alert rule supports whitelist settings in the ActionTrail console.
  1. Log on to the ActionTrail console.
  2. In the left-side navigation pane, click Event Alerting.
  3. On the Event Alerting page, click the Alert Rules/Incidents tab.
  4. Find the alert rule for which you want to create a whitelist and click Whitelist in the External Configuration column.
  5. In the Data Management dialog box, click Create.
  6. In the Add Data dialog box, add the whitelist information by following the on-screen instructions. For example, you can enter a value in the format of 154035569884**** in the aliuid field.
  7. Click OK.
    After a whitelist record is added, you can click the buttons in the Actions column to modify or delete the record.