By default, ActionTrail stores the events that occurred in the last 90 days within your Alibaba Cloud account. However, Multi-Level Protection Scheme (MLPS) 2.0 stipulates that events must be stored for more than 180 days to facilitate auditing. Therefore, you can create a trail and a historical event delivery task to store the required events for a long period. Otherwise, you cannot query the events that occurred 90 days ago.

Prerequisites

You are authorized to use the historical event delivery task feature. To use this feature, submit a ticket or ask the sales manager to add you to the whitelist.

Background information

A trail can deliver only the events that occur after the trail is created. Therefore, you must create a historical event delivery task to deliver the events that occurred before your trail is created in the last 90 days. This ensures that all the events required for auditing are stored.

A historical event delivery task applies only to the events that occurred in the time range from 90 days before the current time to 5 minutes after the trail that is associated with the task took effect. For example, you have created Trail A 40 days before you create a historical event delivery task that is associated with Trail A. In this case, the task delivers only the events that were generated in the last 50 days before Trail A was created.

Note
  • A historical event delivery task delivers only the historical events that are tracked by the associated single-account trail to the Log Service Logstore that you specify.
  • Only one historical event delivery task can be running at a time within an Alibaba Cloud account.

Step 1: Create a single-account trail to deliver events to Log Service

  1. Log on to the ActionTrail console.
  2. In the left-side navigation pane, click Trails.
  3. In the top navigation bar, select the region where you want to create a single-account trail.
    Note The region that you select becomes the home region of the trail that you want to create.
  4. On the Trails page, click Create Trail.
  5. In the Trail Basic Settings step, enter a trail name in the Trail Name field, set the Applied Regions parameter to All Regions and the Event Type parameter to All, and then click Next.
  6. In the Event Delivery Settings step, select Delivery to Log Service, select Delivery to Current Account, and then set the parameters as required.
    Parameter Description
    Logstore Region The region where the Log Service project resides.
    Project Name The name of the Log Service project. The name must be unique to an Alibaba Cloud account in a region.
    • If you select New Log Service Project, ActionTrail creates a project with the name that you specify and creates a Logstore in the project.
    • If you select Existing Log Service Project, you must select an existing project in Log Service.

      For more information about how to create a project in Log Service, see Quick start.

  7. Click Next.
  8. In the Preview and Create step, confirm the trail information and click Submit.

Step 2: Create a historical event delivery task

  1. Log on to the ActionTrail console.
  2. In the left-side navigation pane, click Historical Event Delivery Tasks.
  3. In the top navigation bar, select the region where you want to create a historical event delivery task.
    Note This region must be the same as the region where the created single-account trail resides.
  4. On the Historical Event Delivery Tasks page, click Create Task.
  5. On the Create Task page, select the created single-account trail.
    Note After you select a trail, the system automatically fills in the region from which the trail delivers events, the region where the Log Service project resides, the name of the Log Service project, and the information about the Log Service Logstore.
  6. Click Confirm.

Step 3: Query the required events (Optional)

  1. Log on to the ActionTrail console.
  2. In the left-side navigation pane, click Trails.
  3. In the top navigation bar, select the region where the created single-account trail and historical event delivery task reside.
  4. On the Trails page, click Log Analysis in the Log Service column of the created trail.
  5. In the upper-right corner of the page that appears, click 15 Minutes(Relative) to specify a time range for the query.
  6. Click Search & Analyze to query historical events.