After you enable the insight event feature for a trail, ActionTrail generates insight events based on the identified unusual API calls. Then, ActionTrail delivers the insight events to the Log Service Logstore or Object Storage Service (OSS) bucket specified for the trail. You can log on to the Log Service or OSS console to query and analyze insight events that were generated more than 90 days ago.

Prerequisites

  • The permissions to manage insight events are granted to you after you request the permissions by submitting a ticket.
  • A single-account trail that meets the following conditions is created.
    • The trail delivers the events that are generated in all regions.
    • The trail delivers all types of events.
    For more information, see Create a single-account trail.
  • The insight event feature is enabled for the trail. For more information, see the "Step 1: Enable the insight event feature for a trail" section of the Query insight events in the ActionTrail console topic.

Query insight events in the Log Service console

The insight events and management events that are recorded by a trail are delivered to the same Log Service Logstore specified for the trail. You can run the * and event.eventType: ActionTrailInsight SQL statement to query and analyze insight events in the Log Service console.

  1. Log on to the ActionTrail console.
  2. In the left-side navigation pane, click Insight.
  3. On the Insight page, click the more icon, and then click the name of the trail for which the insight event feature is enabled.
  4. In the upper-right corner of the page that appears, click 15 Minutes(Relative) to specify a time range for the query.
  5. Enter * and event.eventType: ActionTrailInsight in the search box, and click Search & Analyze in the upper-right corner to query insight events.
    Note: For information about the fields of an insight event log, see Insight event log reference.

Query insight events in the OSS console

The insight events and management events that are recorded by a trail are delivered to different paths in the OSS bucket specified for the trail. The paths where insight events are stored are in the following format:

oss://<bucket>/<Log file prefix>/AliyunLogs/Actiontrail-Insight/<region>/<YYYY>/<MM>/<DD>/<Log file>

  1. Log on to the ActionTrail console.
  2. In the left-side navigation pane, click Insight.
  3. On the Insight page, click the more icon, and then click the name of the trail for which the insight event feature is enabled.
  4. In the left-side navigation pane, click Files.
  5. Click AliyunLogs and then Actiontrail-Insight to query insight events by region and date.
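
For a review that spans several regions and days, the path format above can be turned into the exact key prefixes to list, and listed keys can be checked against it. The following Python sketch is an added example, not ActionTrail code; the log file prefix "audit", the file name and the function names are assumptions made for illustration.

```python
import re
from datetime import date, timedelta

# Layout from this page, relative to the bucket root:
# <Log file prefix>/AliyunLogs/Actiontrail-Insight/<region>/<YYYY>/<MM>/<DD>/<Log file>
INSIGHT_DIR = "AliyunLogs/Actiontrail-Insight"
KEY_RE = re.compile(
    r"^(?P<prefix>.+)/AliyunLogs/Actiontrail-Insight/"
    r"(?P<region>[^/]+)/(?P<y>\d{4})/(?P<m>\d{2})/(?P<d>\d{2})/(?P<file>[^/]+)$"
)

def insight_prefixes(log_prefix, regions, start, end):
    """Return one OSS key prefix per day and region for start..end inclusive."""
    if start > end:
        raise ValueError("start must not be after end")
    base = log_prefix.strip("/")
    prefixes = []
    day = start
    while day <= end:
        for region in regions:
            prefixes.append(f"{base}/{INSIGHT_DIR}/{region}/{day:%Y/%m/%d}/")
        day += timedelta(days=1)
    return prefixes

def parse_insight_key(key):
    """Split an object key into its parts; None if it is not an insight log path."""
    m = KEY_RE.match(key)
    if m is None:
        return None
    try:
        day = date(int(m["y"]), int(m["m"]), int(m["d"]))
    except ValueError:  # impossible calendar date such as 02/30
        return None
    return {"prefix": m["prefix"], "region": m["region"],
            "date": day, "file": m["file"]}

if __name__ == "__main__":
    # Constructed sample: two regions across a leap-day boundary.
    for p in insight_prefixes("audit", ["cn-hangzhou", "cn-beijing"],
                              date(2024, 2, 28), date(2024, 3, 1)):
        print(p)
    # Constructed key; the file name is a placeholder.
    print(parse_insight_key(
        "audit/AliyunLogs/Actiontrail-Insight/cn-hangzhou/2024/02/29/sample-log.gz"))
```

Each returned prefix can be passed to whatever OSS listing tool you use, so that only the insight event objects for the days under review are retrieved.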