This topic describes how to create a single-account trail in the ActionTrail console. A single-account trail can continuously deliver operations logs to the specified Object Storage Service (OSS) bucket or Log Service Logstore for analysis. If no trail is created, you can only view the operations logs of the last 90 days in the ActionTrail console.

Procedure

  1. Log on to the ActionTrail console.
  2. In the top navigation bar, select the region where you want to create a single-account trail.
    Note: The region that you select becomes the home region of the trail to be created.
  3. In the left-side navigation pane, choose ActionTrail > Trails.
  4. Click Create Trail. On the page that appears, enter a name in the Trail Name field.
  5. Set Apply Trail to All Regions to Yes or No as needed.
    • If you select Yes, the single-account trail will be available in all regions.
      Note: Unless otherwise specified, we recommend that you select this option to avoid missing events.
    • If you select No, select a target region from the Region drop-down list.
  6. Set Event Type to Write, Read, or All.
    • Write: the type of event that can affect the running of cloud resources. This type of event requires special attention.
    • Read: the type of event that does not affect the running of cloud resources. Generally, this type of event occurs in abundance and occupies a large amount of storage space.
    • All: all events related to resource behaviors.
  7. Turn on the Enable Logging switch.
    Note: After the switch is turned on, you must select at least one service to which events are delivered.
  8. Set Deliver Events To to OSS bucket or SLS Logstore.
    Note: Currently, only events generated after the single-account trail takes effect are delivered. Existing events generated in the last 90 days are not delivered. In the future, ActionTrail will deliver the events generated in the last 90 days to you at a time.
    • OSS bucket: If you select this option, events will be delivered to an existing OSS bucket that you specify or a newly created OSS bucket.
      • If you set Create OSS Bucket to Yes, enter the bucket name and log file prefix in the OSS Bucket and Log File Prefix fields respectively.

        Then, set Server Encryption. Supported encryption methods for the events to be delivered include AES256 and KMS. For more information about the server-side encryption feature of OSS, see Server-side encryption.

      • If you set Create OSS Bucket to No, select an OSS bucket from the OSS Bucket drop-down list.

        Then, you can go to the OSS console and enable server-side encryption for the events to be delivered. For more information, see Configure server-side encryption.

    • SLS Logstore: If you select this option, events will be delivered to an existing Log Service project that you specify or a newly created Log Service project.
      • If you set Create Log Service Project to Yes, select a region from the Log Service Region drop-down list, and then enter a project name in the Log Service Project field.
      • If you set Create Log Service Project to No, select the region and project from the Log Service Region and Log Service Project drop-down lists respectively.
  9. Click Confirm.

Result

After a single-account trail is created, events will be logged to the specified OSS bucket or Log Service Logstore in the JSON format for query and analysis. You can view operations logs stored in the OSS bucket or Log Service Logstore.

  • OSS bucket: You can analyze the logs by using E-MapReduce or a third-party log analysis service.

    The OSS storage path is in the following format:

    
    oss://<bucket>/<Log file prefix>/AliyunLogs/Actiontrail/<region>/<YYYY>/<MM>/<DD>/<Log file>
  • Log Service Logstore: ActionTrail automatically creates a Logstore named actiontrail_<Single-account trail name>, as well as the corresponding index and chart.

    For more information, see ActionTrail access logs.
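
The OSS storage path format above makes it possible to check delivery coverage from a bucket listing. The following is an added example, not part of the original documentation or of ActionTrail itself: it parses object keys in that layout and reports, per region, the days in a window that have no delivered object. The function names, the sample keys, and the log file names are constructed for illustration, and the keys are assumed to be object keys without the oss://<bucket>/ part.

```python
import re
from datetime import date, timedelta

# Key layout from the page (object key only, without oss://<bucket>/):
# <Log file prefix>/AliyunLogs/Actiontrail/<region>/<YYYY>/<MM>/<DD>/<Log file>
KEY_RE = re.compile(
    r"^(?:(?P<prefix>.+)/)?AliyunLogs/Actiontrail/"
    r"(?P<region>[^/]+)/(?P<y>\d{4})/(?P<m>\d{2})/(?P<d>\d{2})/(?P<file>[^/]+)$"
)

def parse_key(key):
    """Return (prefix, region, day, file), or None if the key is not in the trail layout."""
    m = KEY_RE.match(key)
    if not m:
        return None
    try:
        day = date(int(m["y"]), int(m["m"]), int(m["d"]))
    except ValueError:  # digits present but not a real calendar date, e.g. month 13
        return None
    return m["prefix"] or "", m["region"], day, m["file"]

def delivery_gaps(keys, start, end):
    """Map each region seen in keys to the sorted days in [start, end] with no object."""
    seen = {}
    for key in keys:
        parsed = parse_key(key)
        if parsed:
            seen.setdefault(parsed[1], set()).add(parsed[2])
    wanted = [start + timedelta(days=i) for i in range((end - start).days + 1)]
    return {region: [d for d in wanted if d not in days]
            for region, days in seen.items()}

# Constructed sample listing; the prefix "audit" and the file names are made up.
SAMPLE_KEYS = [
    "audit/AliyunLogs/Actiontrail/cn-hangzhou/2024/03/01/log-a",
    "audit/AliyunLogs/Actiontrail/cn-hangzhou/2024/03/03/log-b",
    "audit/AliyunLogs/Actiontrail/cn-beijing/2024/03/01/log-c",
    "audit/AliyunLogs/Actiontrail/cn-beijing/2024/03/02/log-d",
    "audit/AliyunLogs/Actiontrail/cn-beijing/2024/03/03/log-e",
    "audit/other/readme.txt",  # not a trail object, ignored
]

if __name__ == "__main__":
    gaps = delivery_gaps(SAMPLE_KEYS, date(2024, 3, 1), date(2024, 3, 3))
    for region, days in sorted(gaps.items()):
        print(region, [d.isoformat() for d in days])
```

A reported day only means that no object exists under that date path. Whether the region had no events that day or delivery failed has to be checked separately.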
