This topic describes how to create a trail in the ActionTrail console. You can create trails to store the logs of events for a longer period of time so that you can analyze these events later.

Background information

When you create a trail, you must specify the regions that the trail applies to, the types of events to be captured in the trail, and the destination to which the events will be delivered. Multiple trails are supported. You can create up to five trails in each region by using your Alibaba Cloud account.

Note We recommend that you do not set the same event delivery destination for different trails. Otherwise, the same events are delivered repeatedly and storage space is wasted.

The advantages of using multiple trails are as follows:

  • You can create multiple trails to deliver different types of events to different storage objects. Then, you can grant permissions to enterprise roles accordingly so that different roles can perform audits on different types of events.
  • You can create multiple trails for different regions of the same country or even different countries to deliver events to storage objects deployed in the corresponding regions. Then, you are able to manage the audit data for multiple regions in a compliant manner.
  • With multiple trails, the same event is stored in more than one location, which prevents audit data from being lost.

ActionTrail applies the following rules to global events to avoid repeated logging:

  • You can view all the global events in the ActionTrail console, regardless of the region that you specify.
  • Assume that you have created a trail to deliver events to a specific Object Storage Service (OSS) bucket. By default, global events are logged in the same file as the events that occur in the home region of the trail.

Procedure

  1. Log on to the ActionTrail console.
  2. In the top navigation bar, select the region where you want to create a trail.
    Note The region that you select becomes the home region of the trail to be created.
  3. In the left-side navigation pane, choose ActionTrail > Trails.
  4. Click Create Trail. On the page that appears, enter a name in the Trail Name field.
  5. Set Apply Trail to All Regions to Yes or No as needed.
    • If you select Yes, the trail will be available in all regions.
      Note We recommend that you select this option unless otherwise specified to avoid event omission.
    • If you select No, you must select one or more target regions from the Apply Trail to All Regions drop-down list.
  6. Set Event Type to Write, Read, or All.
    • Write: the type of event that can affect the running of cloud resources, which requires special attention.
    • Read: the type of event that does not affect the running of cloud resources. Generally, this type of event occurs in large numbers and occupies a large amount of storage space.
    • All: all events related to resource behaviors.
  7. Turn on the Enable Logging switch.
    Note After you enable logging, you must select at least one service to which events are delivered.
  8. Set Deliver Events To to OSS bucket or SLS Logstore or select both options.
    Note Currently, only events generated after the trail takes effect are delivered; existing events generated in the last 90 days are not. In the future, ActionTrail will also deliver the events generated in the last 90 days in a single batch, to meet your requirements as far as possible.
    • OSS bucket: If you select this option, events will be delivered to an existing OSS bucket that you specify or a newly-created OSS bucket.
      • To deliver events to a new OSS bucket, set Create OSS Bucket to Yes and enter the bucket name and log file prefix in the OSS Bucket and Log File Prefix fields respectively.

        Then, set Server Encryption. Supported encryption methods for the events to be delivered include AES256 and KMS. For more information about the server-side encryption feature of OSS, see Server-side encryption.

      • To deliver events to an existing OSS bucket, set Create OSS Bucket to No and select an OSS bucket from the OSS Bucket drop-down list.

        Then, you can go to the OSS console and enable server-side encryption for the events to be delivered. For more information, see Configure server-side encryption.

    • SLS Logstore: If you select this option, events will be delivered to an existing Log Service project that you specify or a newly-created Log Service project.
      • To deliver events to a new Log Service project, set Create Log Service Project to Yes, select a region from the Log Service Region drop-down list, and then enter a project name in the Log Service Project field.
      • To deliver events to an existing Log Service project, set Create Log Service Project to No and select a Log Service project from the Log Service Project drop-down list.
  9. Click Confirm.
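The rules from Background information and the procedure above (the five-trails-per-region limit, the warning against shared destinations, "Apply Trail to All Regions", "Event Type", and "Enable Logging" requiring at least one destination) can be checked mechanically before trails are created. The following is an added example, not ActionTrail's own code; the dict field names mirror the console options and are assumptions, as is counting the per-region quota by home region.

```python
from collections import Counter, defaultdict

MAX_TRAILS_PER_REGION = 5               # limit stated in "Background information"
EVENT_TYPES = {"Write", "Read", "All"}  # values offered by the Event Type setting

def validate_trails(trails):
    """Check trail configurations against the rules on this page.
    Each trail is a dict (field names are assumptions mirroring the console options):
      name, home_region, all_regions (bool), regions (list used when all_regions is False),
      event_type, logging_enabled (bool), oss_bucket (str or None), sls_project (str or None)
    Returns a list of (trail name, finding) tuples; an empty list means no issue found.
    """
    findings = []
    per_home_region = Counter()   # assumption: the quota is counted by home region
    owners = defaultdict(list)    # (destination kind, destination name) -> trail names
    for t in trails:
        name = t["name"]
        per_home_region[t["home_region"]] += 1
        if t["event_type"] not in EVENT_TYPES:
            findings.append((name, "Event Type must be Write, Read, or All"))
        if not t["all_regions"]:
            if not t.get("regions"):
                findings.append((name, "Apply Trail to All Regions is No but no target region is selected"))
            else:
                findings.append((name, "trail covers only %s; events elsewhere are omitted"
                                 % ", ".join(t["regions"])))
        dests = [(k, t.get(k)) for k in ("oss_bucket", "sls_project") if t.get(k)]
        if t["logging_enabled"] and not dests:
            findings.append((name, "logging is enabled but no delivery destination is selected"))
        for dest in dests:
            owners[dest].append(name)
    # Trails sharing a destination deliver the same events twice to the same place.
    for (kind, dest), names in owners.items():
        if len(names) > 1:
            findings.append((", ".join(names), "%s %s is shared; events are delivered repeatedly" % (kind, dest)))
    for region, n in per_home_region.items():
        if n > MAX_TRAILS_PER_REGION:
            findings.append(("(account)", "%d trails in %s exceeds the limit of %d" % (n, region, MAX_TRAILS_PER_REGION)))
    return findings

SAMPLE_TRAILS = [  # constructed sample, not real account data
    {"name": "audit-all", "home_region": "cn-hangzhou", "all_regions": True, "regions": [],
     "event_type": "All", "logging_enabled": True, "oss_bucket": "audit-logs", "sls_project": None},
    {"name": "write-only", "home_region": "cn-hangzhou", "all_regions": False, "regions": ["cn-hangzhou"],
     "event_type": "Write", "logging_enabled": True, "oss_bucket": "audit-logs", "sls_project": None},
    {"name": "broken", "home_region": "cn-shanghai", "all_regions": True, "regions": [],
     "event_type": "Read", "logging_enabled": True, "oss_bucket": None, "sls_project": None},
]
```

Running `validate_trails(SAMPLE_TRAILS)` flags the shared bucket, the region-limited trail, and the trail with logging enabled but no destination.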

Result

After a trail is created, events will be logged to an OSS bucket or a Log Service Logstore in the JSON format to facilitate queries and analysis.

  • OSS bucket: If you specify or create an OSS bucket, events are logged to the OSS bucket in compressed JSON files. The maximum file size is 2 KB. You can analyze the logs by using E-MapReduce or a third-party log analysis service.

    The OSS storage path is in the following format:

    oss://<bucket>/<Log file prefix>/AliyunLogs/Actiontrail/<region>/<YYYY>/<MM>/<DD>/<Log file>
  • Log Service Logstore: ActionTrail automatically creates a Logstore named actiontrail_<Trail name> as well as the corresponding index and chart. Events are logged to the Logstore in the JSON format.

    For more information, see ActionTrail access log.

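The OSS storage path format given under Result can be parsed to inventory what a trail has delivered per region and day, which is the first step when auditing whether a bucket actually holds the expected log files. This is an added example, not ActionTrail code; it assumes the <Log file prefix> segment is simply absent when no prefix was configured, and the sample URIs are constructed.

```python
import re
from datetime import date, timedelta
from urllib.parse import urlparse

# Object-key layout documented for ActionTrail deliveries to OSS:
#   <Log file prefix>/AliyunLogs/Actiontrail/<region>/<YYYY>/<MM>/<DD>/<Log file>
# Assumption: the prefix segment is omitted entirely when no prefix was set.
_KEY_RE = re.compile(
    r"^(?:(?P<prefix>.+?)/)?AliyunLogs/Actiontrail/(?P<region>[^/]+)/"
    r"(?P<year>\d{4})/(?P<month>\d{2})/(?P<day>\d{2})/(?P<file>[^/]+)$"
)

def parse_trail_object(uri):
    """Split an oss:// URI of a delivered log file into its documented components."""
    u = urlparse(uri)
    if u.scheme != "oss" or not u.netloc:
        raise ValueError("not an oss:// URI: %r" % uri)
    m = _KEY_RE.match(u.path.lstrip("/"))
    if not m:
        raise ValueError("object key does not match the ActionTrail layout: %r" % u.path)
    return {
        "bucket": u.netloc,
        "prefix": m.group("prefix"),          # None when no prefix segment is present
        "region": m.group("region"),
        "date": date(int(m.group("year")), int(m.group("month")), int(m.group("day"))),
        "file": m.group("file"),
    }

def missing_days(uris, region, start, end):
    """Days in [start, end] for which no log object was delivered for `region`.
    A gap is a prompt to verify delivery; a quiet region may legitimately have none."""
    seen = {p["date"] for p in map(parse_trail_object, uris) if p["region"] == region}
    gaps, d = [], start
    while d <= end:
        if d not in seen:
            gaps.append(d)
        d += timedelta(days=1)
    return gaps

SAMPLE_URIS = [  # constructed listing of a bucket, not real data
    "oss://audit-logs/prod/AliyunLogs/Actiontrail/cn-hangzhou/2021/03/01/log1.json.gz",
    "oss://audit-logs/prod/AliyunLogs/Actiontrail/cn-hangzhou/2021/03/03/log2.json.gz",
    "oss://audit-logs/AliyunLogs/Actiontrail/cn-shanghai/2021/03/02/log3.json.gz",
]
```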