ActionTrail is integrated with Log Service: the operation log data that ActionTrail collects is delivered to Log Service in real time. This document describes the log fields of ActionTrail logs and the procedure for collecting them.

Prerequisites

  1. Enable Log Service.
  2. Enable ActionTrail.

Procedure

  1. Log on to the ActionTrail console.
  2. Click Trail list in the left-side navigation pane to go to the Trail list page.
  3. Click Create Trail in the upper-right corner to go to the Create Trail page.
  4. Configure trail parameters.
    1. Enter a Trail name.
    2. Deliver audit events to an OSS Bucket (optional).

      For more information, see Create trail.

    3. Select a region in Log Service Region.
    4. Enter a Log Service Project.

      The project is used to store ActionTrail logs. You can enter the name of an existing project in the selected region, or enter a new project name to deliver the logs to a new project.

    5. Enable logging.

      Click Enable logging. After you enable this feature, the operation logs of cloud resources recorded by ActionTrail are delivered to Log Service.

      Figure 1. Configure trail parameters.


  5. Click Submit to complete the configuration.

    You have created a trail and can view it in the Trail List.

    Note: If you are configuring ActionTrail log collection for the first time, authorize ActionTrail as prompted on the page. The authorization allows ActionTrail to deliver ActionTrail logs to your Logstore. After the authorization is complete, click Submit again to finish the configuration.

    Figure 2. Trail List


Limits

  • Only one trail can be created for an account.

    A trail delivers audit events to an OSS bucket or a Log Service Logstore that you specify. Currently, only one trail can be created per account across all regions. This trail delivers audit events from all regions to the OSS bucket, the Logstore, or both.

  • If you have created a trail, you can manage it only in the region where it was created.

    You can view, modify, or delete a trail only in the region where it was created. For example, if you have already created a trail that delivers to OSS and also want to deliver to Log Service, add the Log Service configuration to the existing OSS trail.

  • The exclusive Logstore does not support writing additional data.

    The exclusive Logstore stores only ActionTrail operation logs, so you cannot write other data to it. Other functions, such as query, statistics, alarms, and streaming consumption, are not restricted.

  • Pay-As-You-Go.

    ActionTrail log collection is billed by Log Service, which uses the Pay-As-You-Go billing method and provides a certain amount of free quota. For more information, see Billing method.

Query and analysis

After you complete the trail configuration, you can query and analyze the collected log data by clicking Log Analysis or Log Report under Log Service in the Trail List page.
  • Log Analysis: opens the log query and analysis page.

    Log Service provides log query and analysis. On this page, you can query and analyze collected ActionTrail logs in real time.

    The query syntax and analysis syntax of Log Service support log queries in a variety of complex scenarios. For information about query and analysis syntax, see Query syntax and Analysis syntax.

    To monitor important log data at intervals and receive alarm notifications for abnormal conditions, save the current query conditions as a quick query and an alarm on the query page. For detailed procedures, see Set alarms.

  • Log Report: opens the dashboard page.

    Log Service shows an overview of real-time activity, such as event types and event sources, on a built-in dashboard exclusive to ActionTrail.

    You can modify the exclusive dashboard, create custom dashboards, and add custom analysis charts for a variety of scenarios. For more information about dashboards, see Dashboard.

Default configuration

When the configuration is complete, Log Service creates an exclusive project and an exclusive Logstore for you. The operation logs of cloud resources collected by ActionTrail are delivered to this Logstore in real time. Log Service also creates a dashboard so that you can view cloud resource operations in real time. The default configuration of the project, Logstore, and related items is listed in the following table.

Table 1. Default configuration

| Default configuration item | Configuration content |
|---|---|
| Project | The project that you select or customize when you create the trail. |
| Logstore | A Logstore is created by default, named actiontrail_<Trail name>. All ActionTrail logs are saved in this Logstore. |
| Region | The region that you select when you create the trail. |
| Shard | Two shards are created by default, and the Auto Split Shard feature is enabled. |
| Log storage time | Logs are saved permanently by default. You can set the retention period to a value in the range of 1 to 3000 days. For detailed procedures, see Manage a Logstore. |
| Dashboard | A dashboard is created by default: actiontrail_<Trail name>_audit_center_cn (Chinese environment) or actiontrail_<Trail name>_audit_center_en (English environment). |

Log field

| Field name | Description | Example |
|---|---|---|
| __topic__ | Log topic. This field is fixed to actiontrail_audit_event. | actiontrail_audit_event |
| event | Event body in JSON format. The content of the event body varies with the event. | See the event example below. |
| event.eventId | The ID of the event, which uniquely identifies the event. | 07F1234-3E1D-4BFF-AC6C-12345678 |
| event.eventName | Event name. | CreateVSwitch |
| event.eventSource | The source of the event. | http://account.aliyun.com:443/login/login_aliyun.htm |
| event.eventType | Event type. | ApiCall |
| event.eventVersion | The version of the ActionTrail data format, which is currently fixed to 1. | 1 |
| event.acsRegion | The region where the event occurred. | cn-hangzhou |
| event.requestId | The request ID of the cloud service operation. | 07F1234-3E1D-4BFF-AC6C-12345678 |
| event.apiVersion | The version of the related API. | 2017-12-04 |
| event.errorMessage | The error message when an event fails. | unknown confidential |
| event.serviceName | The name of the service related to the event. | Ecs |
| event.sourceIpAddress | The source IP address associated with the event. | 1.2.3.4 |
| event.userAgent | The client agent related to the event. | Mozilla/5.0 (...) |
| event.requestParameters.HostId | The host ID in the request parameters. | ecs.cn-hangzhou.aliyuncs.com |
| event.requestParameters.Name | The name in the request parameters. | ecs-test |
| event.requestParameters.Region | The region in the request parameters. | cn-hangzhou |
| event.userIdentity.accessKeyId | The AccessKey ID used by the request. | 25**************** |
| event.userIdentity.accountId | The ID of the requesting account. | 123456 |
| event.userIdentity.principalId | The principal ID of the requesting account. | 123456 |
| event.userIdentity.type | The type of the requesting account. | root-account |
| event.userIdentity.userName | The name of the requesting account. | root |

event example

{
  "acsRegion": "cn-hangzhou",
  "additionalEventData": {
    "isMFAChecked": "false",
    "loginAccount": "test1234@aliyun.com"
  },
  "eventId": "7be1e173-1234-44a1-b135-1234",
  "eventName": "ConsoleSignin",
  "eventSource": "http://account.aliyun.com:443/login/login_aliyun.htm",
  "eventTime": "2018-07-12T06:14:50Z",
  "eventType": "ConsoleSignin",
  "eventVersion": "1",
  "requestId": "7be1e173-1234-44a1-b135-1234",
  "serviceName": "AasCustomer",
  "sourceIpAddress": "42.120.75.137",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36",
  "userIdentity": {
    "accessKeyId": "25****************",
    "accountId": "1234",
    "principalId": "1234",
    "type": "root-account",
    "userName": "root"
  }
}
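The fields documented above are enough to build simple detection rules over the delivered records, for example on the console sign-in shown in the event example. The following Python is an added example, not part of this documentation or of Log Service; it assumes records arrive as dictionaries with a fixed __topic__ and a JSON-encoded event body, and the sample records, the ram-user identity type and the error text are constructed for illustration.

```python
import json

# Constructed sample records (not real data), laid out like the log fields
# documented above: a fixed __topic__ plus a JSON-encoded "event" body.
SAMPLE_LOGS = [
    {"__topic__": "actiontrail_audit_event", "event": json.dumps({
        "eventName": "ConsoleSignin", "eventType": "ConsoleSignin",
        "serviceName": "AasCustomer", "sourceIpAddress": "203.0.113.10",
        "additionalEventData": {"isMFAChecked": "false", "loginAccount": "test@example.com"},
        "userIdentity": {"type": "root-account", "userName": "root", "accountId": "1234"}})},
    {"__topic__": "actiontrail_audit_event", "event": json.dumps({
        "eventName": "DeleteInstance", "eventType": "ApiCall", "serviceName": "Ecs",
        "acsRegion": "cn-hangzhou", "sourceIpAddress": "203.0.113.11",
        "errorMessage": "Forbidden.RAM",  # constructed error text
        "userIdentity": {"type": "ram-user", "userName": "deploy", "accountId": "1234"}})},
    {"__topic__": "actiontrail_audit_event", "event": json.dumps({
        "eventName": "DescribeInstances", "eventType": "ApiCall", "serviceName": "Ecs",
        "acsRegion": "cn-hangzhou", "sourceIpAddress": "203.0.113.12",
        "userIdentity": {"type": "ram-user", "userName": "deploy", "accountId": "1234"}})},
]


def parse_event(record):
    """Decode the 'event' field, which the log stores as a JSON string."""
    body = record.get("event", "{}")
    return json.loads(body) if isinstance(body, str) else body


def findings(records):
    """Apply two detection rules to ActionTrail records and return the hits in order."""
    hits = []
    for record in records:
        if record.get("__topic__") != "actiontrail_audit_event":
            continue  # skip anything that is not an ActionTrail event
        ev = parse_event(record)
        identity = ev.get("userIdentity", {})
        extra = ev.get("additionalEventData", {})
        base = {"eventName": ev.get("eventName"), "user": identity.get("userName"),
                "sourceIp": ev.get("sourceIpAddress")}
        # Rule 1: the root account signed in to the console without passing an MFA check.
        # isMFAChecked is a string in the documented example, so compare its lowercase text.
        if (ev.get("eventType") == "ConsoleSignin" and identity.get("type") == "root-account"
                and str(extra.get("isMFAChecked", "")).lower() == "false"):
            hits.append({"rule": "root-console-signin-no-mfa", "severity": "high", **base})
        # Rule 2: an API call failed; errorMessage is only present on failures,
        # and a burst of these from one identity is worth a closer look.
        if ev.get("eventType") == "ApiCall" and ev.get("errorMessage"):
            hits.append({"rule": "api-call-failed", "severity": "medium",
                         "error": ev["errorMessage"], **base})
    return hits
```

Running findings(SAMPLE_LOGS) yields one high-severity hit for the root sign-in without MFA and one medium-severity hit for the failed DeleteInstance call; the successful DescribeInstances call produces nothing.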