This topic describes how to configure alert rules to monitor the use of AccessKey pairs after you use ActionTrail to deliver event logs to a specified Log Service Logstore.


  • An Alibaba Cloud account is created. To create an Alibaba Cloud account, visit the account registration page.
  • Log Service is activated.

    If Log Service is not activated, log on to the Log Service console and activate the service as prompted.

Background information

After you activate ActionTrail, you can query event logs recorded in the last 90 days based on your AccessKey ID. For more information, see Query historical events in the ActionTrail console. You can also deliver event logs to Log Service to store the event logs for a longer period of time.

Create a trail

  1. Log on to the ActionTrail console.
  2. In the top navigation bar, select the region where you want to create a single-account trail.
    Note The region that you select becomes the home region of the trail that you want to create.
  3. In the left-side navigation pane, choose ActionTrail > Create Trail.
  4. In the Trail Basic Settings step, configure the parameters and click Next. The following table describes the parameters.
    Parameter Description
    Trail Name The name of the trail that you want to create. The name must be unique to an Alibaba Cloud account in a region.
    Target Regions The one or more regions from which the trail delivers events. Select All Regions.
    Event Type The type of events that the trail delivers. Select All.
  5. In the Event Delivery Settings step, select Delivery to Log Service.
  6. Select New Log Service Project, select a region from theLogstore Region drop-down list, and then specify Project Name.
  7. Click Next.
  8. In the Preview and Create step, confirm the trail information and click Submit.

Configure Log Service

  1. Log on to the ActionTrail console and choose ActionTrail > Trails.
  2. On the Trails page, find the trail for which you want to configure an alert rule and click Log Analysis in the Log Service column. The details page of the specified Log Service Logstore appears.
    Note You can also log on to the Log Service console to configure Log Service.
  3. In the upper-right corner of the page that appears, click 15 Minutes(Relative) to specify a time range for the query.
  4. Enter event.userIdentity.accessKeyId: "LTAI********eB7Z" | select count(1) as use_ak_LTAI********eB7Z in the search box and click Search & Analyze.
  5. Click Save Search or Save as Alert.
    • Save Search: Click Save Search in the upper-right corner. The Saved Search Details panel appears. Specify Saved Search Name and click OK.
      Note After you save the query, you can select it in the Log Service console to initiate the search.

      For more information, see Saved search.

    • Save as Alert: Click Save as Alert in the upper-right corner. The Alert Rule panel appears. Configure the parameters and click OK.

      For more information, see Create an alert rule.

      Note After you configure the alert rule, you can receive an alert notification when the alert is triggered. For example, Log Service checks the use of your AccessKey ID every 5 minutes based on the alert rule shown in the preceding figure. If your AccessKey ID is used in the last 5 minutes, Log Service generates an alert.


You can view and manage the saved query and alerts in the Log Service console.