This topic describes how to create a multi-account trail in the ActionTrail console. A multi-account trail delivers the events of all members in a resource directory to a Log Service Logstore or an Object Storage Service (OSS) bucket.
Prerequisites
A resource directory is enabled. For more information, see Enable a resource directory.
Procedure
What to do next
After you create a multi-account trail, the trail delivers events in the JSON format to the OSS bucket or Log Service Logstore that you specify, where they are available for query and analysis. You can view the events that are stored in the OSS bucket or Log Service Logstore by using the management account.
LookupEvents operation.
- Query events in the Log Service console: ActionTrail automatically creates a Logstore named in the format of actiontrail_<Trail name>. To query and analyze events in the Log Service console, go to the Trails page of the ActionTrail console first. Find the trail that you created, move the pointer over the icon in the Storage Service column, and then click the name of the Logstore.
- Query events in the OSS console: Global events that are generated within members are delivered together with the events that are generated in the home region of the trail. Non-global events that are generated for the resources in a specific region are delivered to the corresponding storage paths with the specific region ID. You can analyze the events by using E-MapReduce (EMR) or a third-party log analysis service.
To query and analyze events in the OSS console, go to the Trails page of the ActionTrail console first. Find the trail that you created, move the pointer over the icon in the Storage Service column, and then click the name of the OSS bucket. On the bucket overview page, click Files in the left-side navigation pane. For more information about the storage paths in OSS, see What is the storage path of an event that is delivered to an OSS bucket?