A single-account trail can deliver events to a specified Object Storage Service (OSS)
bucket or Log Service Logstore for analysis. By default, ActionTrail records the events
that are generated within your Alibaba Cloud account in the last 90 days. You can
query these events in the ActionTrail console. To query the events that are generated
more than 90 days ago, you must create a trail to record these events. This topic
describes how to create a single-account trail in the ActionTrail console.
Background information
If you create a trail by using your Alibaba Cloud account, ActionTrail delivers events
related to the Alibaba Cloud account and its RAM users to a specified OSS bucket or
Log Service Logstore. If you create a trail as a RAM user, you must authorize the
RAM user to create and manage single-account trails. For more information, see Grant permissions to a RAM user.
ActionTrail allows you to create multiple single-account trails. After you create
a single-account trail to deliver events to a specified OSS bucket, global events
are recorded in the same directory as the events that are generated in the home region
in which the trail is created. This can prevent repeated recording of global events.
In the top navigation bar, select the region in which you want to create a single-account
trail.
Note The region that you select becomes the home region of the trail that you want to create.
On the Trails page, click Create Trail.
In the Trail Basic Settings step, configure the parameters and click Next. The parameters are described below.
Trail Name
The name of the trail. The name is used to name the Log Service Logstore.
Note The name of the trail must be unique.
Log Event
The category of the events that you want to deliver. Valid values:
- Management Event: selected by default. You can select the type of management events that you want to deliver. Valid values:
  - All Events: read and write events. Auditing-related regulations and standards stipulate that all events must be recorded. We recommend that you select All Events.
  - Write: the events that record the operations to create, delete, or modify cloud resources. Example: the events that are generated when you call the CreateInstance operation to create a subscription or pay-as-you-go Elastic Compute Service (ECS) instance. If you want to export events only for analysis and focus only on the events that affect cloud resources, select Write.
  - Read: the events that record the operations to read information about cloud resources, rather than to create, delete, or modify cloud resources. Example: the events that are generated when you call the DescribeInstances operation to query the details of one or more ECS instances. In most cases, a large number of read events are generated, and these events occupy large storage space. Auditing-related regulations and standards stipulate that all events must be recorded. We recommend that you specify that the trail delivers both read and write events. This helps you track the usage of AccessKey pairs and access to cloud resources.
- Insight Event: select Insight Event based on your business requirements. After Insight Event is selected, All Events is selected for Event Type in the Management Event section. ActionTrail delivers events that are generated for exceptional calls from specific IP addresses. For more information about Insight events, see Query insight events.
Note By default, when you create a trail in the ActionTrail console, the trail delivers events in all regions. To create a trail that delivers events in specified regions, call the CreateTrail operation and configure the TrailRegion parameter based on your business requirements.
In the Event Delivery Settings step, configure event delivery settings and click Next.
You can create a trail to deliver events to a Log Service Logstore, an OSS bucket,
or both. For more information about how to select a storage service, see Deliver events to specified Alibaba Cloud services.
Note After the single-account trail takes effect, only events that are generated from that point on are delivered.
The events that were generated in the last 90 days are not included. To meet your business
requirements to the greatest extent possible, you can create a historical event delivery
task to deliver the events of the last 90 days to the delivery destination that you
specify for the trail in a single operation. For more information, see Create a historical event delivery task.
Select Delivery to Log Service
If you select Delivery to Current Account, configure the following parameters.
Logstore Region
The region in which the Log Service project resides.
Project Name
The name of the Log Service project. The project name must be unique within the current Alibaba Cloud account.
- If you select New Log Service Project, you must enter a project name. ActionTrail creates a project with the name that you enter.
- If you select Existing Log Service Project, you must select an existing project in Log Service. For more information about how to create a project in Log Service, see Getting Started.
Note After you create a trail to deliver events to Log Service, a Logstore whose name is in the actiontrail_<Trail name> format is automatically created and optimally configured for subsequent auditing. Indexes and a dashboard are created for the Logstore to facilitate event queries. You cannot manually write data to the Logstore. This ensures data accuracy. You do not need to create a Logstore in advance.
If you select Delivery to Another Account, configure the Log Service Project ARN and RAM Role ARN of Destination Account parameters.
To deliver events to a different account, you must create a RAM role by using the
destination account, grant ActionTrail the permissions to deliver events to the destination
account, and then create a Log Service project before you create the trail. For more
information, see Aggregate events across Alibaba Cloud accounts.
Select Delivery to OSS
If you select Delivery to Current Account, configure the following parameters.
Bucket Name
The name of the OSS bucket. The bucket name must be unique within the current Alibaba Cloud account.
- If you select New OSS Bucket, you must enter an OSS bucket name. ActionTrail creates an OSS bucket with the name that you enter.
- If you select Existing OSS Bucket, you must select an existing bucket from the Bucket Name drop-down list. For more information about how to create a bucket in OSS, see Create buckets.
Notice Before you create a bucket in a region within the Chinese mainland, you must complete real-name registration on the Real-name Registration page.
Log File Prefix
The prefix of the names of the log files in which the delivered events are stored. The prefix helps you find the events in subsequent operations.
Server Encryption
Specifies whether to encrypt log files and the method that is used to encrypt the log files. If you select New OSS Bucket, you must configure this parameter. Valid values:
- Fully Managed by OSS
- KMS
- No
Note For more information about the server-side encryption feature of OSS, see Server-side encryption.
If you select Delivery to Another Account, configure the RAM Role ARN of OSS Bucket, Bucket Name, and Log File Prefix parameters.
To deliver events to a different account, you must create a RAM role by using the
destination account, grant ActionTrail the permissions to deliver events to the destination
account, and then create an OSS bucket before you create the trail. For more information,
see Aggregate events across Alibaba Cloud accounts.
In the Preview and Create step, confirm the trail information and click Submit.
You can click View Details to view the details of the trail.
Result
After you create a single-account trail, the trail delivers events to the OSS bucket
or Log Service Logstore that you specify in the JSON format for query and analysis.
You can view the events that are stored in the OSS bucket or Log Service Logstore.
- Query events in the Log Service console: ActionTrail automatically creates a Logstore whose name is in the actiontrail_<Trail name> format. To query events that are stored in a Log Service Logstore, go to the Trails page of the ActionTrail console, find the trail that you created, move the pointer over the icon in the Storage Service column, and then click the name of the Logstore.
- Query events in the OSS console: You can analyze the events that are delivered to OSS by using E-MapReduce (EMR) or a third-party log analysis service. To query events that are stored in an OSS bucket, go to the Trails page of the ActionTrail console, find the trail that you created, move the pointer over the icon in the Storage Service column, and then click the name of the OSS bucket. On the page that appears, click Files in the left-side navigation pane. For more information about the storage paths in OSS, see What is the storage path of an event that is delivered to an OSS bucket?
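The Log Event section above explains why a trail should deliver both read and write events (tracking how AccessKey pairs are used and from where), and this Result section notes that OSS-delivered files are JSON that you analyze with your own tooling. The following script is an added example of that analysis, not ActionTrail product code and not a script from this documentation. It assumes a delivered file is a gzip-compressed JSON array of event objects and that each event carries the fields eventName, eventRW, eventTime, sourceIpAddress, serviceName, acsRegion and userIdentity.accessKeyId / userIdentity.userName; those field names follow the ActionTrail event format as commonly documented but are assumptions here, and the four sample events are constructed for the example. It splits events by eventRW, summarizes activity per AccessKey ID, and flags keys seen from more than one source IP, which is the kind of first-pass check an auditor runs on trail data.

```python
import gzip
import json
from collections import defaultdict

# Constructed sample events, shaped like the JSON objects a trail delivers to OSS.
# Field names follow the ActionTrail event format (an assumption in this example);
# all values, including the AccessKey IDs and IP addresses, are made up.
SAMPLE_EVENTS = [
    {"eventName": "CreateInstance", "eventRW": "Write", "serviceName": "Ecs",
     "eventTime": "2024-01-01T08:00:00Z", "sourceIpAddress": "203.0.113.10",
     "acsRegion": "cn-hangzhou",
     "userIdentity": {"type": "ram-user", "userName": "deployer",
                      "accessKeyId": "EXAMPLE-AK-DEPLOYER"}},
    {"eventName": "DescribeInstances", "eventRW": "Read", "serviceName": "Ecs",
     "eventTime": "2024-01-01T08:05:00Z", "sourceIpAddress": "203.0.113.10",
     "acsRegion": "cn-hangzhou",
     "userIdentity": {"type": "ram-user", "userName": "deployer",
                      "accessKeyId": "EXAMPLE-AK-DEPLOYER"}},
    {"eventName": "DescribeInstances", "eventRW": "Read", "serviceName": "Ecs",
     "eventTime": "2024-01-01T08:06:00Z", "sourceIpAddress": "198.51.100.7",
     "acsRegion": "cn-hangzhou",
     "userIdentity": {"type": "ram-user", "userName": "deployer",
                      "accessKeyId": "EXAMPLE-AK-DEPLOYER"}},
    {"eventName": "DeleteInstance", "eventRW": "Write", "serviceName": "Ecs",
     "eventTime": "2024-01-01T09:00:00Z", "sourceIpAddress": "198.51.100.7",
     "acsRegion": "cn-shanghai",
     "userIdentity": {"type": "root-account", "userName": "root",
                      "accessKeyId": "EXAMPLE-AK-ROOT"}},
]


def pack_delivery_file(events):
    """Serialize events the way a delivered log file is assumed to look:
    a JSON array, gzip-compressed. Used only to build offline test input."""
    return gzip.compress(json.dumps(events).encode("utf-8"))


def load_events(blob):
    """Parse one delivered log file (gzip or plain JSON) into a list of events.
    Accepts either a JSON array or a single JSON object."""
    if blob[:2] == b"\x1f\x8b":  # gzip magic number
        blob = gzip.decompress(blob)
    data = json.loads(blob.decode("utf-8"))
    return data if isinstance(data, list) else [data]


def split_read_write(events):
    """Split events by eventRW, mirroring the console's Read/Write choice.
    Anything that is not explicitly marked Read is kept with the writes so
    that an event that may have changed a resource is never silently dropped."""
    reads, writes = [], []
    for ev in events:
        (reads if ev.get("eventRW") == "Read" else writes).append(ev)
    return reads, writes


def accesskey_usage(events):
    """Summarize per-AccessKey activity: call count, write count, the user name,
    and the sets of source IPs, services and regions seen for that key."""
    usage = defaultdict(lambda: {"calls": 0, "writes": 0, "identity": None,
                                 "source_ips": set(), "services": set(),
                                 "regions": set()})
    for ev in events:
        ident = ev.get("userIdentity", {})
        entry = usage[ident.get("accessKeyId", "<no-accesskey>")]
        entry["calls"] += 1
        if ev.get("eventRW") != "Read":
            entry["writes"] += 1
        entry["identity"] = ident.get("userName")
        entry["source_ips"].add(ev.get("sourceIpAddress"))
        entry["services"].add(ev.get("serviceName"))
        entry["regions"].add(ev.get("acsRegion"))
    return dict(usage)


def keys_used_from_multiple_ips(events):
    """Return AccessKey IDs used from more than one source IP in the window,
    a cheap first-pass indicator that a key deserves a closer look."""
    return sorted(key for key, u in accesskey_usage(events).items()
                  if len(u["source_ips"]) > 1)


if __name__ == "__main__":
    events = load_events(pack_delivery_file(SAMPLE_EVENTS))
    reads, writes = split_read_write(events)
    print(f"{len(reads)} read events, {len(writes)} write events")
    for key, u in accesskey_usage(events).items():
        print(key, u["identity"], u["calls"], "calls,", u["writes"], "writes,",
              "ips:", sorted(u["source_ips"]), "regions:", sorted(u["regions"]))
    print("keys used from several IPs:", keys_used_from_multiple_ips(events))
```

To run this against a real delivery, download the log files from the bucket path shown under Files, pass each file's bytes to load_events, and concatenate the results before calling accesskey_usage; the read/write split only works if the trail was configured to deliver All Events.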