Create a single-account trail

A single-account trail can continuously deliver events to the specified Object Storage Service (OSS) bucket or Log Service Logstore for analysis. By default, ActionTrail records the events that were generated within your Alibaba Cloud account in the last 90 days. You can query these events in the ActionTrail console. To query the events that were generated more than 90 days ago, you must create a trail first to record these events. This topic describes how to create a single-account trail in the ActionTrail console.

1. Log on to the ActionTrail console.
2. In the left-side navigation pane, click Trails.
3. In the top navigation bar, select the region in which you want to create a single-account trail.
   Note The region that you select becomes the home region of the trail that you want to create.
4. On the Trails page, click Create Trail.
5. In the Trail Basic Settings step, set the parameters and click Next. The following table describes the parameters.

   Parameter	Description
   Trail Name	The name of the trail that you want to create. The name must be unique within your Alibaba Cloud account. The trail name is used to name the Logstore that is used to store the events to be delivered.
   Log Event	The category of event that you want to deliver. Valid values: Management Event: By default, Management Event is selected. You can select the type of user-initiated event that you want to deliver. Valid values: All Events: all read and write events. All events must be recorded for auditing, as stipulated in the auditing-related regulations and standards. We recommend that you select All Events. Write: the events that record the operations to create, delete, or modify cloud resources. For example, a CreateInstance event is generated when a subscription or pay-as-you-go Elastic Compute Service (ECS) instance is created. If you need to export events only for analysis and focus only on the events that affect the O&M of cloud resources, select Write. Read: the events that record the operations to read information about cloud resources, rather than to create, delete, or modify cloud resources. For example, a DescribeInstances event is generated when the details of one or more ECS instances are queried. Read events are often generated in abundance and occupy large storage space. However, all events must be recorded for auditing, as stipulated in the auditing-related regulations and standards. We recommend that you configure the trail to deliver both read and write events. This helps you track the use of AccessKey pairs and access to cloud resources. Insight Event: Select or clear Insight Event as needed. If you select Insight Event, ActionTrail synchronously delivers insight events that are generated due to operations from unusual IP addresses. Note By default, when you create a trail in the ActionTrail console, the system assumes that the trail delivers events in all regions. To create a trail that delivers events in specific regions, call the CreateTrail operation. Set the TrailRegion parameter as needed when you call this operation. If you select Insight Event, the Event Type parameter is automatically set to All Events.

6. In the Event Delivery Settings step, specify one or more delivery destinations and click Next.
   You can create a trail to deliver events to Log Service, OSS, or both. For more information about how to select a storage service, see Deliver events to specified Alibaba Cloud services.

   Note The events generated after the single-account trail takes effect are delivered. The events generated in the last 90 days are excluded. To meet your requirements to the greatest extent possible, you can create a historical event delivery task to deliver the events generated in the last 90 days to the delivery destination that you specify for the trail at a time. For more information, see Create a historical event delivery task.

   • Select Delivery to Log Service
     • If you select Delivery to Current Account, set the parameters that are described in the following table.

       Parameter	Description
       Logstore Region	The region in which the Log Service project resides.
       Project Name	The name of the Log Service project. The project name must be unique within an Alibaba Cloud account. If you select New Log Service Project, ActionTrail creates a project with the name that you specify and creates a Logstore in the project. If you select Existing Log Service Project, you must select an existing project from the Project Name drop-down list. For more information about how to create a project in Log Service, see Getting Started. Note After you create a trail to deliver events to Log Service, a Logstore named in the actiontrail_<Trail name> format is created. This Logstore is automatically configured for subsequent auditing. To be specific, indexes and a dashboard are created for the Logstore to facilitate event queries. In addition, you are not allowed to manually write data to the Logstore. This ensures data integrity. You do not need to create a Logstore in advance.

     • If you select Delivery to Another Account, set the Log Service Project ARN and RAM Role ARN of Destination Account parameters.

       To deliver events to another account, you must create a RAM role by using the destination account, grant ActionTrail the permissions to deliver events to the destination account, and then create a Log Service project before you create the trail. For more information, see Aggregate events across Alibaba Cloud accounts.

   • Select Delivery to OSS
     • If you select Delivery to Current Account, set the parameters that are described in the following table.

       Parameter	Description
       Bucket Name	The name of the OSS bucket. The bucket name must be unique within the Alibaba Cloud account. If you select New OSS Bucket, ActionTrail creates an OSS bucket with the name that you specify. If you select Existing OSS Bucket, you must select an existing bucket from the Bucket Name drop-down list. For more information about how to create a bucket in OSS, see Create buckets. Notice You must complete real-name registration on the Real-name Registration page before you create a bucket in a region within the Chinese mainland.
       Log File Prefix	The prefix of the names of the log files in which the delivered events are stored. The prefix helps you find the events in subsequent operations.
       Server Encryption	Specifies whether and how to encrypt objects in the OSS bucket. If you select New OSS Bucket, you must set the parameter. Valid values: Fully Managed by OSS KMS No Note For more information about the server-side encryption feature of OSS, see Server-side encryption.

     • If you select Delivery to Another Account, set the RAM Role ARN of OSS Bucket, Bucket Name, and Log File Prefix parameters.

       To deliver events to another account, you must create a RAM role by using the destination account, grant ActionTrail the permissions to deliver events to the destination account, and then create an OSS bucket before you create the trail. For more information, see Aggregate events across Alibaba Cloud accounts.

7. In the Preview and Create step, confirm the trail information and click Submit.
   You can click View Details to view the details of the trail.