By default, ActionTrail records the events that are generated within your Alibaba Cloud account in the last 90 days. You can query the events but cannot download them in the ActionTrail console. If you want to query events that are generated more than 180 days ago for audit or you need to download events to your on-premises device for analysis, you must create a trail to deliver events to a Simple Log Service Logstore or an Object Storage Service (OSS) bucket and then download the events to your on-premises device as files.
Background information
This topic describes how to download the events that are delivered by a single-account trail in the Simple Log Service console. To do this, perform the following steps:
Create a trail in the ActionTrail console to continuously deliver events to a Simple Log Service Logstore.
Optional. Create a data backfill task in the ActionTrail console to deliver the events that are generated in ActionTrail in the last 90 days to the Simple Log Service Logstore that is specified in the trail at a time.
Download events in the Simple Log Service console. You can query specific events in the Simple Log Service console and download the events. Multiple methods are provided for you to download the events.
For example, you can execute the following SQL statement to query the aggregation information about all write events among management events:
NoteIf you specify a long query time range, we recommend that you use the
LIMIT Nclause to limit the number of returned events toN. For example, if you use theLIMIT 20clause, the system returns 20 events.* AND "event.eventCategory": Management AND "event.eventRW": Write | SELECT"event.serviceName"AS servieName,"event.eventName"AS eventName,"event.eventRw"AS eventRw,"event.sourceIpAddress"AS sourceIpAddress,"event.resourceName"AS resourceName,"event.resourceType"AS resourceType,"event.userIdentity.userName"AS userName,"event.userIdentity.type"AS userType,"event.userIdentity.accessKeyId"AS accessKeyId,"event.acsRegion"AS eventRegion,COUNT("event.eventId")AS n, date_trunc('hour', __time__) AS time GROUP BY time, servieName, eventName, eventRw, sourceIpAddress, resourceType, resourceName, accessKeyId, userType, userName, eventRegion ORDER BY time DESC LIMIT 20The following figure shows the query results. Each value in the n column indicates the number of times that events are aggregated.
Step 1: Create a trail to deliver events to a Simple Log Service Logstore
Log on to the ActionTrail console.
In the left-side navigation pane, click Trails.
In the top navigation bar, select the region where you want to create a single-account trail.
NoteThe region that you select becomes the home region of the trail that you want to create.
On the Trails page, click Create Trail.
On the Create Trail page, configure the parameters.
In the Basic Information section, configure the basic information about the trail.
NoteBy default, the trail delivers events in all regions. We recommend that you set the Management Event parameter to All. This way, the trail delivers all types of events that occur in all regions. For more information, see Create a single-account trail.
In the Event Delivery section, configure parameters to deliver events to Simple Log Service within the current Alibaba Cloud account.
Parameter
Description
Logstore Region
The region where the Logstore resides.
Project Name
The name of the project.
NoteThe project name is shared by all Alibaba Cloud users and must be unique.
If you select New Log Service Project, the system automatically creates a project. You must specify a name for the project. The system also automatically creates a Logstore for the project.
If you select Existing Log Service Project, you must select an existing project from the Project Name drop-down list.
For more information about how to create a project in Simple Log Service, see Getting Started.
Click Confirm.
Step 2: (Optional) Create a data backfill task
A trail can deliver only the events that are generated after the trail is created. If you want to download the events that are generated in the last 90 days, you must create a data backfill task to deliver the events.
To create a data backfill task, submit a ticket to obtain permissions to use the backfill feature.
In the left-side navigation pane, click Backfill.
In the top navigation bar, select a region where you want to create a data backfill task.
NoteThe region must be the same as the region where the created single-account trail resides.
On the Backfill page, click Create Task.
On the Create Task page, select the single-account trail for which you want to create a data backfill task.
NoteAfter you select the trail, the following information is automatically entered: the region from which the trail delivers events, the region where the Simple Log Service project resides, the name of the Simple Log Service project, and the information about the Simple Log Service Logstore.
Click Confirm.
After you create a data backfill task, you can view Delivery Status of the task on the Backfill page to check whether events are delivered.
Step 3: Download events in the Simple Log Service console
You can query events that are generated within a specific time range in the Simple Log Service console and download the events. If your query returns multiple events, Simple Log Service allows you to download them to a single file for subsequent use.
In the ActionTrail console, go to the Logstore that is specified in the trail.
In the left-side navigation pane, click Trails.
In the top navigation bar, select the region of the single-account trail and data backfill task.
On the Trails page, find the trail and move the pointer over SLS or SLS & OSS in the Storage Service column. Then, click the name of the Simple Log Service Logstore.
In the Simple Log Service console, click 15 Minutes in the upper-right corner. In the time picker that appears, specify a time range to query events. For example, you can select Today.
Enter a query statement and click Search & Analyze.
For more information about how to configure a query statement, see How can I use SQL statements to query ActionTrail events delivered to Simple Log Service?
Download events.
Method 1: Download event statistics that are categorized by field.
On the Graph tab, click the
icon and then click Download Log. Method 2: Download an event code file.
On the Raw Logs tab, click the
icon.
In the Log Download dialog box, select a download method and click OK.
Download: Download events to a file in the comma-separated values (CSV) format.
Download with Cloud Shell: Download all events as prompted.
NoteThe Cloud Shell server resides in the China (Shanghai) region. If you download logs from a Logstore that does not reside in the China (Shanghai) region, you are charged for the traffic of data transfer over the Internet. For more information about pricing, see Pricing.
Download All Logs Using Command Line Tool: Download all events as prompted.
NoteIf you want to download events by using a command line tool, you must specify your actual AccessKey ID and AccessKey secret in the command. If you want to use an Alibaba Cloud account to download events, log on to the User Management console and obtain the AccessKey pair of the Alibaba Cloud account. If you want to use a Resource Access Management (RAM) user to download events, log on to the RAM console to create a RAM user and obtain the AccessKey pair of the RAM user.
If the host on which the command line tool is installed resides in the same region as the current Simple Log Service project, we recommend that you click Switch to Internal Endpoint. An internal network provides a higher download speed, and no fees are generated for Internet traffic.
References
For more information about how to download event details, see Download logs.