ActionTrail is a service that monitors and records the actions of your Alibaba Cloud account. ActionTrail records these actions as events. You can create a trail to deliver events to a specified Log Service Logstore or Object Storage Service (OSS) bucket. Then, you can create a historical event delivery task to deliver the events that occurred in the last 90 days to the Log Service Logstore specified for the associated trail. This way, events can be stored for a long period. You can use the advanced event query feature to query the events that occurred in multiple regions 90 days ago in the ActionTrail console.

Prerequisites

  • An Alibaba Cloud account is created. To create an Alibaba Cloud account, visit the Create Your Alibaba Cloud Account page.
  • You are authorized to use the historical event delivery task feature and the insight event feature. To use these two features, submit a ticket.

Step 1: Create a trail

This section describes how to create a single-account trail to deliver events to a specified Log Service Logstore.

You can also create a multi-account trail or create a trail to deliver events to a specified OSS bucket. For more information, see Create a single-account trail and Create a multi-account trail.

  1. Log on to the ActionTrail console.
  2. In the left-side navigation pane, click Trails.
  3. In the top navigation bar, select the region where you want to create a single-account trail.
    Note The region that you select becomes the home region of the trail that you want to create.
  4. On the Trails page, click Create Trail.
  5. In the Trail Basic Settings step, enter a trail name in the Trail Name field, set the Event Type parameter for management events to All Events, select Insight Event, and then click Next.
  6. In the Event Delivery Settings step, select Delivery to Log Service, select Delivery to Current Account, and then set the parameters as required.
    Parameter Description
    Logstore Region The region where the Log Service project resides.
    Project Name The name of the Log Service project. The project name must be unique within an Alibaba Cloud account.
    • If you select New Log Service Project, ActionTrail creates a project with the name that you specify and creates a Logstore in the project.
    • If you select Existing Log Service Project, you must select an existing project in Log Service.

      For more information about how to create a project in Log Service, see Getting Started.

  7. Click Next.
  8. In the Preview and Create step, confirm the trail configurations and click Submit.

Step 2: Create a historical event delivery task

A trail can deliver only the events that occur after the trail is created. Therefore, you must create a historical event delivery task to deliver the events that occurred in the last 90 days before your trail is created. This ensures that all the events required for auditing are stored.

For more information about historical event delivery tasks, see Create a historical event delivery task.

  1. In the left-side navigation pane, click Historical Event Delivery Tasks.
  2. In the top navigation bar, select the region where you want to create a historical event delivery task.
    Note This region must be the same as the region where the associated single-account trail resides.
  3. On the Historical Event Delivery Tasks page, click Create Task.
  4. On the Create Task page, select the associated trail.
    Note After you select a trail, the system automatically fills in the region from which the trail delivers events, the region where the Log Service project resides, the name of the Log Service project, and the information about the Log Service Logstore.
  5. Click Confirm.
    After you create a historical event delivery task, you can view the associated trail, the scope of the historical events that can be delivered, the delivery status, the time when the task was created, and the time when the task was completed on the Historical Event Delivery Tasks page.

Step 3: Perform advanced event queries

ActionTrail provides a variety of event query methods, such as event details query, event summary query, and advanced event query. This section describes how to perform advanced event queries in the ActionTrail console.

For more information about the event details query and event summary query features, see Event details query and Event summary query.

  1. In the left-side navigation pane, click Trails.
  2. On the Trails page, click the name of the trail that you want to set as the default trail for the advanced event query feature.
  3. Click Enable next to Enable Advanced Features.
  4. In the left-side navigation pane, click Advanced Event Query.
  5. In the top navigation bar, select the region where the events for which you want to perform advanced event queries occurred.
  6. On the Advanced Event Query page, click the Custom Events tab, and query and view related events.
    Note By default, if you do not set filter conditions, all events are queried.
    1. Specify filter conditions.
    2. Click Query.
    3. Click the plus sign (+) to the left of the event you want to query to view the event details.
    4. Optional. Click Event Detail to view the event log.
    1. Click Switch to the simple mode.
    2. Specify filter conditions.
    3. Click Query.
    4. Click the plus sign (+) to the left of the event you want to query to view the event details.
    5. Optional. Click Event Detail to view the event log.

What to do next

After you create a trail to deliver events to a specified Log Service Logstore or OSS bucket, you can query or analyze these events in the Log Service or OSS console. For more information, see the following topics: