ActionTrail monitors and records the actions of your Alibaba Cloud account. ActionTrail records the actions as events. If this is the first time that you use ActionTrail, you can create a trail to deliver subsequent events to a specified Log Service Logstore or Object Storage Service (OSS) bucket. Then, you can create a historical event delivery task to deliver the events that occurred in the last 90 days to the Log Service Logstore. This way, the events can be stored for a long period. You can also query the events that occurred in multiple regions 90 days ago in the ActionTrail console.

Prerequisites

  • Log Service is activated.

    The first time you use Log Service, log on to the Log Service console and activate Log Service as prompted. For more information, see What is Log Service?.

  • You are authorized to use the feature that creates historical event delivery tasks and the insight event feature. To use the two features, submit a ticket.

Step 1: Create a trail

This section describes how to create your first single-account trail to deliver events to a specified Log Service Logstore.

You can also create a multi-account trail or create a trail to deliver events to a specified OSS bucket. For more information, see Create a single-account trail and Create a multi-account trail.

  1. Log on to the ActionTrail console.
  2. In the left-side navigation pane, click Trail.
  3. In the top navigation bar, select the region where you want to create a single-account trail.
    Note The region that you select becomes the home region of the trail that you want to create.
  4. On the Trail page, click Create Trail.
  5. In the Trail Basic Settings step, enter a trail name in the Trail Name field, set the Event Type parameter for management events to All Events, and then click Next.
  6. In the Event Delivery Settings step, select Delivery to Log Service, select Delivery to Current Account, and then set the parameters as required.
    ParameterDescription
    Logstore RegionThe region where the Log Service project resides.
    Project NameThe name of the Log Service project. The project name must be unique within an Alibaba Cloud account.
    • If you select New Log Service Project, ActionTrail creates a project with the name that you specify and creates a Logstore in the project.
    • If you select Existing Log Service Project, you must select an existing project in Log Service.

      For more information about how to create a project in Log Service, see Getting Started.

  7. Click Next.
  8. In the Preview and Create step, confirm the trail configurations and click Submit.

Step 2: Create a historical event delivery task

A trail can deliver only the events that occur after the trail is created. If you want to deliver the events that occurred in the last 90 days, you must create a historical event delivery task.

Note To use the feature that creates historical event delivery tasks, submit a ticket.

For more information about historical event delivery tasks, see Create a historical event delivery task.

  1. In the left-side navigation pane, click Historical Event Delivery Tasks.
  2. In the top navigation bar, select the region where you want to create a historical event delivery task.
    Note The region that you select must be the same as the region where the associated single-account trail is created.
  3. On the Historical Event Delivery Tasks page, click Create Task.
  4. On the Create Task page, select the associated single-account trail.
    Note After you select the trail, the system automatically fills in the region from which the trail delivers events, the region where the Log Service project resides, the name of the Log Service project, and the information about the Log Service Logstore.
  5. Click Confirm.
    After you create the historical event delivery task, you can view the associated single-account trail, the time range of the historical events that can be delivered, the delivery status, the time when the task is created, and the time when the task is complete on the Historical Event Delivery Tasks page.

Step 3: Perform advanced event queries

ActionTrail provides multiple event query methods, such as event details query, event summary query, and advanced event query methods. This section describes how to perform advanced event queries in the ActionTrail console.

For more information about the event details query and event summary query methods, see Event details query and Event summary query.

  1. In the left-side navigation pane, click Trail.
  2. On the Trail page, click the name of the trail for which you want to enable the advanced event query feature.
  3. Click Enable next to Enable Advanced Features.
  4. In the left-side navigation pane, click Advanced Query.
  5. On the Advanced Query page, click the Custom Events tab, and query and view related events.
    Note By default, if you do not set filter conditions, all events are queried.
    1. Specify filter conditions.
    2. Click Query.
    3. Click the plus sign (+) to the left of the event you want to query to view the event details.
    4. Optional. Click Event Detail to view the event log.
    1. Click Switch to the simple mode.
    2. Specify filter conditions.
    3. Click Query.
    4. Click the plus sign (+) to the left of the event you want to query to view the event details.
    5. Optional. Click Event Detail to view the event log.

What to do next

After you create a trail to deliver events to a specified Log Service Logstore or OSS bucket, you can query or analyze the events in the Log Service or OSS console. For more information, see the following topics: