After you enable the insight event feature for a trail, ActionTrail generates insight events based on the identified unusual API calls. Then, ActionTrail delivers the insight events to the Log Service Logstore or Object Storage Service (OSS) bucket specified for the trail. You can log on to the Log Service or OSS console to query and analyze insight events that were generated more than 90 days ago.

Prerequisites

  • The permissions to manage insight events are granted to you after you request the permissions by submitting a ticket.
  • A single-account trail that meets the following conditions is created:
    • The trail delivers events from all regions.
    • The trail delivers all types of events.
    For more information, see Create a single-account trail.
  • The insight event feature is enabled for the trail. For more information, see the "Step 1: Enable the insight event feature for a trail" section of the Query insight events in the ActionTrail console topic.

Query insight events in the Log Service console

The insight events and management events that are recorded by a trail are delivered to the same Log Service Logstore specified for the trail. You can run the * and event.eventType: ActionTrailInsight SQL statement to query and analyze insight events in the Log Service console.

  1. Log on to the ActionTrail console.
  2. In the left-side navigation pane, click Insight.
  3. In the top navigation bar, select from the drop-down list the region in which the insight events that you want to query are generated.
  4. On the Insight page, click the more icon, find the trail that you want to manage, move the pointer over the exclamation point icon in the Storage Service column, and then click the name of the Logstore.
  5. In the Log Service console, click 15 Minutes(Relative) in the upper-right corner. In the time picker that appears, specify a time range to query.
  6. Enter * and event.eventType: ActionTrailInsight in the search box, and click Search & Analyze in the upper-right corner to query insight events.

Query insight events in the OSS console

The insight events and management events that are recorded by a trail are delivered to different paths in the OSS bucket specified for the trail. The paths where insight events are stored are in the following format:

oss://<Bucket name>/<Log file name prefix>/AliyunLogs/Actiontrail-Insight/<Region ID>/<YYYY>/<MM>/<DD>/<Log file name>

  1. On the Insight page, click the more icon, find the trail that you want to manage, move the pointer over the exclamation point icon in the Storage Service column, and then click the name of the OSS bucket.
  2. In the left-side navigation pane of the OSS console, click Files.
  3. Click AliyunLogs and then Actiontrail-Insight. Then, query insight events by region and date.
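
The path format above can also be used to pick insight-event objects out of a bucket listing by region and date, for example when reviewing events older than 90 days. The following Python code is an added example, not part of the ActionTrail documentation; the object keys, the "audit" log file name prefix, the file names, and the function names are constructed for illustration.

```python
import re
from datetime import date, timedelta

MARKER = "AliyunLogs/Actiontrail-Insight"  # fixed directory from the path format

# <Log file name prefix>/AliyunLogs/Actiontrail-Insight/<Region ID>/<YYYY>/<MM>/<DD>/<Log file name>
KEY_RE = re.compile(
    r"^(?:(?P<prefix>.+)/)?" + re.escape(MARKER)
    + r"/(?P<region>[^/]+)/(?P<y>\d{4})/(?P<m>\d{2})/(?P<d>\d{2})/(?P<name>[^/]+)$"
)

# Constructed object keys (relative to the bucket); not real ActionTrail output.
SAMPLE_KEYS = [
    "audit/AliyunLogs/Actiontrail-Insight/cn-hangzhou/2023/01/15/insight_0001.gz",
    "audit/AliyunLogs/Actiontrail-Insight/cn-hangzhou/2023/01/17/insight_0002.gz",
    "audit/AliyunLogs/Actiontrail-Insight/cn-beijing/2023/01/15/insight_0003.gz",
    "audit/AliyunLogs/Other-Logs/cn-hangzhou/2023/01/15/other_0001.gz",  # not insight
    "audit/AliyunLogs/Actiontrail-Insight/cn-hangzhou/2023/13/01/bad.gz",  # invalid date
]

def daily_prefixes(log_prefix, region, start, end):
    """Return one listing prefix per day in [start, end], following the path format."""
    if end < start:
        raise ValueError("end date precedes start date")
    clean = log_prefix.strip("/")
    base = f"{clean}/{MARKER}" if clean else MARKER
    days = (end - start).days + 1
    return [f"{base}/{region}/{start + timedelta(days=n):%Y/%m/%d}/" for n in range(days)]

def parse_insight_key(key):
    """Return (region, date, file name) for an insight-event key, otherwise None."""
    m = KEY_RE.match(key)
    if not m:
        return None
    try:
        day = date(int(m["y"]), int(m["m"]), int(m["d"]))
    except ValueError:  # path segments that do not form a real calendar date
        return None
    return m["region"], day, m["name"]

def select_insight_keys(keys, region, start, end):
    """Keep only insight-event keys for one region within an inclusive date range."""
    picked = []
    for key in keys:
        parsed = parse_insight_key(key)
        if parsed and parsed[0] == region and start <= parsed[1] <= end:
            picked.append(key)
    return sorted(picked)
```
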