After you enable the insight event feature for a trail, ActionTrail generates insight events based on the identified unusual API calls. Then, ActionTrail delivers the insight events to the Log Service Logstore or Object Storage Service (OSS) bucket specified for the trail. You can log on to the Log Service or OSS console to query and analyze insight events that were generated more than 90 days ago.
Prerequisites
- You have been granted the permissions to manage insight events. To request the permissions, submit a ticket.
- A single-account trail that meets the following conditions is created:
  - The trail delivers events from all regions.
  - The trail delivers all types of events.
- The insight event feature is enabled for the trail. For more information, see the "Step 1: Enable the insight event feature for a trail" section of the Query insight events in the ActionTrail console topic.
Query insight events in the Log Service console
The insight events and management events that are recorded by a trail are delivered to the same Log Service Logstore specified for the trail. To query and analyze insight events in the Log Service console, run the following SQL statement:
* and event.eventType: ActionTrailInsight
Query insight events in the OSS console
The insight events and management events that are recorded by a trail are delivered to different paths in the OSS bucket specified for the trail. Insight events are stored in paths of the following format:
oss://<Bucket name>/<Log file name prefix>/AliyunLogs/Actiontrail-Insight/<Region ID>/<YYYY>/<MM>/<DD>/<Log file name>
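The following Python sketch is an added example, not part of the ActionTrail documentation. It applies the path format above to build one listing prefix per day for an investigation window and to pick the insight-event objects out of a bucket listing. The log file name prefix "audit", the file names, the "Other-Events" directory, and the function names are assumptions made for the example.

```python
import re
from datetime import date, timedelta

# Directory segment taken from the path format above; the key is everything after the bucket name.
INSIGHT_DIR = "AliyunLogs/Actiontrail-Insight"
_KEY_RE = re.compile(
    r"^(?P<prefix>.+)/" + re.escape(INSIGHT_DIR)
    + r"/(?P<region>[^/]+)/(?P<y>\d{4})/(?P<m>\d{2})/(?P<d>\d{2})/(?P<file>[^/]+)$"
)

def daily_prefixes(log_prefix, region, start, end):
    """Return one object-key prefix per day in [start, end], usable as a listing filter."""
    if end < start:
        raise ValueError("end date precedes start date")
    return [
        f"{log_prefix}/{INSIGHT_DIR}/{region}/{(start + timedelta(n)):%Y/%m/%d}/"
        for n in range((end - start).days + 1)
    ]

def parse_insight_key(key):
    """Return (log_prefix, region, date, file_name) for an insight-event key, else None."""
    m = _KEY_RE.match(key)
    if not m:
        return None
    try:
        day = date(int(m["y"]), int(m["m"]), int(m["d"]))
    except ValueError:  # shaped like a date but not a real one, e.g. month 13
        return None
    return m["prefix"], m["region"], day, m["file"]

def select_insight_keys(keys, region, start, end):
    """Keep only insight-event keys for one region inside the date window."""
    picked = []
    for key in keys:
        parsed = parse_insight_key(key)
        if parsed and parsed[1] == region and start <= parsed[2] <= end:
            picked.append(key)
    return picked

# Constructed sample listing; the object names are invented for this example.
SAMPLE_KEYS = [
    "audit/AliyunLogs/Actiontrail-Insight/cn-hangzhou/2023/01/30/insight_0001.gz",
    "audit/AliyunLogs/Actiontrail-Insight/cn-hangzhou/2023/02/01/insight_0002.gz",
    "audit/AliyunLogs/Actiontrail-Insight/cn-beijing/2023/02/01/insight_0003.gz",
    "audit/AliyunLogs/Other-Events/cn-hangzhou/2023/02/01/events_0004.gz",
    "audit/AliyunLogs/Actiontrail-Insight/cn-hangzhou/2023/13/01/bad.gz",
]
```

Pass each value from daily_prefixes as the prefix filter when you list objects with your OSS client, then run the returned keys through select_insight_keys before you download them.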