By default, ActionTrail records the events that were generated within your Alibaba Cloud account in the last 90 days. You can query these events in the ActionTrail console. To query the events that were generated more than 90 days ago, you must create a trail first to record these events. This topic describes how a single-account trail works and the scenarios to which it can be applied.

How a single-account trail works

After you create a single-account trail, the trail delivers events to the Object Storage Service (OSS) bucket or Log Service Logstore that you specify in the JSON format for query, analysis, or long-term storage. Take note of the following rules when you select a storage service for events:

  • If you want to query or analyze events, you can configure ActionTrail to deliver events to Log Service. When an event is generated, ActionTrail delivers the event to the specified Log Service Logstore within 1 minute.
  • If you want to store or archive events for a long period of time, you can configure ActionTrail to deliver events to OSS. When an event is generated, ActionTrail delivers the event to the specified OSS bucket within 10 minutes.

    ActionTrail aggregates events based on specific rules before it delivers the events to a specified OSS bucket. In most cases, events generated every 5 minutes are aggregated into one file. If large numbers of events are generated in a 5-minute period, these events may be aggregated into multiple files.

The following figure shows how a single-account trail works.

Single-account trail

Scenarios

You can create multiple single-account trails to achieve the following goals:

  • Deliver events to different storage objects based on event types. Then, you can grant enterprise roles the permissions to audit the events in specific storage objects.
  • Deliver events to the storage objects that are deployed in the regions of one or more countries. Then, you can check whether the audit data is compliant with related regulations in multiple regions.
  • Generate backups for an event to prevent the data from being lost.
Note We recommend that you do not set the same event delivery destination for different single-account trails. Otherwise, events might be repeatedly delivered, which wastes the storage space.