All Products
Search
Document Center

ActionTrail:Deliver events to specified Alibaba Cloud services

Last Updated:Oct 12, 2023

By default, ActionTrail allows you to query the events that are recorded within your Alibaba Cloud account in the last 90 days. You may also need to analyze the events that are recorded in the last 90 days or retain events for 180 days or longer for your enterprise. In this case, you must deliver the events that are recorded in the ActionTrail console to a data analysis service, or continuously collect events from Alibaba Cloud and save the events to a storage service. You can use ActionTrail trails to meet the preceding requirements. This topic describes how to deliver events to a specified destination in different scenarios by using a single-account trail.

Prerequisites

  • Object Storage Service (OSS) is activated. For more information, see Activate OSS.

  • Simple Log Service is activated.

    If Simple Log Service is not activated, log on to the Simple Log Service console and follow the on-screen instructions to activate the service.

Scenarios

You can create a trail in the ActionTrail console to deliver events in various scenarios. If you do not create a trail, you cannot query the events that are generated more than 90 days ago. You can create a trail to deliver events in the following scenarios:

  • Scenario 1: Retain events for 180 days or longer

    By default, ActionTrail records only the events that are generated in the last 90 days. Multi-Level Protection Scheme (MLPS) 2.0 requires events to be retained for 180 days or longer. In this case, you can create a trail to continuously collect events and deliver the events to OSS or Simple Log Service. By default, events are permanently stored after they are delivered to an OSS bucket or a Simple Log Service Logstore. If you want to retain events for only 180 days, see Modify the lifecycle rule of the OSS bucket or Change the data retention period of the Simple Log Service Logstore.

  • Scenario 2: Analyze sensitive operations and configure alert rules for the operations

    If you want to detect sensitive operations at the earliest opportunity, such as the operations that are performed to generate orders or delete resources, you can create a trail in the ActionTrail console to deliver the related events to a specified Simple Log Service Logstore. Then, you can configure alert rules for the events in the Simple Log Service console.

  • Scenario 3: Analyze events by using MaxCompute

    If Simple Log Service does not meet your analysis requirements, we recommend that you use MaxCompute to analyze events. MaxCompute provides various classic distributed computing models to help you perform big data analysis in an efficient manner. You can create a trail to deliver events to a specified Simple Log Service Logstore. Then, you can configure the Logstore to import the events to MaxCompute for analysis.

  • Scenario 4: Analyze and permanently store events in a cost-effective manner

    Before you use OSS, Simple Log Service, and MaxCompute to perform real-time analysis and ensure permanent storage of events, make sure that you are familiar with the features and billing policies of the services. Simple Log Service, MaxCompute, and OSS are paid services, which are listed in descending order of price. We recommend that you process events in the following manner: Create a trail to deliver events to a specified Simple Log Service Logstore for analysis. Change the data retention period of the Logstore in the Simple Log Service console to meet the retention requirements of real-time analysis. Then, configure the Logstore to import events to MaxCompute or OSS for permanent storage at regular intervals.

Scenario 1: Retain events for 180 days or longer

  1. Log on to the ActionTrail console.

  2. In the left-side navigation pane, click Trails.

  3. In the top navigation bar, select the region where you want to create a trail.

  4. On the Trails page, click Create Trail.

  5. On the Create Trail page, configure the parameters.

    • In the Basic Information section, configure the basic information about the trail.

      Parameter

      Description

      Trail Name

      The name of the trail. The name must be unique within your Alibaba Cloud account.

      Log Events

      The type of events that you want to deliver. Set the Management Event parameter to All.

    • In the Event Delivery section, specify a delivery method.

      • Select Delivery to Log Service, and then select Delivery to Current Account.

        • New Log Service Project: If you select this option, select a region from the Logstore Region drop-down list and configure the Project Name parameter.

        • Existing Log Service Project: If you select this option, select a region from the Logstore Region drop-down list and a project name from the Project Name drop-down list.

      • Select Delivery to OSS and then select Delivery to Current Account.

        • New OSS Bucket: If you select this option, configure the Bucket Name, Log File Prefix, Enable Server-side Encryption, and Enable Retention Policy parameters.

        • Existing OSS Bucket: If you select this option, configure the Bucket Name parameter.

  6. Click Confirm.

    You can perform one of the following operations based on the storage service to view events:

    • OSS: Click the bucket name to go to the OSS console and view the events.

    • Simple Log Service: Click the name of the Simple Log Service project or Logstore to go to the Simple Log Service console and view the events.

Scenario 2: Analyze sensitive operations and configure alert rules for the operations

  1. Log on to the ActionTrail console.

  2. In the left-side navigation pane, click Trails.

  3. In the top navigation bar, select the region where you want to create a trail.

  4. On the Trails page, click Create Trail.

  5. On the Create Trail page, configure the parameters.

    • In the Basic Information section, configure the basic information about the trail.

      Parameter

      Description

      Trail Name

      The name of the trail. The name must be unique within your Alibaba Cloud account.

      Log Events

      The type of events that you want to deliver. Set the Management Event parameter to Write.

      Note

      In most cases, write events are considered as sensitive operations. To reduce the size of events that you want to deliver and save costs, you can set the Management Event parameter to Write.

    • In the Event Delivery section, configure parameters to deliver events to Simple Log Service within the current account.

      • New Project: If you select this option, select a region from the Logstore Region drop-down list and configure the Project Name parameter.

      • Existing Log Service Project: If you select this option, select a region from the Logstore Region drop-down list and a project name from the Project Name drop-down list.

  6. Click Confirm.

    On the details page of the trail, click the name of the Simple Log Service project or Logstore to go to the Simple Log Service console and view the analysis results of the events.

  7. In the Simple Log Service console, configure an alert rule.

    For more information, see Configure an alert rule.

Scenario 3: Analyze events by using MaxCompute

  1. Log on to the ActionTrail console.

  2. In the left-side navigation pane, click Trails.

  3. In the top navigation bar, select the region where you want to create a trail.

  4. On the Trails page, click Create Trail.

  5. On the Create Trail page, configure the parameters.

    • In the Basic Information section, configure the basic information about the trail.

      Parameter

      Description

      Trail Name

      The name of the trail. The name must be unique within your Alibaba Cloud account.

      Log Events

      The type of events that you want to deliver. Set the Management Event parameter to All.

    • In the Event Delivery section, configure parameters to deliver events to Simple Log Service within the current account.

      • New Log Service Project: If you select this option, select a region from the Logstore Region drop-down list and configure the Project Name parameter.

      • Existing Log Service Project: If you select this option, select a region from the Logstore Region drop-down list and a project name from the Project Name drop-down list.

  6. Click Confirm.

    On the details page of the trail, click the name of the Simple Log Service project or Logstore to go to the Simple Log Service console and view the analysis results of the events.

  7. In the Simple Log Service console, deliver the events to MaxCompute.

    For more information, see Ship logs to MaxCompute (old version).

    Note

    After you deliver the events to MaxCompute, you can analyze the events.

Scenario 4: Analyze and permanently store events in a cost-effective manner

If you select New Log Service Project when you create a trail in the ActionTrail console, a Simple Log Service Logstore whose name is prefixed with actiontrail_<trail_name> is created. The storage that is provided by Simple Log Service for events is not cost-effective. We recommend that you change the data retention period of the Logstore and configure the Logstore to deliver events to MaxCompute or OSS for permanent storage at regular intervals. For example, you can change the data retention period of the Logstore to 180 days.

  1. Create a trail in the ActionTrail console to deliver events to a specified Simple Log Service Logstore.

    For more information about how to create a trail, see Create a single-account trail.

  2. Change the storage period of the events in the Simple Log Service console.

    1. Log on to the Simple Log Service console.

    2. In the Projects section, click the name of the project that you specified when you created the trail.

    3. Click the 1 icon to the left of the specified Logstore and then click the 2 icon.

    4. In the upper-right corner of the Logstore Attributes tab, click Modify. Then, set the Data Retention Period parameter to Specified Days, instead of Permanently Storage.

    5. Configure the Data Retention Period parameter and click Save.

  3. Deliver events to MaxCompute or OSS in the Simple Log Service console.