ActionTrail: Create a multi-account trail

Last Updated: Feb 14, 2026

This topic guides you through creating a multi-account trail in the ActionTrail console. A multi-account trail captures and delivers events from all member accounts in your resource directory to a centralized destination, such as a Simple Log Service (SLS) Logstore or an Object Storage Service (OSS) bucket.

Prerequisites

  • Your organization must have a resource directory enabled. For more information, see Enable a resource directory.

  • You must be logged on to the console with the management account of your resource directory or a delegated administrator account for ActionTrail. Member accounts cannot create multi-account trails.

Procedure

  1. Log on to the ActionTrail console.

  2. In the left-side navigation pane, click Trails.

  3. From the region selector in the top navigation bar, choose the region where you want to create the trail.

    Note

    The region you select is the trail's home region. The trail's configuration is stored in this region.

  4. On the Trails page, click Create Trail.

    By default, the Quickly Create Trail page opens. To configure all parameters, click Create Trail at the top of the page.

  5. On the Quickly Create Trail or Create Trail page, configure the settings for your trail.

    • Basic Information

      Parameter: Trail Name

      Description: Name of the trail and the Logstore (if you deliver to SLS). The trail name must be unique.

      Parameter: Trail Event Type

      Description: Choose the types of events to deliver:

      • Management Event (default): All (read and write), Write (create, delete, modify), or Read (read-only). For auditing purposes, we recommend All.

      • Insights Event (optional): ActionTrail analyzes management events and generates insights (such as unusual API error rates, IP addresses, AccessKey pair call rates, permission changes, password changes, and trail concealment). When enabled, All is selected for Management Event. For more information, see Insights event overview.

      • Data Event (optional): ActionTrail logs read/write events on data within supported cloud services.

      Note

      A trail created in the console delivers events in all regions by default. To limit regions, use the CreateTrail API operation and set TrailRegion.

      Parameter: Apply Trail to All Members

      Description: This is the key setting for a multi-account trail.

      • Select Yes to create a multi-account trail. This will capture events from the management account and all member accounts in your resource directory.

      • Select No to create a standard single-account trail.

      Note

      This setting cannot be changed after the trail is created.

    • Management Event Delivery Settings

      You can deliver events to SLS, OSS, MaxCompute, or a combination. See Deliver events to specified Alibaba Cloud services to choose a storage service.

      Note

      The trail delivers only events generated after it takes effect. Events from the last 90 days are not included. Use a data backfill task to deliver those events to the same destination.

      • Delivery to Simple Log Service: Configure destination account, project (new or existing), region, and project name. If you set Destination Account to Delivery to Another Account, set Project ARN and RAM Role ARN of Destination Account.

      • Delivery to OSS: Configure destination account, OSS bucket (new or existing), bucket name, object prefix, and encryption. If you set Destination Account to Delivery to Another Account, set RAM Role ARN of OSS Bucket, Bucket Name, and object prefix.

      • Delivery to MaxCompute: Configure MaxCompute Region and Project Quota. If you set Destination Account to Delivery to Another Account, set Project ARN and RAM Role ARN of MaxCompute.

  6. Click Confirm.
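
Once the trail exists, its settings can be checked against the choices this procedure recommends (multi-account, All management events, all regions, a delivery destination). The following is an added example, not Alibaba Cloud code: it audits constructed JSON shaped like a DescribeTrails response, and the field names and the Status values (TrailList, IsOrganizationTrail, EventRW, TrailRegion, Status, SlsProjectArn, OssBucketName, MaxComputeProjectArn) are assumptions to verify against the ActionTrail API reference.

```python
import json

# Constructed sample shaped like a DescribeTrails response; field names are
# assumptions to check against the ActionTrail API reference.
SAMPLE = json.loads("""
{"TrailList": [
  {"Name": "org-audit", "HomeRegion": "cn-hangzhou", "IsOrganizationTrail": true,
   "EventRW": "All", "TrailRegion": "All", "Status": "Enable",
   "SlsProjectArn": "acs:log:cn-hangzhou:111111111111:project/audit-example"},
  {"Name": "org-writes", "HomeRegion": "cn-hangzhou", "IsOrganizationTrail": true,
   "EventRW": "Write", "TrailRegion": "cn-hangzhou", "Status": "Enable",
   "OssBucketName": "audit-example-bucket"},
  {"Name": "legacy", "HomeRegion": "cn-beijing", "IsOrganizationTrail": false,
   "EventRW": "All", "TrailRegion": "All", "Status": "Disable"}
]}
""")

DESTINATION_FIELDS = ("SlsProjectArn", "OssBucketName", "MaxComputeProjectArn")


def audit_trail(trail):
    """Return the list of gaps between one trail and the recommended settings."""
    gaps = []
    if not trail.get("IsOrganizationTrail"):
        gaps.append("single-account trail: member account events not captured")
    if trail.get("EventRW") != "All":
        gaps.append(f"EventRW={trail.get('EventRW')}: read or write events missing")
    if trail.get("TrailRegion") != "All":
        gaps.append(f"TrailRegion={trail.get('TrailRegion')}: other regions not delivered")
    if trail.get("Status") != "Enable":
        gaps.append("trail is not enabled")
    if not any(trail.get(field) for field in DESTINATION_FIELDS):
        gaps.append("no SLS, OSS or MaxCompute destination configured")
    return gaps


def audit(response):
    """Map each trail name to its gaps and report whether any trail has none."""
    report = {t["Name"]: audit_trail(t) for t in response.get("TrailList", [])}
    covered = any(not gaps for gaps in report.values())
    return report, covered


if __name__ == "__main__":
    report, covered = audit(SAMPLE)
    for name, gaps in report.items():
        print(name, "OK" if not gaps else gaps)
    print("organization-wide audit coverage:", covered)
```
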

What to do next

After you create the trail, events are delivered in JSON format to the SLS Logstore, OSS bucket, or MaxCompute table you specified. You can query them as follows:

Note

Member account events are only available in the destination storage service (SLS, OSS, or MaxCompute). You cannot query them directly from the management account's Event Query page in the ActionTrail console.

  • SLS: ActionTrail creates a Logstore named actiontrail_<Trail name>. On the Trails page, hover over Storage Service and click the Logstore name.

  • OSS: Use E-MapReduce (EMR) or a third-party log analysis service. Or on the Trails page, hover over Storage Service, click the bucket name, then go to Object Management > Objects. For OSS storage paths, see What is the storage path of an event that is delivered to an OSS bucket?

    Global events originating from any member account are delivered to the trail's home region. Regional events, however, are delivered to a path in the destination OSS bucket that is specific to the region where the event occurred.

  • MaxCompute: ActionTrail creates a table named actiontrail_<Trail name>. On the Trails page, hover over Storage Service and click the MaxCompute project name. Use DataWorks to query the table.
