A single-account trail can deliver events to an Object Storage Service (OSS) bucket or to a Logstore in Simple Log Service for analysis. By default, ActionTrail retains the events generated in your Alibaba Cloud account for the last 90 days, and you can query those events in the ActionTrail console. To retain and query events older than 90 days, you must create a trail that delivers them to a storage destination. This topic describes how to create a single-account trail in the ActionTrail console.
If you create a trail by using your Alibaba Cloud account, ActionTrail delivers events related to the Alibaba Cloud account and its RAM users to a bucket or a Logstore. If you create a trail as a RAM user, you must authorize the RAM user to create and manage single-account trails. For more information, see Grant permissions to a RAM user.
ActionTrail allows you to create multiple single-account trails. After you create a single-account trail to deliver events to an OSS bucket, global events are recorded in the same directory as the events that are generated in the region in which the trail is created. This helps prevent the repeated recording of global events.
Log on to the ActionTrail console.
In the left-side navigation pane, click Trails.
In the top navigation bar, select the region where you want to create a single-account trail.
Note: The region that you select becomes the home region of the trail.
On the Trails page, click Create Trail.
On the Create Trail page, configure the parameters.
The name of the trail. When events are delivered to Simple Log Service, this name is also used to form the name of the Logstore (actiontrail_<Trail name>).
Note: The name of the trail must be unique.
The category of the events that you want to deliver. Valid values:
Management Event: By default, Management Event is selected. You can select the type of management events that you want to deliver. Valid values:
All: read and write events. Auditing-related regulations and standards stipulate that all events must be recorded. We recommend that you select All.
Write: the events that record operations that create, delete, or modify cloud resources. Example: the event that is generated when you call the CreateInstance operation to create a subscription or pay-as-you-go Elastic Compute Service (ECS) instance. If you export events only for analysis and care only about the events that change cloud resources, select Write.
Read: the events that record operations that read information about cloud resources rather than create, delete, or modify them. For example, a DescribeInstances event is generated when the details of one or more ECS instances are queried. Read events are usually generated in large numbers and occupy a large amount of storage space. However, auditing-related regulations and standards stipulate that all events must be recorded, so we recommend that you configure the trail to deliver both read and write events. Read events are also what let you track the use of AccessKey pairs and enumeration of cloud resources, which is often the first visible sign of a compromised credential.
Insights Event: Select or clear Insights Event based on your business requirements. After you select Insights Event, All is selected for Management Event. ActionTrail analyzes management events, identifies unusual activities that are associated with API call rates, API error rates, IP addresses, AccessKey pair call rates, permission changes, password changes, and trail concealment, and then generates Insights events. For more information about Insights events, see Overview of Insights events.
By default, when you create a trail in the ActionTrail console, the trail delivers events in all regions. To create a trail that delivers events in specific regions, call the CreateTrail operation. Set TrailRegion based on your business requirements when you call this operation.
You can create a trail to deliver events to a Logstore, a bucket, or both. For more information about how to select a storage service, see Deliver events to specified Alibaba Cloud services.
Note:
The trail delivers only the events that are generated after the single-account trail takes effect. The events that are generated in the last 90 days are not included. You can create a data backfill task to deliver the events that are generated in the last 90 days to the delivery destination that you specify for the trail at a time. For more information, see Create a data backfill task.
Select Delivery to Log Service
If you select Delivery to Current Account, configure the parameters.
The project to which you want to deliver events.
The region where the Logstore resides.
The name of the project.
Note: The project name is shared by all Alibaba Cloud users and must be unique.
If you select New Log Service Project, the system automatically creates a project. You must specify a name for the project. The system also automatically creates a Logstore for the project.
If you select Existing Log Service Project, you must select an existing project from the Project Name drop-down list.
For more information about how to create a project in Log Service, see Getting Started.
Note: After you create a trail that delivers events to Simple Log Service, a Logstore whose name is in the actiontrail_<Trail name> format is automatically created and configured for auditing. Indexes and a dashboard are created for the Logstore to facilitate event queries. You cannot manually write data to the Logstore, which keeps the delivered audit records free of injected entries. You do not need to create a Logstore in advance.
If you select Delivery to Another Account, configure Log Service Project ARN and RAM Role ARN of Destination Account.
To deliver events to a different account, you must create a RAM role by using the destination account, grant ActionTrail the permissions to deliver events to the destination account, and then create a project before you create the trail. For more information, see Aggregate events across Alibaba Cloud accounts.
Select Delivery to OSS
If you select Delivery to Current Account, configure the parameters.
The bucket to which you want to deliver events.
New OSS Bucket
Existing OSS Bucket
The name of the OSS bucket. Bucket names are globally unique across OSS, so the name you enter must not be in use by any account.
If you select New OSS Bucket, you must enter an OSS bucket name. ActionTrail creates an OSS bucket with the name that you enter.
If you select Existing OSS Bucket, you must select an existing bucket from the Bucket Name drop-down list.
For more information about how to create a bucket in OSS, see Create a bucket.
You must complete real-name registration on the Real-name Registration page before you create a bucket in a region within the Chinese mainland.
Log File Prefix
The prefix of the names of the log files in which the delivered events are stored. The prefix helps you locate the events later, and lets several trails share one bucket without their objects mixing.
Specifies whether and how to encrypt the log files in the OSS bucket. If you select New OSS Bucket, you must configure the parameter. Valid values:
Fully Managed by OSS: The keys managed by OSS are used to encrypt objects in the bucket. OSS uses data keys to encrypt objects. In addition, OSS uses regularly rotated master keys to encrypt data keys.
KMS: Key Management Service (KMS) is used to encrypt data. Before you can use KMS keys, you must activate KMS. For more information, see Purchase and enable a KMS instance.
Disable: Disables server-side encryption. Not recommended for audit logs.
Specifies whether to enable a retention policy. OSS supports WORM-compliant storage: after a retention policy is configured for a bucket, objects in the bucket cannot be deleted or modified during the retention period, even by the bucket owner, which protects the audit trail against tampering. Valid values:
If you select Delivery to Another Account, configure RAM Role ARN of OSS Bucket, Bucket Name, and Log File Prefix.
To deliver events to a different account, you must create a RAM role by using the destination account, grant ActionTrail the permissions to deliver events to the destination account, and then create an OSS bucket before you create the trail. For more information, see Aggregate events across Alibaba Cloud accounts.
What to do next
After you create a single-account trail, the trail delivers events to the bucket or Logstore that you specify in the JSON format for query and analysis. You can view the events that are stored in the bucket or Logstore.
Query events in the Simple Log Service console: ActionTrail automatically creates a Logstore whose name is in the actiontrail_<Trail name> format. On the Trails page, move the pointer over SLS or SLS & OSS in the Storage Service column and click the name of the Logstore.
Query events in the OSS console: You can analyze the events that are delivered to OSS by using E-MapReduce (EMR) or a third-party log analysis service.
Alternatively, on the Trails page, move the pointer over OSS or SLS & OSS in the Storage Service column and click the name of the OSS bucket. For more information about storage paths in OSS, see What is the storage path of an event that is delivered to an OSS bucket?
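As an added example that is not part of this topic or of ActionTrail's own tooling, the following Python script triages events once a trail has delivered them as JSON. It applies the Read/Write distinction described under the event categories above (operations named Describe, Get, List or Query are Read, everything else is Write), counts events per AccessKey pair to support the AccessKey tracking that the Read category mentions, and raises alerts for two of the activity types that Insights events cover: trail concealment (the StopLogging, DeleteTrail and UpdateTrail operations) and RAM permission changes. The event field names used (eventName, eventTime, serviceName, sourceIpAddress, and a userIdentity object with userName and accessKeyId) are assumed from the ActionTrail event layout, the operation-name lists are the example's own choice, and the sample events are constructed, not real data.

```python
"""Triage of delivered ActionTrail events (added example, not part of the page).

Assumptions: each delivered event is a JSON object carrying eventName, eventTime,
serviceName, sourceIpAddress and a userIdentity object with type, userName and
accessKeyId. Nothing else in the event schema is relied on. The sample events
below are constructed for the example.
"""
import json
from collections import Counter

# Constructed sample: four events as a trail might deliver them (not real data).
SAMPLE_JSON = json.dumps([
    {"eventName": "DescribeInstances", "eventTime": "2024-05-01T08:00:00Z",
     "serviceName": "Ecs", "sourceIpAddress": "203.0.113.10",
     "userIdentity": {"type": "ram-user", "userName": "alice",
                      "accessKeyId": "LTAI5tExampleAliceKey"}},
    {"eventName": "CreateInstance", "eventTime": "2024-05-01T08:01:10Z",
     "serviceName": "Ecs", "sourceIpAddress": "203.0.113.10",
     "userIdentity": {"type": "ram-user", "userName": "alice",
                      "accessKeyId": "LTAI5tExampleAliceKey"}},
    {"eventName": "AttachPolicyToUser", "eventTime": "2024-05-01T08:05:42Z",
     "serviceName": "Ram", "sourceIpAddress": "198.51.100.7",
     "userIdentity": {"type": "ram-user", "userName": "bob",
                      "accessKeyId": "LTAI5tExampleBobKey"}},
    {"eventName": "StopLogging", "eventTime": "2024-05-01T08:06:03Z",
     "serviceName": "ActionTrail", "sourceIpAddress": "198.51.100.7",
     "userIdentity": {"type": "ram-user", "userName": "bob",
                      "accessKeyId": "LTAI5tExampleBobKey"}},
])

# Read events are recognised by operation-name prefix; any other operation is
# treated as Write (create, delete or modify). The prefix list is an assumption.
READ_PREFIXES = ("Describe", "Get", "List", "Query")

# Write operations that deserve an alert on their own: the ActionTrail calls
# that conceal a trail and the RAM calls that change permissions or mint keys.
TRAIL_CONCEALMENT = {"StopLogging", "DeleteTrail", "UpdateTrail"}
PERMISSION_CHANGES = {"AttachPolicyToUser", "AttachPolicyToRole",
                      "AttachPolicyToGroup", "CreateAccessKey"}


def load_events(raw):
    """Parse delivered events from a JSON array or newline-delimited JSON objects."""
    text = raw.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify_rw(event_name):
    """Return 'Read' or 'Write' for an operation name, based on its prefix."""
    return "Read" if event_name.startswith(READ_PREFIXES) else "Write"


def triage(events):
    """Summarise events: Read/Write counts, per-AccessKey usage and alerts."""
    rw_counts = Counter()
    key_usage = Counter()
    alerts = []
    for ev in events:
        name = ev["eventName"]
        identity = ev.get("userIdentity", {})
        rw_counts[classify_rw(name)] += 1
        key_usage[identity.get("accessKeyId", "<none>")] += 1
        if name in TRAIL_CONCEALMENT:
            reason = "trail concealment"
        elif name in PERMISSION_CHANGES:
            reason = "permission change"
        else:
            continue
        alerts.append({
            "reason": reason,
            "eventName": name,
            "user": identity.get("userName"),
            "sourceIp": ev.get("sourceIpAddress"),
            "time": ev.get("eventTime"),
        })
    return {"rw": dict(rw_counts), "keys": dict(key_usage), "alerts": alerts}


if __name__ == "__main__":
    print(json.dumps(triage(load_events(SAMPLE_JSON)), indent=2))
```

Run against a file of delivered events instead of the constructed sample by passing its contents to load_events. A StopLogging or DeleteTrail alert is worth paging on: once a trail stops delivering, the only remaining record is the 90-day window in the ActionTrail console.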