
ActionTrail: Enable the event alerting feature and configure alert rules

Last Updated: Feb 23, 2024

ActionTrail provides the event alerting feature. You can use the feature to monitor your cloud resources in real time and respond to exceptions in your cloud resources at the earliest opportunity. If the system identifies potential security threats or non-compliant events based on an alert rule, the system notifies the users and user groups that are specified in the rule by using multiple notification methods. This way, the users and user groups can handle the threats or events at the earliest opportunity to ensure the security and integrity of cloud resources. This topic describes how to enable the event alerting feature and configure alert rules.

Step 1: Create a trail

Create a trail that meets the following conditions:

  • The trail delivers events from all regions.

  • The trail delivers all types of events.

  • The trail delivers events to Simple Log Service.

For more information, see Create a single-account trail and Create a multi-account trail.

Note

When you create a trail, you can create a data backfill task to deliver events that are generated within the last 90 days. For more information, see Create a data backfill task.

Step 2: Enable the advanced event query feature for the trail

Before you can use the event alerting feature to detect events for a trail, you must enable the advanced event query feature.

  1. Log on to the ActionTrail console.

  2. In the left-side navigation pane, click Trails.

  3. On the Trails page, find the trail for which you want to enable the advanced event query feature and turn on the switch in the Advanced Event Query column.

    Note
    • You can enable the advanced event query feature for only one trail within an Alibaba Cloud account or Resource Access Management (RAM) user.

    • If you configure an alert rule for a trail, the alert rule configuration still takes effect after you disable the advanced event query feature for the trail. If you want to modify the configuration of an alert rule or disable an alert rule, you must re-enable the advanced event query feature.

Step 3: Create users and a user group

You can specify users and user groups as contacts of alert notifications. In this example, two users named Alice and Kumer and a user group named ActionTrailOM are created. Users Alice and Kumer are added to the ActionTrailOM user group.

  1. Log on to the ActionTrail console.

  2. In the left-side navigation pane, click Alerts.

  3. Create a user.

    1. On the Alert Center page, choose Alert Management > User Management.

    2. In the User Management section, click Create.

    3. In the Create User dialog box, configure the parameters and click OK.

      In this example, the following user information is specified:

      # ID, Username, Enabled, Phone Number, Receive Text Message, Receive Phone Call, Email
      test01,Kumer,true,86-1381111*****,true,true,a***@example.net
      test02,Alice,true,86-1381111*****,true,true,a***@example.net

      The following table describes the parameters.

      Parameter: ID
      Description: The ID of the user. The ID must be unique. The ID must be 5 to 60 characters in length, and can contain letters, digits, underscores (_), hyphens (-), and periods (.). The ID must start with a letter.
      Example: test01 and test02

      Parameter: Username
      Description: The name of the user. The name must be 1 to 20 characters in length and cannot contain the following special characters: " \ $ | ~ ? & <> {} ''.
      Example: Kumer and Alice

      Parameter: Phone Number
      Description: The country code and mobile phone number of the user. The country code must be 1 to 4 characters in length and can contain only digits.
      Example: 86-1381111***** and 86-1381112*****

      Parameter: Receive Text Message
      Description: Specifies whether ActionTrail can send text messages to the mobile phone number. Valid values: true and false.
      Example: true

      Parameter: Receive Phone Call
      Description: Specifies whether ActionTrail can send voice notifications to the mobile phone number. Valid values: true and false.
      Example: true

      Parameter: Email
      Description: The email address of the user.
      Example: a***@example.net

      Parameter: Enabled
      Description: Specifies whether ActionTrail can send alert notifications to the user. If you turn on the switch, ActionTrail can send alert notifications to the user. If you turn off the switch, ActionTrail cannot send alert notifications to the user.
      Example: true

  4. Create a user group.

    1. Choose Alert Management > User Group Management.

    2. In the User Groups section, click Create.

    3. In the Add User Group dialog box, configure the parameters and click OK.

      The following table describes the parameters and provides sample parameter values.

      Parameter: ID
      Description: The ID of the user group. The ID must be unique. The ID must be 5 to 60 characters in length, and can contain letters, digits, underscores (_), hyphens (-), and periods (.). The ID must start with a letter.
      Example: group-01

      Parameter: Group Name
      Description: The name of the user group. The name can be up to 20 characters in length and cannot contain the following special characters: \ $ | ~ ? & <> {} ''".
      Example: ActionTrailOM

      Parameter: Available Members
      Description: The users that you created.
      Example: Kumer and Alice

      Parameter: Selected Members
      Description: The users that are added to the user group after the user group is created.
      Example: Kumer and Alice

      Parameter: Enabled
      Description: Specifies whether ActionTrail can send alert notifications to the user group. If you turn on the switch, ActionTrail can send alert notifications to the user group. If you turn off the switch, ActionTrail cannot send alert notifications to the user group.
      Example: Turned on

Step 4: (Optional) Create an alert template

By default, ActionTrail uses the SLS actiontrail builtin content template to send alert notifications to the specified alert contacts. You can also create custom alert templates based on your business requirements.

  1. Log on to the ActionTrail console.

  2. In the left-side navigation pane, click Alerts.

  3. On the Alert Center page, choose Alert Management > Alert Template.

  4. Click Create.

  5. In the Add Content Template dialog box, configure ID and Name.

  6. Specify the notification content for each alert notification method.

    The following list describes the parameters that you can set on each notification method tab.
    SMS

    You can set the following parameters:

    • Language: the language of an alert notification. Valid values: Chinese and English.

    • Content: the content of an alert notification. You can directly enter content or use template variables to specify the content of an alert notification. For more information, see Variables in new alert templates.

    Voice

    You can set the following parameters:

    • Language: the language of an alert notification. Valid values: Chinese and English.

    • Content: the content of an alert notification. You can directly enter content or use template variables to specify the content of an alert notification. For more information, see Variables in new alert templates.

    Email

    You can set the following parameters:

    • Language: the language of an alert notification. Valid values: Chinese and English.

    • Subject: the subject of an alert notification. You can enter a subject or use template variables to specify the subject of an alert notification.

    • Content: the content of an alert notification. You can directly enter content or use template variables to specify the content of an alert notification. For more information, see Variables in new alert templates.

    DingTalk

    You can set the following parameters:

    • Title: the title of an alert notification. You can enter a title or use template variables to specify the title of an alert notification.

    • Content: the content of an alert notification. You can directly enter content or use template variables to specify the content of an alert notification. For more information, see Variables in new alert templates.

    Webhook-Custom

    You can set the following parameters:

    • Sending Mode: the method by which alert notifications are sent. Valid values: Single and Batch.

      For example, you add the following template variables to the Content parameter: { "project": "{{project}}", "alert_name": "{{alert_name}}"}. If two alerts are triggered, two alert notifications are sent by using one of the following methods:

      • Single: Simple Log Service sends the two alert notifications in sequence. Content: { "project": "project-1", "alert_name": "alert-1"} and { "project": "project-2", "alert_name": "alert-2"}.

      • Batch: Simple Log Service sends one message that includes the two alert notifications. Content: [{ "project": "project-1", "alert_name": "alert-1"}, { "project": "project-2", "alert_name": "alert-2"}].

        • If you select Batch and set the Maximum number of items sent in a group parameter to N, an alert notification for the first N alerts in a merged set is sent.

        • If you select Batch and the content that you specify can be parsed into JSON data, an alert notification is sent in the JSON format. If the content cannot be parsed into JSON data, an alert notification is sent as an array that contains strings.

    • Content: the content of an alert notification. You can directly enter content or use template variables to specify the content of an alert notification. For more information, see Variables in new alert templates.

    Note

    When Simple Log Service sends alert notifications, the request header Content-Type: application/json;charset=utf-8 is used by default. If a webhook receiver requires a request header in a different format, you can customize the request header when you configure the notification method. For more information, see Webhook-Custom.

    Notifications

    You can set the following parameters:

    • Language: the language of an alert notification. Valid values: Chinese and English.

    • Content: the content of an alert notification. You can directly enter content or use template variables to specify the content of an alert notification. For more information, see Variables in new alert templates.

    Enterprise WeChat

    You can set the following parameters:

    • Title: the title of an alert notification. You can enter a title or use template variables to specify the title of an alert notification.

    • Content: the content of an alert notification. You can directly enter content or use template variables to specify the content of an alert notification. For more information, see Variables in new alert templates.

    Lark

    You can set the following parameters:

    • Title: the title of an alert notification. You can enter a title or use template variables to specify the title of an alert notification.

    • Content: the content of an alert notification. You can directly enter content or use template variables to specify the content of an alert notification. For more information, see Variables in new alert templates.

    Slack

    You can set the following parameters:

    • Title: the title of an alert notification. You can enter a title or use template variables to specify the title of an alert notification.

    • Content: the content of an alert notification. You can directly enter content or use template variables to specify the content of an alert notification. For more information, see Variables in new alert templates.

    EventBridge

    You can set the following parameters:

    • Subject: the subject of an alert notification. You can enter a subject or use template variables to specify the subject of an alert notification.

    • Content: the content of an alert notification. You can directly enter content or use template variables to specify the content of an alert notification. For more information, see Variables in new alert templates.

    Function Compute

    You can set the following parameters:

    • Sending Mode: the method by which alert notifications are sent. Valid values: Single and Batch.

      For example, you add the following template variables to the Content parameter: { "project": "{{project}}", "alert_name": "{{alert_name}}"}. If two alerts are triggered, two alert notifications are sent by using one of the following methods:

      • Single: Simple Log Service sends the two alert notifications in sequence. Content: { "project": "project-1", "alert_name": "alert-1"} and { "project": "project-2", "alert_name": "alert-2"}.

      • Batch: Simple Log Service sends one message that includes the two alert notifications. Content: [{ "project": "project-1", "alert_name": "alert-1"}, { "project": "project-2", "alert_name": "alert-2"}].

        • If you select Batch and set the Maximum number of items sent in a group parameter to N, an alert notification for the first N alerts in a merged set is sent.

        • If you select Batch and the content that you specify can be parsed into JSON data, an alert notification is sent in the JSON format. If the content cannot be parsed into JSON data, an alert notification is sent as an array that contains strings.

    • Content: the content of an alert notification. You can directly enter content or use template variables to specify the content of an alert notification. For more information, see Variables in new alert templates.

  7. Click Confirm.
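The Single and Batch sending modes described for the Webhook-Custom and Function Compute tabs are easier to reason about when you can run them. The Python below is an added example written for this page, not Simple Log Service or ActionTrail code. It models how a sender renders the {{project}} and {{alert_name}} variables and merges alerts in Batch mode, and how a webhook receiver should normalize whatever arrives so that it never depends on the sender's mode. The template syntax, the rule that a merged set falls back to an array of strings as soon as any rendered item is not valid JSON, and the sample alerts are assumptions.

```python
import json
import re
from typing import Any, Dict, List, Optional

# Constructed sample alerts; the keys match the {{project}} and
# {{alert_name}} template variables used in the documentation.
SAMPLE_ALERTS: List[Dict[str, Any]] = [
    {"project": "project-1", "alert_name": "alert-1"},
    {"project": "project-2", "alert_name": "alert-2"},
    {"project": "project-3", "alert_name": "alert-3"},
]

# The Content template shown in the documentation, plus a plain-text variant
# that cannot be parsed as JSON.
JSON_TEMPLATE = '{ "project": "{{project}}", "alert_name": "{{alert_name}}"}'
TEXT_TEMPLATE = "Alert {{alert_name}} fired in {{project}}"

# Assumed variable syntax: {{name}} with optional inner whitespace.
_VAR = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template: str, alert: Dict[str, Any]) -> str:
    """Substitute template variables from one alert; unknown names become ''."""
    return _VAR.sub(lambda m: str(alert.get(m.group(1), "")), template)


def build_notifications(template: str, alerts: List[Dict[str, Any]],
                        mode: str = "Single",
                        max_items: Optional[int] = None) -> List[str]:
    """Return the request bodies a webhook receiver would get.

    Single: one body per alert, in order.
    Batch:  one body for the merged set, truncated to max_items (the
            "Maximum number of items sent in a group" parameter). The body is
            a JSON array of parsed objects when every rendered item is valid
            JSON, otherwise a JSON array of the rendered strings (assumption:
            a mixed set is treated as strings).
    """
    rendered = [render(template, alert) for alert in alerts]
    if mode == "Single":
        return rendered
    if mode != "Batch":
        raise ValueError(f"unknown sending mode: {mode}")
    if max_items is not None:
        rendered = rendered[:max_items]
    try:
        items: List[Any] = [json.loads(item) for item in rendered]
    except json.JSONDecodeError:
        items = rendered
    return [json.dumps(items)]


def normalize_received(body: str) -> List[Any]:
    """Receiver side: turn any body (Single or Batch, JSON or text) into a
    list of individual alert items so downstream handling is mode-agnostic."""
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        return [body]
    return parsed if isinstance(parsed, list) else [parsed]


if __name__ == "__main__":
    for body in build_notifications(JSON_TEMPLATE, SAMPLE_ALERTS, "Batch", max_items=2):
        print(body, "->", normalize_received(body))
```

A receiver written this way keeps working if someone later switches the notification method from Single to Batch, or changes the template from JSON to text, which are exactly the edits that tend to happen silently during alert tuning.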

Step 5: (Optional) Create an action policy

You can use action policies to manage the alert notification methods and the frequency at which alert notifications are sent. By default, ActionTrail uses the SLS actiontrail builtin action policy to send alert notifications to the specified alert contacts. You can also create custom action policies based on your business requirements. When you create a custom action policy, you can specify alert notification conditions, alert notification methods, and alert contacts.

  1. Log on to the ActionTrail console.

  2. In the left-side navigation pane, click Alerts.

  3. On the Alert Center page, choose Alert Management > Action Policy.

  4. Click Create.

  5. In the Add Action Policy dialog box, configure the ID and Name parameters.

  6. On the Primary Action Policy tab, create an action policy.

    1. Click the Condition icon.

    2. Configure the conditions to trigger alert notifications and click Confirm.

      Parameter: Condition
      Description: Valid values:
      • All: The action policy is executed only if all alerts in an alert set meet the specified condition.
      • Any: The action policy is executed if one or more of the alerts in an alert set meet the specified condition.
      Example: All

      Parameter: Conditional expression
      Description: Alerts that meet a conditional expression are processed based on the action policy. You can specify an object, an operator, and an object value for the conditional expression.
      Example:
      • Object: Alibaba Cloud Account ID
      • Operator: Equal to
      • Object value: 154035569884****

      Parameter: Mode
      Description: You can add multiple conditions in standard mode or advanced mode. Valid values:
      • Standard Mode: If you specify multiple conditions, the conditions are associated by using the AND operator.
      • Advanced Mode: If you specify multiple conditions, you can use the AND or OR operator to associate the conditions. You can also group multiple conditions into one group by using parentheses. In addition, nested conditions are supported.
      Example: Standard Mode

    3. Configure an action group.

      Configure notification parameters. Supported notification methods include text messages, voice calls, emails, DingTalk, webhooks, and Message Center. For more information, see Notification methods.

    4. Click the End icon in the Condition or Action Group dialog box to end the configuration.

      Note

      If you want to add more conditions and action groups, click the Condition icon.

  7. Click Confirm.
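The condition semantics in this step (All versus Any over an alert set, Standard Mode as an implicit AND, Advanced Mode with AND/OR and nested groups) are what decide whether a policy fires at all, so it is worth being able to check them offline before enabling a rule. The Python below is an added evaluator written for this page, not the console's implementation. Only the Equal to operator and the masked account ID come from the documentation; the other operators, the alert field names, and the sample alert set are assumptions.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple, Union

# Operators this evaluator understands. "Equal to" appears in the
# documentation; the other two are assumed for illustration.
OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "Equal to": lambda actual, expected: str(actual) == str(expected),
    "Not equal to": lambda actual, expected: str(actual) != str(expected),
    "Contains": lambda actual, expected: str(expected) in str(actual),
}


@dataclass(frozen=True)
class Condition:
    """One conditional expression: object, operator, object value."""
    obj: str
    op: str
    value: Any


@dataclass(frozen=True)
class Group:
    """Advanced Mode grouping: parts joined by AND or OR; groups may nest."""
    logic: str                   # "AND" or "OR"
    parts: Tuple["Expr", ...]


Expr = Union[Condition, Group]


def evaluate(expr: Expr, alert: Dict[str, Any]) -> bool:
    """Evaluate one expression tree against a single alert."""
    if isinstance(expr, Condition):
        if expr.op not in OPERATORS:
            raise ValueError(f"unsupported operator: {expr.op}")
        # A field that is absent from the alert never matches, whatever the
        # operator; absence is not equality (design choice of this example).
        return expr.obj in alert and OPERATORS[expr.op](alert[expr.obj], expr.value)
    if expr.logic == "AND":
        return all(evaluate(part, alert) for part in expr.parts)
    if expr.logic == "OR":
        return any(evaluate(part, alert) for part in expr.parts)
    raise ValueError(f"unsupported logic: {expr.logic}")


def standard_mode(conditions: List[Condition]) -> Group:
    """Standard Mode: multiple conditions are implicitly joined with AND."""
    return Group("AND", tuple(conditions))


def policy_applies(expr: Expr, alert_set: List[Dict[str, Any]],
                   condition: str = "All") -> bool:
    """Decide whether an action policy runs for an alert set.

    condition="All": every alert in the set must satisfy expr (an empty set
                     never triggers the policy).
    condition="Any": at least one alert in the set must satisfy expr.
    """
    results = [evaluate(expr, alert) for alert in alert_set]
    if condition == "All":
        return bool(results) and all(results)
    if condition == "Any":
        return any(results)
    raise ValueError(f"unsupported condition: {condition}")


# Constructed sample alert set. The masked account ID is the one shown in the
# documentation; the field names are assumed for illustration.
SAMPLE_ALERT_SET: List[Dict[str, Any]] = [
    {"Alibaba Cloud Account ID": "154035569884****", "Severity": "High"},
    {"Alibaba Cloud Account ID": "123456789012****", "Severity": "Low"},
]


if __name__ == "__main__":
    account = Condition("Alibaba Cloud Account ID", "Equal to", "154035569884****")
    print("Any:", policy_applies(standard_mode([account]), SAMPLE_ALERT_SET, "Any"))
    print("All:", policy_applies(standard_mode([account]), SAMPLE_ALERT_SET, "All"))
```

The difference between All and Any matters operationally: with All, a single unrelated alert merged into the same set suppresses the whole action group, which is the usual reason a policy "does not fire" although its condition looks right.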

Step 6: (Optional) Configure alert rule parameters

If you use a built-in alert rule, you must configure the parameters of the alert rule and select an action policy that you created before you can enable the alert rule. This helps ensure that the alert rule meets your business requirements.

Note

You can also create custom alert rules based on your business requirements. For more information, see Create a custom alert rule.

  1. Log on to the ActionTrail console.

  2. In the left-side navigation pane, click Alerts.

  3. On the Alert Center page, click the Alert Rules/Incidents tab.

  4. Find the alert rule that you want to manage and click Settings in the Actions column.

  5. In the Parameter Settings dialog box, configure the parameters and click Save and Enable.

    Parameter: Action Policy
    Description: The action policy that specifies the alert notification methods and the frequency of alert notifications.
    Example: Action Policy for Website Logs

    Parameter: Severity
    Description: The severity level of an alert that is triggered by the alert rule.
    Example: High

    Note

    For the Account Continuous Login Failure Alert rule, you can specify the maximum number of logon failures that are allowed. For the Alert for Unauthorized API calls rule, you can specify the maximum number of unauthorized API calls that are allowed.

Step 7: Enable an alert rule

ActionTrail provides multiple built-in alert rules and allows you to create custom alert rules. You can enable alert rules based on your business requirements. For example, if you want to trigger an alert when the configuration of a virtual private cloud (VPC) route changes, you can enable the VPC Network Route Change Alert rule.

Note
  • After you create a custom alert rule, it is automatically enabled. You do not need to perform the following steps to enable the rule.

  • To view the details of an alert rule, move the pointer over the question mark icon next to the name of the alert rule.

  1. Log on to the ActionTrail console.

  2. In the left-side navigation pane, click Alerts.

  3. On the Alert Center page, click the Alert Rules/Incidents tab.

  4. Find the alert rule that you want to enable and click Enable in the Actions column.

    After the alert rule is enabled, the value in the Status column changes to Enabled.

Step 8: (Optional) Create a whitelist

If you want to exempt specific Alibaba Cloud accounts, RAM users, RAM roles, and IP addresses from an alert rule, you can add them to a whitelist.

Note

Not all alert rules support whitelist settings. You can check whether an alert rule supports whitelist settings in the ActionTrail console.

  1. Log on to the ActionTrail console.

  2. In the left-side navigation pane, click Alerts.

  3. On the Alert Center page, click the Alert Rules/Incidents tab.

  4. Find the alert rule for which you want to create a whitelist and click Whitelist in the External Configuration column.

  5. In the Data Management dialog box, click Add.

  6. In the Add Data dialog box, add whitelist items by following the on-screen instructions. Example: 154035569884****.

  7. Click OK.

    After you add a whitelist item, you can click a button in the Actions column to modify or delete the item.
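The logon-failure threshold from the Step 6 note and the whitelist from this step are two halves of one detection decision: count failed console logons per account, alert when the count exceeds the allowed maximum, and skip anything the whitelist exempts. The Python below is an added example that shows that decision over constructed sample events; it is not ActionTrail's rule logic. The event shape (eventName, userIdentity.accountId, sourceIpAddress, errorCode, eventTime), the ConsoleSignin event name, the InvalidPassword error code, and the sliding-window reading of "continuous" are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Any, Dict, Iterable, List, Optional, Set


def _event(time: str, account: str, ip: str,
           error: Optional[str] = None) -> Dict[str, Any]:
    """Build a constructed console-logon event. The shape is assumed for this
    example; a missing errorCode marks a successful logon."""
    return {
        "eventTime": time,
        "eventName": "ConsoleSignin",            # assumed logon event name
        "userIdentity": {"accountId": account},
        "sourceIpAddress": ip,
        "errorCode": error,                       # constructed value when set
    }


# Constructed sample events: TEST-NET addresses and fake account IDs.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    _event("2024-02-23T10:00:00Z", "acct-A", "203.0.113.10", "InvalidPassword"),
    _event("2024-02-23T10:01:00Z", "acct-A", "203.0.113.10", "InvalidPassword"),
    _event("2024-02-23T10:01:30Z", "acct-A", "203.0.113.10"),   # success, ignored
    _event("2024-02-23T10:02:00Z", "acct-A", "203.0.113.10", "InvalidPassword"),
    _event("2024-02-23T10:03:00Z", "acct-A", "203.0.113.10", "InvalidPassword"),
    _event("2024-02-23T10:05:00Z", "acct-B", "203.0.113.20", "InvalidPassword"),
    _event("2024-02-23T10:06:00Z", "acct-B", "203.0.113.20", "InvalidPassword"),
    _event("2024-02-23T10:10:00Z", "acct-C", "198.51.100.5", "InvalidPassword"),
    _event("2024-02-23T10:11:00Z", "acct-C", "198.51.100.5", "InvalidPassword"),
    _event("2024-02-23T10:12:00Z", "acct-C", "198.51.100.5", "InvalidPassword"),
    _event("2024-02-23T10:13:00Z", "acct-C", "198.51.100.5", "InvalidPassword"),
    # A lone failure long after the burst must not re-trigger the alert.
    _event("2024-02-23T11:30:00Z", "acct-A", "203.0.113.10", "InvalidPassword"),
]


def _parse_time(value: str) -> datetime:
    # ISO 8601 with a trailing Z, as the constructed events use.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def login_failure_alerts(events: Iterable[Dict[str, Any]], max_failures: int,
                         window_minutes: int = 5,
                         whitelist_accounts: Optional[Set[str]] = None,
                         whitelist_ips: Optional[Set[str]] = None) -> List[Dict[str, Any]]:
    """Raise one alert per account whose failed logons inside a sliding window
    exceed max_failures (the "maximum number of logon failures that are
    allowed"). Whitelisted accounts and source IPs are exempt, as in Step 8."""
    whitelist_accounts = whitelist_accounts or set()
    whitelist_ips = whitelist_ips or set()
    window = timedelta(minutes=window_minutes)
    recent: Dict[str, List[datetime]] = defaultdict(list)
    alerted: Set[str] = set()
    alerts: List[Dict[str, Any]] = []
    for event in sorted(events, key=lambda e: e["eventTime"]):
        if event.get("eventName") != "ConsoleSignin" or not event.get("errorCode"):
            continue  # not a logon, or a successful logon
        account = event["userIdentity"]["accountId"]
        source_ip = event["sourceIpAddress"]
        if account in whitelist_accounts or source_ip in whitelist_ips:
            continue  # exempted by the whitelist
        now = _parse_time(event["eventTime"])
        # Keep only the failures that are still inside the window, then add this one.
        recent[account] = [t for t in recent[account] if now - t <= window] + [now]
        if len(recent[account]) > max_failures and account not in alerted:
            alerted.add(account)
            alerts.append({
                "account": account,
                "failures": len(recent[account]),
                "source_ip": source_ip,
                "time": event["eventTime"],
            })
    return alerts


if __name__ == "__main__":
    for hit in login_failure_alerts(SAMPLE_EVENTS, max_failures=3,
                                    whitelist_ips={"198.51.100.5"}):
        print(hit)
```

Whitelisting is deliberately checked before counting: an exempted scanner or break-glass address should not inflate the per-account counter and then push an unrelated logon from the same account over the threshold. Keep the whitelist short and reviewed; every entry is a blind spot for this rule.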
