
Simple Log Service: Create a trail

Last Updated: Apr 12, 2024

By default, ActionTrail records the events that were generated within your Alibaba Cloud account in the last 90 days. You can query these events in the ActionTrail console. To query the events that were generated more than 90 days ago, you must create a trail first to record these events. This topic describes how to create a trail in the ActionTrail console and deliver ActionTrail events to Simple Log Service.

Procedure

  1. Log on to the ActionTrail console.

  2. In the left-side navigation pane, click Trails.

  3. On the Trails page, click Create Trail and configure the parameters.

    1. Configure the basic information for a trail. The following table describes the parameters.

      | Parameter | Description |
      | --- | --- |
      | Trail Name | The name of the trail, which is also the name of the Logstore. Note: The name of the trail must be unique. |
      | Trail Configuration | The events that you want to deliver. Valid values: |

      • Management Event: By default, Management Event is selected. You can select the type of management events that you want to deliver. Valid values:

        • All: read and write events. Auditing-related regulations and standards stipulate that all events must be recorded. We recommend that you select All.

        • Write: the events that record the operations to create, delete, or modify cloud resources. Example: the events that are generated when you call the CreateInstance operation to create a subscription or pay-as-you-go Elastic Compute Service (ECS) instance. If you want to export events only for analysis and focus only on the events that affect cloud resources, select Write.

        • Read: the events that record the operations to read information about cloud resources, rather than to create, delete, or modify cloud resources. Example: the events that are generated when you call the DescribeInstances operation to query the details of one or more ECS instances. In most cases, a large number of read events are generated, and these events occupy a large amount of storage space. However, auditing-related regulations and standards stipulate that all events must be recorded. We recommend that you configure the trail to deliver both read and write events. This helps you track the use of AccessKey pairs and access to cloud resources.

      • Insights Event: Select or clear Insights Event based on your business requirements. After you select Insights Event, All is selected for Management Event. ActionTrail analyzes management events, identifies unusual activities that are associated with API call rates, API error rates, IP addresses, AccessKey pair call rates, permission changes, password changes, and trail concealment, and then generates Insights events. For more information about Insights events, see Overview of Insights events.

      Note: By default, when you create a trail in the ActionTrail console, the trail delivers events in all regions. To create a trail that delivers events in specific regions, call the CreateTrail operation and configure the TrailRegion parameter based on your business requirements.

    2. Configure event delivery information.

      1. Create the service-linked role AliyunServiceRoleForActionTrail.

        The first time you enable the event delivery feature, you must complete the authorization by using your Alibaba Cloud account.

        Warning: Do not revoke permissions from the AliyunServiceRoleForActionTrail role or delete the role. Otherwise, ActionTrail events cannot be delivered to Simple Log Service.

      2. Select Delivery to Simple Log Service.

      3. Select the account to which you want to deliver events.

      4. Configure the following parameters based on the account that you select.

        • Delivery to Current Account

          | Parameter | Description |
          | --- | --- |
          | Project | Select New Project or Existing Project based on your business requirements. |
          | Logstore Region | Select the region where the project resides. |
          | Project Name | Specify the name of the Simple Log Service project. |

        • Delivery to Another Account

          To deliver events to another account, you must create a Resource Access Management (RAM) role by using the destination account and grant ActionTrail the permissions to deliver events to the destination account. For more information, see Deliver the events of multiple Alibaba Cloud accounts to one account. The following table describes the parameters.

          | Parameter | Description |
          | --- | --- |
          | Project ARN | Enter the region where the project resides, the ID of the destination Alibaba Cloud account, and the name of the project. |
          | RAM Role ARN of Destination Account | Enter the ID of the destination Alibaba Cloud account and the name of the RAM role. |

      5. Click Confirm.
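
A pre-flight check for the Delivery to Another Account values and the event selection described above, as an added example that is not Alibaba Cloud code. It assumes the ARN layouts `acs:log:<region>:<account-id>:project/<name>` and `acs:ram::<account-id>:role/<name>` and the value `All` for TrailRegion; the function name `check_delivery`, the account IDs, and the project and role names are constructed for illustration.

```python
import re

# Assumed ARN layouts; the page lists the fields but not the exact syntax.
PROJECT_ARN = re.compile(
    r"^acs:log:(?P<region>[a-z0-9-]+):(?P<account>\d+):project/(?P<name>[a-z0-9][a-z0-9-]*)$")
ROLE_ARN = re.compile(r"^acs:ram::(?P<account>\d+):role/(?P<name>[A-Za-z0-9.-]+)$")


def check_delivery(source_account, project_arn, role_arn,
                   event_type="All", trail_region="All"):
    """Return a list of findings; an empty list means the values are consistent."""
    findings = []
    project = PROJECT_ARN.match(project_arn)
    role = ROLE_ARN.match(role_arn)
    if not project:
        findings.append("Project ARN must carry region, account ID and project name")
    if not role:
        findings.append("RAM role ARN must carry account ID and role name")
    if project and role and project["account"] != role["account"]:
        findings.append("Project and RAM role are in different accounts")
    if project and project["account"] == source_account:
        findings.append("Destination is the source account: use Delivery to Current Account")
    if event_type != "All":
        findings.append(f"Only {event_type} management events are delivered; select All for auditing")
    if trail_region != "All":
        findings.append(f"Only events from {trail_region} are delivered")
    return findings


if __name__ == "__main__":
    # Constructed sample values: account IDs, project and role names are placeholders.
    for finding in check_delivery(
            "1111111111111111",
            "acs:log:cn-hangzhou:2222222222222222:project/audit-central",
            "acs:ram::3333333333333333:role/actiontrail-delivery",
            event_type="Write"):
        print("FINDING:", finding)
```

An empty result means the two ARNs name the same destination account and the trail keeps both read and write events from all regions.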

What to do next

After you deliver ActionTrail events to Simple Log Service, you can query, analyze, download, ship, and transform the logs. You can also configure alerts for the logs. For more information, see Common operations on logs of Alibaba Cloud services.