ActionTrail lets you track and record the operations performed on your Alibaba Cloud account for the last 90 days. To analyze data over a longer period, you can create a trail to deliver events to MaxCompute for querying and analysis. This topic describes how to configure and use this feature.
Procedure
Activate MaxCompute and DataWorks. For more information, see Activate MaxCompute and DataWorks.
Before you deliver ActionTrail events as a Resource Access Management (RAM) user, you must grant the RAM user permissions to manage single-account trails. For more information, see Grant permissions to a RAM user.
Log on to the ActionTrail console.
In the navigation pane on the left, click Trails. In the top-left corner, select a region.
A trail is a configuration for delivering ActionTrail events. Trails are classified as single-account trails, multi-account trails, or trails for the Inner-ActionTrail feature based on their creator, applicable scope, and the content they deliver. For more information, see Overview of trails.
On the Trails page, click Create Trail.
On the Quickly Create Trail page, click Create Trail in the message box below the title.
When you create a trail, ActionTrail automatically creates a service-linked role named AliyunServiceRoleForActionTrail and adds it as the Admin role to the MaxCompute project to which events are delivered. For more information, see ActionTrail service-linked role and Role planning.
Configure the following parameters and click Confirm.
In the Basic Information section, enter a custom Trail Name and select a Trail Event Type.
Single-account trails are suitable for individual users, and multi-account trails are suitable for enterprise users.
Trail names must be unique within an Alibaba Cloud account.
In the Management Event Delivery Settings section, select Delivery to MaxCompute.
Set Destination Account to Delivery to Current Account, and configure the following parameters.
Parameter
Description
MaxCompute Region
The region where the destination MaxCompute project is located.
ActionTrail delivers audit logs to the actiontrail_<Alibaba Cloud account ID> project in the specified MaxCompute region. Because MaxCompute project names must be unique within an Alibaba Cloud account, if a project named actiontrail_<Alibaba Cloud account ID> already exists in the account, events are delivered to that existing project by default.
Project Quota
The quota for MaxCompute.
When you create a trail to deliver events to MaxCompute for the first time, you must select a quota for MaxCompute. If no quota is available in the current region, select a different MaxCompute region.
Set Destination Account to Delivery to Another Account, and configure Project ARN and RAM Role ARN of MaxCompute.
To deliver events to another account, you must first create a RAM role in the destination account to grant ActionTrail the necessary permissions. You must also create a MaxCompute project in advance. For more information, see Deliver events from multiple Alibaba Cloud accounts to the same account.
After a trail is created, events are stored in JSON format in the
actiontrail_<trail name>table of theactiontrail_<Alibaba Cloud account ID>project in MaxCompute. Writing ActionTrail event data to the specified MaxCompute table incurs storage fees. For more information, see Storage fees.
References
Connect to MaxCompute to query and analyze the operation audit event data stored in the
actiontrail_<trail_name>table. For more information, see Select a connection tool.You are charged for running SQL commands in MaxCompute. For more information, see Billable items and billing methods.
To update trail parameters, see Update a single-account trail and Update a multi-account trail.
To delete a trail, see Delete a single-account trail and Delete a multi-account trail.
To stop delivering operation events to the specified destination while retaining the existing parameter settings, see Disable a single-account trail and Disable a multi-account trail.