Create a single-account trail


You can create a single-account trail to deliver events to Object Storage Service (OSS), Simple Log Service (SLS), or MaxCompute for analysis. By default, ActionTrail stores events for the last 90 days for each Alibaba Cloud account. To retain events for more than 90 days, you must create a trail. This topic describes how to create a single-account trail on the ActionTrail console.

Background

When you use an Alibaba Cloud account to deliver events, the trail includes events for the account and all of its RAM users. If you use a RAM user, you must first grant the RAM user permissions to manage single-account trails. For more information, see Grant permissions to a RAM user.

When you create a single-account trail that delivers to an OSS bucket, ActionTrail writes global events to the same directory as the events of the home region, which prevents duplicate records. The home region is the region in which you create the trail.

Procedure

  1. Log on to the ActionTrail console.

  2. In the left-side navigation pane, click Trails.

  3. In the top navigation bar, select the region where you want to create the single-account trail.

    Note

    This region becomes the home region of the trail.

  4. On the Trails page, click Create Trail. By default, the Quick Create Trail page opens. To configure all parameters, click the Create Trail tab at the top of the page.

    The Quick Create Trail option creates a trail that tracks all management events (including read events and write events) and delivers event logs to Simple Log Service (SLS). This option does not support tracking data events or Insights events, nor does it support delivery to Object Storage Service (OSS) or MaxCompute. To customize the event types or delivery destinations, use the Create Trail tab.

  5. On the Quick Create Trail or Create Trail page, configure the trail parameters.

    • Basic Information

      • Trail Name: The name of the trail. This name is also used to name the Logstore if you deliver events to SLS.

        Note

        The trail name must be unique.

      • Trail Event Type: Specifies the event types to deliver. Valid values:

        • Management Event: Selected by default. Select one of the following event scopes:

          • All Events: Includes both read and write events. Auditing regulations and standards emphasize complete event records. We recommend that you select All Events.

          • Write event: Events that create, delete, or modify cloud resources, such as CreateInstance, which creates a subscription or pay-as-you-go ECS instance. If you only need to export events for custom analysis and care only about events that affect resources, select Write event.

          • Read: Events that only read resource information and do not create, delete, or modify cloud configurations, such as DescribeInstances, which queries the details of one or more ECS instances. Read events generate a large volume of data and consume significant storage space. However, auditing standards emphasize complete event records. We recommend that you deliver read events to keep a complete record of AccessKey usage and resource access.

        • Insights Event: Select this option to deliver Insights events. When you select Insights events, all management events are automatically selected. ActionTrail analyzes management events to identify risky API calls, API errors, IP-based requests, AccessKey-based calls, permission changes, password changes, and trail concealment activities, and then generates Insights events. For more information, see Overview of Insights events.

        • Data Event: Read and write events for data in cloud services. Select one of the following options:

          • Turn off data events: Data events are not recorded.

          • All resources: All data events are recorded.

          • Specified resources: Only data events for the specified resources are recorded.

        Note

        By default, trails created on the ActionTrail console deliver events from all regions. To create a trail for specific regions, call the CreateTrail API operation and set the TrailRegion parameter.

    • Delivery to Another Account

      You can deliver events to Simple Log Service (SLS), Object Storage Service (OSS), or MaxCompute. You can also deliver events to these services simultaneously. For information about how to choose a storage service, see Deliver events to specified Alibaba Cloud services.

      Note

      The trail delivers only new events that are generated after it is enabled. It does not deliver existing events from the past 90 days. To deliver these past events to your specified destination, you can create a data backfill task. For more information, see Create a data backfill task.

      • Select Delivery to Log Service

        • Select Delivery to Current Account and configure the following parameters.

          • Project: Specifies how to select a Project for event delivery to SLS. Valid values:

            • New Log Service Project

            • Existing Log Service Project

          • Logstore Region: The region where the Project resides.

          • Project Name: The name of the Project in SLS.

            Note

            Project names are globally unique across all Alibaba Cloud accounts.

            • If you select New Log Service Project, a Project is created on the ActionTrail console. Enter a name for the Project.

            • If you select Existing Log Service Project, select the name of an existing Project in SLS.

              For information about how to create a Project on the SLS console, see Collect and analyze ECS text logs by using Logtail.

              Note

              After events are delivered successfully, ActionTrail automatically creates a Logstore named actiontrail_{trail_name}. This Logstore is configured with settings optimized for auditing, including indexes and dashboards for queries. ActionTrail disables write permissions for users on this Logstore so that the audit data stays accurate and cannot be modified. You do not need to create the Logstore in advance.

        • Select Delivery to Another Account and set the Log Service Project ARN and RAM Role ARN of Destination Account.

          To deliver events to another account, you must first create a RAM role in the destination account to grant ActionTrail permission to deliver events. You must also create a Project in advance. For more information, see Deliver events from multiple Alibaba Cloud accounts to a specific account.

      • Select Delivery to OSS

        • Select Delivery to Current Account and configure the following parameters.

          • OSS Bucket: Specifies how to select a bucket for event delivery to OSS. Valid values:

            • New OSS Bucket

            • Existing OSS Bucket

          • Bucket Name: The name of the bucket in OSS. Bucket names must be unique within an Alibaba Cloud account.

            • If you select New OSS Bucket, a bucket is created on the ActionTrail console. Enter a name for the bucket.

            • If you select Existing OSS Bucket, select the name of an existing bucket in OSS.

              For information about how to create a bucket on the OSS console, see Create buckets.

          • Log File Prefix: The prefix for the log files stored as objects. A prefix helps you locate events more easily.

          • Server Encryption: Specifies whether to encrypt the log files in the bucket. This parameter is required when you select New OSS Bucket. Valid values:

            • Fully Managed by OSS: Encrypts data with keys managed by OSS. OSS uses a different key for each object and encrypts these keys with a regularly rotated master key for added protection.

            • KMS: Encrypts data by using Key Management Service (KMS). Before you use this method, you must activate KMS. For more information, see Purchase and enable a KMS instance.

            • Disable: Disables server-side encryption.

          • Enable Retention Policy: OSS supports the WORM (Write Once, Read Many) feature. You can enable a compliance retention policy to store data in an immutable state for a specified retention period. Valid values:

            • Disable (default)

            • Enable

        • Select Delivery to Another Account and set the RAM Role ARN of OSS Bucket, Bucket Name, and Log File Prefix.

          To deliver events to another account, you must first create a RAM role in the destination account to grant ActionTrail permission to deliver events. You must also create an OSS bucket in advance. For more information, see Deliver events from multiple Alibaba Cloud accounts to a specific account.

      • Select Deliver to MaxCompute

        • Select Delivery to Current Account and configure the following parameters.

          • MaxCompute Region: The region of the destination MaxCompute project.

            Note

            ActionTrail delivers audit logs to the actiontrail_{Alibaba_Cloud_Account_ID} project in the specified MaxCompute region. Because MaxCompute project names are unique within an account, if a project with this name already exists, ActionTrail delivers the logs to that project by default.

          • Project Quota: The quota for the MaxCompute project.

            Note

            When you create a trail to deliver events to MaxCompute for the first time, you must select a quota. If no quota is available in the current region, select a different MaxCompute region.

        • Select Delivery to Another Account and set the Project ARN and RAM Role ARN of MaxCompute.

          To deliver events to another account, you must first create a RAM role in the destination account to grant ActionTrail permission to deliver events. You must also create a MaxCompute project in advance. For more information, see Deliver events from multiple Alibaba Cloud accounts to a specific account.

  6. Click RAM Role ARN of Destination Account.
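The note on the Trail Event Type parameter points to the CreateTrail API for region-specific trails. As an added example (not code from the ActionTrail documentation), the Python helper below maps the console choices described in this procedure to CreateTrail API parameters and enforces the page's rules before any call is made: a required unique trail name, TrailRegion defaulting to all regions, at least one destination, and a RAM role ARN when the SLS Project belongs to another account. The parameter names EventRW, TrailRegion, OssBucketName, OssKeyPrefix, OssWriteRoleArn, SlsProjectArn and SlsWriteRoleArn are those of the ActionTrail API; the SLS Project ARN layout acs:log:{region}:{account_id}:project/{name} is an assumption, and MaxCompute delivery is not covered.

```python
import re

# Console labels for management events mapped to the CreateTrail EventRW value.
EVENT_RW = {"All Events": "All", "Write event": "Write", "Read": "Read"}
# Assumed SLS Project ARN layout: acs:log:{region}:{account_id}:project/{name}
SLS_ARN = re.compile(r"^acs:log:([a-z0-9-]+):(\d+):project/([A-Za-z0-9_-]+)$")


def parse_sls_project_arn(arn):
    """Return (region, owner_account_id, project_name) from a Project ARN.

    The region is where the delivered logs are stored (see the FAQ), which
    need not be the trail's home region.
    """
    m = SLS_ARN.match(arn)
    if not m:
        raise ValueError(f"malformed Log Service Project ARN: {arn!r}")
    return m.groups()


def create_trail_params(name, current_account_id, event_type="All Events",
                        regions=None, oss_bucket=None, oss_prefix=None,
                        oss_role_arn=None, sls_project_arn=None,
                        sls_role_arn=None):
    """Build CreateTrail parameters from the console choices on this page."""
    if not name:
        raise ValueError("Trail Name is required")
    if event_type not in EVENT_RW:
        raise ValueError(f"unknown management event type: {event_type!r}")
    if not oss_bucket and not sls_project_arn:
        raise ValueError("select at least one delivery destination")
    params = {"Name": name, "EventRW": EVENT_RW[event_type],
              "TrailRegion": ",".join(regions) if regions else "All"}
    if oss_bucket:
        params["OssBucketName"] = oss_bucket
        if oss_prefix:
            params["OssKeyPrefix"] = oss_prefix  # the console's Log File Prefix
        if oss_role_arn:  # needed when the bucket belongs to another account
            params["OssWriteRoleArn"] = oss_role_arn
    if sls_project_arn:
        _, owner, _ = parse_sls_project_arn(sls_project_arn)
        if owner != current_account_id and not sls_role_arn:
            raise ValueError("delivery to another account's Project needs a RAM role ARN")
        params["SlsProjectArn"] = sls_project_arn
        if sls_role_arn:
            params["SlsWriteRoleArn"] = sls_role_arn
    return params
```

The returned dictionary is what you would pass as the request parameters of CreateTrail through the SDK or CLI; the account IDs and ARNs in any call are yours, the values in the tests here are constructed.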

Results

After you create the single-account trail, it saves events in JSON format to the specified SLS Logstore, OSS bucket, or MaxCompute table for you to query and analyze. You can view the events in the following services:

  • Simple Log Service (SLS): ActionTrail automatically creates a Logstore named actiontrail_{trail_name}. On the Trails page, you can hover over the trail in the Storage Service column and click the SLS Logstore name.

  • Object Storage Service (OSS): You can use E-MapReduce or grant permissions to a third-party log analysis service to analyze the events.

    Alternatively, on the Trails page, hover over the trail in the Storage Service column, click the OSS bucket name, and then choose Object Management > Objects. For more information about OSS storage paths, see What is the storage path of an event that is delivered to an OSS bucket?.

  • MaxCompute: ActionTrail automatically creates a table named actiontrail_{trail_name}. On the Trails page, hover over the trail in the Storage Service column and click the MaxCompute project name. You can use DataWorks to query the log data stored in the actiontrail_{trail_name} table.

FAQ

Does the home region affect log storage?

No. The home region identifies where a trail was created, but it does not determine the physical storage location of the logs. When events are delivered to Simple Log Service (SLS), the logs are stored in the region of the destination Project, not the home region.

For data events, you can specify the delivery regions. ActionTrail automatically creates an SLS Logstore in each specified region to store that region's logs. For management events, events from all regions are delivered by default.
