Enable event alerting to detect anomalous events-ActionTrail(ActionTrail)-阿里云帮助中心

Prerequisites

Simple Log Service is activated. To activate it for the first time, log on to the console and follow the prompts. What is Simple Log Service?

Important

Simple Log Service incurs fees based on log storage volume, SMS notifications, and other usage. Billing of Simple Log Service.

Step 1: Create a trail

Create a trail that meets the following requirements:

Event type: Select management events or data events.
Read/write type: Select All events.
Destination: Deliver events to SLS.

Create a single-account trail | Create a multi-account trail

Note

You can also deliver events from the last 90 days to the trail to expand the search scope. Create a data backfill task.

Step 2: Select a trail

Select the trail to monitor and manage on the Alert Rules tab of the Alerting and Monitoring System page.

Log on to the ActionTrail console .
In the navigation pane on the left, click Event Alerting .
On the Alerting and Monitoring System page, click the drop-down arrow next to the trail name and select the target trail.

Step 3: Create users and user groups

Users and user groups specify the recipients of alert notifications. For example, create users Alice and Kumer, create a user group ActionTrail O&M Group, and add both users to the group.

Log on to the ActionTrail console.
In the navigation pane on the left, click Event Alerting.

Create a user.

On the Alert Center page, choose Notification Objects > Users.
In the Users section, click Create.

In the Add User dialog box, configure the following parameters and click Confirm.

Parameters:

Parameter	Description	Example
Identifier	Unique identifier for the user. Must not duplicate another user's identifier. Must be 5-60 characters, start with a letter, and can contain letters, digits, underscores (_), hyphens (-), and periods (.).	test01, test02
Name	The name of the user. The name must be 1 to 20 characters in length and cannot contain the following special characters: "\$\|~?&<>{}`'.	Kumer, Alice
Mobile number	Mobile number of the user. Country code must be 1-4 digits.	86-1381111***, 86-1381112***
Receive SMS	Whether to send SMS notifications to this number. Valid values: true: Yes. false: No.	true
Receive calls	Whether to send voice notifications to this number. true: Yes. false: No.	true
Email Address	Email address of the user.	a***@example.net
Enabled	Whether to send alert notifications to this user. Valid values: true: Yes. false: No.	true

Create a user group.

On the Notification Objects tab, click User Group Management.
On the User Group Management tab, click Create.

In the Add User Group dialog box, configure the following parameters and click Confirm.

Parameters:

Parameter	Description	Example
Identifier	Unique identifier for the user group. Must not duplicate another user group's identifier. Must be 5-60 characters, start with a letter, and can contain letters, digits, underscores (_), hyphens (-), and periods (.).	group-01
Group Name	The name of the user group. The name must be no more than 20 characters in length and cannot contain the following special characters: \$\|~?&<>{}`'".	ActionTrail O&M Group
Members to Add	The users that you have created.	Kumer, Alice
Added Members	The users that have been added to the user group.	Kumer, Alice
Enabled	Whether to send alert notifications to this user group. Valid values: Enabled: Yes. Disabled: No.	Enabled

Step 4 (Optional): Create a content template

ActionTrail uses the built-in SLS ActionTrail content template by default. Create custom templates if needed.

Log on to the ActionTrail console.
In the left-side navigation pane, click Event Alerting.
On the Alert Center page, choose Notification Policy > Alert Template.
Click Create.
In the Add Alert Template dialog box, set Identifier and Name.

Specify the notification content for each alert notification method.

Notification method	Description
SMS	You can configure the following parameters: Language: The notification language. Valid values: Chinese and English. Send Content: The notification content. You can use template variables to customize the content. For more information, see alert template variables (new).
Voice	You can configure the following parameters: Language: The notification language. Valid values: Chinese (recommended) and English. Send Content: The notification content. You can use template variables to customize the content. For more information, see alert template variables (new).
Email	You can configure the following parameters: Language: The notification language. Valid values: Chinese and English. Subject: The subject of the alert message. You can also use a template variable to define the subject. Send Content: The notification content. You can use template variables to customize the content. For more information, see alert template variables (new).
DingTalk	You can configure the following parameters: Language: The notification language. Valid values: Chinese and English. Disable View Details: Disables the default link for viewing alert details or managing alert rules without logging on. For more information, see View alert details without logging on. Title: The title of the alert message. You can also use a template variable to define the title. Send Content: The notification content. You can use template variables to customize the content. For more information, see alert template variables (new).
Webhook-Custom	You can configure the following parameters: Sending Mode: The method used to send notifications. Valid values: single and batch. For example, you enter `{ "project": "{{project}}", "alert_name": "{{alert_name}}"}` in the Content field, and two alerts are triggered. Single: Two alert notifications are separately sent. The content is `{ "project": "project-1", "alert_name": "alert-1"}` and `{ "project": "project-2", "alert_name": "alert-2"}`. Batch: Two alert notifications are sent at a time. The content is `[{ "project": "project-1", "alert_name": "alert-1"}, { "project": "project-2", "alert_name": "alert-2"}]`. If you select Batch and set the Maximum number of items sent in a group parameter to N, an alert notification for the first N alerts in a merge set is sent. If you select Batch and the content that you specify can be parsed into JSON data, an alert notification is sent in the JSON format. If the content cannot be parsed into JSON data, an alert notification is sent as an array that contains strings. Maximum Number of Items Sent per Group: The maximum number of alerts to send per group. Valid values: Unlimited and Custom. Send Content: The notification content. You can use template variables to customize the content. For more information, see alert template variables (new). Note By default, alert notifications are sent with the Content-Type: application/json;charset=utf-8 request header. If your webhook endpoint requires a different request header format, you can define a custom request header when you configure the notification channel. For more information, see webhook-custom.
Notifications	You can configure the following parameters: Language: The notification language. Valid values: Chinese and English. Send Content: The notification content. You can use template variables to customize the content. For more information, see alert template variables (new).
WeCom	You can configure the following parameters: Language: The notification language. Valid values: Chinese and English. Title: The title of the alert message. You can also use a template variable to define the title. Send Content: The notification content. You can use template variables to customize the content. For more information, see alert template variables (new).
Lark	You can configure the following parameters: Language: The notification language. Valid values: Chinese and English. Disable View Details: Disables the default link for viewing alert details or managing alert rules without logging on. For more information, see View alert details without logging on. Title: The title of the alert message. You can also use a template variable to define the title. Send Content: The notification content. You can use template variables to customize the content. For more information, see alert template variables (new).
Slack	You can configure the following parameters: Language: The notification language. Valid values: Chinese and English. Title: The title of the alert message. You can also use a template variable to define the title. Send Content: The notification content. You can use template variables to customize the content. For more information, see alert template variables (new).
EventBridge	You can configure the following parameters: Subject: The subject of the alert message. You can also use a template variable to define the subject. Send Content: The notification content. You can use template variables to customize the content. For more information, see alert template variables (new).
Function Compute	You can configure the following parameters: Sending Mode: The method used to send notifications. Valid values: single and batch. For example, you enter `{ "project": "{{project}}", "alert_name": "{{alert_name}}"}` in the Content field, and two alerts are triggered. Single: Two alert notifications are separately sent. The content is `{ "project": "project-1", "alert_name": "alert-1"}` and `{ "project": "project-2", "alert_name": "alert-2"}`. Batch: Two alert notifications are sent at a time. The content is `[{ "project": "project-1", "alert_name": "alert-1"}, { "project": "project-2", "alert_name": "alert-2"}]`. If you select Batch and set the Maximum number of items sent in a group parameter to N, an alert notification for the first N alerts in a merge set is sent. If you select Batch and the content that you specify can be parsed into JSON data, an alert notification is sent in the JSON format. If the content cannot be parsed into JSON data, an alert notification is sent as an array that contains strings. Maximum Number of Items Sent per Group: The maximum number of alerts to send per group. Valid values: Unlimited and Custom. Send Content: The notification content. You can use template variables to customize the content. For more information, see alert template variables (new).

Click Confirm.

Step 5 (Optional): Create an action policy

Action policies control the channels and frequency of alert notifications. Built-in alert rules use the SLS ActionTrail action policy by default. Create a custom action policy to specify alert conditions, notification channels, and recipients.

Log on to the ActionTrail console.
In the left-side navigation pane, click Event Alerting.
On the Alert Center page, choose Notification Policy > Action Policy.
Click Create.
In the Add Action Policy dialog box, enter an ID and a Name.

On the Primary Action Policy tab, create the action policy.

Click the icon.

Configure the conditions for triggering alerts, and then click Confirm.

Parameter	Description	Example
Condition	Valid values: All: The system runs the action group only if every alert in the set meets all conditions. Any: The system runs the action group if at least one alert in the set meets all conditions.	All
Conditional expression	Alerts that match a conditional expression are processed based on the action policy. You can specify an object, an operator, and an object value for the conditional expression.	Object: Alibaba Cloud Account ID Operator: Equal to Object value: 154035569884****
Mode	You can add multiple conditions in standard mode or advanced mode. Valid values: Standard Mode: All conditions are joined by the AND operator. Advanced Mode: Conditions can be joined by AND or OR operators. You can use parentheses to group conditions and create nested logic.	Standard Mode

Configure an action group.

Configure the notification method and its parameters. Supported notification methods include SMS, voice call, email, DingTalk, webhook, and Message Center. For more information, see notification methods. In the Action Group section, set Channel to Widget and Recipient Type to Default Recipient. Select a Recipient and a Content Template, and set Send Time to Any Time. To add more notification methods, click + Add Channel Tracking.
Click the icon in the Condition or Action Group dialog box to complete the Primary Action Policy configuration.

Note
If you want to add more conditions and action groups, click the icon.
(Optional) If you need to add a Condition node or Action Group node after you have added an End node, follow these steps:
1. Delete a node: Hover over the target node, right-click, and then click Delete Node.
2. Add a node
  - Click the icon to add a Condition node.
  - Click the icon to add an Action Group node.
  - Click the icon to add an End node.
Click Confirm.

Step 6: Enable an alert rule

ActionTrail supports template-based and custom alert rules. For example, to trigger an alert when a VPC route configuration changes, use the VPC Network Route Change template. The following steps create an alert rule from a template: