ActionTrail retains only events from the last 90 days by default for each Alibaba Cloud account. To keep events longer for compliance or auditing purposes, create a trail that delivers events to Simple Log Service or Object Storage Service (OSS) for query, analysis, and long-term archival.
How it works
After you create a single-account trail, events are delivered in JSON format to an OSS bucket or a Simple Log Service Logstore for query, analysis, or long-term storage. Consider the following when you choose a storage service:
-
To query or analyze events, deliver them to Simple Log Service (SLS). Events are typically delivered to your SLS Logstore within 1 minute.
-
To store or archive events long-term, select OSS. ActionTrail delivers each event to the specified OSS bucket within 10 minutes of generation.
ActionTrail aggregates events before delivering them to the OSS bucket. Events generated within each 5-minute window are typically aggregated into one file. If a high volume of events occurs in that period, they may be split across multiple files.
The following figure shows how a single-account trail works.
Scenarios
You can create multiple single-account trails for the following purposes:
-
Deliver data to different buckets and grant permissions by enterprise role, so each role audits a specific set of events.
-
Deliver events from different regions to local buckets to manage audit data across regions in a compliant manner.
-
Create multiple replicas of events to prevent data loss.
Do not specify the same delivery destination for different single-account trails. Otherwise, events may be delivered repeatedly, wasting storage space.