A single-account trail delivers events to Object Storage Service (OSS), Simple Log Service (SLS), or MaxCompute for analysis. ActionTrail keeps events from the last 90 days by default; you can query them in the ActionTrail console. To retain or query events older than 90 days, create a trail. This topic explains how to create a single-account trail in the ActionTrail console.
Background information
Account-level trail: If you use your Alibaba Cloud account to create a trail, ActionTrail delivers events for that account and its RAM users to OSS, SLS, or MaxCompute.
RAM user: If you create a trail as a RAM user, the RAM user must have permission to create and manage single-account trails. See Grant permissions to a RAM user.
Multiple trails: You can create more than one single-account trail.
Console scope: A trail created in the console delivers events in all regions by default. To deliver events in specific regions only, use the CreateTrail API operation and set
TrailRegion.OSS and global events: When a trail delivers to an OSS bucket, global events are stored in the same directory as events in the trail's region to avoid duplicate global events.
Procedure
Step 1: Open the ActionTrail console
Log on to the ActionTrail console.
Step 2: Go to Trails
In the left-side navigation pane, click Trails.
Step 3: Select a region
In the top navigation bar, select the region where you want to create the trail.
The region you select is the trail's home region.
Step 4: Start creation
On the Trails page, click Create Trail. By default the Quickly Create Trail page opens. To configure all parameters, click Create Trail at the top of the page.
Step 5: Configure parameters
On the Quickly Create Trail or Create Trail page, configure the following parameters.
Basic information
Parameter | Description |
Trail Name | Name of the trail and the Logstore (if you deliver to SLS). The trail name must be unique. |
Trail event type
Choose the types of events to deliver:
Management Event (default): All (read and write), Write (create, delete, modify), or Read (read-only). For auditing purpose, we recommend All.
Insights Event (optional): ActionTrail analyzes management events and generates insights (such as unusual API error rates, IP addresses, AccessKey pair call rates, permission changes, password changes, and trail concealment). When enabled, All is selected for Management Event. For more information, see Insights event overview.
Data Event (optional): ActionTrail logs read/write events on data within supported cloud services.
A trail created in the console delivers events in all regions by default. To limit regions, use the CreateTrail API operation and set TrailRegion.
Management event delivery settings
You can deliver events to SLS, OSS, MaxCompute, or a combination. See Deliver events to specified Alibaba Cloud services to choose a storage service.
The trail delivers only events generated after it takes effect. Events from the last 90 days are not included. Use a data backfill task to deliver those events to the same destination.
Delivery to Log Service: Configure destination account, project (new or existing), region, and project name. If you set Destination Account to Delivery to Another Account, set Project ARN and RAM Role ARN of Destination Account.
Delivery to OSS: Configure destination account, OSS bucket (new or existing), bucket name, object prefix, and encryption. If you set Destination Account to Delivery to Another Account, set RAM Role ARN of OSS Bucket, Bucket Name, and object prefix.
Delivery to MaxCompute: Configure MaxCompute Region and Project Quota. If you set Destination Account to Delivery to Another Account, set Project ARN and RAM Role ARN of MaxCompute.
Step 6: Confirm
Click Confirm.
What to do next
After you create the trail, events are delivered in JSON format to the SLS Logstore, OSS bucket, or MaxCompute table you specified. You can query them as follows:
SLS: ActionTrail creates a Logstore named
actiontrail_<Trail name>. On the Trails page, hover over Storage Service and click the Logstore name.OSS: Use E-MapReduce (EMR) or a third-party log analysis service. Or on the Trails page, hover over Storage Service, click the bucket name, then go to Object Management > Objects. For OSS storage paths, see What is the storage path of an event that is delivered to an OSS bucket?
MaxCompute: ActionTrail creates a table named
actiontrail_<Trail name>. On the Trails page, hover over Storage Service and click the MaxCompute project name. Use DataWorks to query the table.