Analyze and store ActionTrail events - ActionTrail - Alibaba Cloud Documentation Center

By default, ActionTrail retains event history for 90 days. For long-term storage, real-time alerting, or advanced analytics, you must create a trail to deliver events to a supported Alibaba Cloud service. This topic outlines common event delivery solutions for different use cases.

Prerequisites

Before you create a trail, ensure the destination services you plan to use are activated.

Object Storage Service (OSS): See Activate OSS.
Simple Log Service (SLS): Log on to the SLS console and follow the prompts to activate the service.
MaxCompute: See Activate MaxCompute.

Solutions for common use cases

Choose a solution based on your requirements for data retention, analysis, and alerting.

Use case 1: Long-term event retention

To meet compliance requirements which may require retaining audit logs for 180 days or longer, you must deliver events to a durable storage service.

Solution: Create a trail that delivers events to OSS or SLS. By default, data in these services is stored indefinitely.
- To create a trail, see Create a single-account trail.
Lifecycle management: If you need to enforce a specific retention period (such as 180 days), you can configure lifecycle rules.
- For OSS, see Configure lifecycle rules for an OSS bucket.
- For SLS, see Modify the data retention period for a Logstore.

Use case 2: Real-time alerting on sensitive operations

To detect and respond to sensitive operations in near real-time, such as creating billable resources or deleting critical infrastructure, you can use the alerting capabilities of SLS.

Solution:
1. Create a trail that delivers events to SLS. When configuring the trail, you can choose to log only Write management events to reduce noise and cost.
2. In the SLS console, configure alert rules based on specific event patterns. For example, create an alert for any Delete event. For instructions, see Configure an alert rule.

Use case 3: Big data analytics

For complex, large-scale analysis of event data, you can leverage the distributed computing capabilities of MaxCompute.

Solution:
1. Create a trail that delivers events to SLS.
2. In the SLS console, configure a data shipping job to automatically load the event data from your Logstore into MaxCompute. For instructions, see Ship data to MaxCompute.

Cost-optimization strategy

To balance real-time analysis capabilities with cost-effective long-term storage, we recommend a tiered approach. SLS is optimized for real-time query and alerting, while OSS offers lower-cost archival storage.

Create a trail that delivers events to SLS. This provides you with immediate access to events for real-time analysis and alerting.
Modify the Logstore's retention period. Set a shorter retention period in SLS (such as 30 or 90 days) to minimize hot storage costs.
1. Log on to the SLS console.
2. In the Projects section, click the target project.
3. Find the target Logstore and click the icon to its left and then click the icon.
4. On the Logstore Attributes section, click Modify at the bottom of the page.
5. Change the value of the Data Retention Period parameter to Specified Days, specify a retention period, and click Save.
Configure data shipping to OSS. Set up a data shipping job in SLS to automatically and periodically export log data from your Logstore to an OSS bucket for long-term, low-cost archival.
For more information, see Create an OSS data shipping job (new version).