By default, ActionTrail stores only events that were generated within the last 90 days in your Alibaba Cloud account. To query events that are more than 90 days old, create a trail and a data backfill task to deliver events to Simple Log Service for long-term storage. For example, Multi-Level Protection Scheme (MLPS) 2.0 requires events to be stored for 180 days or longer. If you do not deliver events for long-term storage, you cannot query them once they are more than 90 days old. This topic describes how to store events for a long period of time.
Prerequisites
Simple Log Service is activated.
The first time you use Simple Log Service, log on to the Simple Log Service console and activate Simple Log Service as prompted. For more information, see What is Simple Log Service?
The permissions to use the backfill feature are obtained. To obtain the permissions, submit a ticket.
Background information
A trail delivers only events that are generated after the trail is created. To store events that were generated within the last 90 days, you must also create a data backfill task to deliver the events that were generated before the trail was created.
The time range supported for a data backfill task starts 90 days before the current time and ends 5 minutes after the trail that is associated with the task takes effect. For example, if you create a data backfill task and the associated trail was created 40 days ago, the task delivers the events that were generated in the 50 days before the trail was created.
You can create data backfill tasks only for single-account trails, and historical events can be delivered only to Simple Log Service.
Only one data backfill task can run at a time within an Alibaba Cloud account.
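The time range described above can be checked against what actually reached the Logstore. The following Python sketch is an added example, not part of the original documentation or of any Alibaba Cloud SDK: it computes the backfill window from the two rules above and lists full days with no events. The function names are hypothetical, and the per-day event counts are constructed sample data standing in for counts exported from the Logstore.

```python
from datetime import datetime, timedelta, timezone

EVENT_HISTORY = timedelta(days=90)   # events ActionTrail keeps by default
END_OFFSET = timedelta(minutes=5)    # backfill ends 5 minutes after the trail takes effect


def backfill_window(now, trail_effective):
    """Return (start, end) of the range a backfill task covers, or None."""
    start = now - EVENT_HISTORY
    end = trail_effective + END_OFFSET
    # A trail older than 90 days leaves nothing for a backfill task to deliver.
    return (start, end) if end > start else None


def uncovered_days(now, trail_effective, daily_counts):
    """Full UTC days that should hold events but have none in the Logstore."""
    # Coverage begins at the backfill start, or at the trail itself if it is older.
    first = min(now - EVENT_HISTORY, trail_effective)
    day = first.date() + timedelta(days=1)   # skip the partial first day
    gaps = []
    while day < now.date():                  # skip the partial current day
        if daily_counts.get(day, 0) == 0:
            gaps.append(day)
        day += timedelta(days=1)
    return gaps


# Constructed sample: the trail took effect 40 days ago, as in the example above.
NOW = datetime(2024, 6, 30, 12, 0, tzinfo=timezone.utc)
TRAIL_EFFECTIVE = NOW - timedelta(days=40)

# Constructed per-day event counts, as exported from the Logstore.
# Two days inside the backfilled range are left out to simulate a delivery gap.
SAMPLE_COUNTS = {
    NOW.date() - timedelta(days=n): 120
    for n in range(0, 91)
    if n not in (60, 61)
}

if __name__ == "__main__":
    start, end = backfill_window(NOW, TRAIL_EFFECTIVE)
    print("backfill window:", start.isoformat(), "->", end.isoformat())
    print("backfilled span:", end - start)
    for gap in uncovered_days(NOW, TRAIL_EFFECTIVE, SAMPLE_COUNTS):
        print("no events on", gap.isoformat())
```

A day with no events can also mean that the account was idle, so compare any reported day with the Delivery Status of the task on the Backfill page.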
Step 1: Create a single-account trail to deliver events to Simple Log Service
Log on to the ActionTrail console.
In the left-side navigation pane, click Trails.
In the top navigation bar, select the region where you want to create a single-account trail.
Note: The region that you select becomes the home region of the trail that you want to create.
On the Trails page, click Create Trail.
On the Create Trail page, configure the parameters.
In the Basic Information section, configure the basic information about the trail.
Note: By default, the trail delivers events in all regions. We recommend that you set the Management Event parameter to All. This way, the trail delivers all types of events that occur in all regions. For more information, see Create a single-account trail.
In the Event Delivery section, configure parameters to deliver events to Simple Log Service within the current Alibaba Cloud account.
Parameter: Description
Logstore Region: The region where the Logstore resides.
Project Name: The name of the project.
Note: The project name is shared by all Alibaba Cloud users and must be unique.
If you select New Log Service Project, the system automatically creates a project. You must specify a name for the project. The system also automatically creates a Logstore for the project.
If you select Existing Log Service Project, you must select an existing project from the Project Name drop-down list.
For more information about how to create a project in Simple Log Service, see Getting Started.
Click Confirm.
Step 2: Create a data backfill task
In the left-side navigation pane, click Backfill.
In the top navigation bar, select a region where you want to create a data backfill task.
Note: The region must be the same as the region where the created single-account trail resides.
On the Backfill page, click Create Task.
On the Create Task page, select the single-account trail for which you want to create a data backfill task.
Note: After you select the trail, the following information is automatically entered: the region from which the trail delivers events, the region where the Simple Log Service project resides, the name of the Simple Log Service project, and the information about the Simple Log Service Logstore.
Click Confirm.
After you create a data backfill task, you can view the Delivery Status of the task on the Backfill page to check whether events are delivered.
Step 3: (Optional) Query events
In the left-side navigation pane, click Trails.
In the top navigation bar, select the region of your single-account trail and data backfill task.
On the Trails page, find your trail and move the pointer over SLS or SLS & OSS in the Storage Service column. Then, click the name of the Simple Log Service Logstore.
In the upper-right corner of the page that appears, click Last 15 Minutes and specify a time range for the query.
Enter an SQL statement and click Search & Analyze to query the details of the event.
References
For more information about how to query and analyze event details, see Query and analyze logs.
For more information about the SQL statements that can be used to query and analyze events, see How can I use SQL statements to query ActionTrail events delivered to Simple Log Service?
When you query and analyze events, errors may occur. For more information, see FAQ about query and analysis.