ActionTrail helps you monitor the operations within your Alibaba Cloud account and records the events that are generated in the last 90 days. If you want to query and analyze events that are generated more than 90 days ago, you can create a trail in the ActionTrail console and deliver the events to Simple Log Service. This topic describes how to query and analyze events in the Simple Log Service console in different scenarios.
Prerequisites
A trail is created and configured to deliver events to a Logstore in Simple Log Service. For more information, see Create a single-account trail and Create a multi-account trail.
Scenario 1: Analyze whether your AccessKey pair is disclosed
Your enterprise detects an unauthorized use of your AccessKey pair from an external IP address. You want to know whether the AccessKey pair is disclosed. In this case, you can create a trail in the ActionTrail console to deliver events to Simple Log Service. Then, you can analyze and trace the use of the AccessKey pair in the Simple Log Service console.
You can obtain the source IP address of the unauthorized access request. If the IP address is not in the city where your enterprise resides, the AccessKey pair is disclosed.
Log on to the Simple Log Service console.
In the Projects section, click the name of the project that you specified when you created the trail.
Click the name of the Logstore and then click Last 15 Minutes to specify a time range for the query.
Enter the following query statement in the search box:
__topic__: actiontrail_audit_event and event.userIdentity.accessKeyId:<YourAccessKeyId> | SELECT count(1) as pv, city FROM (SELECT "event.sourceIpAddress" AS ip, ip_to_city("event.sourceIpAddress") as city FROM log) WHERE ip_to_domain(ip)!='intranet' GROUP BY city ORDER BY pv DESC
NoteReplace <YourAccessKeyId> with your AccessKey ID.
The preceding query statement returns the source IP address of unauthorized access requests that use the AccessKey pair and the frequency of such requests. If the IP address is not in the city where your enterprise resides, the AccessKey pair is disclosed.
Click Search & Analyze to view the query results.
Optional. If the AccessKey pair is disclosed, modify the permissions of the RAM user to solve the problem.
For more information, see Revoke permissions from a RAM user.
Scenario 2: Trace the deletion of your ECS instances
Your enterprise wants to trace high-risk operations that are performed on Alibaba Cloud resources, such as the deletion of your Elastic Compute Service (ECS) instances. In this case, you can create a trail in the ActionTrail console to deliver events to Simple Log Service. Then, you can obtain information about users who delete your ECS instances.
Log on to the Simple Log Service console.
In the Projects section, click the name of the project that you specified when you created a trail.
Click the name of the Logstore and then click Last 15 Minutes to specify a time range for the query.
Enter the following query statement in the search box:
__topic__: actiontrail_audit_event | SELECT serviceName, eventName, userName, count(1) as pv FROM (SELECT "event.eventName" as eventName, "event.serviceName" as serviceName, "event.userIdentity.userName" as userName FROM log) WHERE (serviceName = <TargetServiceName> and eventName = <TargetEventName>) GROUP BY serviceName, eventName, userName
NoteReplace
<TargetServiceName>
and<TargetEventName>
with ECS and DeleteInstances. This way, you can obtain information about the users who delete ECS instances.Click Search & Analyze to view the query results.
The preceding query statement returns information about users who deleted the ECS instances and the number of delete operations. After you obtain the information about the unauthorized delete operations, you can use the following query statement to query the operation details:
__topic__: actiontrail_audit_event and event.serviceName:<TargetServiceName> and <TargetResourceId> and event.userIdentity.accessKeyId:<YourAccessKeyId>
Scenario 3: Generate data reports for your cloud resources
As your enterprise rapidly develops cloud-based business, your enterprise requires comprehensive data reports on the frequency of the use of core cloud resources. Your enterprise can use the data reports to estimate the amount of resources to be purchased and prevent potential risks.
For example, your enterprise requires a data report on the ECS instances that you created in the last six months to analyze the year-over-year and month-over-month increase of ECS instances. Then, your enterprise can estimate the number of ECS instances to be purchased in the next six months. This data report helps your enterprise control costs.
Log on to the Simple Log Service console.
In the Projects section, click the name of the project that you specified when you created a trail.
Click the name of the Logstore and then click Last 15 Minutes to specify a time range for the query.
Enter the following query statement in the search box:
__topic__: actiontrail_audit_event and event.serviceName:<TargetServiceName> and event.eventName:<TargetEventName> | select t, diff[1] as current, diff[2] as last_month, diff[3] as percentage from(select t, compare( pv , 2592000) as diff from (select count(1) as pv, date_format(from_unixtime(__time__), '%m') as t from log group by t) group by t order by t)
NoteReplace
<TargetServiceName>
and<TargetEventName>
with ECS and CreateInstance. This way, you can obtain information about the number of ECS instances created each month and the monthly increase rate.Click Search & Analyze to view the query results.
Click the Graph tab.
Click the Common Settings tab on the right and choose .
You can also use this method to generate data reports for specific high-risk operations. Then, you can analyze the patterns of these operations and the peak and off-peak times for these operations. This method helps you optimize cloud resources and improve resource utilization.
Scenario 4: Create alert rules for your cloud services
Your enterprise wants to receive alert notifications when the number of daily access requests to an Alibaba Cloud resource exceeds the average number of access requests in the last 60 days by a specified proportion. In this case, you can create alert rules by using the Dashboard module in the Simple Log Service console to monitor the status of each cloud service in real time. You can also add custom charts to the Dashboard module for real-time monitoring. For more information, see Add a chart to a dashboard.
Log on to the Simple Log Service console.
In the Projects tab, click the name of the project that you specified when you created a trail.
Query the average number of access requests that are sent to each Alibaba Cloud service in the last 60 days and the number of access requests on the current day.
Click the name of your Logstore and then click Last 15 Minutes.
In the Time Range section, click Custom and specify a 60-day time range.
Enter the following query statement in the search box:
__topic__: actiontrail_audit_event |select a.serviceName, a.avg_pv, b.today_pv from (select serviceName, avg(pv) as avg_pv from (select "event.serviceName" as serviceName, count(1) as pv, date_format(from_unixtime(__time__), '%m-%d') as day from log group by serviceName, day) group by serviceName) a join (select "event.serviceName" as serviceName, count(1) as today_pv from log where date_format(from_unixtime(__time__), '%Y-%m-%d')=current_date group by serviceName) b on a.serviceName = b.serviceName
Click Search & Analyze to view the query results.
Click the Graph tab.
Click the Common Settings tab on the right and choose .
NoteYou can add filter conditions to exclude Alibaba Cloud services or events that you do not want to view.
Create an alert rule.
Click the icon in the upper-right corner.
In the Alert Monitoring Rule panel, configure the parameters.
For more information, see Configure an alert rule.
Configure the conditions that trigger alerts.
$0.today_pv > $0.avg_pv && ($0.today_pv - $0.avg_pv)/$0.avg_pv > 0.5
$0
indicates the original chart data that is associated with the query statement. You can specify the average number of access requests that are sent to each Alibaba Cloud service in the last 60 days and the number of access requests on the current day.$0.avg_pv
indicates the average number of access requests in the last 60 days.Click OK.