ActionTrail provides the alerting feature. You can use the feature to monitor your cloud resources in real time and respond to exceptions in your cloud resources at the earliest opportunity. If the system identifies potential security threats or non-compliant events based on an alert rule, the system notifies the users and user groups that are specified in the rule by using multiple notification methods. This way, the users and user groups can handle the threats or events at the earliest opportunity to ensure the security and integrity of cloud resources. This topic describes how to enable the alerting feature and configure alert rules.
Step 1: Create a trail
Create a trail that meets the following conditions:
The trail delivers events from all regions.
The trail delivers all types of events.
The trail delivers events to Simple Log Service.
For more information, see Create a single-account trail and Create a multi-account trail.
When you create a trail, you can create a data backfill task to deliver events that are generated within the last 90 days. For more information, see Create a data backfill task.
Step 2: Enable the advanced event query feature for the trail
Before you can use the alerting feature to detect events for a trail, you must enable the advanced event query feature.
Log on to the ActionTrail console.
In the left-side navigation pane, click Trails.
On the Trails page, find the trail for which you want to enable the advanced event query feature and turn on the switch in the Advanced Event Query column.
Note: You can enable the advanced event query feature for only one trail within an Alibaba Cloud account or Resource Access Management (RAM) user.
If you configure an alert rule for a trail, the alert rule configuration still takes effect after you disable the advanced event query feature for the trail. If you want to modify the configuration of an alert rule or disable an alert rule, you must re-enable the advanced event query feature.
Step 3: Create users and a user group
You can specify users and user groups as contacts of alert notifications. In this example, two users named Alice and Kumer and a user group named ActionTrailOM are created. Users Alice and Kumer are added to the ActionTrailOM user group.
Log on to the ActionTrail console.
In the left-side navigation pane, click Alerts.
Create a user.
On the Alert Center page, choose .
On the User Management tab, click Create.
In the Create User dialog box, configure the parameters and click OK.
In this example, the following user information is entered:
# ID, Username, Phone Number, Receive Text Message, Receive Phone Call, Email, Enabled
test01,Kumer,true,86-1381111*****,true,true,a***@example.net
test02,Alice,true,86-1381111*****,true,true,a***@example.net
The following table describes the parameters.

Parameter: ID
Description: The ID of the user. The ID must be unique. The ID must be 5 to 60 characters in length and can contain letters, digits, underscores (_), hyphens (-), and periods (.). The ID must start with a letter.
Example: test01 and test02

Parameter: Username
Description: The name of the user. The name must be 1 to 20 characters in length and cannot contain the following special characters: " \ $ | ~ ? & <> {} ''
Example: Kumer and Alice

Parameter: Phone Number
Description: The country code and mobile phone number of the user. The country code must be 1 to 4 characters in length and can contain only digits.
Example: 86-1381111***** and 86-1381112*****

Parameter: Receive Text Message
Description: Specifies whether ActionTrail can send text messages to the mobile phone number. Valid values: true and false.
Example: true

Parameter: Receive Phone Call
Description: Specifies whether ActionTrail can send voice notifications to the mobile phone number. Valid values: true and false.
Example: true

Parameter: Email
Description: The email address of the user.
Example: a***@example.net

Parameter: Enabled
Description: Specifies whether ActionTrail can send alert notifications to the user. Valid values: true and false.
Example: true
Create a user group.
On the Notification Objects tab, click User Group Management.
On the User Group Management tab, click Create.
In the Add User Group dialog box, configure the parameters and click OK.
The following table describes the parameters and provides sample parameter values.

Parameter: ID
Description: The ID of the user group. The ID must be unique. The ID must be 5 to 60 characters in length and can contain letters, digits, underscores (_), hyphens (-), and periods (.). The ID must start with a letter.
Example: group-01

Parameter: Group Name
Description: The name of the RAM user group. The name can be up to 20 characters in length and cannot contain the following special characters: \$|~?&<>{}''"
Example: ActionTrailOM

Parameter: Available Members
Description: The users that you created.
Example: Kumer and Alice

Parameter: Selected Members
Description: The users that are added to the user group after the user group is created.
Example: Kumer and Alice

Parameter: Enabled
Description: Specifies whether ActionTrail can send alert notifications to the user group. If you turn on the switch, ActionTrail can send alert notifications to the user group. If you turn off the switch, ActionTrail cannot send alert notifications to the user group.
Example: Turned on
Step 4: (Optional) Create an alert template
By default, ActionTrail uses the SLS actiontrail builtin content template to send alert notifications to the specified alert contacts. You can also create custom alert templates based on your business requirements.
Log on to the ActionTrail console.
In the left-side navigation pane, click Alerts.
On the Alert Center page, choose .
Click Create.
In the Add Content Template dialog box, configure ID and Name.
Specify the notification content for each alert notification method.

Notification method: SMS
You can configure the following parameters:
- Language: the language of an alert notification. Valid values: Chinese and English.
- Content: the content of an alert notification. You can enter content or use template variables to specify the content of an alert notification. For more information, see Variables in new alert templates.

Notification method: Voice
You can configure the following parameters:
- Language: the language of an alert notification. Valid values: Chinese and English.
- Content: the content of an alert notification. You can enter content or use template variables to specify the content of an alert notification. For more information, see Variables in new alert templates.

Notification method: Email
You can configure the following parameters:
- Language: the language of an alert notification. Valid values: Chinese and English.
- Subject: the subject of an alert notification. You can enter a subject or use template variables to specify the subject of an alert notification.
- Content: the content of an alert notification. You can enter content or use template variables to specify the content of an alert notification. For more information, see Variables in new alert templates.

Notification method: DingTalk
You can configure the following parameters:
- Language: the language of an alert notification. Valid values: Chinese and English.
- Disable Details Viewing: specifies whether to disable alert details viewing or alert rule management in logon-free mode. For more information, see View alert details in logon-free mode.
- Title: the title of an alert notification. You can enter a title or use template variables to specify the title of an alert notification.
- Content: the content of an alert notification. You can enter content or use template variables to specify the content of an alert notification. For more information, see Variables in new alert templates.

Notification method: Webhook-Custom
You can configure the following parameters:
- Sending Mode: the method that is used to send alert notifications. Valid values: Single and Batch.
  For example, you enter the following content in the Content field, and two alerts are triggered:
    { "project": "{{project}}", "alert_name": "{{alert_name}}"}
  - Single: Two alert notifications are sent separately. The content is
    { "project": "project-1", "alert_name": "alert-1"}
    and
    { "project": "project-2", "alert_name": "alert-2"}
  - Batch: Two alert notifications are sent at a time. The content is
    [{ "project": "project-1", "alert_name": "alert-1"}, { "project": "project-2", "alert_name": "alert-2"}]
  If you select Batch and set the Maximum number of items sent in a group parameter to N, an alert notification for the first N alerts in a merge set is sent.
  If you select Batch and the content that you specify can be parsed into JSON data, an alert notification is sent in the JSON format. If the content cannot be parsed into JSON data, an alert notification is sent as an array that contains strings.
- Maximum number of items sent in a group: the maximum number of alerts that can be sent at a time. You can specify a custom value or select Unlimited.
- Content: the content of an alert notification. You can enter content or use template variables to specify the content of an alert notification. For more information, see Variables in new alert templates.
Note: When ActionTrail sends alert notifications, the request header Content-Type: application/json;charset=utf-8 is used by default. If a webhook receiver requires a request header in a different format, you can specify a custom request header when you configure the notification method. For more information, see Notification methods.

Notification method: Notifications
You can configure the following parameters:
- Language: the language of an alert notification. Valid values: Chinese and English.
- Content: the content of an alert notification. You can enter content or use template variables to specify the content of an alert notification. For more information, see Variables in new alert templates.

Notification method: WeCom
You can configure the following parameters:
- Language: the language of an alert notification. Valid values: Chinese and English.
- Title: the title of an alert notification. You can enter a title or use template variables to specify the title of an alert notification.
- Content: the content of an alert notification. You can enter content or use template variables to specify the content of an alert notification. For more information, see Variables in new alert templates.

Notification method: Lark
You can configure the following parameters:
- Language: the language of an alert notification. Valid values: Chinese and English.
- Disable View Details: specifies whether to disable alert details viewing or alert rule management in logon-free mode. For more information, see View alert details in logon-free mode.
- Title: the title of an alert notification. You can enter a title or use template variables to specify the title of an alert notification.
- Content: the content of an alert notification. You can enter content or use template variables to specify the content of an alert notification. For more information, see Variables in new alert templates.

Notification method: Slack
You can configure the following parameters:
- Language: the language of an alert notification. Valid values: Chinese and English.
- Title: the title of an alert notification. You can enter a title or use template variables to specify the title of an alert notification.
- Content: the content of an alert notification. You can enter content or use template variables to specify the content of an alert notification. For more information, see Variables in new alert templates.

Notification method: EventBridge
You can configure the following parameters:
- Subject: the subject of an alert notification. You can enter a subject or use template variables to specify the subject of an alert notification.
- Content: the content of an alert notification. You can enter content or use template variables to specify the content of an alert notification. For more information, see Variables in new alert templates.

Notification method: Function Compute
You can configure the same parameters as for Webhook-Custom:
- Sending Mode: the method that is used to send alert notifications. Valid values: Single and Batch. The Single and Batch behavior, the first-N limit of a merge set, and the JSON-or-strings rule described for Webhook-Custom apply in the same way.
- Maximum number of items sent in a group: the maximum number of alerts that can be sent at a time. You can specify a custom value or select Unlimited.
- Content: the content of an alert notification. You can enter content or use template variables to specify the content of an alert notification. For more information, see Variables in new alert templates.
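The Single and Batch sending modes described for Webhook-Custom and Function Compute, as an added Python example that is not part of the original documentation: it models how a merge set of alerts is rendered through the {{variable}} template and turned into request bodies. The template and the two alerts are the ones quoted above; the plain-substitution renderer and the all-or-nothing JSON check are assumptions, not the service's own implementation.

```python
import json
import re
from typing import Any, Dict, List, Optional

# Default request header named in the Note for Webhook-Custom.
DEFAULT_HEADERS = {"Content-Type": "application/json;charset=utf-8"}

# The template from the text and two constructed alerts carrying the
# same values as the documentation's example.
TEMPLATE = '{ "project": "{{project}}", "alert_name": "{{alert_name}}"}'
SAMPLE_ALERTS = [
    {"project": "project-1", "alert_name": "alert-1"},
    {"project": "project-2", "alert_name": "alert-2"},
]

_VAR = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template: str, alert: Dict[str, Any]) -> str:
    """Replace {{variable}} placeholders with values from one alert.

    Assumption: plain substitution only. The real template engine
    supports more variables and functions than this illustrates.
    """
    return _VAR.sub(lambda m: str(alert.get(m.group(1), "")), template)


def build_payloads(template: str, alerts: List[Dict[str, Any]],
                   mode: str = "Single",
                   max_items: Optional[int] = None) -> List[str]:
    """Return the request bodies a receiver would get for one merge set.

    Single: one body per alert.
    Batch:  one body holding the first max_items alerts (all of them
            when max_items is None, i.e. Unlimited). When every rendered
            item parses as JSON the body is a JSON array of objects;
            otherwise it is a JSON array of strings.
    """
    rendered = [render(template, a) for a in alerts]
    if mode == "Single":
        return rendered
    if mode != "Batch":
        raise ValueError(f"unknown sending mode: {mode}")
    if max_items is not None:
        rendered = rendered[:max_items]
    try:
        items: List[Any] = [json.loads(r) for r in rendered]
    except json.JSONDecodeError:
        items = rendered  # not valid JSON: fall back to an array of strings
    return [json.dumps(items)]


if __name__ == "__main__":
    for body in build_payloads(TEMPLATE, SAMPLE_ALERTS, "Batch"):
        print(DEFAULT_HEADERS, body)
```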
Click Confirm.
Step 5: (Optional) Create an action policy
You can use action policies to manage the alert notification methods and the frequency at which alert notifications are sent. By default, ActionTrail uses the SLS actiontrail builtin action policy to send alert notifications to the specified alert contacts. You can also create custom action policies based on your business requirements. When you create a custom action policy, you can specify alert notification conditions, alert notification methods, and alert contacts.
Log on to the ActionTrail console.
In the left-side navigation pane, click Alerts.
On the Alert Center page, choose .
Click Create.
In the Add Action Policy dialog box, configure the ID and Name parameters.
On the Primary Action Policy tab, create an action policy.
Click the icon.
Configure the conditions to trigger alert notifications and click Confirm.
Parameter: Condition
Description: Valid values:
- All: The action policy is executed only if all alerts in an alert set meet the specified condition.
- Any: The action policy is executed if one or more of the alerts in an alert set meet the specified condition.
Example: All

Parameter: Conditional expression
Description: Alerts that match a conditional expression are processed based on the action policy. You can specify an object, an operator, and an object value for the conditional expression.
Example: Object: Alibaba Cloud Account ID; Operator: Equal to; Object value: 154035569884****

Parameter: Mode
Description: You can add multiple conditions in standard mode or advanced mode. Valid values:
- Standard Mode: If you specify multiple conditions, the conditions are evaluated by using the AND operator.
- Advanced Mode: If you specify multiple conditions, the conditions can be evaluated by using the AND or OR operator. You can also group multiple conditions into one group by using parentheses. Nested conditions are supported.
Example: Standard Mode
Configure an action group.
Configure the notification method and related parameters. Supported notification methods include text messages, voice calls, emails, DingTalk, webhooks, and Message Center. For more information, see Notification methods.
Click the icon for the Condition or Action Group dialog box to end the configuration.
Note: If you want to add more conditions and action groups, click the icon.
Optional. If you want to add more Condition and Action Group nodes after you click End, perform the following steps:
- Delete an existing node: right-click the node and select Delete Node.
- Add a node: click the icon to add a Condition node, click the icon to add an Action Group node, or click the icon to add an End node.
Click Confirm.
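The condition evaluation in the action policy above (All versus Any over an alert set, standard-mode AND versus advanced-mode AND/OR groups), as an added Python example that is not part of the original documentation. The Alibaba Cloud Account ID object and the Equal to operator come from the table; the Severity attribute, the alert set and the tuple-based expression shape are constructed for illustration.

```python
from typing import Dict, List, Tuple, Union

# A leaf condition is (object, operator, object value), as in the table's
# example: Object "Alibaba Cloud Account ID", Operator "Equal to".
Condition = Tuple[str, str, str]
# Standard mode is a plain list of conditions (joined with AND).
# Advanced mode is ("AND" | "OR", [conditions or nested groups]).
Expr = Union[List[Condition], Tuple[str, list]]

# Only the operator named on the page is implemented here; any further
# operators the console offers would slot into this table (assumption).
OPERATORS = {
    "Equal to": lambda actual, expected: actual == expected,
}

# Constructed alert set. "Severity" is an assumed attribute used only to
# show nested grouping; the account IDs are masked sample values.
ALERT_SET = [
    {"Alibaba Cloud Account ID": "154035569884****", "Severity": "High"},
    {"Alibaba Cloud Account ID": "154035569884****", "Severity": "Medium"},
    {"Alibaba Cloud Account ID": "198765432100****", "Severity": "High"},
]


def eval_condition(alert: Dict[str, str], cond: Condition) -> bool:
    obj, op, expected = cond
    return OPERATORS[op](alert.get(obj, ""), expected)


def eval_expr(alert: Dict[str, str], expr: Expr) -> bool:
    """Evaluate one alert against a standard-mode list or an
    advanced-mode group; groups may nest to any depth."""
    if isinstance(expr, list):
        return all(eval_condition(alert, c) for c in expr)
    op, children = expr
    # A child whose second element is a list is itself a group.
    results = [eval_expr(alert, c) if isinstance(c[1], list)
               else eval_condition(alert, c) for c in children]
    if op == "AND":
        return all(results)
    if op == "OR":
        return any(results)
    raise ValueError(f"unknown group operator: {op}")


def policy_matches(alerts: List[Dict[str, str]], expr: Expr,
                   condition: str = "All") -> bool:
    """All: every alert in the set must match. Any: at least one must."""
    hits = [eval_expr(a, expr) for a in alerts]
    if condition == "All":
        return all(hits)
    if condition == "Any":
        return any(hits)
    raise ValueError(f"unknown condition: {condition}")
```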
Step 6: Enable an alert rule
ActionTrail allows you to create alert rules by using an alert template and create custom alert rules. You can create alert rules based on your business requirements. For example, if you want to trigger an alert when the configuration of a virtual private cloud (VPC) route changes, you can create an alert rule by using the VPC Network Route Change Alert template.
After you create a custom alert rule, it is automatically enabled. You do not need to perform the following steps to enable the rule. For more information about how to create a custom alert rule, see Create a custom alert rule.
Log on to the ActionTrail console.
In the left-side navigation pane, click Alerts.
On the Alert Center page, click the Alert Rules tab.
Click the drop-down arrow next to Create Alert.
Select Create from Template.
Click the destination alert template.
Click OK. The alert rule is created.
If Running is displayed in the Status column, the alert rule is enabled. You can click the name of an alert rule to view its details, or click Edit in the Actions column of an alert rule to view the alert rule configuration.
References
You can configure alert monitoring rules in Simple Log Service. For more information, see Configure an alert monitoring rule in Simple Log Service.
For more information about built-in alert rules, see Built-in alert monitoring rules.
For more information about the possible issues of alert rules, see FAQ about alert monitoring rules.
For more information about alert notification methods, see FAQ about alert notification methods.
For more information about alert notifications, see FAQ about alert notifications.
If you do not receive alert notifications, you can troubleshoot the issue in the Alert History section. For more information, see Troubleshooting for the issue that alert notifications are not received.
When you configure a custom webhook as a notification method, you may encounter specific issues. For more information, see FAQ about custom webhooks.
What do I do if the advanced event query and alerting features of ActionTrail are unavailable?