The event alerting feature in ActionTrail helps you monitor and respond to anomalous activity on your cloud resources in real time. When an alert rule detects a potential security threat or a non-compliant operation, ActionTrail sends notifications to specified users and user groups through various channels. This allows them to handle issues promptly and maintain the security and integrity of your cloud resources. This topic describes how to enable and configure event alerting.
Prerequisites
You must activate Simple Log Service. If you are using Simple Log Service for the first time, log on to the Simple Log Service console and activate the service as prompted. For more information, see What is Simple Log Service?.
Using Simple Log Service incurs charges for resources such as log storage and text message notifications. For more information about pricing details and billing methods, see Billing overview.
Step 1: Create a trail
Create a trail that meets the following conditions:
Trail regions: All regions.
Event type: All management events.
Read/write type: All events (read and write).
Log destination: Deliver trail events to Simple Log Service (SLS).
For more information, see Create a single-account trail and Create a multi-account trail.
When you create a trail, you can also create a task to backfill events from the last 90 days to the trail. This expands the event search scope. For more information, see Create a data backfill task.
Step 2: Select the Logstore for event delivery
Log on to the ActionTrail console.
In the navigation pane on the left, click Advanced Event Query. In the Query Scope section, select the trail that you created in Step 1: Create a trail.
In the left navigation pane, click Event Alerting.
On the Alerting and Monitoring System page, click the Alerting Rules tab and select the Logstore to which events are delivered. The Logstore is named in the format actiontrail_<Trail name>.

Step 3: Create users and user groups
Create users and user groups to serve as notification recipients. For example, you can create two users named Alice and Kumer and a user group named ActionTrail O&M Group. Then, add Alice and Kumer to the ActionTrail O&M Group.
Log on to the ActionTrail console.
In the left navigation pane, click Event Alerting.
Create users.
On the Alerting and Monitoring System page, you can choose .
In the User Management section, click Create.
In the Add User dialog box, configure the following parameters and click Confirm.
The following is an example of user information:
# ID, Name, Mobile phone number, Receive text messages, Receive voice calls, Mailbox, Enable
test01,Kumer,true,86-1381111*****,true,true,a***@example.net
test02,Alice,true,86-1381111*****,true,true,a***@example.net
Parameter description:
Parameter: ID
Description: The unique identifier of the user. The ID cannot be the same as an existing one. The ID must be 5 to 60 characters in length, start with a letter, and can contain letters, digits, underscores (_), hyphens (-), and periods (.).
Example: test01, test02
Parameter: Name
Description: The name of the user. The name must be 1 to 20 characters in length and cannot contain the following special characters: "\$|~?&<>{}`'.
Example: Kumer, Alice
Parameter: Mobile phone number
Description: The mobile phone number of the user. The country code must consist of digits and be 1 to 4 characters in length.
Example: 86-1381111*****, 86-1381112*****
Parameter: Receive text messages
Description: Specifies whether to allow ActionTrail to send text message notifications to the mobile phone number. Valid values: true (allowed) and false (not allowed).
Example: true
Parameter: Receive voice calls
Description: Specifies whether to allow ActionTrail to send voice call notifications to the mobile phone number. Valid values: true (allowed) and false (not allowed).
Example: true
Parameter: Mailbox
Description: The email address of the user.
Example: a***@example.net
Parameter: Enable
Description: Specifies whether to allow ActionTrail to send alert notifications to the user. Valid values: true (allowed) and false (not allowed).
Example: true
Create a user group.
On the Notification Recipient tab, click User Group Management.
On the User Group Management tab, click Create.
In the Add User Group dialog box, configure the following parameters and click Confirm.
The following describes the key parameters and provides sample configurations.
Parameter: ID
Description: The unique identifier of the user group. The ID cannot be the same as an existing one. The ID must be 5 to 60 characters in length, start with a letter, and can contain letters, digits, underscores (_), hyphens (-), and periods (.).
Example: group-01
Parameter: Group name
Description: The name of the user group. The name can be up to 20 characters in length and cannot contain the following special characters: \$|~?&<>{}`'".
Example: ActionTrail O&M Group
Parameter: Members to be added
Description: The users that you have created and that can be added to the group.
Example: Kumer, Alice
Parameter: Added members
Description: The users that have been added to the user group.
Example: Kumer, Alice
Parameter: Enable
Description: Specifies whether to allow ActionTrail to send alert notifications to the user group. Valid values: Enable (yes) and Disable (no).
Example: Enable
Step 4 (Optional): Create a content template
By default, ActionTrail uses the built-in SLS ActionTrail content template to send alert notifications. You can also create custom content templates as needed.
Log on to the ActionTrail console.
In the left-side navigation pane, click Alerts.
On the Alert Center page, choose .
Click Create.
In the Add Content Template dialog box, configure ID and Name.
Specify the notification content for each alert notification method.
Notification method
Description
SMS
You can configure the following parameters:
Language: the language of an alert notification. Valid values: Chinese and English.
Content: the content of an alert notification. You can enter content or use template variables to specify the content of an alert notification. For more information, see Variables in new alert templates.
Voice
You can configure the following parameters:
Language: the language of an alert notification. Valid values: Chinese and English.
Content: the content of an alert notification. You can enter content or use template variables to specify the content of an alert notification. For more information, see Variables in new alert templates.
Email
You can configure the following parameters:
Language: the language of an alert notification. Valid values: Chinese and English.
Subject: the subject of an alert notification. You can enter a subject or use template variables to specify the subject of an alert notification.
Content: the content of an alert notification. You can enter content or use template variables to specify the content of an alert notification. For more information, see Variables in new alert templates.
DingTalk
You can configure the following parameters:
Language: the language of an alert notification. Valid values: Chinese and English.
Disable Details Viewing: specifies whether to disable alert details viewing or alert rule management in logon-free mode. For more information, see View alert details in logon-free mode.
Title: the title of an alert notification. You can enter a title or use template variables to specify the title of an alert notification.
Content: the content of an alert notification. You can enter content or use template variables to specify the content of an alert notification. For more information, see Variables in new alert templates.
Webhook-Custom
You can configure the following parameters:
Sending Mode: the method that is used to send alert notifications. Valid values: Single and Batch.
For example, you enter { "project": "{{project}}", "alert_name": "{{alert_name}}"} in the Content field, and two alerts are triggered.
Single: Two alert notifications are sent separately. The content is { "project": "project-1", "alert_name": "alert-1"} and { "project": "project-2", "alert_name": "alert-2"}.
Batch: Two alert notifications are sent at a time. The content is [{ "project": "project-1", "alert_name": "alert-1"}, { "project": "project-2", "alert_name": "alert-2"}].
If you select Batch and set the Maximum number of items sent in a group parameter to N, an alert notification for the first N alerts in a merge set is sent.
If you select Batch and the content that you specify can be parsed into JSON data, an alert notification is sent in the JSON format. If the content cannot be parsed into JSON data, an alert notification is sent as an array that contains strings.
Maximum number of items sent in a group: the maximum number of alerts that can be sent at a time. You can specify a custom value or select Unlimited.
Content: the content of an alert notification. You can enter content or use template variables to specify the content of an alert notification. For more information, see Variables in new alert templates.
Note: When ActionTrail sends alert notifications, the request header Content-Type: application/json;charset=utf-8 is used by default. If a webhook receiver requires a request header in a different format, you can specify a custom request header when you configure the notification method. For more information, see Notification methods.
Notifications
You can configure the following parameters:
Language: the language of an alert notification. Valid values: Chinese and English.
Content: the content of an alert notification. You can enter content or use template variables to specify the content of an alert notification. For more information, see Variables in new alert templates.
WeCom
You can configure the following parameters:
Language: the language of an alert notification. Valid values: Chinese and English.
Title: the title of an alert notification. You can enter a title or use template variables to specify the title of an alert notification.
Content: the content of an alert notification. You can enter content or use template variables to specify the content of an alert notification. For more information, see Variables in new alert templates.
Lark
You can configure the following parameters:
Language: the language of an alert notification. Valid values: Chinese and English.
Disable View Details: specifies whether to disable alert details viewing or alert rule management in logon-free mode. For more information, see View alert details in logon-free mode.
Title: the title of an alert notification. You can enter a title or use template variables to specify the title of an alert notification.
Content: the content of an alert notification. You can enter content or use template variables to specify the content of an alert notification. For more information, see Variables in new alert templates.
Slack
You can configure the following parameters:
Language: the language of an alert notification. Valid values: Chinese and English.
Title: the title of an alert notification. You can enter a title or use template variables to specify the title of an alert notification.
Content: the content of an alert notification. You can enter content or use template variables to specify the content of an alert notification. For more information, see Variables in new alert templates.
EventBridge
You can configure the following parameters:
Subject: the subject of an alert notification. You can enter a subject or use template variables to specify the subject of an alert notification.
Content: the content of an alert notification. You can enter content or use template variables to specify the content of an alert notification. For more information, see Variables in new alert templates.
Function Compute
You can configure the following parameters:
Sending Mode: the method that is used to send alert notifications. Valid values: Single and Batch.
For example, you enter { "project": "{{project}}", "alert_name": "{{alert_name}}"} in the Content field, and two alerts are triggered.
Single: Two alert notifications are sent separately. The content is { "project": "project-1", "alert_name": "alert-1"} and { "project": "project-2", "alert_name": "alert-2"}.
Batch: Two alert notifications are sent at a time. The content is [{ "project": "project-1", "alert_name": "alert-1"}, { "project": "project-2", "alert_name": "alert-2"}].
If you select Batch and set the Maximum number of items sent in a group parameter to N, an alert notification for the first N alerts in a merge set is sent.
If you select Batch and the content that you specify can be parsed into JSON data, an alert notification is sent in the JSON format. If the content cannot be parsed into JSON data, an alert notification is sent as an array that contains strings.
Maximum number of items sent in a group: the maximum number of alerts that can be sent at a time. You can specify a custom value or select Unlimited.
Content: the content of an alert notification. You can enter content or use template variables to specify the content of an alert notification. For more information, see Variables in new alert templates.
Click Confirm.
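The Single and Batch sending modes described for Webhook-Custom and Function Compute, including the first-N truncation and the JSON-or-strings fallback, emulated in an added Python example (this is not Simple Log Service's own code; the field names project and alert_name and the plain-text template are assumptions):

```python
import json
import re

# Constructed alert set: the two alerts from the example above (assumed field names).
ALERTS = [
    {"project": "project-1", "alert_name": "alert-1"},
    {"project": "project-2", "alert_name": "alert-2"},
]

_VAR = re.compile(r"\{\{\s*(\w+)\s*\}\}")  # matches {{variable}} in the Content field


def render(template, alert):
    """Substitute each {{field}} template variable with the alert's field value."""
    return _VAR.sub(lambda m: str(alert.get(m.group(1), "")), template)


def build_notifications(template, alerts, mode="Single", max_items=None):
    """Return the notification bodies (one string each) that the receiver gets.

    Single: one body per alert.
    Batch:  one body covering the first max_items alerts of the merge set
            (None = Unlimited). If every rendered item parses as JSON, the body
            is a JSON array of objects; otherwise it is a JSON array of strings.
    """
    if mode == "Single":
        return [render(template, a) for a in alerts]
    if mode != "Batch":
        raise ValueError("mode must be 'Single' or 'Batch'")
    group = alerts if max_items is None else alerts[:max_items]
    rendered = [render(template, a) for a in group]
    try:
        items = [json.loads(r) for r in rendered]  # content is valid JSON
    except json.JSONDecodeError:
        items = rendered  # plain text: sent as an array of strings
    return [json.dumps(items, separators=(",", ":"))]


JSON_TEMPLATE = '{ "project": "{{project}}", "alert_name": "{{alert_name}}"}'
TEXT_TEMPLATE = "Alert {{alert_name}} fired in {{project}}"  # assumed plain-text template

if __name__ == "__main__":
    for body in build_notifications(JSON_TEMPLATE, ALERTS, "Single"):
        print("Single:", body)
    print("Batch:", build_notifications(JSON_TEMPLATE, ALERTS, "Batch")[0])
    print("Batch (text):", build_notifications(TEXT_TEMPLATE, ALERTS, "Batch")[0])
    print("Batch, N=1:", build_notifications(JSON_TEMPLATE, ALERTS, "Batch", 1)[0])
```

A webhook receiver should therefore accept both a single object and an array, and validate the array element type before processing it.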
Step 5 (Optional): Create an action policy
Action policies control the channels and frequency of alert notifications. Built-in alert rules use the default SLS ActionTrail built-in action policy to send alert notifications. You can also create a custom action policy to set alert trigger conditions, notification channels, and recipients.
Log on to the ActionTrail console.
In the left-side navigation pane, click Alerts.
On the Alert Center page, choose .
Click Create.
In the Add Action Policy dialog box, configure the ID and Name parameters.
On the Primary Action Policy tab, create an action policy.
Click the icon. Configure the conditions to trigger alert notifications and click Confirm.
Parameter: Condition
Description: Valid values:
All: The action policy is executed only if all alerts in an alert set meet the specified condition.
Any: The action policy is executed if one or more of the alerts in an alert set meet the specified condition.
Example: All
Parameter: Conditional expression
Description: Alerts that match a conditional expression are processed based on the action policy. You can specify an object, an operator, and an object value for the conditional expression.
Example:
Object: Alibaba Cloud Account ID
Operator: Equal to
Object value: 154035569884****
Parameter: Mode
Description: You can add multiple conditions in standard mode or advanced mode. Valid values:
Standard Mode: If you specify multiple conditions, the conditions are evaluated by using the AND operator.
Advanced Mode: If you specify multiple conditions, the conditions can be evaluated by using the AND or OR operator. You can also group multiple conditions into one group by using parentheses. Nested conditions are supported.
Example: Standard Mode
Configure an action group.
Configure the notification method and related parameters. Supported notification methods include text messages, voice calls, emails, DingTalk, webhooks, and Message Center. For more information, see Notification methods.

Click the icon for the Condition or Action Group dialog box to end the configuration.
Note: If you want to add more conditions and action groups, click the icon.
Optional. If you want to add more Condition and Action Group nodes after you click End, perform the following steps:
Delete an existing node: Right-click the node and select Delete Node.
Add a node: Click the icon to add a Condition node. Click the icon to add an Action Group node. Click the icon to add an End node.
Click Confirm.
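How the Condition (All/Any) setting and the Standard Mode and Advanced Mode expressions from Step 5 decide whether an action policy runs for a merge set, as an added Python emulation (not Simple Log Service's own evaluator; the alert field name account_id, the second alert's name and the second account ID are constructed, and Equal to is the only operator implemented because it is the only one the table shows):

```python
# Constructed merge set of three alerts. "account_id" is an assumed field name
# standing in for the "Alibaba Cloud Account ID" object in the table above.
ALERT_SET = [
    {"account_id": "154035569884****", "alert_name": "VPC Network Route Change Alert"},
    {"account_id": "154035569884****", "alert_name": "constructed-alert-2"},
    {"account_id": "199999999999****", "alert_name": "VPC Network Route Change Alert"},
]


def evaluate(alert, expr):
    """Evaluate one conditional expression tree against a single alert.

    Leaf: (object, operator, value), e.g. ("account_id", "Equal to", "1540...").
    Node: ("AND" | "OR", subexpr, subexpr, ...); a nested node plays the role
    of a parenthesised group in Advanced Mode.
    """
    if expr[0] in ("AND", "OR"):
        results = [evaluate(alert, sub) for sub in expr[1:]]
        return all(results) if expr[0] == "AND" else any(results)
    obj, operator, value = expr
    if operator == "Equal to":  # the only operator shown in the table above
        return str(alert.get(obj, "")) == str(value)
    raise ValueError(f"unsupported operator: {operator}")


def standard_mode(conditions):
    """Standard Mode: every listed condition must hold (implicit AND)."""
    return ("AND", *conditions)


def policy_applies(alert_set, expr, condition="All"):
    """Decide whether the action policy is executed for a merge set.

    "All": every alert in the set must satisfy expr.
    "Any": at least one alert in the set must satisfy expr.
    """
    matched = [evaluate(alert, expr) for alert in alert_set]
    if condition == "All":
        return all(matched)
    if condition == "Any":
        return any(matched)
    raise ValueError("condition must be 'All' or 'Any'")


ACCOUNT_CONDITION = ("account_id", "Equal to", "154035569884****")

if __name__ == "__main__":
    expr = standard_mode([ACCOUNT_CONDITION])
    print("All:", policy_applies(ALERT_SET, expr, "All"))  # False: third alert differs
    print("Any:", policy_applies(ALERT_SET, expr, "Any"))  # True
```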
Step 6: Enable an alert rule
ActionTrail lets you create alert rules from templates or create custom alert rules. For example, if you want to trigger an alert when the routing configuration of a virtual private cloud (VPC) changes, you can create an alert rule from the VPC Network Route Change Alert template.
A custom alert rule is automatically enabled after it is created. You do not need to perform the following steps for custom rules. For more information about how to create a custom alert rule, see Create a custom alert rule.
Log on to the ActionTrail console.
In the navigation pane on the left, click Event Alerting.
On the Alerting and Monitoring System page, click the Alerting Rules tab.
Click the arrow next to the Create Alert button.
Select Create from Template.
Click the target alert template.
Click Confirm to create the alert rule.
If the Status column displays Running, the alert rule is enabled. You can click the alert rule name to query the alert history, or click Edit in the Actions column to view the alert rule configuration.
References
You can also set alert monitoring rules in Simple Log Service. For more information, see Quickly set up log-based alerting.
For more information about built-in alert rules, see Built-in alert monitoring rules.
For more information about issues that you might encounter with alert monitoring rules, see FAQ about alert monitoring rules.
For more information about issues related to alert notification channels, see FAQ about notification channels.
For more information about issues related to alert notification content, see FAQ about notification content.
If you do not receive an alert notification, you can troubleshoot the issue by checking the alert history. For more information, see Troubleshoot issues where alert notifications are not received.
You may encounter issues when you set a custom webhook as a notification channel. For more information, see FAQ about using custom webhooks.
What do I do if the advanced event query and event alerting features of ActionTrail are unavailable?