CreateTrail - ActionTrail - Alibaba Cloud Documentation Center

By default, ActionTrail allows you to query events that are generated within your Alibaba Cloud account in the last 90 days. To query and analyze events that are generated more than 90 days ago, you can create a trail to deliver events to Object Storage Service (OSS), Simple Log Service, or MaxCompute.

Operation description

You can create a trail to deliver events to Log Service, Object Storage Service (OSS), or both. Before you call this operation to create a trail, make sure that the following requirements are met:

Deliver events to Log Service: A project is created in Log Service.

Description After you create a trail to deliver events to Log Service, a Logstore whose name is in the actiontrail_<Trail name> format is automatically created and optimally configured for subsequent auditing. Indexes and a dashboard are created for the Logstore to facilitate event queries. You cannot manually write data to the Logstore. This ensures data accuracy. You do not need to create a Logstore in advance.

Deliver events to OSS: A bucket is created in OSS. This topic provides an example on how to call the API operation to create a single-account trail named trail-test to deliver events to an OSS bucket named audit-log.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer.

Debug

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

Operation: the value that you can use in the Action element to specify the operation on a resource.
Access level: the access level of each operation. The levels are read, write, and list.
Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
Condition Key: the condition key that is defined by the cloud service.
Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.

Operation	Access level	Resource type	Condition key	Associated operation
actiontrail:CreateTrail	create	All Resources *	none	none

Request parameters

Parameter	Type	Required	Description	Example
Name	string	Yes	The name of the trail to be created. The name must be 6 to 36 characters in length. The name must start with a lowercase letter and can contain lowercase letters, digits, hyphens (-), and underscores (_). Note The name must be unique within your Alibaba Cloud account.	trail-test
OssBucketName	string	No	The name of the OSS bucket to which events are to be delivered. The name must be 3 to 63 characters in length. The name must start with a lowercase letter or a digit and can contain lowercase letters, digits, and hyphens (-). Note You must specify at least one of the OssBucketName and SlsProjectArn parameters.	audit-log
OssKeyPrefix	string	No	The prefix of the log files to be stored in the destination OSS bucket. This parameter can be left empty. The prefix must be 6 to 32 characters in length. The prefix must start with a letter and can contain letters, digits, hyphens (-), forward slashes (/), and underscores (_).	at-product-account-audit-B
OssWriteRoleArn	string	No	The Alibaba Cloud Resource Name (ARN) of the RAM role that is assumed by ActionTrail to deliver events to the OSS bucket. If you do not specify this parameter, ActionTrail creates a service-linked role to create the required resources. For more information, see Manage the service-linked role. If you specify this parameter, you must grant the permissions of the service-linked role that is assumed by ActionTrail to the RAM role before you can deliver events to your Alibaba Cloud account. If you need to deliver events to other Alibaba Cloud accounts, you must attach the permission policy that is used to grant permissions related to event delivery to the RAM role. For more information about how to deliver events across Alibaba Cloud accounts, see Deliver events across Alibaba Cloud accounts.	acs:ram::***:role/aliyunserviceroleforactiontrail
SlsProjectArn	string	No	The ARN of the Log Service project to which events are to be delivered. Note You must specify at least one of the OssBucketName and SlsProjectArn parameters.	acs:log:cn-shanghai::project/***
SlsWriteRoleArn	string	No	The ARN of the RAM role that is assumed by ActionTrail to deliver events to the Log Service project. If you do not specify this parameter, ActionTrail creates a service-linked role to create the corresponding resource. For more information, see Manage the service-linked role. If you specify this parameter, you must grant the permissions of the service-linked role that is assumed by ActionTrail to the RAM role before you can deliver events to your Alibaba Cloud account. If you need to deliver events to other Alibaba Cloud accounts, you must attach the permission policy that is used to grant permissions related to event delivery to the RAM role. For more information about how to deliver events across Alibaba Cloud accounts, see Deliver events across Alibaba Cloud accounts.	acs:ram::***:role/aliyunserviceroleforactiontrail
EventRW	string	No	The read/write type of the events to be delivered. Valid values: Write: write events. It is the default value. Read: read events. All: read and write events.	Write
TrailRegion	string	No	The one or more regions from which the trail delivers events. The default value is All, which indicates that the trail delivers events from all regions. You can also specify specific regions. You can call the DescribeRegions operation to query all the supported regions.	All
IsOrganizationTrail	boolean	No	Specifies whether to create a multi-account trail. Valid values: true: creates a multi-account trail. false (default): creates a single-account trail.	false

For more information about common request parameters, see Common parameters.

Response parameters

Parameter	Type	Description	Example
	object
SlsProjectArn	string	The ARN of the Log Service project to which events are to be delivered.	acs:log:cn-hangzhou:151266687691****:project/test-project
OssWriteRoleArn	string	The ARN of the service-linked role that is assumed by ActionTrail to deliver events to the destination OSS bucket.	acs:ram::***:role/aliyunserviceroleforactiontrail
EventRW	string	The read/write type of the events to be delivered.	Write
RequestId	string	The ID of the request.	442DDADF-DA58-4029-8E8B-82C73E9A7A70
HomeRegion	string	The home region of the trail.	cn-hangzhou
OssKeyPrefix	string	The prefix of the log files to be stored in the destination OSS bucket.	at-product-account-audit-B
OssBucketName	string	The name of the OSS bucket to which events are to be delivered.	audit-log
SlsWriteRoleArn	string	The ARN of the service-linked role that is assumed by ActionTrail to deliver events to the destination Log Service project.	acs:ram::***:role/aliyunserviceroleforactiontrail
TrailRegion	string	The one or more regions from which the trail delivers events.	All
Name	string	The name of the trail.	trail-test

Examples

Sample success responses

JSONformat

{
  "SlsProjectArn": "acs:log:cn-hangzhou:151266687691****:project/test-project",
  "OssWriteRoleArn": "acs:ram::***:role/aliyunserviceroleforactiontrail",
  "EventRW": "Write",
  "RequestId": "442DDADF-DA58-4029-8E8B-82C73E9A7A70",
  "HomeRegion": "cn-hangzhou",
  "OssKeyPrefix": "at-product-account-audit-B",
  "OssBucketName": "audit-log",
  "SlsWriteRoleArn": "acs:ram::***:role/aliyunserviceroleforactiontrail",
  "TrailRegion": "All",
  "Name": "trail-test"
}

Error codes

HTTP status code	Error code	Error message	Description
400	InvalidDeliveryConfigurationException	You must specify at least one Log Service project or OSS bucket for a Trail.	Trail must have at least one delivery destination
400	InvalidPrefixException	The specified OSS bucket prefix is invalid.	The specified OSS bucket prefix is not valid.
400	InvalidQueryParameter	The specified query parameter is invalid.	The specified query parameter is not valid.
400	InvalidTrailNameException	The specified Trail name is invalid.	The specified Trail name is not valid.
400	RepeatOssBucket	The specified OSS bucket is already in use. We recommend that you modify the existing Trail or specify another bucket.	The specified OSS Bucket is already in used,.We recommend that you modify the tracking area in that Trail.
400	SlsProjectDoesNotExistException	The specified Log Service project does not exist.	The specified SLS Project is not existed.
400	TrailAlreadyExistsException	The specified Trail name already exists.	The specified Trail name already exists,if you want to create a new Trail,please use another Trail name.
400	MaximumNumberOfOrganizationTrailExceeded	Your account can create only one organization trail.	-
400	NotAllowCreateOrganizationTrail	Your account does not allow you to create organization trail. Submit a ticket to get customer support.	-
403	InsufficientBucketPolicyException	Access to the specified OSS bucket was denied.	Access OSS bucket denied.
403	InsufficientSlsPolicyException	Access to the specified Log Service project was denied.	Access SLS Project denied.
403	MaximumNumberOfTrailsExceededException	The number of Trails in the same region exceeds the upper limit (5).	The number of Trail in same region has exceeded the limit 5
404	BucketDoesNotExistException	The specified OSS bucket does not exist.	The specified OSS Bucket is not existed.

For a list of error codes, visit the Service error codes.

Change history

Change time	Summary of changes	Operation
2024-01-09	The Error code has changed. The request parameters of the API has changed. The response structure of the API has changed	View Change Details