Elastic Compute Service: Use the Session Record Delivery feature

Last Updated: Apr 24, 2024

You can use the Session Record Delivery feature provided by Cloud Assistant to deliver the session records of Session Manager to Simple Log Service or Object Storage Service (OSS) for persistent storage. This topic describes how to configure the Session Record Delivery feature and view delivered session records.

Background information

If you want to query, analyze, audit, and persist the session records of Session Manager or if you want to use Session Manager in scenarios that require high security and compliance, we recommend that you use the Session Record Delivery feature to deliver the session records of Session Manager to a Simple Log Service Logstore or an OSS bucket for persistent storage.

Note

For information about the regions in which the Session Record Delivery feature is supported, see the Supported regions section of the "Session Manager" topic.

Billing

The Session Record Delivery feature is free of charge. However, you may be charged for the following items when you use the feature:

  • Billable items of Simple Log Service, such as storage space occupied by the delivered records and log index traffic.

    For more information, see Billing overview.

  • Billable items of OSS, such as storage space occupied by the delivered records and traffic generated when you use the object management feature of OSS.

    For more information, see Billing overview.

Step 1: Configure the Session Record Delivery feature

To deliver session records, specify a Simple Log Service project and Logstore or an OSS bucket in the Elastic Compute Service (ECS) console. Perform the following operations:

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Maintenance & Monitoring > Cloud Assistant.

  3. In the upper-left corner of the top navigation bar, select a region.

    Note

    Session records cannot be delivered across regions. To deliver session records to a different region, select the region and then proceed.

  4. In the upper-right corner of the ECS Cloud Assistant page, click Configure.

  5. In the Cloud Assistant Settings dialog box, click the Session Manager Settings tab to configure the delivery settings.

    • Deliver session records to Simple Log Service.

      1. Select Deliver to Log Service.

      2. Select an existing Simple Log Service project and Logstore.

        • If you do not have Simple Log Service projects or Logstores in the selected region, click Log Service Console or Logstores to create projects or Logstores in the Simple Log Service console. After you create projects or Logstores, go back to the Cloud Assistant Settings dialog box in the ECS console and click the refresh icon to obtain the most recent list of Simple Log Service projects or Logstores. For information about how to create a Simple Log Service project and how to create a Simple Log Service Logstore, see Manage a project and Manage a Logstore.

        • To query or analyze logs in Simple Log Service, you must enable indexing. For more information, see Create indexes.

        • (Optional) Specify a server-side encryption method for the Logstore. Session records delivered to the Logstore are encrypted by using the encryption method. For more information, see Encrypt data.

    • Deliver session records to OSS.

      1. Click Deliver to OSS.

      2. Select an existing OSS bucket and enter a root directory in which you want to store session records.

        If you do not have OSS buckets in the selected region, click OSS Console to create buckets in the OSS console. After you create buckets, go back to the dialog box in the ECS console and click the refresh icon to obtain the most recent list of OSS buckets. For information about how to create an OSS bucket, see Create buckets.

      3. (Optional) Click the icon next to Advanced Options to specify a server-side encryption method.

        Note

        OSS provides a server-side encryption mechanism to protect static data. You can use the mechanism in scenarios that require high security or compliance. If you specify a server-side encryption method, the objects that contain the session records are encrypted by using the method. For more information, see Server-side encryption.

  6. Click Determine.

    The first time you configure delivery settings, the system creates a service-linked role that grants Cloud Assistant access to Simple Log Service and OSS resources. This way, you can deliver session records to specific Simple Log Service Logstores or OSS buckets. If the service-linked role already exists, the system does not re-create the role. You can manage the role for Cloud Assistant based on your business requirements. For more information, see Manage the service-linked role for ECS Cloud Assistant.

Step 2: Use Session Manager to connect to the instance

After you use Session Manager to connect to the instance, session records are automatically delivered to the specified Simple Log Service Logstore or OSS bucket.

For more information, see Connect to an instance by using Session Manager.

Step 3: View session records

You can go to the Simple Log Service console or OSS console to view session records.

View session records in the Simple Log Service console

This section describes how to access a Logstore from the ECS console to view the logs of session records that are delivered to the Logstore. Alternatively, you can log on to the Simple Log Service console to access the Logstore.

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Maintenance & Monitoring > Cloud Assistant.

  3. In the upper-left corner of the top navigation bar, select a region.

  4. In the upper-right corner of the ECS Cloud Assistant page, click Configure.

  5. In the Cloud Assistant Settings dialog box, click the Session Manager Settings tab and select Delivery to Log Service.

  6. On the right side of the Logstore section, click Logstores.

    • For information about how to view and analyze logs, see Query and analyze logs.

    • The following table describes the parameters in logs of session records.

      Parameter          Description
      LoginUser          The username used to perform operations.
      CallerUid          The ID of the account used to perform operations.
      Content            The command and the command output. The command and the output are separated by equal signs (=).
      InstanceId         The ID of the instance.
      SessionId          The ID of the session.
      ChannelId          The ID of the channel.
      TokenPrincipalId   The ID of the principal that actually performs operations after the instance is connected with a Security Token Service (STS) role by using Session Manager.

View session records in the OSS console

This section describes how to access an OSS bucket from the ECS console to view the objects of session records that are delivered to the bucket. Alternatively, you can log on to the OSS console to access the bucket.

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Maintenance & Monitoring > Cloud Assistant.

  3. In the upper-left corner of the top navigation bar, select a region.

  4. In the upper-right corner of the ECS Cloud Assistant page, click Configure.

  5. In the Cloud Assistant Settings dialog box, click the Session Manager Settings tab and select Deliver to OSS.

  6. On the right side of the Bucket section, click OSS Console.

  7. Access the directory of a specific session record object.

    After you go to the OSS console, you are directed to the root directory that you specified when you configured delivery settings. You can view session record objects in the subdirectories that are automatically generated and organized hierarchically. The subdirectories are in the following format:

    <Root directory>/<Region ID of the instance>/<Session record time (Year-Month)>/<Session record time (Day)>/<Instance ID>/<SessionId>/<ChannelId>

  8. Analyze a session record object.

    Session record objects are in the YAML format. You can download the objects for analysis and auditing.

    The following sample Java code shows how to parse a session record object in the YAML format:

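    import java.io.File;
    import java.io.FileInputStream;
    import java.io.IOException;
    import java.io.InputStream;
    import java.util.List;

    import org.yaml.snakeyaml.LoaderOptions;
    import org.yaml.snakeyaml.Yaml;
    import org.yaml.snakeyaml.constructor.Constructor;
    import org.yaml.snakeyaml.introspector.BeanAccess;

    //The wrapper class for the sample. The class name is illustrative.
    public class SessionRecordParser {

        //The document parsing class of the YAML object.
        public static class Document {
            //The basic information about the session.
            private MetaData metaData;
            //The session records.
            private List<SessionData> sessionData;

            public MetaData getMetaData() { return metaData; }
            public List<SessionData> getSessionData() { return sessionData; }
        }

        //The basic information about the session.
        public static class MetaData {
            //The parsing version of the YAML object.
            private String version;
            //The username used to perform operations.
            private String loginUser;
            //The ID of the account used to perform operations.
            private Long callerUid;
            //The ID of the instance.
            private String instanceId;
            //The ID of the session.
            private String sessionId;
            //The ID of the channel.
            private String channelId;
            //The ID of the principal that actually performs operations after the instance is connected with an STS role by using Session Manager.
            private String stsTokenPrincipalId;
        }

        //The session records.
        public static class SessionData {
            //The time of the session record.
            private String time;
            //The command and corresponding output. In most cases, the command and the output are separated by closing angle brackets (>).
            private String content;
        }

        /**
         * Obtain the session records of Session Manager.
         *
         * @param deliveryFileName the name of the YAML object.
         * @return the session records, or null if the object cannot be read.
         */
        public Document getSessionData(String deliveryFileName) {
            //SnakeYAML 2.x requires LoaderOptions to be passed to the Constructor.
            Yaml yaml = new Yaml(new Constructor(Document.class, new LoaderOptions()));
            //The fields are private and have no setters, so bind the YAML keys to the fields directly.
            yaml.setBeanAccess(BeanAccess.FIELD);
            File deliveryFile = new File(deliveryFileName);
            try (InputStream deliveryInputStream = new FileInputStream(deliveryFile)) {
                Document document = (Document) yaml.load(deliveryInputStream);
                //The basic information about the session.
                //MetaData metaData = document.getMetaData();
                //The session records.
                //List<SessionData> sessionDataList = document.getSessionData();
                return document;
            } catch (IOException exception) {
                //Report the failure instead of silently discarding it.
                System.err.println("Failed to read " + deliveryFileName + ": " + exception.getMessage());
            }
            return null;
        }
    }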
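
When auditing a bucket, the directory layout described in step 7 can be checked and indexed before any record is downloaded. The following Python sketch is an added example, not part of the original topic or of Alibaba Cloud's code. The function names, the sample directories, and the assumed formats (Year-Month as YYYY-MM, Day as DD, instance IDs starting with "i-") are assumptions.

```python
import re
from collections import defaultdict
from datetime import date

# Assumptions, not stated on the page: Year-Month is YYYY-MM, Day is DD,
# and instance IDs start with "i-". Session and channel IDs are kept opaque.
_YM = re.compile(r"^(\d{4})-(\d{2})$")
_DAY = re.compile(r"^\d{2}$")
_INSTANCE = re.compile(r"^i-[0-9a-z]+$")

# Constructed sample directories (not real records).
SAMPLE_DIRS = [
    "audit/sm/cn-hangzhou/2024-04/24/i-bp1example0001/s-0001/c-0001",
    "audit/sm/cn-hangzhou/2024-04/24/i-bp1example0001/s-0002/c-0001",
    "audit/sm/cn-hangzhou/2024-02/31/i-bp1example0001/s-0003/c-0001",
    "audit/sm/notes/readme",
]


def parse_record_dir(path):
    """Split a record directory into the documented components, or return None.

    Parsing runs from the right, so a multi-level root directory is tolerated.
    """
    parts = path.strip("/").split("/")
    if len(parts) < 7 or "" in parts:
        return None
    region, ym, day, instance, session, channel = parts[-6:]
    m = _YM.match(ym)
    if not m or not _DAY.match(day) or not _INSTANCE.match(instance):
        return None
    try:
        when = date(int(m.group(1)), int(m.group(2)), int(day))
    except ValueError:  # impossible calendar date such as 2024-02/31
        return None
    return {"root": "/".join(parts[:-6]), "region": region, "date": when,
            "instance_id": instance, "session_id": session, "channel_id": channel}


def index_sessions(paths):
    """Group session IDs by (instance ID, date) and collect non-conforming paths."""
    index, rejected = defaultdict(set), []
    for path in paths:
        rec = parse_record_dir(path)
        if rec is None:
            rejected.append(path)
        else:
            index[(rec["instance_id"], rec["date"])].add(rec["session_id"])
    return dict(index), rejected
```

Directories returned in the rejected list do not follow the delivery layout and are worth reviewing, because they were not placed by the delivery path the layout describes.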