ActionTrail monitors and records the events within your Alibaba Cloud account. You can collect the events to Simple Log Service and use the new version of Log Audit Service to perform the following operations: behavior analysis, security analysis, resource change tracing, and behavior compliance audit. This topic describes how to collect ActionTrail logs to the new version of Log Audit Service.
Background information
ActionTrail monitors and records the events within your Alibaba Cloud account. The events include your access to and use of cloud services in the Alibaba Cloud Management Console or by using APIs and SDKs. By default, ActionTrail tracks and records events that are generated within the previous 90 days. You can query the events. For more information, see What is ActionTrail?
The new version of Log Audit Service is based on Alibaba Cloud Simple Log Service. You can use multiple projects to manage logs. You can aggregate, query, and analyze cloud service logs in a centralized manner, and you can process logs to meet region-specific data compliance requirements. This way, you can manage data in a legal and orderly manner. For more information, see Overview of Log Audit Service (new version).
Overview
The following figure shows the flowchart of collecting ActionTrail logs to the new version of Log Audit Service. The application supports multiple cloud services.
Prerequisites
Simple Log Service is activated. For more information, see Getting Started.
ActionTrail is activated. For more information, see Enable the Inner-ActionTrail feature.
1. Associate a project
Log on to the Simple Log Service console and create a project. For this example, create a project named
sample-production-cn-hangzhouin the China (Hangzhou) region.In the Log Application section, click the Audit & Security tab. Then, click Log Audit Service (New Version).
On the Log Audit (New Version) page, click Associate Project. In the Associate Project dialog box, configure the parameters and click Confirm.
ActionTrail logs are collected to the project that you associate with the new version of Log Audit Service.
On the Log Audit (New Version) page, click the associated project.
On the Cloud Services tab, click Enable Now for ActionTrail.
2. Create a trail
In the Go to ActionTrail Console Create Trail panel, read the requirements for creating a trail. Then, click ActionTrail Console.
In the ActionTrail console, configure the parameters in the Basic Information and Event Delivery sections. The following figure shows sample configurations.
After you create the trail, view the details of the trail. A Logstore named
actiontrail_sample-production-actiontrailis automatically created.ActionTrail automatically creates a Logstore named
actiontrail_<Trail name>.
3. Query and analyze logs
On the Log Audit (New Version) page, click the project that you want to manage. On the Cloud Services tab of the page that appears, click View for ActionTrail in the Policy-enabled Cloud Services section.
On the ActionTrail Logs tab of the Query and Analysis page, query and analyze logs.
References
For more information about how to enable indexing for a Logstore, see Create indexes. For more information about how to query and analyze logs in a Logstore, see Query and analyze logs.
In this topic, ActionTrail logs are used only as an example. For more information about the log types, default project and Logstore names, and billing details of other supported cloud services, see Usage notes of cloud service configuration.
