使用 SDK 创建跟踪与在控制台创建跟踪的主要区别是:
• 在控制台创建跟踪时,操作审计可以帮您创建 OSS Bucket 和日志服务项目(LogProject)、日志库(LogStore)及报表;
• 在控制台创建跟踪后,操作审计会自动帮您开启跟踪。
因为通过控制台创建跟踪,操作审计会自动帮您调用配置日志服务、启用跟踪(StartLogging) 等接口。
使用 SDK 创建跟踪
通过 SDK 创建跟踪的过程可以分为两步:
• 创建并配置日志服务(如果已有日志项目及日志库则可忽略该步骤)
• 创建并启用跟踪
接下来以实际场景为例,详细介绍整个创建过程:
创建一个名为 cloud_trail 的跟踪,将所有地域的所有事件,投递到杭州地域的日志项目 cloud_trail_project 中,并配置日志服务的索引、报表。
为了方便,下面的代码示例将使用阿里云 Python SDK,Python版本为 3.7。
创建并配置日志服务
如果您已完成日志服务配置,则可跳过此段内容
如果要创建跟踪将数据投递到日志服务,首先需要创建对应的日志项目(LogProject),并创建名为 actiontrail_{TrailName} 的日志库(LogStore),TrailName 是跟踪名称。
此外,如果需要对操作日志进行分析,则还需要对 LogStore 配置索引和报表。我们可以使用日志服务的 Python SDK aliyun-log-python-sdk 来实现。
初始化 SDK
安装依赖:
$ pip install -U aliyun-log-python-sdk初始化 SDK:
from aliyun.log import LogClient
# 华东 1 (杭州) Region
region = 'cn-hangzhou'
# 日志服务入口
endpoint = '{region}.log.aliyuncs.com'.format(region=region)
# 用户访问秘钥对中的 AccessKeyId
access_key_id = 'ABCDEFGHIJKLJMN'
# 用户访问秘钥对中的 AccessKeySecret
access_key_secret = 'OPQRSTUVWXYZ'
# 阿里云主账号 ID
account_id = '123456789'
client = LogClient(endpoint, access_key_id, access_key_secret)创建日志项目(LogProject)和日志库(LogStore)
如下面代码,跟踪名称为 cloud_trail ,日志项目名称为 cloud_trail_project ,日志库名称为 actiontrail_cloud_trail 。创建日志库时,指定 preserve_storage 为 True ,永久保存数据。可根据实际情况修改。
# 跟踪名称
trail_name = 'cloud_trail'
# 日志项目名称
log_project_name = 'cloud_trail_project'
# 创建日志服务
res = client.create_project(log_project_name, '操作审计事件日志项目')
res.log_print()
# 日志库名称
log_store_name = 'actiontrail_{trail_name}'.format(trail_name=trail_name)
# 创建日志库
res = client.create_logstore(log_project_name, log_store_name, shard_count=3, preserve_storage=True)
res.log_print()配置索引
可以使用 client.create_index(self, project_name, logstore_name, index_detail) 方法创建索引。其中 index_detail 是 JSON 格式的索引配置。
import json
from aliyun.log import LogClient
from aliyun.log import IndexConfig
def get_json_data(path):
with open(path) as f:
return json.load(f)
# 从 log_index.json 中读取索引配置
index_json = get_json_data('./log_index.json')
index_detail = IndexConfig()
index_detail.from_json(index_json)
# 创建索引
client.create_index(log_project_name, log_store_name, index_detail)详细索引配置在文末附录部分。
索引如图所示:
创建报表
可以使用 client.create_dashboard(dashboard_detail) 方法创建索引。其中 dashboard_detail 是 JSON 格式的报表配置。
# 从 log_dashboard.json 中读取报表配置
dashboard_detail = get_json_data('./log_dashboard.json')
# 创建报表
client.create_dashboard(log_project_name, dashboard_detail)报表如图所示:
创建并启用跟踪
您可以使用阿里云 Python SDK aliyun-python-sdk-core 来创建跟踪。
初始化 SDK
安装依赖:
$ pip install aliyun-python-sdk-core
$ pip install aliyun-python-sdk-actiontrail初始化 SDK :
from aliyunsdkcore.client import AcsClient
from aliyunsdkcore.acs_exception.exceptions import ClientException
from aliyunsdkcore.acs_exception.exceptions import ServerException
from aliyunsdkactiontrail.request.v20171204.CreateTrailRequest import CreateTrailRequest
client = AcsClient(access_key_id, access_key_secret, region)创建跟踪到指定日志项目(LogProject)
创建跟踪的 API 是 CreateTrail 。
示例代码如下:
sls_project_arn = 'acs:log:{region}:{account_id}:project/{log_project_name}'.format(
region=region,
account_id=account_id,
log_project_name=log_project_name,
)
request = CreateTrailRequest()
request.set_accept_format('json')
# 设置跟踪名称
request.set_Name(trail_name)
# 设置 SLS project arn
request.set_SlsProjectArn(sls_project_arn)
# 跟踪所有事件
request.set_EventRW("All")
# 跟踪所有地域
request.set_TrailRegion("All")
response = client.do_action_with_exception(request)
print(str(response, encoding='utf-8'))通过 API 创建跟踪后,跟踪状态是 Fresh,表示已创建但未开启。所以后续还要开启跟踪。
启用跟踪
启用跟踪的接口是 StartLogging 。
代码示例:
from aliyunsdkactiontrail.request.v20171204.CreateTrailRequest import StartLoggingRequest
request = StartLoggingRequest()
request.set_accept_format('json')
request.set_Name(trail_name)
response = client.do_action_with_exception(request)
print(str(response, encoding='utf-8'))至此,跟踪就创建完成了。
总结
本文介绍了如何通过 SDK 创建跟踪并配置日志服务。整个过程可分为两个步骤:
- 创建并配置日志服务
- 创建并启用跟踪
其中 “创建并配置日志服务” 比较复杂,因为要通过 SDK 去配置日志服务的日志库、索引、报表等。创建并启用跟踪比较简单,调用对应 API 就可以了。希望通过本文的介绍后,大家能根据需要灵活地使用 SDK 去创建跟踪。
附录
索引配置
下面是操作事件的索引 JSON 配置,该配置会针对操作事件开启全文索引和字段索引。您可以直接使用。
{
"index_mode": "v2",
"keys": {
"event": {
"caseSensitive": false,
"chn": false,
"json_keys": {
"acsRegion": {
"doc_value": true,
"type": "text"
},
"apiVersion": {
"doc_value": true,
"type": "text"
},
"errorCode": {
"doc_value": true,
"type": "text"
},
"errorMessage": {
"doc_value": true,
"type": "text"
},
"eventId": {
"doc_value": true,
"type": "text"
},
"eventName": {
"doc_value": true,
"type": "text"
},
"eventSource": {
"doc_value": true,
"type": "text"
},
"eventType": {
"doc_value": true,
"type": "text"
},
"eventVersion": {
"doc_value": true,
"type": "text"
},
"requestId": {
"doc_value": true,
"type": "text"
},
"requestParameters.HostId": {
"doc_value": true,
"type": "text"
},
"requestParameters.Name": {
"doc_value": true,
"type": "text"
},
"requestParameters.Region": {
"doc_value": true,
"type": "text"
},
"serviceName": {
"doc_value": true,
"type": "text"
},
"sourceIpAddress": {
"doc_value": true,
"type": "text"
},
"userAgent": {
"doc_value": true,
"type": "text"
},
"userIdentity.accessKeyId": {
"doc_value": true,
"type": "text"
},
"userIdentity.accountId": {
"doc_value": true,
"type": "text"
},
"userIdentity.principalId": {
"doc_value": true,
"type": "text"
},
"userIdentity.type": {
"doc_value": true,
"type": "text"
},
"userIdentity.userName": {
"doc_value": true,
"type": "text"
}
},
"token": [
",",
" ",
"'",
"\"",
";",
"=",
"(",
")",
"[",
"]",
"{",
"}",
"?",
"@",
"&",
"<",
">",
"/",
":",
"\n",
"\t",
"\r"
],
"type": "json"
}
},
"line": {
"caseSensitive": false,
"chn": false,
"token": [
",",
" ",
"'",
"\"",
";",
"=",
"(",
")",
"[",
"]",
"{",
"}",
"?",
"@",
"&",
"<",
">",
"/",
":",
"\n",
"\t",
"\r"
]
}
}报表配置
下面是操作事件的报表 JSON 配置,您可以直接使用。使用时注意需要将 charts[].search.logstore 的值(即日志库)改为您的日志库(LogStore)名称。
{
"charts": [
{
"title": "actiontrail-dashboard-pv",
"search": {
"topic": "",
"logstore": "actiontrail_cloud_trail",
"start": "-2592000s",
"query": "__topic__: actiontrail_audit_event | select count(1) as PV",
"end": "now"
},
"action": {},
"display": {
"fontColor": {
"g": 255,
"b": 255,
"r": 255,
"a": 1
},
"yPos": 0,
"descriptionSize": 24,
"width": 2,
"fontSize": 32,
"bgColor": {
"g": 204,
"b": 228,
"r": 44,
"a": 1
},
"unit": "",
"height": 2,
"unitSize": 14,
"xPos": 0,
"description": "",
"showTitle": true,
"xAxis": [
"PV"
],
"displayName": "PV"
},
"type": "number"
},
{
"title": "actiontrail-dashboard-uv",
"search": {
"topic": "",
"logstore": "actiontrail_cloud_trail",
"start": "-2592000s",
"query": "__topic__: actiontrail_audit_event | select count(distinct \"event.sourceIpAddress\" ) as UV",
"end": "now"
},
"action": {},
"display": {
"fontColor": {
"g": 255,
"b": 255,
"r": 255,
"a": 1
},
"yPos": 0,
"descriptionSize": 24,
"width": 2,
"fontSize": 32,
"bgColor": {
"g": 204,
"b": 228,
"r": 44,
"a": 1
},
"unit": "",
"height": 2,
"unitSize": 14,
"xPos": 2,
"description": "",
"showTitle": true,
"xAxis": [
"UV"
],
"displayName": "UV"
},
"type": "number"
},
{
"title": "actiontrail-dashboard-event-area",
"search": {
"topic": "",
"logstore": "actiontrail_cloud_trail",
"start": "-2592000s",
"query": "__topic__: actiontrail_audit_event | select \"event.acsRegion\" as region, count(1 ) as cnt group by region order by cnt DESC limit 20",
"end": "now"
},
"action": {},
"display": {
"yAxis": [
"cnt"
],
"yPos": 7,
"height": 5,
"xPos": 0,
"legendPosition": "right",
"width": 5,
"pieType": "ring",
"margin": [
30,
100,
40,
50
],
"xAxis": [
"region"
],
"displayName": "事件区域分布"
},
"type": "pie"
},
{
"title": "actiontrail-dashboard-event-type",
"search": {
"topic": "",
"logstore": "actiontrail_cloud_trail",
"start": "-2592000s",
"query": "__topic__: actiontrail_audit_event | select \"event.eventType\" as event_type, count(1 ) as cnt group by event_type order by cnt desc limit 20",
"end": "now"
},
"action": {},
"display": {
"yAxis": [
"cnt"
],
"yPos": 12,
"height": 5,
"xPos": 0,
"legendPosition": "right",
"width": 5,
"pieType": "ring",
"margin": [
30,
100,
40,
50
],
"xAxis": [
"event_type"
],
"displayName": "事件类型分布"
},
"type": "pie"
},
{
"title": "actiontrail-dashboard-event-source",
"search": {
"topic": "",
"logstore": "actiontrail_cloud_trail",
"start": "-2592000s",
"query": "__topic__: actiontrail_audit_event | select ip_to_country(\"event.sourceIpAddress\") as country, count(1 ) as PV group by country",
"end": "now"
},
"action": {},
"display": {
"yAxis": [
"PV"
],
"yPos": 2,
"height": 5,
"xPos": 0,
"width": 5,
"xAxis": [
"country"
],
"displayName": "事件来源分布"
},
"type": "world-map"
},
{
"title": "actiontrail-dashboard-event-service-source",
"search": {
"topic": "",
"logstore": "actiontrail_cloud_trail",
"start": "-2592000s",
"query": "__topic__: actiontrail_audit_event | select \"event.serviceName\" as service, count(1 ) as cnt group by service order by cnt DESC limit 20",
"end": "now"
},
"action": {},
"display": {
"yAxis": [
"cnt"
],
"yPos": 7,
"height": 5,
"xPos": 5,
"legendPosition": "right",
"width": 5,
"pieType": "ring",
"margin": [
30,
100,
40,
50
],
"xAxis": [
"service"
],
"displayName": "事件来源服务分布"
},
"type": "pie"
},
{
"title": "actiontrail-dashboard-event-service-number",
"search": {
"topic": "",
"logstore": "actiontrail_cloud_trail",
"start": "-2592000s",
"query": "__topic__: actiontrail_audit_event | select count(distinct \"event.serviceName\") as cnt",
"end": "now"
},
"action": {},
"display": {
"fontColor": {
"g": 255,
"b": 255,
"r": 255,
"a": 1
},
"yPos": 0,
"descriptionSize": 24,
"width": 2,
"fontSize": 32,
"bgColor": {
"g": 204,
"b": 228,
"r": 44,
"a": 1
},
"unit": "",
"height": 2,
"unitSize": 14,
"xPos": 4,
"description": "",
"showTitle": true,
"xAxis": [
"cnt"
],
"displayName": "来源服务数"
},
"type": "number"
},
{
"title": "actiontrail-dashboard-event-area-number",
"search": {
"topic": "",
"logstore": "actiontrail_cloud_trail",
"start": "-2592000s",
"query": "__topic__: actiontrail_audit_event | select count(distinct \"event.acsRegion\") as cnt",
"end": "now"
},
"action": {},
"display": {
"fontColor": {
"g": 255,
"b": 255,
"r": 255,
"a": 1
},
"yPos": 0,
"descriptionSize": 24,
"width": 2,
"fontSize": 32,
"bgColor": {
"g": 204,
"b": 228,
"r": 44,
"a": 1
},
"unit": "",
"height": 2,
"unitSize": 14,
"xPos": 6,
"description": "",
"showTitle": true,
"xAxis": [
"cnt"
],
"displayName": "来源区域数"
},
"type": "number"
},
{
"title": "actiontrail-dashboard-pv-uv",
"search": {
"topic": "",
"logstore": "actiontrail_cloud_trail",
"start": "-2592000s",
"query": "* | select date_trunc('day', __time__) AS dt, count(1) as pv, count(distinct \"event.sourceIpAddress\" ) as uv group by dt order by dt",
"end": "now"
},
"action": {},
"display": {
"intervalArray": [],
"yAxisRight": [],
"yAxis": [
"pv",
"uv"
],
"yPos": 2,
"height": 5,
"xPos": 5,
"legendPosition": "right",
"width": 5,
"margin": [
30,
100,
40,
50
],
"xAxis": [
"dt"
],
"displayName": "PV/UV趋势"
},
"type": "line"
}
],
"description": "",
"dashboardName": "actiontrail_cloud_trail_dashboard",
"attribute": {},
"displayName": "操作审计报表"
}相关阅读
《操作审计最佳实践》系列由阿里云操作审计团队出品,旨在向集团输出云上审计相关的业务知识和技术,更多相关内容可以查看下面的系列文章。
基础篇
• [操作审计最佳实践:操作日志查询-谁动了我的 NAT](https://developer.aliyun.com/article/773588?spm=a2c6h.13148508.0.0.57a34f0eyHKRLM
• [操作审计最佳实践:将阿里云操作日志持续投递到您的 SLS/OSS](https://developer.aliyun.com/article/772258?spm=a2c6h.13148508.0.0.57a34f0eyHKRLM
• [操作审计最佳实践:使用 Terraform 一键创建跟踪](https://developer.aliyun.com/article/773595?spm=a2c6h.13148508.0.0.57a34f0eyHKRLM
进阶篇
[• 操作审计最佳实践:使用 SQL 分析投递到 OSS 中的操作审计日志](https://developer.aliyun.com/article/771478?spm=a2c6h.13148508.0.0.57a34f0eyHKRLM
[• 操作审计最佳实践:在 SLS 中分析ActionTrail跟踪投递日志](https://developer.aliyun.com/article/773674?spm=a2c6h.13148508.0.0.57a34f0eyHKRLM
