Using the SDK to create a trail and configure Log Service dashboards

The main differences between creating a trail with the SDK and creating one in the console are:
• when you create a trail in the console, ActionTrail can create the OSS Bucket and the Log Service project (LogProject), LogStore and dashboard for you;
• after you create a trail in the console, ActionTrail enables the trail automatically.
This is because, when a trail is created through the console, ActionTrail itself calls the interfaces that configure Log Service, enable the trail (StartLogging) and so on.

Creating a trail with the SDK

Creating a trail through the SDK can be split into two steps:
• create and configure Log Service (skip this step if you already have a log project and LogStore)
• create and enable the trail
The whole process is described below using a concrete scenario:
create a trail named cloud_trail that delivers all events from all regions into the log project cloud_trail_project in the Hangzhou region, and configure the Log Service index and dashboard.

For convenience, the code samples below use the Alibaba Cloud Python SDK with Python 3.7.

Creating and configuring Log Service

If you have already configured Log Service, you can skip this section.

To create a trail that delivers data to Log Service, you first need to create the corresponding log project (LogProject) and a LogStore named actiontrail_{TrailName}, where TrailName is the trail name.
If you also want to analyse the operation logs, the LogStore additionally needs an index and a dashboard. All of this can be done with the Log Service Python SDK, aliyun-log-python-sdk.

Initialising the SDK

Install the dependency:

$ pip install -U aliyun-log-python-sdk

Initialise the SDK:

from aliyun.log import LogClient

# China East 1 (Hangzhou) region
region = 'cn-hangzhou'

# Log Service endpoint for that region
endpoint = '{region}.log.aliyuncs.com'.format(region=region)
# AccessKeyId of the user's access key pair (placeholder value)
access_key_id = 'ABCDEFGHIJKLJMN'
# AccessKeySecret of the user's access key pair (placeholder value)
access_key_secret = 'OPQRSTUVWXYZ'
# Alibaba Cloud account ID (placeholder value)
account_id = '123456789'

client = LogClient(endpoint, access_key_id, access_key_secret)

Creating the log project (LogProject) and LogStore

In the code below the trail name is cloud_trail, the log project name is cloud_trail_project and the LogStore name is actiontrail_cloud_trail. When creating the LogStore, preserve_storage is set to True so that the data is kept permanently; adjust this to your needs.

# trail name
trail_name = 'cloud_trail'

# log project name
log_project_name = 'cloud_trail_project'

# create the log project
res = client.create_project(log_project_name, '操作審計事件日誌項目')
res.log_print()

# LogStore name: actiontrail_{TrailName}
log_store_name = 'actiontrail_{trail_name}'.format(trail_name=trail_name)
# create the LogStore
res = client.create_logstore(log_project_name, log_store_name, shard_count=3, preserve_storage=True)
res.log_print()

Configuring the index

The index is created with the client.create_index(project_name, logstore_name, index_detail) method, where index_detail is the index configuration in JSON form.

import json
from aliyun.log import LogClient
from aliyun.log import IndexConfig

def get_json_data(path):
    # load a JSON configuration file from disk
    with open(path) as f:
        return json.load(f)

# read the index configuration from log_index.json
index_json = get_json_data('./log_index.json')
index_detail = IndexConfig()
index_detail.from_json(index_json)
# create the index
client.create_index(log_project_name, log_store_name, index_detail)

The full index configuration is given in the appendix at the end of this article.

(Figure: the resulting index configuration as displayed in the Log Service console.)

Creating the dashboard

The dashboard is created with the client.create_dashboard(project_name, dashboard_detail) method, where dashboard_detail is the dashboard configuration in JSON form.

# read the dashboard configuration from log_dashboard.json
dashboard_detail = get_json_data('./log_dashboard.json')
# create the dashboard
client.create_dashboard(log_project_name, dashboard_detail)

(Figure: the resulting dashboard as displayed in the Log Service console.)

Creating and enabling the trail

The trail is created with the Alibaba Cloud Python SDK core package aliyun-python-sdk-core together with its ActionTrail module.

Initialising the SDK

Install the dependencies:

$ pip install aliyun-python-sdk-core
$ pip install aliyun-python-sdk-actiontrail

Initialise the SDK:

from aliyunsdkcore.client import AcsClient
from aliyunsdkcore.acs_exception.exceptions import ClientException
from aliyunsdkcore.acs_exception.exceptions import ServerException
from aliyunsdkactiontrail.request.v20171204.CreateTrailRequest import CreateTrailRequest

client = AcsClient(access_key_id, access_key_secret, region)

Creating a trail that delivers to a specified log project (LogProject)

The API for creating a trail is CreateTrail.
Sample code:

sls_project_arn = 'acs:log:{region}:{account_id}:project/{log_project_name}'.format(
    region=region,
    account_id=account_id,
    log_project_name=log_project_name,
)

request = CreateTrailRequest()
request.set_accept_format('json')

# trail name
request.set_Name(trail_name)
# ARN of the SLS project the events are delivered to
request.set_SlsProjectArn(sls_project_arn)
# track all events (read and write)
request.set_EventRW("All")
# track all regions
request.set_TrailRegion("All")

response = client.do_action_with_exception(request)
print(str(response, encoding='utf-8'))

After a trail is created through the API its status is Fresh, meaning it has been created but not yet enabled, so the trail still has to be enabled as a separate step.

Enabling the trail

The interface for enabling a trail is StartLogging.

Sample code:

# StartLoggingRequest lives in its own module, not in CreateTrailRequest
from aliyunsdkactiontrail.request.v20171204.StartLoggingRequest import StartLoggingRequest

request = StartLoggingRequest()
request.set_accept_format('json')

# name of the trail to enable
request.set_Name(trail_name)

response = client.do_action_with_exception(request)
print(str(response, encoding='utf-8'))

With that, the trail has been created and enabled.
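The following script ties the steps of both sections together into one runnable program that is safe to re-run. It is an added example and not code from the page or from Alibaba Cloud. Beyond what the page shows, it assumes: credentials are read from the environment variables ALIBABA_CLOUD_ACCESS_KEY_ID, ALIBABA_CLOUD_ACCESS_KEY_SECRET and ALIBABA_CLOUD_ACCOUNT_ID rather than hard-coded; an existing project or LogStore is detected with get_project/get_logstore and the Log Service error codes ProjectNotExist / LogStoreNotExist; an index or dashboard that already exists is updated with update_index / update_dashboard instead of being recreated. Those error codes and the "AlreadyExist" check are assumptions, marked in the code.

```python
"""End-to-end ActionTrail setup with the two SDKs used on this page, safe to re-run.

Added example, not code from the page. Credentials come from the environment, existing
Log Service resources are reused, and the trail is created and then started.
"""
import json
import os

REGION = "cn-hangzhou"
TRAIL_NAME = "cloud_trail"
LOG_PROJECT_NAME = "cloud_trail_project"


def credentials_from_env(environ):
    """Read (access_key_id, access_key_secret, account_id) from a mapping such as os.environ."""
    names = ("ALIBABA_CLOUD_ACCESS_KEY_ID", "ALIBABA_CLOUD_ACCESS_KEY_SECRET",
             "ALIBABA_CLOUD_ACCOUNT_ID")
    missing = [n for n in names if not environ.get(n)]
    if missing:
        raise RuntimeError("missing credentials in environment: " + ", ".join(missing))
    return tuple(environ[n] for n in names)


def logstore_name(trail_name):
    """ActionTrail delivers into a LogStore named actiontrail_<TrailName>."""
    return "actiontrail_{}".format(trail_name)


def sls_project_arn(region, account_id, project_name):
    """ARN of the log project in the form CreateTrail expects (same format as the page)."""
    return "acs:log:{}:{}:project/{}".format(region, account_id, project_name)


def ensure_log_resources(client, project_name, store_name, index_path, dashboard_path):
    """Create the project, LogStore, index and dashboard; reuse whatever already exists."""
    from aliyun.log import IndexConfig, LogException  # SDK needed only for real calls

    try:
        client.get_project(project_name)
    except LogException as e:
        if e.get_error_code() != "ProjectNotExist":  # assumed error code
            raise
        client.create_project(project_name, "ActionTrail event log project")
    try:
        client.get_logstore(project_name, store_name)
    except LogException as e:
        if e.get_error_code() != "LogStoreNotExist":  # assumed error code
            raise
        client.create_logstore(project_name, store_name, shard_count=3, preserve_storage=True)

    with open(index_path) as f:
        index = IndexConfig()
        index.from_json(json.load(f))
    try:
        client.create_index(project_name, store_name, index)
    except LogException as e:
        if "AlreadyExist" not in e.get_error_code():  # assumed: index exists on re-run
            raise
        client.update_index(project_name, store_name, index)

    with open(dashboard_path) as f:
        dashboard = json.load(f)
    for chart in dashboard["charts"]:  # the appendix config must point at this trail's LogStore
        chart["search"]["logstore"] = store_name
    try:
        client.create_dashboard(project_name, dashboard)
    except LogException as e:
        if "AlreadyExist" not in e.get_error_code():  # assumed: dashboard exists on re-run
            raise
        client.update_dashboard(project_name, dashboard)


def create_and_start_trail(acs_client, trail_name, project_arn):
    """CreateTrail leaves the trail in status Fresh; StartLogging is what enables delivery."""
    from aliyunsdkactiontrail.request.v20171204.CreateTrailRequest import CreateTrailRequest
    from aliyunsdkactiontrail.request.v20171204.StartLoggingRequest import StartLoggingRequest

    create = CreateTrailRequest()
    create.set_accept_format("json")
    create.set_Name(trail_name)
    create.set_SlsProjectArn(project_arn)
    create.set_EventRW("All")      # all events
    create.set_TrailRegion("All")  # all regions
    created = json.loads(acs_client.do_action_with_exception(create))

    start = StartLoggingRequest()
    start.set_accept_format("json")
    start.set_Name(trail_name)
    acs_client.do_action_with_exception(start)
    return created


if __name__ == "__main__":
    from aliyun.log import LogClient
    from aliyunsdkcore.client import AcsClient

    key_id, key_secret, account_id = credentials_from_env(os.environ)
    log_client = LogClient("{}.log.aliyuncs.com".format(REGION), key_id, key_secret)
    store = logstore_name(TRAIL_NAME)
    ensure_log_resources(log_client, LOG_PROJECT_NAME, store,
                         "./log_index.json", "./log_dashboard.json")
    acs = AcsClient(key_id, key_secret, REGION)
    print(create_and_start_trail(acs, TRAIL_NAME,
                                 sls_project_arn(REGION, account_id, LOG_PROJECT_NAME)))
```

Keeping the access key pair out of the source file matters for an audit pipeline in particular: the key that can create and start trails can also stop them, so it should come from the environment or a credential store and be scoped to the ActionTrail and Log Service permissions this script needs.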

Summary

This article showed how to create a trail and configure Log Service through the SDK. The whole process consists of two steps:

  1. create and configure Log Service
  2. create and enable the trail

"Create and configure Log Service" is the more involved step, because the LogStore, index and dashboard all have to be configured through the SDK. Creating and enabling the trail is simple: call the corresponding APIs. Hopefully this article helps you use the SDK to create trails flexibly, according to your needs.

Appendix

Index configuration

Below is the index JSON configuration for operation events; it enables full-text indexing and field indexing for operation events. You can use it as-is.

{
  "index_mode": "v2",
  "keys": {
    "event": {
      "caseSensitive": false,
      "chn": false,
      "json_keys": {
        "acsRegion": {
          "doc_value": true,
          "type": "text"
        },
        "apiVersion": {
          "doc_value": true,
          "type": "text"
        },
        "errorCode": {
          "doc_value": true,
          "type": "text"
        },
        "errorMessage": {
          "doc_value": true,
          "type": "text"
        },
        "eventId": {
          "doc_value": true,
          "type": "text"
        },
        "eventName": {
          "doc_value": true,
          "type": "text"
        },
        "eventSource": {
          "doc_value": true,
          "type": "text"
        },
        "eventType": {
          "doc_value": true,
          "type": "text"
        },
        "eventVersion": {
          "doc_value": true,
          "type": "text"
        },
        "requestId": {
          "doc_value": true,
          "type": "text"
        },
        "requestParameters.HostId": {
          "doc_value": true,
          "type": "text"
        },
        "requestParameters.Name": {
          "doc_value": true,
          "type": "text"
        },
        "requestParameters.Region": {
          "doc_value": true,
          "type": "text"
        },
        "serviceName": {
          "doc_value": true,
          "type": "text"
        },
        "sourceIpAddress": {
          "doc_value": true,
          "type": "text"
        },
        "userAgent": {
          "doc_value": true,
          "type": "text"
        },
        "userIdentity.accessKeyId": {
          "doc_value": true,
          "type": "text"
        },
        "userIdentity.accountId": {
          "doc_value": true,
          "type": "text"
        },
        "userIdentity.principalId": {
          "doc_value": true,
          "type": "text"
        },
        "userIdentity.type": {
          "doc_value": true,
          "type": "text"
        },
        "userIdentity.userName": {
          "doc_value": true,
          "type": "text"
        }
      },
      "token": [
        ",",
        " ",
        "'",
        "\"",
        ";",
        "=",
        "(",
        ")",
        "[",
        "]",
        "{",
        "}",
        "?",
        "@",
        "&",
        "<",
        ">",
        "/",
        ":",
        "\n",
        "\t",
        "\r"
      ],
      "type": "json"
    }
  },
  "line": {
    "caseSensitive": false,
    "chn": false,
    "token": [
      ",",
      " ",
      "'",
      "\"",
      ";",
      "=",
      "(",
      ")",
      "[",
      "]",
      "{",
      "}",
      "?",
      "@",
      "&",
      "<",
      ">",
      "/",
      ":",
      "\n",
      "\t",
      "\r"
    ]
  }
}

Dashboard configuration

Below is the dashboard JSON configuration for operation events, which you can use as-is. Note that the value of charts[].search.logstore (the LogStore) must be changed to the name of your own LogStore.

{
  "charts": [
    {
      "title": "actiontrail-dashboard-pv",
      "search": {
        "topic": "",
        "logstore": "actiontrail_cloud_trail",
        "start": "-2592000s",
        "query": "__topic__: actiontrail_audit_event | select count(1) as PV",
        "end": "now"
      },
      "action": {},
      "display": {
        "fontColor": {
          "g": 255,
          "b": 255,
          "r": 255,
          "a": 1
        },
        "yPos": 0,
        "descriptionSize": 24,
        "width": 2,
        "fontSize": 32,
        "bgColor": {
          "g": 204,
          "b": 228,
          "r": 44,
          "a": 1
        },
        "unit": "",
        "height": 2,
        "unitSize": 14,
        "xPos": 0,
        "description": "",
        "showTitle": true,
        "xAxis": [
          "PV"
        ],
        "displayName": "PV"
      },
      "type": "number"
    },
    {
      "title": "actiontrail-dashboard-uv",
      "search": {
        "topic": "",
        "logstore": "actiontrail_cloud_trail",
        "start": "-2592000s",
        "query": "__topic__: actiontrail_audit_event | select count(distinct \"event.sourceIpAddress\" ) as UV",
        "end": "now"
      },
      "action": {},
      "display": {
        "fontColor": {
          "g": 255,
          "b": 255,
          "r": 255,
          "a": 1
        },
        "yPos": 0,
        "descriptionSize": 24,
        "width": 2,
        "fontSize": 32,
        "bgColor": {
          "g": 204,
          "b": 228,
          "r": 44,
          "a": 1
        },
        "unit": "",
        "height": 2,
        "unitSize": 14,
        "xPos": 2,
        "description": "",
        "showTitle": true,
        "xAxis": [
          "UV"
        ],
        "displayName": "UV"
      },
      "type": "number"
    },
    {
      "title": "actiontrail-dashboard-event-area",
      "search": {
        "topic": "",
        "logstore": "actiontrail_cloud_trail",
        "start": "-2592000s",
        "query": "__topic__: actiontrail_audit_event | select \"event.acsRegion\" as region, count(1 ) as cnt  group by region order by cnt DESC  limit 20",
        "end": "now"
      },
      "action": {},
      "display": {
        "yAxis": [
          "cnt"
        ],
        "yPos": 7,
        "height": 5,
        "xPos": 0,
        "legendPosition": "right",
        "width": 5,
        "pieType": "ring",
        "margin": [
          30,
          100,
          40,
          50
        ],
        "xAxis": [
          "region"
        ],
        "displayName": "事件區域分佈"
      },
      "type": "pie"
    },
    {
      "title": "actiontrail-dashboard-event-type",
      "search": {
        "topic": "",
        "logstore": "actiontrail_cloud_trail",
        "start": "-2592000s",
        "query": "__topic__: actiontrail_audit_event | select \"event.eventType\" as event_type, count(1 ) as cnt  group by event_type order by cnt desc limit 20",
        "end": "now"
      },
      "action": {},
      "display": {
        "yAxis": [
          "cnt"
        ],
        "yPos": 12,
        "height": 5,
        "xPos": 0,
        "legendPosition": "right",
        "width": 5,
        "pieType": "ring",
        "margin": [
          30,
          100,
          40,
          50
        ],
        "xAxis": [
          "event_type"
        ],
        "displayName": "事件類型分佈"
      },
      "type": "pie"
    },
    {
      "title": "actiontrail-dashboard-event-source",
      "search": {
        "topic": "",
        "logstore": "actiontrail_cloud_trail",
        "start": "-2592000s",
        "query": "__topic__: actiontrail_audit_event | select ip_to_country(\"event.sourceIpAddress\") as country, count(1 ) as PV  group by country",
        "end": "now"
      },
      "action": {},
      "display": {
        "yAxis": [
          "PV"
        ],
        "yPos": 2,
        "height": 5,
        "xPos": 0,
        "width": 5,
        "xAxis": [
          "country"
        ],
        "displayName": "事件來源分佈"
      },
      "type": "world-map"
    },
    {
      "title": "actiontrail-dashboard-event-service-source",
      "search": {
        "topic": "",
        "logstore": "actiontrail_cloud_trail",
        "start": "-2592000s",
        "query": "__topic__: actiontrail_audit_event | select \"event.serviceName\" as service, count(1 ) as cnt  group by service order by cnt DESC  limit 20",
        "end": "now"
      },
      "action": {},
      "display": {
        "yAxis": [
          "cnt"
        ],
        "yPos": 7,
        "height": 5,
        "xPos": 5,
        "legendPosition": "right",
        "width": 5,
        "pieType": "ring",
        "margin": [
          30,
          100,
          40,
          50
        ],
        "xAxis": [
          "service"
        ],
        "displayName": "事件來源服務分佈"
      },
      "type": "pie"
    },
    {
      "title": "actiontrail-dashboard-event-service-number",
      "search": {
        "topic": "",
        "logstore": "actiontrail_cloud_trail",
        "start": "-2592000s",
        "query": "__topic__: actiontrail_audit_event | select count(distinct \"event.serviceName\") as cnt",
        "end": "now"
      },
      "action": {},
      "display": {
        "fontColor": {
          "g": 255,
          "b": 255,
          "r": 255,
          "a": 1
        },
        "yPos": 0,
        "descriptionSize": 24,
        "width": 2,
        "fontSize": 32,
        "bgColor": {
          "g": 204,
          "b": 228,
          "r": 44,
          "a": 1
        },
        "unit": "",
        "height": 2,
        "unitSize": 14,
        "xPos": 4,
        "description": "",
        "showTitle": true,
        "xAxis": [
          "cnt"
        ],
        "displayName": "來源服務數"
      },
      "type": "number"
    },
    {
      "title": "actiontrail-dashboard-event-area-number",
      "search": {
        "topic": "",
        "logstore": "actiontrail_cloud_trail",
        "start": "-2592000s",
        "query": "__topic__: actiontrail_audit_event | select count(distinct \"event.acsRegion\") as cnt",
        "end": "now"
      },
      "action": {},
      "display": {
        "fontColor": {
          "g": 255,
          "b": 255,
          "r": 255,
          "a": 1
        },
        "yPos": 0,
        "descriptionSize": 24,
        "width": 2,
        "fontSize": 32,
        "bgColor": {
          "g": 204,
          "b": 228,
          "r": 44,
          "a": 1
        },
        "unit": "",
        "height": 2,
        "unitSize": 14,
        "xPos": 6,
        "description": "",
        "showTitle": true,
        "xAxis": [
          "cnt"
        ],
        "displayName": "來源區域數"
      },
      "type": "number"
    },
    {
      "title": "actiontrail-dashboard-pv-uv",
      "search": {
        "topic": "",
        "logstore": "actiontrail_cloud_trail",
        "start": "-2592000s",
        "query": "*  | select date_trunc('day', __time__) AS dt, count(1) as pv,  count(distinct \"event.sourceIpAddress\" ) as uv group by dt order by dt",
        "end": "now"
      },
      "action": {},
      "display": {
        "intervalArray": [],
        "yAxisRight": [],
        "yAxis": [
          "pv",
          "uv"
        ],
        "yPos": 2,
        "height": 5,
        "xPos": 5,
        "legendPosition": "right",
        "width": 5,
        "margin": [
          30,
          100,
          40,
          50
        ],
        "xAxis": [
          "dt"
        ],
        "displayName": "PV/UV趨勢"
      },
      "type": "line"
    }
  ],
  "description": "",
  "dashboardName": "actiontrail_cloud_trail_dashboard",
  "attribute": {},
  "displayName": "操作審計報表"
}
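Two things go wrong silently with the two appendix configurations: a chart whose search.logstore still names another trail's LogStore (the manual edit the dashboard section asks for), and a chart whose query selects an "event.<field>" that the index configuration does not declare under json_keys, so the dashboard cannot compute it. The following check is an added example, not code from the page; the two configurations in it are constructed subsets of the appendix JSON (same structure, fewer entries), and the third chart is a constructed bad example that carries both problems.

```python
"""Consistency checks between the index configuration and the dashboard configuration.

Added example, not the page's code. INDEX_CONFIG and DASHBOARD_CONFIG are constructed
subsets of the appendix JSON; the "bucket" chart is constructed to be wrong on purpose.
"""
import copy
import re

INDEX_CONFIG = {
    "index_mode": "v2",
    "keys": {"event": {"type": "json", "caseSensitive": False, "chn": False, "json_keys": {
        "acsRegion": {"doc_value": True, "type": "text"},
        "serviceName": {"doc_value": True, "type": "text"},
        "sourceIpAddress": {"doc_value": True, "type": "text"},
    }}},
    "line": {"caseSensitive": False, "chn": False, "token": [",", " "]},
}

DASHBOARD_CONFIG = {
    "dashboardName": "actiontrail_cloud_trail_dashboard",
    "charts": [
        {"title": "actiontrail-dashboard-uv", "type": "number",
         "search": {"logstore": "actiontrail_cloud_trail",
                    "query": "__topic__: actiontrail_audit_event | "
                             "select count(distinct \"event.sourceIpAddress\" ) as UV"}},
        {"title": "actiontrail-dashboard-event-area", "type": "pie",
         "search": {"logstore": "actiontrail_cloud_trail",
                    "query": "__topic__: actiontrail_audit_event | "
                             "select \"event.acsRegion\" as region, count(1 ) as cnt group by region"}},
        # constructed: copied from another trail's dashboard, and selects an unindexed field
        {"title": "actiontrail-dashboard-bucket", "type": "table",
         "search": {"logstore": "actiontrail_old_trail",
                    "query": "__topic__: actiontrail_audit_event | "
                             "select \"event.requestParameters.Bucket\" as b, count(1) as cnt group by b"}},
    ],
}

# a quoted field reference inside a Log Service SQL query, e.g. "event.acsRegion"
FIELD_REF = re.compile(r'"(event\.[A-Za-z0-9_.]+)"')


def indexed_fields(index_config):
    """Fields queryable through the index: each top-level key plus key.<json_key> for JSON keys."""
    fields = set()
    for top, spec in index_config.get("keys", {}).items():
        fields.add(top)
        for sub in spec.get("json_keys", {}):
            fields.add("{}.{}".format(top, sub))
    return fields


def query_field_refs(query):
    """All quoted event.* fields a chart query reads."""
    return set(FIELD_REF.findall(query))


def check_dashboard(index_config, dashboard_config, trail_name):
    """Return (chart title, problem) pairs; an empty list means the configs are consistent."""
    expected_store = "actiontrail_{}".format(trail_name)
    indexed = indexed_fields(index_config)
    problems = []
    for chart in dashboard_config["charts"]:
        title, search = chart["title"], chart["search"]
        if search.get("logstore") != expected_store:
            problems.append((title, "logstore is {!r}, expected {!r}".format(
                search.get("logstore"), expected_store)))
        for field in sorted(query_field_refs(search.get("query", "")) - indexed):
            problems.append((title, "field {!r} is not in the index json_keys".format(field)))
    return problems


def retarget_logstore(dashboard_config, trail_name):
    """Copy of the dashboard with every chart pointed at actiontrail_<trail_name>."""
    out = copy.deepcopy(dashboard_config)
    for chart in out["charts"]:
        chart["search"]["logstore"] = "actiontrail_{}".format(trail_name)
    return out


if __name__ == "__main__":
    for title, problem in check_dashboard(INDEX_CONFIG, DASHBOARD_CONFIG, "cloud_trail"):
        print("{}: {}".format(title, problem))
    fixed = retarget_logstore(DASHBOARD_CONFIG, "cloud_trail")
    print(check_dashboard(INDEX_CONFIG, fixed, "cloud_trail"))
```

Run the check against the real log_index.json and log_dashboard.json before calling create_dashboard: the logstore mismatch is fixed mechanically by retarget_logstore, while a missing field means either adding it to json_keys in the index (and recreating or updating the index) or dropping the chart.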

Related reading

The ActionTrail Best Practices series is produced by the Alibaba Cloud ActionTrail team to share business knowledge and techniques for auditing in the cloud; see the series articles below for more.

Basics

• [ActionTrail best practices: querying operation logs, or who touched my NAT](https://developer.aliyun.com/article/773588?spm=a2c6h.13148508.0.0.57a34f0eyHKRLM)
• [ActionTrail best practices: continuously delivering Alibaba Cloud operation logs to your SLS/OSS](https://developer.aliyun.com/article/772258?spm=a2c6h.13148508.0.0.57a34f0eyHKRLM)
• [ActionTrail best practices: creating a trail in one step with Terraform](https://developer.aliyun.com/article/773595?spm=a2c6h.13148508.0.0.57a34f0eyHKRLM)

Advanced

• [ActionTrail best practices: analysing ActionTrail logs delivered to OSS with SQL](https://developer.aliyun.com/article/771478?spm=a2c6h.13148508.0.0.57a34f0eyHKRLM)
• [ActionTrail best practices: analysing ActionTrail delivery logs in SLS](https://developer.aliyun.com/article/773674?spm=a2c6h.13148508.0.0.57a34f0eyHKRLM)