
The main differences between creating a trail with the SDK and creating one in the console are:
• When you create a trail in the console, ActionTrail creates the OSS bucket, the Log Service project (LogProject), the LogStore and the dashboard for you;
• After a trail is created in the console, ActionTrail enables it automatically.
Both differences come from the fact that, when a trail is created through the console, ActionTrail calls the interfaces that configure Log Service, enable the trail (StartLogging) and so on on your behalf. With the SDK you have to make those calls yourself, in the right order.
Creating a trail with the SDK
Creating a trail through the SDK can be divided into two steps:
• Create and configure Log Service (skip this step if you already have a log project and LogStore)
• Create and enable the trail
The following walks through the whole procedure with a concrete scenario:
Create a trail named cloud_trail that delivers all events from all regions to the log project cloud_trail_project in the Hangzhou region, and configure the Log Service index and dashboard.
For convenience, the code samples below use the Alibaba Cloud Python SDKs, with Python 3.7.
Creating and configuring Log Service
If you have already configured Log Service, you can skip this section.
To create a trail that delivers data to Log Service, you first need to create the corresponding log project (LogProject) and a LogStore named actiontrail_{TrailName}, where TrailName is the name of the trail. The trail will only deliver into a LogStore that follows this naming rule.
In addition, if you want to analyze the operation logs, you also need to configure an index and a dashboard on the LogStore. All of this can be done with the Log Service Python SDK, aliyun-log-python-sdk.
Initializing the SDK
Install the dependency:
$ pip install -U aliyun-log-python-sdk
Initialize the SDK:
import os
from aliyun.log import LogClient

# China East 1 (Hangzhou) region
region = 'cn-hangzhou'
# Log Service endpoint
endpoint = '{region}.log.aliyuncs.com'.format(region=region)
# AccessKey pair of the user. Do not hard-code the secret in source code;
# read it from the environment (or a credentials provider) instead.
access_key_id = os.environ['ALIBABA_CLOUD_ACCESS_KEY_ID']
access_key_secret = os.environ['ALIBABA_CLOUD_ACCESS_KEY_SECRET']
# Alibaba Cloud account ID (the account that owns the log project), used later in the project ARN
account_id = '123456789'
client = LogClient(endpoint, access_key_id, access_key_secret)
Creating the log project (LogProject) and LogStore
In the code below the trail is named cloud_trail, the log project is cloud_trail_project and the LogStore is actiontrail_cloud_trail (derived from the trail name). When creating the LogStore, preserve_storage is set to True so that the data is retained permanently; adjust this to match your retention requirements.
# Trail name
trail_name = 'cloud_trail'
# Log project name
log_project_name = 'cloud_trail_project'
# Create the log project
res = client.create_project(log_project_name, 'ActionTrail event log project')
res.log_print()
# LogStore name: must be actiontrail_<TrailName>
log_store_name = 'actiontrail_{trail_name}'.format(trail_name=trail_name)
# Create the LogStore (preserve_storage=True keeps the data permanently)
res = client.create_logstore(log_project_name, log_store_name, shard_count=3, preserve_storage=True)
res.log_print()
Configuring the index
You can create the index with client.create_index(project_name, logstore_name, index_detail), where index_detail is an IndexConfig built from the JSON index configuration.
import json
from aliyun.log import LogClient
from aliyun.log import IndexConfig

def get_json_data(path):
    with open(path) as f:
        return json.load(f)

# Read the index configuration from log_index.json (see the appendix)
index_json = get_json_data('./log_index.json')
index_detail = IndexConfig()
index_detail.from_json(index_json)
# Create the index
client.create_index(log_project_name, log_store_name, index_detail)
The full index configuration is given in the appendix at the end of this article.
[Figure: the created index as displayed in the Log Service console]
Creating the dashboard
You can create the dashboard with client.create_dashboard(project_name, dashboard_detail), where dashboard_detail is the dashboard configuration in JSON format.
# Read the dashboard configuration from log_dashboard.json (see the appendix)
dashboard_detail = get_json_data('./log_dashboard.json')
# Create the dashboard
client.create_dashboard(log_project_name, dashboard_detail)
[Figure: the created dashboard as displayed in the Log Service console]
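The dashboard defined in the appendix is a set of SLS queries (PV, UV by source IP, events per region/service/type, distinct service and region counts, and a daily PV/UV trend) over the fields that the index configuration exposes. To make those aggregations concrete without a Log Service account, here is an added example, not code from the original article, that re-implements the same queries offline in plain Python over a handful of constructed audit records. The record shape (top-level __topic__/__time__ plus an "event" object with the indexed keys) follows the index configuration; the event values themselves are made up.

```python
"""Offline re-implementation of the dashboard queries over constructed ActionTrail records."""
from collections import Counter, defaultdict
from datetime import datetime, timezone

AUDIT_TOPIC = "actiontrail_audit_event"

# Constructed sample records (not real audit data) in the shape the index configuration
# expects: __topic__ and __time__ at the top level, plus an "event" JSON object whose
# keys are the ones the appendix indexes (acsRegion, serviceName, sourceIpAddress, ...).
SAMPLE_EVENTS = [
    {"__topic__": AUDIT_TOPIC, "__time__": 1596240600,  # 2020-08-01 UTC
     "event": {"eventName": "RunInstances", "acsRegion": "cn-hangzhou", "serviceName": "Ecs",
               "sourceIpAddress": "1.2.3.4", "eventType": "ApiCall",
               "userIdentity": {"type": "ram-user", "userName": "alice"}}},
    {"__topic__": AUDIT_TOPIC, "__time__": 1596247200,  # 2020-08-01 UTC
     "event": {"eventName": "DescribeInstances", "acsRegion": "cn-hangzhou", "serviceName": "Ecs",
               "sourceIpAddress": "1.2.3.4", "eventType": "ApiCall",
               "userIdentity": {"type": "ram-user", "userName": "alice"}}},
    {"__topic__": AUDIT_TOPIC, "__time__": 1596300000,  # 2020-08-01 UTC
     "event": {"eventName": "PutBucket", "acsRegion": "cn-beijing", "serviceName": "Oss",
               "sourceIpAddress": "5.6.7.8", "eventType": "ApiCall",
               "userIdentity": {"type": "ram-user", "userName": "bob"}}},
    {"__topic__": AUDIT_TOPIC, "__time__": 1596330000,  # 2020-08-02 UTC
     "event": {"eventName": "CreateUser", "acsRegion": "cn-hangzhou", "serviceName": "Ram",
               "sourceIpAddress": "5.6.7.8", "eventType": "ConsoleOperation",
               "userIdentity": {"type": "root-account", "userName": "root"}}},
    {"__topic__": AUDIT_TOPIC, "__time__": 1596400000,  # 2020-08-02 UTC
     "event": {"eventName": "StopInstance", "acsRegion": "cn-shanghai", "serviceName": "Ecs",
               "sourceIpAddress": "9.9.9.9", "eventType": "ApiCall",
               "userIdentity": {"type": "ram-user", "userName": "carol"}}},
    # A record under a different topic: the dashboard's topic filter must exclude it.
    {"__topic__": "other", "__time__": 1596400001,
     "event": {"acsRegion": "cn-hangzhou", "serviceName": "Ecs", "sourceIpAddress": "8.8.8.8"}},
]


def get_field(record, dotted):
    """Resolve a dotted path such as 'event.userIdentity.userName'; None if absent."""
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def audit_events(records):
    """The `__topic__: actiontrail_audit_event` filter that prefixes the dashboard queries."""
    return [r for r in records if r.get("__topic__") == AUDIT_TOPIC]


def pv(records):
    """`select count(1) as PV`."""
    return len(audit_events(records))


def distinct_count(records, dotted):
    """`count(distinct <field>)`: UV by source IP, number of source services / regions."""
    return len({get_field(r, dotted) for r in audit_events(records)} - {None})


def count_by(records, dotted, limit=20):
    """`select <field>, count(1) as cnt group by <field> order by cnt desc limit N`."""
    counts = Counter(get_field(r, dotted) for r in audit_events(records))
    counts.pop(None, None)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]


def daily_pv_uv(records):
    """`date_trunc('day', __time__)` trend: {day: (pv, uv)} with uv = distinct source IPs."""
    per_day = defaultdict(list)
    for r in audit_events(records):
        day = datetime.fromtimestamp(r["__time__"], tz=timezone.utc).date().isoformat()
        per_day[day].append(get_field(r, "event.sourceIpAddress"))
    return {day: (len(ips), len(set(ips))) for day, ips in sorted(per_day.items())}


if __name__ == "__main__":
    print("PV:", pv(SAMPLE_EVENTS), "UV:", distinct_count(SAMPLE_EVENTS, "event.sourceIpAddress"))
    print("by region:", count_by(SAMPLE_EVENTS, "event.acsRegion"))
    print("by service:", count_by(SAMPLE_EVENTS, "event.serviceName"))
    print("daily PV/UV:", daily_pv_uv(SAMPLE_EVENTS))
```

The same helpers can be pointed at a local export of the LogStore (one JSON record per line) to sanity-check the numbers the dashboard shows, or to prototype a new chart query before committing it to the dashboard JSON.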
Creating and enabling the trail
You can use the Alibaba Cloud Python SDK core package (aliyun-python-sdk-core) together with the ActionTrail SDK package to create the trail.
$ pip install aliyun-python-sdk-core
$ pip install aliyun-python-sdk-actiontrail
Initialize the SDK:
from aliyunsdkcore.client import AcsClient
from aliyunsdkcore.acs_exception.exceptions import ClientException
from aliyunsdkcore.acs_exception.exceptions import ServerException
from aliyunsdkactiontrail.request.v20171204.CreateTrailRequest import CreateTrailRequest
client = AcsClient(access_key_id, access_key_secret, region)
Creating a trail that delivers to a specified log project (LogProject)
The API for creating a trail is CreateTrail.
Sample code:
# ARN of the SLS project: acs:log:<region>:<account_id>:project/<project_name>
sls_project_arn = 'acs:log:{region}:{account_id}:project/{log_project_name}'.format(
    region=region,
    account_id=account_id,
    log_project_name=log_project_name,
)
request = CreateTrailRequest()
request.set_accept_format('json')
# Trail name
request.set_Name(trail_name)
# SLS project ARN
request.set_SlsProjectArn(sls_project_arn)
# Record all events (read and write)
request.set_EventRW("All")
# Record events from all regions
request.set_TrailRegion("All")
response = client.do_action_with_exception(request)
print(str(response, encoding='utf-8'))
After a trail is created through the API its status is Fresh, which means it has been created but not enabled. No events are recorded until the trail is enabled in a further step.
Enabling the trail
The interface for enabling a trail is StartLogging. Sample code:
# StartLoggingRequest lives in its own module, not in CreateTrailRequest
from aliyunsdkactiontrail.request.v20171204.StartLoggingRequest import StartLoggingRequest

request = StartLoggingRequest()
request.set_accept_format('json')
request.set_Name(trail_name)
response = client.do_action_with_exception(request)
print(str(response, encoding='utf-8'))
At this point the trail has been created and enabled.
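The procedure above is a fixed sequence of calls across two SDKs, and the two places where it goes wrong in practice are the naming rule (the LogStore must be actiontrail_<TrailName>) and the final StartLogging call that is easy to forget because the console does it for you. The following is an added example, not code from the original article, that drives the whole sequence through a small provider interface (the interface itself is an assumption of this example, not part of either SDK), skips the project and LogStore when they already exist, rewrites charts[].search.logstore in the dashboard template as the appendix instructs, and always ends with StartLogging. RecordingProvider is a constructed offline stand-in used to check the ordering; SdkProvider maps the same interface onto the calls shown on this page. It assumes, which the page does not show, that LogClient.get_project and get_logstore raise LogException with error codes ProjectNotExist / LogStoreNotExist when the resource is absent.

```python
"""Idempotent driver for the two-phase "configure Log Service, then create and enable the trail" procedure."""
import json


def logstore_name_for(trail_name):
    """ActionTrail only delivers into a LogStore named actiontrail_<TrailName>."""
    return "actiontrail_" + trail_name


def sls_project_arn(region, account_id, project):
    """Build acs:log:<region>:<account_id>:project/<project>, rejecting obvious mistakes."""
    if not (account_id.isdigit() and region and project):
        raise ValueError("account_id must be numeric; region and project must be non-empty")
    return "acs:log:{}:{}:project/{}".format(region, account_id, project)


def retarget_dashboard(dashboard, logstore):
    """Return a copy of the dashboard template with every charts[].search.logstore set to `logstore`."""
    out = json.loads(json.dumps(dashboard))  # deep copy so the template is not mutated
    for chart in out.get("charts", []):
        chart.setdefault("search", {})["logstore"] = logstore
    return out


def deploy_trail(provider, trail_name, region, account_id, project, index, dashboard):
    """Run the procedure in order. Project/LogStore creation is skipped when they exist;
    StartLogging is always issued because CreateTrail leaves the trail in the Fresh state.
    CreateTrail itself is not guarded: re-running with an existing trail name is rejected by
    the API, so check DescribeTrails first if you need the whole run to be re-entrant."""
    logstore = logstore_name_for(trail_name)
    arn = sls_project_arn(region, account_id, project)
    if not provider.project_exists(project):
        provider.create_project(project, "ActionTrail event log project")
    if not provider.logstore_exists(project, logstore):
        provider.create_logstore(project, logstore)
        provider.create_index(project, logstore, index)
        provider.create_dashboard(project, retarget_dashboard(dashboard, logstore))
    provider.create_trail(trail_name, arn)
    provider.start_logging(trail_name)
    return {"logstore": logstore, "sls_project_arn": arn}


class RecordingProvider:
    """Constructed offline stand-in: records calls so ordering and naming can be checked."""
    def __init__(self, projects=(), logstores=()):
        self.projects, self.logstores, self.calls = set(projects), set(logstores), []
    def project_exists(self, project): return project in self.projects
    def logstore_exists(self, project, logstore): return (project, logstore) in self.logstores
    def create_project(self, project, description):
        self.projects.add(project); self.calls.append(("CreateProject", project))
    def create_logstore(self, project, logstore):
        self.logstores.add((project, logstore)); self.calls.append(("CreateLogStore", logstore))
    def create_index(self, project, logstore, index): self.calls.append(("CreateIndex", logstore))
    def create_dashboard(self, project, dashboard):
        targets = sorted({c["search"]["logstore"] for c in dashboard["charts"]})
        self.calls.append(("CreateDashboard", targets))
    def create_trail(self, name, arn): self.calls.append(("CreateTrail", name, arn))
    def start_logging(self, name): self.calls.append(("StartLogging", name))


class SdkProvider:
    """Adapter over the two SDKs used on this page; imports are lazy so the module loads offline.
    Assumption: get_project / get_logstore raise LogException(ProjectNotExist / LogStoreNotExist)."""
    def __init__(self, region, access_key_id, access_key_secret):
        from aliyun.log import LogClient, IndexConfig
        from aliyunsdkcore.client import AcsClient
        self.IndexConfig = IndexConfig
        self.log = LogClient("{}.log.aliyuncs.com".format(region), access_key_id, access_key_secret)
        self.acs = AcsClient(access_key_id, access_key_secret, region)
    def _exists(self, call, *args):
        from aliyun.log import LogException
        try:
            call(*args)
            return True
        except LogException as e:
            if e.get_error_code() in ("ProjectNotExist", "LogStoreNotExist"):
                return False
            raise
    def project_exists(self, project): return self._exists(self.log.get_project, project)
    def logstore_exists(self, project, logstore): return self._exists(self.log.get_logstore, project, logstore)
    def create_project(self, project, description): self.log.create_project(project, description)
    def create_logstore(self, project, logstore):
        self.log.create_logstore(project, logstore, shard_count=3, preserve_storage=True)
    def create_index(self, project, logstore, index):
        cfg = self.IndexConfig(); cfg.from_json(index); self.log.create_index(project, logstore, cfg)
    def create_dashboard(self, project, dashboard): self.log.create_dashboard(project, dashboard)
    def _do(self, request):
        request.set_accept_format("json")
        return self.acs.do_action_with_exception(request)
    def create_trail(self, name, arn):
        from aliyunsdkactiontrail.request.v20171204.CreateTrailRequest import CreateTrailRequest
        r = CreateTrailRequest()
        r.set_Name(name); r.set_SlsProjectArn(arn); r.set_EventRW("All"); r.set_TrailRegion("All")
        self._do(r)
    def start_logging(self, name):
        from aliyunsdkactiontrail.request.v20171204.StartLoggingRequest import StartLoggingRequest
        r = StartLoggingRequest(); r.set_Name(name); self._do(r)
```

Usage against the real services is `deploy_trail(SdkProvider(region, key_id, key_secret), "cloud_trail", region, account_id, "cloud_trail_project", index_json, dashboard_json)` with the two JSON documents from the appendix; running it first against RecordingProvider shows the exact call sequence it will issue.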
Summary
This article described how to create a trail and configure Log Service through the SDK. The procedure consists of two steps: creating and configuring Log Service, and creating and enabling the trail.
Of these, "creating and configuring Log Service" is the more involved part, because the LogStore, index and dashboard all have to be configured through the SDK. Creating and enabling the trail is simpler: it is just a matter of calling the corresponding APIs. Hopefully this article helps you use the SDK flexibly to create trails that match your needs.
Appendix
Index configuration
Below is the index JSON configuration for operation events. It enables full-text indexing and field indexing for operation events and can be used as-is.
{
"index_mode": "v2",
"keys": {
"event": {
"caseSensitive": false,
"chn": false,
"json_keys": {
"acsRegion": {
"doc_value": true,
"type": "text"
},
"apiVersion": {
"doc_value": true,
"type": "text"
},
"errorCode": {
"doc_value": true,
"type": "text"
},
"errorMessage": {
"doc_value": true,
"type": "text"
},
"eventId": {
"doc_value": true,
"type": "text"
},
"eventName": {
"doc_value": true,
"type": "text"
},
"eventSource": {
"doc_value": true,
"type": "text"
},
"eventType": {
"doc_value": true,
"type": "text"
},
"eventVersion": {
"doc_value": true,
"type": "text"
},
"requestId": {
"doc_value": true,
"type": "text"
},
"requestParameters.HostId": {
"doc_value": true,
"type": "text"
},
"requestParameters.Name": {
"doc_value": true,
"type": "text"
},
"requestParameters.Region": {
"doc_value": true,
"type": "text"
},
"serviceName": {
"doc_value": true,
"type": "text"
},
"sourceIpAddress": {
"doc_value": true,
"type": "text"
},
"userAgent": {
"doc_value": true,
"type": "text"
},
"userIdentity.accessKeyId": {
"doc_value": true,
"type": "text"
},
"userIdentity.accountId": {
"doc_value": true,
"type": "text"
},
"userIdentity.principalId": {
"doc_value": true,
"type": "text"
},
"userIdentity.type": {
"doc_value": true,
"type": "text"
},
"userIdentity.userName": {
"doc_value": true,
"type": "text"
}
},
"token": [
",",
" ",
"'",
"\"",
";",
"=",
"(",
")",
"[",
"]",
"{",
"}",
"?",
"@",
"&",
"<",
">",
"/",
":",
"\n",
"\t",
"\r"
],
"type": "json"
}
},
"line": {
"caseSensitive": false,
"chn": false,
"token": [
",",
" ",
"'",
"\"",
";",
"=",
"(",
")",
"[",
"]",
"{",
"}",
"?",
"@",
"&",
"<",
">",
"/",
":",
"\n",
"\t",
"\r"
]
}
}
Dashboard configuration
Below is the dashboard JSON configuration for operation events; it can be used as-is. Note that you need to change the value of charts[].search.logstore (the LogStore) in every chart to the name of your own LogStore.
{
"charts": [
{
"title": "actiontrail-dashboard-pv",
"search": {
"topic": "",
"logstore": "actiontrail_cloud_trail",
"start": "-2592000s",
"query": "__topic__: actiontrail_audit_event | select count(1) as PV",
"end": "now"
},
"action": {},
"display": {
"fontColor": {
"g": 255,
"b": 255,
"r": 255,
"a": 1
},
"yPos": 0,
"descriptionSize": 24,
"width": 2,
"fontSize": 32,
"bgColor": {
"g": 204,
"b": 228,
"r": 44,
"a": 1
},
"unit": "",
"height": 2,
"unitSize": 14,
"xPos": 0,
"description": "",
"showTitle": true,
"xAxis": [
"PV"
],
"displayName": "PV"
},
"type": "number"
},
{
"title": "actiontrail-dashboard-uv",
"search": {
"topic": "",
"logstore": "actiontrail_cloud_trail",
"start": "-2592000s",
"query": "__topic__: actiontrail_audit_event | select count(distinct \"event.sourceIpAddress\" ) as UV",
"end": "now"
},
"action": {},
"display": {
"fontColor": {
"g": 255,
"b": 255,
"r": 255,
"a": 1
},
"yPos": 0,
"descriptionSize": 24,
"width": 2,
"fontSize": 32,
"bgColor": {
"g": 204,
"b": 228,
"r": 44,
"a": 1
},
"unit": "",
"height": 2,
"unitSize": 14,
"xPos": 2,
"description": "",
"showTitle": true,
"xAxis": [
"UV"
],
"displayName": "UV"
},
"type": "number"
},
{
"title": "actiontrail-dashboard-event-area",
"search": {
"topic": "",
"logstore": "actiontrail_cloud_trail",
"start": "-2592000s",
"query": "__topic__: actiontrail_audit_event | select \"event.acsRegion\" as region, count(1 ) as cnt group by region order by cnt DESC limit 20",
"end": "now"
},
"action": {},
"display": {
"yAxis": [
"cnt"
],
"yPos": 7,
"height": 5,
"xPos": 0,
"legendPosition": "right",
"width": 5,
"pieType": "ring",
"margin": [
30,
100,
40,
50
],
"xAxis": [
"region"
],
"displayName": "Events by region"
},
"type": "pie"
},
{
"title": "actiontrail-dashboard-event-type",
"search": {
"topic": "",
"logstore": "actiontrail_cloud_trail",
"start": "-2592000s",
"query": "__topic__: actiontrail_audit_event | select \"event.eventType\" as event_type, count(1 ) as cnt group by event_type order by cnt desc limit 20",
"end": "now"
},
"action": {},
"display": {
"yAxis": [
"cnt"
],
"yPos": 12,
"height": 5,
"xPos": 0,
"legendPosition": "right",
"width": 5,
"pieType": "ring",
"margin": [
30,
100,
40,
50
],
"xAxis": [
"event_type"
],
"displayName": "Events by type"
},
"type": "pie"
},
{
"title": "actiontrail-dashboard-event-source",
"search": {
"topic": "",
"logstore": "actiontrail_cloud_trail",
"start": "-2592000s",
"query": "__topic__: actiontrail_audit_event | select ip_to_country(\"event.sourceIpAddress\") as country, count(1 ) as PV group by country",
"end": "now"
},
"action": {},
"display": {
"yAxis": [
"PV"
],
"yPos": 2,
"height": 5,
"xPos": 0,
"width": 5,
"xAxis": [
"country"
],
"displayName": "Events by source location"
},
"type": "world-map"
},
{
"title": "actiontrail-dashboard-event-service-source",
"search": {
"topic": "",
"logstore": "actiontrail_cloud_trail",
"start": "-2592000s",
"query": "__topic__: actiontrail_audit_event | select \"event.serviceName\" as service, count(1 ) as cnt group by service order by cnt DESC limit 20",
"end": "now"
},
"action": {},
"display": {
"yAxis": [
"cnt"
],
"yPos": 7,
"height": 5,
"xPos": 5,
"legendPosition": "right",
"width": 5,
"pieType": "ring",
"margin": [
30,
100,
40,
50
],
"xAxis": [
"service"
],
"displayName": "Events by source service"
},
"type": "pie"
},
{
"title": "actiontrail-dashboard-event-service-number",
"search": {
"topic": "",
"logstore": "actiontrail_cloud_trail",
"start": "-2592000s",
"query": "__topic__: actiontrail_audit_event | select count(distinct \"event.serviceName\") as cnt",
"end": "now"
},
"action": {},
"display": {
"fontColor": {
"g": 255,
"b": 255,
"r": 255,
"a": 1
},
"yPos": 0,
"descriptionSize": 24,
"width": 2,
"fontSize": 32,
"bgColor": {
"g": 204,
"b": 228,
"r": 44,
"a": 1
},
"unit": "",
"height": 2,
"unitSize": 14,
"xPos": 4,
"description": "",
"showTitle": true,
"xAxis": [
"cnt"
],
"displayName": "Number of source services"
},
"type": "number"
},
{
"title": "actiontrail-dashboard-event-area-number",
"search": {
"topic": "",
"logstore": "actiontrail_cloud_trail",
"start": "-2592000s",
"query": "__topic__: actiontrail_audit_event | select count(distinct \"event.acsRegion\") as cnt",
"end": "now"
},
"action": {},
"display": {
"fontColor": {
"g": 255,
"b": 255,
"r": 255,
"a": 1
},
"yPos": 0,
"descriptionSize": 24,
"width": 2,
"fontSize": 32,
"bgColor": {
"g": 204,
"b": 228,
"r": 44,
"a": 1
},
"unit": "",
"height": 2,
"unitSize": 14,
"xPos": 6,
"description": "",
"showTitle": true,
"xAxis": [
"cnt"
],
"displayName": "Number of source regions"
},
"type": "number"
},
{
"title": "actiontrail-dashboard-pv-uv",
"search": {
"topic": "",
"logstore": "actiontrail_cloud_trail",
"start": "-2592000s",
"query": "* | select date_trunc('day', __time__) AS dt, count(1) as pv, count(distinct \"event.sourceIpAddress\" ) as uv group by dt order by dt",
"end": "now"
},
"action": {},
"display": {
"intervalArray": [],
"yAxisRight": [],
"yAxis": [
"pv",
"uv"
],
"yPos": 2,
"height": 5,
"xPos": 5,
"legendPosition": "right",
"width": 5,
"margin": [
30,
100,
40,
50
],
"xAxis": [
"dt"
],
"displayName": "PV/UV trend"
},
"type": "line"
}
],
"description": "",
"dashboardName": "actiontrail_cloud_trail_dashboard",
"attribute": {},
"displayName": "ActionTrail dashboard"
}
Related reading
The "ActionTrail Best Practices" series is produced by the Alibaba Cloud ActionTrail team and aims to share business knowledge and techniques about auditing on the cloud within the group. More articles in the series:
Basics
• ActionTrail best practices: querying operation logs, or who touched my NAT
  https://developer.aliyun.com/article/773588?spm=a2c6h.13148508.0.0.57a34f0eyHKRLM
• ActionTrail best practices: continuously delivering Alibaba Cloud operation logs to your SLS/OSS
  https://developer.aliyun.com/article/772258?spm=a2c6h.13148508.0.0.57a34f0eyHKRLM
• ActionTrail best practices: creating a trail with one click using Terraform
  https://developer.aliyun.com/article/773595?spm=a2c6h.13148508.0.0.57a34f0eyHKRLM
Advanced
• ActionTrail best practices: analyzing ActionTrail logs delivered to OSS with SQL
  https://developer.aliyun.com/article/771478?spm=a2c6h.13148508.0.0.57a34f0eyHKRLM
• ActionTrail best practices: analyzing ActionTrail trail delivery logs in SLS
  https://developer.aliyun.com/article/773674?spm=a2c6h.13148508.0.0.57a34f0eyHKRLM