Basic Concepts
Tracker
When you enable CTS for the first time, a management tracker named system is created automatically. You can also manually create multiple data trackers on the Tracker List page.
The management tracker identifies and associates with all cloud services your tenant account is using, and records all operations of your tenant account. Data trackers record details of the tenant's operations on data in OBS buckets.
A management tracker and 100 data trackers can be created for a tenant account.
Trace
Traces are cloud resource operation logs captured and archived by CTS. You can view traces to identify when operations were performed by which users.
Trace List
The trace list displays traces generated in the last seven days; by default, it shows operations from the last hour. These traces record operations on cloud service resources, including creation, modification, and deletion, but do not record query operations. There are two types of traces:
- Management traces record details about creating, modifying, and deleting cloud service resources in your cloud account.
- Data traces record operations on data in OBS buckets, such as data upload and download.
Trace File
A trace file is a collection of traces. CTS generates trace files by service and transfer cycle and sends these files to your specified OBS buckets in real time. Typically, all traces of a service generated in a transfer cycle are compressed into one trace file. However, CTS dynamically adjusts the number of traces per file when dealing with a high volume of traces.
Trace files are in JSON format. Figure 1 shows an example of original trace content.
Trace File Integrity Verification
During a security audit, operation records will not be able to serve as effective and authentic evidence if they have been deleted or otherwise tampered with. You can enable integrity verification in CTS to ensure the authenticity of trace files.
Trace file integrity verification uses industry-standard algorithms to generate a hash value for each trace file. This hash value changes when the trace file is modified or deleted, so by tracking the hash value you can confirm whether the trace file has been modified. In addition, the RSA algorithm is used to sign the digest file to ensure that the digest file itself is not modified. In this way, any modification or deletion of trace files is recorded by CTS.
After trace file integrity verification is enabled, CTS generates a digest file containing the hash values of all trace files recorded in the past hour and synchronizes the digest file to the OBS bucket configured for the current tracker.
CTS signs each digest file using a public/private key pair. You can verify the digest file using the public key after the file is stored in the OBS bucket.
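The check order described above (verify the digest file's RSA signature first, then compare each listed hash with the objects in the bucket), as an added example that is not CTS code. This page does not give the digest file layout, hash algorithm, or signature padding, so the JSON layout, SHA-256, PKCS#1 v1.5 padding, the object names, and the demo key are all assumptions constructed for illustration.

```python
import hashlib
import json

# ASN.1 DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def encode(msg: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 block: 00 01 FF..FF 00 || DigestInfo(SHA-256(msg))."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_verify(msg: bytes, sig: bytes, n: int, e: int) -> bool:
    """Verify with the public key only; rebuild the block and compare it whole."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    return len(sig) == k and s < n and pow(s, e, n).to_bytes(k, "big") == encode(msg, k)

def audit(digest: bytes, sig: bytes, pub: tuple, bucket: dict):
    """Check the signature first, then compare every listed hash with the bucket."""
    if not rsa_verify(digest, sig, *pub):
        return "DIGEST_UNTRUSTED", []
    findings = []
    for name, want in sorted(json.loads(digest)["files"].items()):
        if name not in bucket:
            findings.append((name, "missing"))
        elif hashlib.sha256(bucket[name]).hexdigest() != want:
            findings.append((name, "modified"))
    return ("TAMPERED" if findings else "OK"), findings

# Constructed demo key built from two well-known primes (demonstration only).
P, Q, E = 2**255 - 19, 2**256 - 2**32 - 977, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def make_digest(bucket: dict) -> bytes:
    """Hypothetical digest layout: JSON map of object name -> SHA-256 hex."""
    hashes = {k: hashlib.sha256(v).hexdigest() for k, v in bucket.items()}
    return json.dumps({"files": hashes}).encode()

def demo():
    bucket = {"trace-a.json.gz": b"constructed trace A",
              "trace-b.json.gz": b"constructed trace B"}
    digest = make_digest(bucket)
    # Signer side: only the holder of the private exponent D can produce this.
    sig = pow(int.from_bytes(encode(digest, 64), "big"), D, N).to_bytes(64, "big")
    intact = audit(digest, sig, (N, E), bucket)
    edited = {"trace-a.json.gz": b"constructed trace A, altered"}  # one altered, one deleted
    tampered = audit(digest, sig, (N, E), edited)
    # A digest re-hashed to match the altered bucket no longer matches the signature.
    rehashed = audit(make_digest(edited), sig, (N, E), edited)
    return intact, tampered, rehashed
```

The third case shows why the signature matters: hashes alone would accept a digest that was rewritten together with the trace files.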
Region
A region refers to a geographic area where the server for installing CTS is located. AZs in the same geographic area can communicate with each other through an internal network.
Huawei Cloud's data centers (DCs) are distributed across various global regions, such as Europe and Asia. Enabling CTS by region makes applications more user-friendly and ensures they comply with local laws and regulations.
Project
A project corresponds to a Huawei Cloud region. Default projects are defined to isolate resources (including computing, storage, and network resources) across regions. You can create sub-projects in a default region project to isolate resources more precisely.