Configuring a Tracker

Scenarios

On the CTS console, you can add configurations such as OBS or LTS transfer for the created management tracker.

You can select whether to send recorded traces to an OBS bucket for long-term storage. You can also transfer management traces recorded by other accounts to a same OBS bucket for centralized management.

After the tracker configuration is complete, CTS will immediately start recording operations under the new settings.

This section describes how to configure the management tracker.

Constraints

1. For global services, you must configure trackers on the CTS console in the central region (CN-Hong Kong). This configuration enables the function of transferring traces to OBS or LTS. This function will not take effect if you perform the configuration on the CTS console in any region outside the central region.

   For details about Huawei Cloud global services, see Notes and Constraints.

2. There are three storage classes of OBS buckets: Standard, Infrequent Access, and Archive. CTS frequently accesses OBS buckets storing transferred traces. Therefore, when you create an OBS bucket on the CTS console, it defaults to a single-AZ private bucket with Standard storage. If you need other configurations, create the bucket on OBS Console in advance. For details, see Creating a Bucket.
3. When configuring the transfer to OBS, you need to select an OBS bucket. If you delete the OBS bucket, CTS cannot transfer traces to OBS, and you cannot query traces of the last seven days.
4. After you configure the transfer in CTS, the retention period of the transferred trace is subject to the configuration on the OBS/LTS console.
   • First, create an OBS bucket and select a storage class on OBS Console by referring to Creating a Bucket. The storage period varies with the selected storage class. When configuring the tracker for transfer traces to OBS, select the created OBS bucket. By default, the retention period of transferred traces is the same as that configured on OBS.
   • The retention period of trace logs transferred to LTS is subject to the log retention period configured in LTS. For details, see Managing Log Groups.

Prerequisites

You have enabled CTS.

Configuring a Management Tracker

1. Log in to the management console.
2. Click in the upper left corner to select the desired region and project.
3. Click in the upper left corner and choose Management & Governance > Cloud Trace Service. The CTS console is displayed.
4. Choose Tracker List in the navigation pane.
5. Click Configure in the Operation column in the row of the management tracker.
   Figure 1 Configuring the tracker
   

6. Configure the basic information of the tracker, and click Next.
   Figure 2 Excluding DEW traces
   

   Parameter	Description
   Tracker Name	The default value is system and cannot be changed.
   Enterprise Project	Select an enterprise project. NOTE: Enterprise projects allow you to manage cloud resources and users by project. For details about how to enable the enterprise project function, see Creating an Enterprise Project.
   Excluding DEW traces	Deselected by default. If this option is selected, the createDataKey and decryptDatakey operations on DEW will not be transferred to OBS/LTS. NOTE: For details about DEW audit operations, see Operations supported by CTS.

7. On the Configure Transfer page, configure the transfer parameters of the tracker. You can only query operation records of the last seven days on the CTS console. To store and query operation records beyond seven days, transfer them to OBS or LTS. For details, see Table 1 and Table 2.

   Table 1 Parameters for configuring the transfer to OBS

   Parameter	Description
   Transfer to OBS	Select an existing OBS bucket or create one on this page and set File Prefix if Transfer to OBS is enabled. When Transfer to OBS is disabled, no operation is required.
   Create a cloud service agency.	(Mandatory) If you select this check box, CTS automatically creates a cloud service agency when you create a tracker. The agency authorizes you to use OBS.
   OBS Bucket Account	CTS allows you to transfer traces to OBS buckets of other users for unified management. If you select Logged-in user, you do not need to grant the transfer permission. If you select Other users, ensure that the user to which the OBS bucket belongs has granted the transfer permission to your current user. Otherwise, the transfer fails. For details about how to grant the transfer permission, see Cross-Tenant Transfer Authorization.
   OBS Bucket	New: An OBS bucket will be created automatically with the name you enter. NOTE: The OBS bucket created on this page is a single-AZ private bucket with Standard storage. If you need other configurations, create the bucket on OBS Console in advance and choose Existing to select it. For details, see Creating a Bucket. Existing: Select an existing OBS bucket in the current region.
   Select Bucket	If you select New for OBS Bucket, enter a name for the new OBS bucket. The bucket name cannot be empty. Enter 3 to 63 characters, including only lowercase letters, digits, hyphens (-), and periods (.). It cannot contain two consecutive periods (for example, my..bucket). A period (.) and a hyphen (-) cannot be adjacent to each other (for example, my-.bucket and my.-bucket). Do not use an IP address as a bucket name. If you select Existing for OBS Bucket, select an existing OBS bucket.
   Retention Period	For the management tracker, the retention period configured on the OBS console is used by default and cannot be changed.
   File Prefix	A file prefix is used to mark transferred trace files. The prefix you set will be automatically added to the beginning of the file names, facilitating file filtering. Enter 0 to 64 characters. Only letters, digits, underscores (_), hyphens (-), and periods (.) are allowed.
   Compression	The usage of object storage space can be reduced. Do not compress: Transfer files in the *.json format. gzip: Transfer files in *.json.gz format.
   Sort by Cloud Service	When this function is enabled, the cloud service name is added to the transfer file path, and multiple small files are generated in OBS. Example: /CloutTrace/cn-north-7/2022/11/8/doctest/Cloud service/_XXX.json.gz When this function is disabled, the cloud service name will not be added to the transfer file path. Example: /CloutTrace/cn-north-7/2022/11/8/doctest/_XXX.json.gz
   Transfer Path	Log transfer path is automatically set by the system.
   Verify Trace File	When this function is enabled, integrity verification will be performed to check whether trace files in OBS buckets have been tampered with. For details about file integrity verification, see Verifying Trace File Integrity.
   Encrypt Trace File	When OBS Bucket Account is set to Logged-in user, you can configure an encryption key for the traces. When Encrypt Trace File is enabled, CTS obtains the key IDs of the current login user from DEW. You can select a key from the drop-down list. NOTE: Use the keys in DEW to fully or partially encrypt objects in an OBS bucket. For details, see Encrypting Data in OBS.

   Table 2 Parameters for configuring the transfer to LTS

   Parameter	Description
   Transfer to LTS	When Transfer to LTS is enabled, traces are transferred to the log stream.
   Log Group	When Transfer to LTS is enabled, the default log group name CTS is set. When Transfer to LTS is disabled, no operation is required.

8. Click Next > Configure to complete the configuration of the tracker.

   You can then view the tracker details on the Tracker List page.

   

   Traces recorded by CTS are delivered periodically to the OBS bucket for storage. If you configure an OBS bucket for a tracker, traces generated during the current cycle (usually several minutes) will be delivered to the configured OBS bucket. For example, if the current cycle is from 12:00:00 to 12:05:00 and you configure an OBS bucket for a tracker at 12:02:00, traces received from 12:00:00 to 12:02:00 will also be delivered to the configured OBS bucket for storage at 12:05:00.

9. (Optional) On the Tracker List page, click in the Tag column to add tags to the tracker.
   Figure 3 Adding a tag
   

   Tags are key-value pairs, which are used to identify, classify, and search for trackers. Tracker tags are used to filter and manage trackers only. A maximum of 20 tags can be added to a tracker.

   If your organization has configured tag policies for CTS, add tags to trackers based on the policies. For details about tag policies, see Overview of a Tag Policy. For details about tag management, see Overview of a Tag.

   Table 3 Tag parameters

   Parameter	Description	Example
   Tag key	A tag key of a tracker must be unique. You can customize a key or select the key of an existing tag created in Tag Management Service (TMS). A tag key: Can contain 1 to 128 characters. Can contain letters, digits, spaces, and special characters _.:=+-@, but cannot start or end with a space or start with _sys_.	Key_0001
   Tag value	A tag value can be repetitive or left blank. A tag value: Can contain 0 to 255 characters. Can contain letters, digits, spaces, and special characters _.:/=+-@	Value_0001