Configuring a Tracker

Scenario

You can configure the created management tracker to transfer traces recorded in CTS to OBS or LTS for long-term storage.

You can select whether to send recorded traces to an OBS bucket. You can also transfer the traces of multiple accounts to the same OBS bucket for centralized management.

There are three storage classes of OBS buckets, Standard, Infrequent Access, and Archive. You must use Standard OBS buckets for trace transfer because CTS needs to frequently access the OBS buckets.

After the tracker configuration is complete, CTS will immediately start recording operations under the new settings.

This section describes how to configure the management tracker.

Constraints

For global services, you must configure trackers on the CTS console in the central region (CN-Hong Kong). This configuration enables the function of transferring traces to OBS or LTS. The preceding function will not take effect if you perform the configuration on the CTS console in any region outside the central region.

For details about Huawei Cloud global services, see Constraints.

Prerequisites

You have enabled CTS.

Configuring a Management Tracker

1. Log in to the management console.
2. Click in the upper left corner to select the desired region and project.
3. Click in the upper left corner and choose Management & Governance > Cloud Trace Service. The CTS console is displayed.
4. Choose Tracker List in the navigation pane.
5. Click Configure in the Operation column in the row of the management tracker.
   Figure 1 Configuring the tracker
   

6. Configure the basic information of the tracker, and click Next.
   Figure 2 Excluding KMS traces
   

   Parameter	Description
   Tracker Name	The default value is system and cannot be changed.
   Enterprise Project	Select an enterprise project. NOTE: Enterprise projects allow you to manage cloud resources and users by project. For details about how to enable the enterprise project function, see Creating an Enterprise Project.
   Exclude KMS traces	Deselected by default. After this option is selected, the tracker will not transfer the data about user operations on Data Encryption Workshop (DEW). NOTE: For details about DEW audit operations, see Operations supported by CTS.

7. On the Configure Transfer page, configure the transfer parameters of the tracker. You can query operation records of the last seven days on the CTS console. To store and query operation records beyond seven days, transfer them to OBS or LTS. For details, see Table 1 and Table 2.

   Table 1 Parameters for configuring the transfer to OBS

   Parameter	Description
   Transfer to OBS	Select an existing OBS bucket or create one on this page and set File Prefix if Transfer to OBS is enabled. When Transfer to OBS is disabled, no operation is required.
   Create a cloud service agency.	(Mandatory) If you select this check box, CTS automatically creates a cloud service agency when you create a tracker. The agency authorizes you to use OBS.
   OBS Bucket Account	CTS allows you to transfer traces to OBS buckets of other users for unified management. If you select Logged-in user, you do not need to grant the transfer permission. If you select Other users, ensure that the user to which the OBS bucket belongs has granted the transfer permission to your current user. Otherwise, the transfer fails. For details about how to grant the transfer permission, see Cross-Tenant Transfer Authorization.
   OBS Bucket	New: An OBS bucket will be created automatically with the name you enter. Existing: Select an existing OBS bucket.
   Select Bucket	If you select New for OBS Bucket, enter an OBS bucket name. The OBS bucket name cannot be empty. It can contain 3 to 63 characters, including only lowercase letters, digits, hyphens (-), and periods (.). It cannot contain two consecutive periods (for example, my..bucket). A period (.) and a hyphen (-) cannot be adjacent to each other (for example, my-.bucket and my.-bucket). Do not use an IP address as a bucket name. If you select Existing for OBS Bucket, select an existing OBS bucket.
   Retention Period	For the management tracker, the retention period configured on the OBS console is used by default and cannot be changed.
   File Prefix	A file prefix is used to mark transferred trace files. The prefix you set will be automatically added to the beginning of the file names, facilitating file filtering. Enter 0 to 64 characters. Only letters, digits, underscores (_), hyphens (-), and periods (.) are allowed.
   Compression	The usage of object storage space can be reduced. Do not compress: Transfer files in the *.json format. gzip: Transfer files in *.json.gz format.
   Sort by Cloud Service	When this function is enabled, the cloud service name is added to the transfer file path, and multiple small files are generated in OBS. Example: /CloutTrace/cn-north-7/2022/11/8/doctest/Cloud service/_XXX.json.gz When this function is disabled, the cloud service name will not be added to the transfer file path. Example: /CloutTrace/cn-north-7/2022/11/8/doctest/_XXX.json.gz
   Transfer Path	Log transfer path is automatically set by the system.
   Verify Trace File	When this function is enabled, integrity verification will be performed to check whether trace files in OBS buckets have been tampered with. For details about file integrity verification, see Verifying Trace File Integrity.
   Encrypt Trace File	When OBS Bucket Account is set to Logged-in user, you can configure an encryption key for the traces. When Encrypt Trace File is enabled, CTS obtains the key IDs of the current login user from DEW. You can select a key from the drop-down list. NOTE: Use the keys in DEW to fully or partially encrypt objects in an OBS bucket. For details, see Encrypting Data in OBS.

   Table 2 Parameters for configuring the transfer to LTS

   Parameter	Description
   Transfer to LTS	When Transfer to LTS is enabled, traces are transferred to the log stream.
   Log Group	When Transfer to LTS is enabled, the default log group name CTS is set. When Transfer to LTS is disabled, no operation is required.

8. Click Next > Configure to complete the configuration of the tracker.

   You can then view the tracker details on the Tracker List page.

   

   Traces recorded by CTS are delivered periodically to the OBS bucket for storage. If you configure an OBS bucket for a tracker, traces generated during the current cycle (usually several minutes) will be delivered to the configured OBS bucket. For example, if the current cycle is from 12:00:00 to 12:05:00 and you configure an OBS bucket for a tracker at 12:02:00, traces received from 12:00:00 to 12:02:00 will also be delivered to the configured OBS bucket for storage at 12:05:00.

9. (Optional) On the Tracker List page, click in the Tag column to add tags to the tracker.
   Figure 3 Adding a tag
   

   Tags are key-value pairs, which are used to identify, classify, and search for trackers. Tracker tags are used to filter and manage trackers only. A maximum of 20 tags can be added to a tracker.

   If your organization has configured tag policies for CTS, add tags to trackers based on the policies. For details about tag policies, see Overview of a Tag Policy. For details about tag management, see Overview of a Tag.

   Table 3 Tag parameters

   Parameter	Description	Example
   Tag key	A tag key of a tracker must be unique. You can customize a key or select the key of an existing tag created in Tag Management Service (TMS). A tag key: Can contain 1 to 128 characters. Can contain letters, digits, spaces, and special characters _.:=+-@, but cannot start or end with a space or start with _sys_.	Key_0001
   Tag value	A tag value can be repetitive or left blank. A tag value: Can contain 0 to 255 characters. Can contain letters, digits, spaces, and special characters _.:/=+-@	Value_0001