Updated on 2024-06-13 GMT+08:00

Configuring an Organization Tracker

To configure an organization tracker, use a delegated administrator account to enable the organization function of the management tracker in CTS.

Prerequisites

  1. You are using a delegated administrator account.
  2. You have used an organization administrator account to set CTS as a trusted service in Organizations.
  3. You have planned an OBS bucket for the delegated administrator to store audit traces.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner to select the desired region and project.
  3. Click in the upper left corner and choose Management & Governance > Cloud Trace Service.
  4. In the navigation pane, choose Tracker List. Click Configure on the right of the management tracker. If no management tracker is displayed, enable CTS first.
  5. On the Basic Information page, enable Apply to Organization and click Next.
  6. On the Configure Transfer page, toggle on Transfer to OBS and Transfer to LTS, and set related parameters by referring to Table 1. Set OBS Bucket Account to Logged-in user, select Existing for OBS Bucket, and select the OBS bucket planned by the administrator. Click Next > Configure.

    Table 1 Transfer parameters

    | Parameter | Description |
    |---|---|
    | Transfer to OBS | Select an existing OBS bucket or create one on this page and set File Prefix if Transfer to OBS is enabled. When Transfer to OBS is disabled, no operation is required. |
    | OBS Bucket | New: If this function is enabled, an OBS bucket will be created automatically with the name you enter. Existing: Select an existing OBS bucket. |
    | Select Bucket | If you select New for OBS Bucket, enter an OBS bucket name. The OBS bucket name cannot be empty. It can contain 3 to 63 characters, including only lowercase letters, digits, hyphens (-), and periods (.). It cannot contain two consecutive periods (for example, my..bucket). A period (.) and a hyphen (-) cannot be adjacent to each other (for example, my-.bucket and my.-bucket). Do not use an IP address as a bucket name. If you select Existing for OBS Bucket, select an existing OBS bucket. |
    | Retention Period | For the management tracker, the retention period configured on the OBS console is used by default and cannot be changed. |
    | File Prefix | A prefix is used to mark a transferred trace file. Your specified prefix will be automatically added to the beginning of the name of a transferred file, helping you quickly filter files. Enter 0 to 64 characters. Only letters, digits, hyphens (-), underscores (_), and periods (.) are allowed. |
    | Compression | The usage of object storage space can be reduced. Do not compress: Transfer files in the *.json format. gzip: Transfer files in *.json.gz format. |
    | Sort by Cloud Service | When this function is enabled, the cloud service name is added to the transfer file path, and multiple small files are generated in OBS. Example: /CloutTrace/cn-north-7/2022/11/8/doctest/Cloud service/_XXX.json.gz. When this function is disabled, the cloud service name will not be added to the transfer file path. Example: /CloutTrace/cn-north-7/2022/11/8/doctest/_XXX.json.gz |
    | Transfer Path | Log transfer path is automatically set by the system. |
    | Verify Trace File | When this function is enabled, integrity verification will be performed to check whether trace files in OBS buckets have been tampered with. For details about file integrity verification, see Verifying Trace File Integrity. |
    | Encrypt Trace File | When OBS Bucket Account is set to Logged-in user, you can configure an encryption key for the traces. When Encrypt Trace File is enabled, CTS obtains the key IDs of the current login user from DEW. You can select a key from the drop-down list. |
    | Transfer to LTS | When Transfer to LTS is enabled, traces are transferred to the log stream. |
    | Log Group | When Transfer to LTS is enabled, the default log group name CTS is set. When Transfer to LTS is disabled, no operation is required. |

  7. Wait five to ten minutes, and then log in to the OBS console and the LTS console to check whether audit traces have been transferred successfully.