Configuring an Organization Tracker
An organization tracker is a management tracker with the organization function enabled. To configure it, log in to CTS with a delegated or organization administrator account and enable Apply to Organization for the management tracker.
Prerequisites
- You are using a delegated or organization administrator account.
- You have used an organization administrator account to set CTS as a trusted service in Organizations.
- You have planned an OBS bucket for the delegated administrator to store audit traces.
Configuring an Organization Tracker
- Log in to the management console.
- Click the icon in the upper left corner to select the desired region and project.
- Click the icon in the upper left corner and choose Management & Governance > Cloud Trace Service.
- In the navigation pane, choose Tracker List. Click Configure on the right of the management tracker. If no management tracker is displayed, enable CTS first.
Figure 1 Management tracker
- On the Basic Information page, enable Apply to Organization and click Next.
Figure 2 Applying to my organization
- On the Configure Transfer page, enable Transfer to OBS and Transfer to LTS. You can query operation records of the last seven days on the CTS console. To store and query operation records beyond seven days, transfer them to OBS or LTS. For details, see Table 1 and Table 2. Set OBS Bucket Account to Logged-in user, select Existing for OBS Bucket, and select the OBS bucket planned by the administrator. Click Next > Configure.
Table 1 Parameters for configuring the transfer to OBS

| Parameter | Description |
| --- | --- |
| Transfer to OBS | Select an existing OBS bucket or create one on this page and set File Prefix if Transfer to OBS is enabled. When Transfer to OBS is disabled, no operation is required. |
| Create a cloud service agency | (Mandatory) If you select this check box, CTS automatically creates a cloud service agency when you create a tracker. The agency authorizes you to use OBS. |
| OBS Bucket Account | CTS allows you to transfer traces to OBS buckets of other users for unified management. If you select Logged-in user, you do not need to grant the transfer permission. If you select Other users, ensure that the user to which the OBS bucket belongs has granted the transfer permission to your current user. Otherwise, the transfer fails. For details about how to grant the transfer permission, see Cross-Tenant Transfer Authorization. |
| OBS Bucket | New: An OBS bucket will be created automatically with the name you enter. NOTE: The OBS bucket created on this page is a single-AZ private bucket with Standard storage. If you need other configurations, create the bucket on OBS Console in advance and choose Existing to select it. For details, see Creating a Bucket. Existing: Select an existing OBS bucket in the current region. |
| Select Bucket | If you select New for OBS Bucket, enter a name for the new OBS bucket. The bucket name cannot be empty. Enter 3 to 63 characters, including only lowercase letters, digits, hyphens (-), and periods (.). It cannot contain two consecutive periods (for example, my..bucket). A period (.) and a hyphen (-) cannot be adjacent to each other (for example, my-.bucket and my.-bucket). Do not use an IP address as a bucket name. If you select Existing for OBS Bucket, select an existing OBS bucket. |
| Retention Period | For the management tracker, the retention period configured on the OBS console is used by default and cannot be changed. |
| File Prefix | A file prefix is used to mark transferred trace files. The prefix you set will be automatically added to the beginning of the file names, facilitating file filtering. Enter 0 to 64 characters. Only letters, digits, underscores (_), hyphens (-), and periods (.) are allowed. |
| Compression | The usage of object storage space can be reduced. Do not compress: Transfer files in the *.json format. gzip: Transfer files in *.json.gz format. |
| Sort by Cloud Service | When this function is enabled, the cloud service name is added to the transfer file path, and multiple small files are generated in OBS. Example: /CloutTrace/cn-north-7/2022/11/8/doctest/Cloud service/_XXX.json.gz. When this function is disabled, the cloud service name will not be added to the transfer file path. Example: /CloutTrace/cn-north-7/2022/11/8/doctest/_XXX.json.gz |
| Transfer Path | Log transfer path is automatically set by the system. |
| Verify Trace File | When this function is enabled, integrity verification will be performed to check whether trace files in OBS buckets have been tampered with. For details about file integrity verification, see Verifying Trace File Integrity. |
| Encrypt Trace File | When OBS Bucket Account is set to Logged-in user, you can configure an encryption key for the traces. When Encrypt Trace File is enabled, CTS obtains the key IDs of the current login user from DEW. You can select a key from the drop-down list. NOTE: Use the keys in DEW to fully or partially encrypt objects in an OBS bucket. For details, see Encrypting Data in OBS. |
Table 2 Parameters for configuring the transfer to LTS

| Parameter | Description |
| --- | --- |
| Transfer to LTS | When Transfer to LTS is enabled, traces are transferred to the log stream. |
| Log Group | When Transfer to LTS is enabled, the default log group name CTS is set. When Transfer to LTS is disabled, no operation is required. |
- After the configuration is complete, administrators can view information about OBS buckets and LTS log groups on the Tracker List page.
Figure 3 Viewing trackers as an administrator
- Log in to CTS using an organization member account and go to the Tracker List page. The value in the Organization Enabled column of the target tracker is Yes.
The system tracker of the administrator account is displayed in the first row, and the system tracker of the current account is displayed in the second row. Audit logs of the organization member account can be transferred to the OBS buckets and LTS log groups of both the administrator account and the current account.
Figure 4 Viewing a tracker as an organization member
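The naming rules that Table 1 gives for a new OBS bucket and for File Prefix can be checked before the tracker is configured. The following is an added example, not Huawei Cloud code: the function names and error codes are hypothetical, it checks only the rules stated on this page, and it assumes "letters" in the File Prefix rule means ASCII letters.

```python
import re

# Character classes taken from the Table 1 descriptions on this page.
# Assumption: "letters" in the File Prefix rule means ASCII letters.
BUCKET_CHARSET = re.compile(r"[a-z0-9.-]*")
PREFIX_CHARSET = re.compile(r"[A-Za-z0-9_.-]*")
DOTTED_QUAD = re.compile(r"[0-9]{1,3}(\.[0-9]{1,3}){3}")


def bucket_name_errors(name):
    """Return the codes of the stated bucket-name rules that `name` breaks."""
    errors = []
    if not 3 <= len(name) <= 63:
        errors.append("length")
    if not BUCKET_CHARSET.fullmatch(name):
        errors.append("charset")
    if ".." in name:
        errors.append("consecutive-periods")
    if "-." in name or ".-" in name:
        errors.append("period-next-to-hyphen")
    # Four decimal groups, each 0-255, is an IPv4 address in dotted form.
    if DOTTED_QUAD.fullmatch(name) and all(int(p) <= 255 for p in name.split(".")):
        errors.append("ip-address")
    return errors


def file_prefix_errors(prefix):
    """Return the codes of the stated File Prefix rules that `prefix` breaks."""
    errors = []
    if len(prefix) > 64:
        errors.append("length")
    if not PREFIX_CHARSET.fullmatch(prefix):
        errors.append("charset")
    return errors


if __name__ == "__main__":
    # Constructed sample values, including the page's own counter-examples.
    for candidate in ["org-audit.traces-01", "my..bucket", "my-.bucket",
                      "my.-bucket", "192.168.10.20", "Audit_Traces", "ab"]:
        print(f"bucket {candidate!r}: {bucket_name_errors(candidate) or 'ok'}")
    for candidate in ["", "org_2024-prod.v1", "org/prod", "p" * 65]:
        print(f"prefix {candidate!r}: {file_prefix_errors(candidate) or 'ok'}")
```

An empty list means the value passes every rule listed in Table 1; the console may apply further checks that this page does not describe.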