Configuring an Organization Tracker
An organization tracker is a management tracker with the organization function enabled. To configure it, log in to CTS with a delegated or organization administrator account and enable Apply to Organization for the management tracker.
Prerequisites
- You are using a delegated or organization administrator account.
- You have used an organization administrator account to set CTS as a trusted service in Organizations.
- You have planned an OBS bucket for the delegated administrator to store audit traces.
Configuring an Organization Tracker
- Log in to the management console.
- Click in the upper left corner to select the desired region and project.
- Click in the upper left corner and choose Management & Governance > Cloud Trace Service.
- In the navigation pane, choose Tracker List. Click Configure on the right of the management tracker. If no management tracker is displayed, enable CTS first.
Figure 1 Management tracker
- On the Basic Information page, enable Apply to Organization and click Next.
Figure 2 Applying to my organization
- On the Configure Transfer page, enable Transfer to OBS and Transfer to LTS. You can query operation records of the last seven days on the CTS console. To store and query operation records beyond seven days, transfer them to OBS or LTS. For details, see Table 1 and Table 2. Set OBS Bucket Account to Logged-in user, select Existing for OBS Bucket, and select the OBS bucket planned by the administrator. Click Next > Configure.
Table 1 Parameters for configuring the transfer to OBS

| Parameter | Description |
|---|---|
| Transfer to OBS | Select an existing OBS bucket or create one on this page and set File Prefix if Transfer to OBS is enabled. When Transfer to OBS is disabled, no operation is required. |
| Create a cloud service agency | (Mandatory) If you select this check box, CTS automatically creates a cloud service agency when you create a tracker. The agency authorizes you to use OBS. |
| OBS Bucket Account | CTS allows you to transfer traces to OBS buckets of other users for unified management. If you select Logged-in user, you do not need to grant the transfer permission. If you select Other users, ensure that the user to which the OBS bucket belongs has granted the transfer permission to your current user. Otherwise, the transfer fails. For details about how to grant the transfer permission, see Cross-Tenant Transfer Authorization. |
| OBS Bucket | New: An OBS bucket will be created automatically with the name you enter. Existing: Select an existing OBS bucket. |
| Select Bucket | If you select New for OBS Bucket, enter an OBS bucket name. The OBS bucket name cannot be empty. It can contain 3 to 63 characters, including only lowercase letters, digits, hyphens (-), and periods (.). It cannot contain two consecutive periods (for example, my..bucket). A period (.) and a hyphen (-) cannot be adjacent to each other (for example, my-.bucket and my.-bucket). Do not use an IP address as a bucket name. If you select Existing for OBS Bucket, select an existing OBS bucket. |
| Retention Period | For the management tracker, the retention period configured on the OBS console is used by default and cannot be changed. |
| File Prefix | A file prefix is used to mark transferred trace files. The prefix you set will be automatically added to the beginning of the file names, facilitating file filtering. Enter 0 to 64 characters. Only letters, digits, underscores (_), hyphens (-), and periods (.) are allowed. |
| Compression | The usage of object storage space can be reduced. Do not compress: Transfer files in the *.json format. gzip: Transfer files in *.json.gz format. |
| Sort by Cloud Service | When this function is enabled, the cloud service name is added to the transfer file path, and multiple small files are generated in OBS. Example: /CloutTrace/cn-north-7/2022/11/8/doctest/Cloud service/_XXX.json.gz. When this function is disabled, the cloud service name will not be added to the transfer file path. Example: /CloutTrace/cn-north-7/2022/11/8/doctest/_XXX.json.gz |
| Transfer Path | Log transfer path is automatically set by the system. |
| Verify Trace File | When this function is enabled, integrity verification will be performed to check whether trace files in OBS buckets have been tampered with. For details about file integrity verification, see Verifying Trace File Integrity. |
| Encrypt Trace File | When OBS Bucket Account is set to Logged-in user, you can configure an encryption key for the traces. When Encrypt Trace File is enabled, CTS obtains the key IDs of the current login user from DEW. You can select a key from the drop-down list. NOTE: Use the keys in DEW to fully or partially encrypt objects in an OBS bucket. For details, see Encrypting Data in OBS. |
Table 2 Parameters for configuring the transfer to LTS

| Parameter | Description |
|---|---|
| Transfer to LTS | When Transfer to LTS is enabled, traces are transferred to the log stream. |
| Log Group | When Transfer to LTS is enabled, the default log group name CTS is set. When Transfer to LTS is disabled, no operation is required. |
- After the configuration is complete, administrators can view information about OBS buckets and LTS log groups on the Tracker List page.
Figure 3 Viewing trackers as an administrator
- Log in to CTS using an organization member account and go to the Tracker List page. The value in the Organization Enabled column of the target tracker is Yes.
The system tracker of the administrator account is displayed in the first row, and the system tracker of the current account is displayed in the second row. Audit logs of the organization member account can be transferred to the OBS buckets and LTS log groups of both the administrator account and the current account.
Figure 4 Viewing a tracker as an organization member