Continuously Transferring CTS Traces to Specified Services
CTS records details about users' operations, such as creating, modifying, and deleting cloud service resources, and retains these records as traces for seven days. If transfer is not configured, the CTS console keeps operation logs for seven days. After that, the logs are automatically deleted and cannot be accessed, even if transfer is configured later.
If you need to obtain operation traces for more than seven days for audits, configure and transfer traces to OBS or LTS. CTS will regularly transfer traces to OBS buckets or LTS log streams for long-term storage.
This section describes how to continuously transfer traces recorded by CTS to OBS and LTS.

- You will be billed for storing files in OBS. For details about OBS pricing, see Product Pricing Details.
- You will be billed for storing logs in LTS. For details about LTS pricing, see Product Pricing Details.
Restrictions
If you want to report audit traces to CTS and transfer the traces to OBS or LTS, configure a tracker for global service on the CTS console in the central region (CN-Hong Kong). For details about Huawei Cloud global services, see Notes and Constraints.
Scenario 1: Transferring CTS Traces to OBS
- Go to the CTS console.
- Select a region closest to your application to reduce latency and accelerate access.
In this example, select CN North-Beijing4.
- In the navigation pane, choose Tracker List.
- Click Configure in the Operation column of the system tracker.
Figure 1 Configuring a system tracker
- On the Basic Information page, set basic information and click Next.
Table 1 Setting basic information

Parameter: Tracker Name
Description: The name of a management tracker is system by default and cannot be changed.
Example: system

Parameter: Enterprise Project
Description: Enterprise projects allow you to manage cloud resources and users by project. For details about how to enable enterprise projects, see Creating an Enterprise Project.
  - If you have not enabled the enterprise project management service, skip this step.
  - If you have enabled the service, select default in this example.
Example: default

Parameter: Apply to Organization
Description: CTS supports the multi-account management capability of Organizations. After you enable Apply to Organization, the following functions are available. For details, see Organization Trackers.
  - Use an organization administrator account to set CTS as a trusted service on the Organizations console and specify a delegated administrator account.
  - You can use the delegated administrator account to configure an organization tracker in CTS. Then the delegated administrator account can implement cloud audit capabilities, such as security audit.
Example: Disable

Parameter: Operation
Description: If you select Exclude DEW traces, the tracker will not transfer the data about operations on Data Encryption Workshop (DEW).
For details about DEW audit operations, see Operations supported by CTS.
Example: Deselect Exclude DEW traces
- On the Configure Transfer page, configure transfer parameters and choose Next > Configure. Then, the system immediately records operations based on the new rules.
Table 2 Parameters for configuring transfer to OBS

Parameter: Transfer to OBS
Description: CTS records details about operations performed by tenants, such as creating, modifying, and deleting cloud service resources, and retains these records as traces for seven days. To store traces for more than seven days, configure trace transfer to OBS. This allows CTS to periodically transfer operation records to OBS buckets for long-term storage.
After Transfer to OBS is enabled, audit logs can be periodically transferred to OBS buckets.
Example: Enable

Parameter: Create a cloud service agency
Description: After enabling Transfer to OBS, you must select Create a cloud service agency. CTS will automatically create a cloud service agency named cts_admin_trust to authorize you to use OBS.
Example: Select Create a cloud service agency.

Parameter: OBS Bucket Account
Description: You can transfer traces to OBS buckets of the logged-in user or other users for unified management.
  - If you select Logged-in user, you do not need to grant the transfer permission.
  - If you select Other users, ensure that the OBS bucket owner has granted you the transfer permission. Otherwise, the transfer will fail. For details about how to grant the transfer permission, see Cross-Tenant Transfer Authorization.
Example: Select Logged-in user

Parameter: OBS Bucket
Description: You can create an OBS bucket or select an existing one.
  - New: An OBS bucket will be created automatically with the name you enter.
    NOTE: A single-AZ private bucket with Standard storage will be created. If you need other configurations, create the bucket on the OBS console in advance and choose Existing to select it.
  - Existing: Select an existing OBS bucket in the current region.
Example: Select New

Parameter: Select Bucket
Description: Mandatory. Enter 3 to 63 characters, including only lowercase letters, digits, hyphens (-), and periods (.). It cannot contain two consecutive periods (for example, my..bucket). A period (.) and a hyphen (-) cannot be adjacent to each other (for example, my-.bucket and my.-bucket). Do not use an IP address as a bucket name.
Example: system-bucket-01

Parameter: Retention Period
Description: Different compliance standards require different trace retention periods. When you configure a management tracker, Same as OBS is selected for Retention Period by default and cannot be modified.
Example: Select Same as OBS

Parameter: File Prefix
Description: A file prefix is used to mark transferred trace files. The prefix you set will be automatically added to the beginning of the file names, facilitating file filtering. Enter 0 to 64 characters, including letters, digits, underscores (_), hyphens (-), and periods (.).
A trace file name is in the following format:
Trace file prefix_CloudTrace_Region/Region-project_Time when the trace file was uploaded to OBS: Year-Month-DayTHour-Minute-SecondZ_Random characters.json.gz
For example, FilePrefix_CloudTrace_ap-southeast-1_2024-12-13T01-29-19Z_47b9d51830deff47.json.gz.
Example: FilePrefix

Parameter: Verify Trace File
Description: To enable this function, toggle on Verify Trace File. Then CTS will generate a digest file for hash values of all trace files recorded in the past hour and synchronize the digest file to the OBS bucket configured for the current tracker. You can implement your own verification solution with these files.
For details about integrity verification, see Verifying Trace File Integrity.
For more information about digest files, see Digest Files.
Example: Disable

Parameter: Encrypt Trace File
Description: CTS supports trace file encryption. Trace files transferred to OBS buckets can be encrypted using keys provided by DEW.
If you selected Logged-in user for OBS Bucket Account and enabled Encrypt Trace File, CTS obtains the key IDs of the logged-in user from DEW and displays them in the drop-down list for you to select.
Example: Disable
- On the Tracker List page, the OBS bucket system-bucket-01 that you set when configuring the transfer is displayed in the Storage column of the system tracker. Traces recorded in CTS will be continuously transferred to the OBS bucket. For details about how to check trace records in an OBS bucket, see Viewing Historical Traces in an OBS Bucket.
Figure 2 Selecting a bucket name
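
Once transfer to OBS is running, the trace file name format in Table 2 can be used to audit a listing of the bucket: the following added example (not part of the original documentation and not Huawei Cloud code) parses object names, reports objects that do not match the configured file prefix, and reports time gaps between uploads per region. The function names, the one-hour `max_gap` threshold, the acceptance of names with an empty prefix, and the sample keys are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Format on this page: <prefix>_CloudTrace_<region or region-project>_<upload time>_<random>.json.gz
TRACE_NAME = re.compile(
    r"(?:(?P<prefix>[A-Za-z0-9_.-]{0,64})_)?CloudTrace_"
    r"(?P<region>[A-Za-z0-9_-]+?)_"
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2}Z)_"
    r"(?P<rand>[0-9A-Za-z]+)\.json\.gz"
)

def parse_trace_name(key):
    """Return (prefix, region, upload_time_utc), or None if the key does not fit."""
    m = TRACE_NAME.fullmatch(key.rsplit("/", 1)[-1])  # drop any folder part
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H-%M-%SZ")
    except ValueError:  # well-formed digits but an impossible date or time
        return None
    return (m["prefix"] or "", m["region"], ts.replace(tzinfo=timezone.utc))

def audit_listing(keys, expected_prefix, max_gap=timedelta(hours=1)):
    """Return (unexpected_keys, gaps); max_gap is an assumed alert threshold."""
    unexpected, by_region = [], {}
    for key in keys:
        parsed = parse_trace_name(key)
        if parsed is None or parsed[0] != expected_prefix:
            unexpected.append(key)
        else:
            by_region.setdefault(parsed[1], []).append(parsed[2])
    gaps = []
    for region, times in sorted(by_region.items()):
        times.sort()
        gaps += [(region, a, b) for a, b in zip(times, times[1:]) if b - a > max_gap]
    return unexpected, gaps

# Constructed sample listing, not real bucket contents.
SAMPLE_KEYS = [
    "FilePrefix_CloudTrace_ap-southeast-1_2024-12-13T01-29-19Z_47b9d51830deff47.json.gz",
    "FilePrefix_CloudTrace_ap-southeast-1_2024-12-13T01-44-02Z_0a1b2c3d4e5f6071.json.gz",
    "FilePrefix_CloudTrace_ap-southeast-1_2024-12-13T05-10-45Z_9f8e7d6c5b4a3921.json.gz",
    "Other_CloudTrace_ap-southeast-1_2024-12-13T02-00-00Z_1111222233334444.json.gz",
    "notes.txt",
]

if __name__ == "__main__":
    unexpected, gaps = audit_listing(SAMPLE_KEYS, "FilePrefix")
    print("unexpected:", unexpected, "gaps:", gaps)
```

A reported gap means either that no operations were recorded in that window or that the transfer did not run, so compare it with the trace list on the CTS console while the seven-day records are still available.
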
Scenario 2: Transferring CTS Traces to LTS
- Go to the CTS console.
- Select a region closest to your application to reduce latency and accelerate access.
In this example, select CN North-Beijing4.
- In the navigation pane, choose Tracker List.
- Click Configure in the Operation column of the system tracker.
Figure 3 Configuring a system tracker
- On the Basic Information page, set basic information and click Next.
Table 3 Setting basic information

Parameter: Tracker Name
Description: The name of a management tracker is system by default and cannot be changed.
Example: system

Parameter: Enterprise Project
Description: Enterprise projects allow you to manage cloud resources and users by project. For details about how to enable enterprise projects, see Creating an Enterprise Project.
  - If you have not enabled the enterprise project management service, skip this step.
  - If you have enabled the service, select default in this example.
Example: default

Parameter: Apply to Organization
Description: CTS supports the multi-account management capability of Organizations. After you enable Apply to Organization, the following functions are available. For details, see Organization Trackers.
  - Use an organization administrator account to set CTS as a trusted service on the Organizations console and specify a delegated administrator account.
  - You can use the delegated administrator account to configure an organization tracker in CTS. Then the delegated administrator account can implement cloud audit capabilities, such as security audit.
Example: Disable

Parameter: Operation
Description: If you select Exclude DEW traces, the tracker will not transfer the data about operations on Data Encryption Workshop (DEW).
For details about DEW audit operations, see Operations supported by CTS.
Example: Deselect Exclude DEW traces
- On the Configure Transfer page, configure transfer parameters and choose Next > Configure. Then, the system immediately records operations based on the new rules.
Table 4 Parameters for configuring transfer to LTS

Parameter: Transfer to LTS
Description: CTS records details of tenant operations, such as creating, modifying, and deleting cloud service resources, and stores these records as traces in the trace list for seven days. To store traces for more than seven days, configure trace transfer to LTS. This allows CTS to periodically transfer trace files to LTS log streams for long-term storage.
After Transfer to LTS is enabled, audit logs can be periodically transferred to LTS log streams.
Example: Enable

Parameter: Log Group Name
Description: The log group name defaults to CTS and cannot be changed. Traces will be transferred to log stream CTS/system-trace.
Example: CTS
- On the Tracker List page, the LTS log stream CTS/system-trace that you set when configuring the transfer is displayed in the Storage column of the system tracker. Traces recorded in CTS will be continuously transferred to the LTS log stream. For details about how to check trace records in an LTS log stream, see Viewing Historical Traces in an LTS Log Stream.
Figure 4 Log stream name