Updated on 2024-07-30 GMT+08:00

Configuring an Organization Tracker

An organization tracker is a management tracker with the organization function enabled. To configure it, use a delegated or organization administrator account to enable the organization function of the management tracker in CTS.

Prerequisites

  1. You are using a delegated or organization administrator account.
  2. You have used an organization administrator account to set CTS as a trusted service in Organizations.
  3. You have planned an OBS bucket for the delegated administrator to store audit traces.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner to select the desired region and project.
  3. Click in the upper left corner and choose Management & Governance > Cloud Trace Service.
  4. In the navigation pane, choose Tracker List. Click Configure on the right of the management tracker. If no management tracker is displayed, enable CTS first.

    Figure 1 Management tracker

  5. On the Basic Information page, enable Apply to Organization and click Next.

    Figure 2 Applying to my organization

  6. On the Configure Transfer page, enable Transfer to OBS and Transfer to LTS, and set related parameters by referring to Table 1. Set OBS Bucket Account to Logged-in user, select Existing for OBS Bucket, and select the OBS bucket planned by the administrator. Click Next > Configure.

    Table 1 Transfer parameters

    | Parameter | Description |
    | --- | --- |
    | Transfer to OBS | Select an existing OBS bucket or create one on this page and set File Prefix if Transfer to OBS is enabled. When Transfer to OBS is disabled, no operation is required. |
    | OBS Bucket | New: If this function is enabled, an OBS bucket will be created automatically with the name you enter. Existing: Select an existing OBS bucket. |
    | Select Bucket | If you select New for OBS Bucket, enter an OBS bucket name. The OBS bucket name cannot be empty. It can contain 3 to 63 characters, including only lowercase letters, digits, hyphens (-), and periods (.). It cannot contain two consecutive periods (for example, my..bucket). A period (.) and a hyphen (-) cannot be adjacent to each other (for example, my-.bucket and my.-bucket). Do not use an IP address as a bucket name. If you select Existing for OBS Bucket, select an existing OBS bucket. |
    | Retention Period | For the management tracker, the retention period configured on the OBS console is used by default and cannot be changed. |
    | File Prefix | A prefix is used to mark a transferred trace file. Your specified prefix will be automatically added to the beginning of the name of a transferred file, helping you quickly filter files. Enter 0 to 64 characters. Only letters, digits, hyphens (-), underscores (_), and periods (.) are allowed. |
    | Compression | The usage of object storage space can be reduced. Do not compress: Transfer files in the *.json format. gzip: Transfer files in *.json.gz format. |
    | Sort by Cloud Service | When this function is enabled, the cloud service name is added to the transfer file path, and multiple small files are generated in OBS. Example: /CloutTrace/cn-north-7/2022/11/8/doctest/Cloud service/_XXX.json.gz. When this function is disabled, the cloud service name will not be added to the transfer file path. Example: /CloutTrace/cn-north-7/2022/11/8/doctest/_XXX.json.gz |
    | Transfer Path | Log transfer path is automatically set by the system. |
    | Verify Trace File | When this function is enabled, integrity verification will be performed to check whether trace files in OBS buckets have been tampered with. For details about file integrity verification, see Verifying Trace File Integrity. |
    | Encrypt Trace File | When OBS Bucket Account is set to Logged-in user, you can configure an encryption key for the traces. When Encrypt Trace File is enabled, CTS obtains the key IDs of the current login user from DEW. You can select a key from the drop-down list. |
    | Transfer to LTS | When Transfer to LTS is enabled, traces are transferred to the log stream. |
    | Log Group | When Transfer to LTS is enabled, the default log group name CTS is set. When Transfer to LTS is disabled, no operation is required. |

  7. After the configuration is complete, administrators can view information about OBS buckets and LTS log groups on the Tracker List page.

    Figure 3 Viewing trackers as an administrator

  8. Log in to CTS using an organization member account and go to the Tracker List page. The value in the Organization Enabled column of the target tracker is Yes.

    The system tracker of the administrator account is displayed in the first row, and the system tracker of the current account is displayed in the second row. Audit logs of the organization member account can be transferred to the OBS buckets and LTS log groups of both the administrator account and the current account.
    Figure 4 Viewing a tracker as an organization member
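
The Select Bucket and File Prefix rules from Table 1, written as a pre-flight check that can run before a name is entered in the console or placed in a provisioning template. This is an added example, not code from CTS or OBS: the function names and sample values are constructed, only the rules stated on this page are enforced, and "letters" in the File Prefix rule is assumed to mean ASCII letters.

```python
import ipaddress
import re


def bucket_name_errors(name: str) -> list[str]:
    """Return every Select Bucket rule from Table 1 that `name` violates."""
    if not name:
        return ["name is empty"]
    errors = []
    if not 3 <= len(name) <= 63:
        errors.append("length must be 3 to 63 characters")
    if not re.fullmatch(r"[a-z0-9.-]+", name):
        errors.append("only lowercase letters, digits, hyphens and periods")
    if ".." in name:
        errors.append("two consecutive periods")
    if "-." in name or ".-" in name:
        errors.append("period adjacent to hyphen")
    try:
        ipaddress.ip_address(name)
    except ValueError:
        pass  # not an IP address, which is what the rule requires
    else:
        errors.append("name is an IP address")
    return errors


def file_prefix_errors(prefix: str) -> list[str]:
    """Return every File Prefix rule from Table 1 that `prefix` violates."""
    errors = []
    if len(prefix) > 64:
        errors.append("length must be 0 to 64 characters")
    # Assumption: "letters" means ASCII letters in either case.
    if not re.fullmatch(r"[A-Za-z0-9._-]*", prefix):
        errors.append("only letters, digits, hyphens, underscores and periods")
    return errors


if __name__ == "__main__":
    # Constructed sample names; the my..bucket forms are the page's own examples.
    for candidate in ["org-audit-traces", "my..bucket", "my-.bucket",
                      "my.-bucket", "192.168.0.1", "OrgTraces", "ab"]:
        print(f"{candidate!r}: {bucket_name_errors(candidate) or 'ok'}")
    for candidate in ["", "org_2024.audit-A", "team/a"]:
        print(f"prefix {candidate!r}: {file_prefix_errors(candidate) or 'ok'}")
```
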