Updated on 2025-07-03 GMT+08:00

Using CTS to Monitor Huawei Cloud Account Usage

A Huawei Cloud account owns your Huawei Cloud resources and pays for their use. If the account is leaked, your resources are at risk. You can use CTS to monitor activity under your Huawei Cloud account and set alarms to keep the account's resources secure.

This section describes how to monitor your Huawei Cloud account using two CTS functions, operation audit and audit log transfer to LTS, and how to generate alarms with the log alarm function of LTS.

Preparations

Add the CTS and LTS operation permissions to the user.
  • If you log in to Huawei Cloud as the account owner, go to Step 1: Enable CTS and Configure a System Tracker.
  • If you log in to Huawei Cloud as an IAM user, first contact your CTS administrator (account owner or a user in the admin user group) to obtain the CTS FullAccess permissions. For details, see Assigning Permissions to an IAM User.
  • Contact the LTS administrator (the account owner or a user in the admin user group) to grant the LTS FullAccess permission to the IAM user.

    Using log storage of LTS incurs additional charges. For details about LTS pricing, see Product Pricing Details.

Step 1: Enable CTS and Configure a System Tracker

  1. Log in to the CTS console.
  2. In the navigation pane on the left, choose Tracker List.
  3. Click Enable CTS in the upper right corner. A management tracker named system is automatically created.
  4. Click Configure in the Operation column in the row of the management tracker (named system).

    Figure 1 Configuring the tracker

  5. Configure the basic information of the tracker and click Next.

    | Parameter | Description | Requirements |
    |---|---|---|
    | Tracker Name | The default value is system and cannot be changed. | system |
    | Enterprise Project | If you have enabled enterprise project management for your account, select an enterprise project. NOTE: Enterprise projects allow you to manage cloud resources and users by project. For details about how to enable them, see Creating an Enterprise Project. | default |
    | Excluding DEW traces | This parameter is deselected by default. If this parameter is selected, the createDataKey and decryptDatakey operations on DEW will not be transferred to OBS/LTS. NOTE: For details about DEW audit operations, see Operations supported by CTS. | Deselect |

  6. On the transfer configuration page, enable Transfer to LTS. The system automatically creates a log group named CTS and a log stream named system-trace. Operation traces will be transferred to this log stream.

    Figure 2 Enabling transfer to LTS

  7. Click Next and click Configure. The system tracker is configured. You can then check the tracker details on the Tracker List page.

Step 2: Query Traces in LTS

  1. On the Tracker List page of the CTS console, click the LTS log stream name on the right of the system tracker. The system-trace log stream details page is displayed.

    Figure 3 Clicking the log stream name

    Figure 4 system-trace log stream page

  2. Click 15 minutes (From now) in the upper right corner to set the query time range.
  3. Enter user.name:{username} in the search box and click Search.

    • Before searching and analyzing reported logs, you need to configure structuring and indexing for them. For details, see Setting Cloud Structuring Parsing and Setting LTS Log Indexes.
    • Replace {username} with your username. To obtain your username, hover over the username in the upper right corner of the console, select My Credentials from the drop-down menu, and locate the name on the right of IAM Username.

    Figure 5 Searching for user.name

  4. Click the icon on the right of the search box to create a quick query. Enter a query name and click the confirm button.

    Figure 6 Creating a quick search

  5. After creating a quick query, you can select it on the CTS log group page of the LTS console.

Step 3: Configure an Alarm in LTS

  1. On the CTS log group page of the LTS console, click the icon in the upper right corner to add an alarm.
  2. On the alarm rule creation panel, set the parameters and click the confirm button. For details, see Configuring Log Alarm Rules.
  3. Once alarm rules are configured, you will get notifications when the trigger conditions are met.
  4. You can manage the added alarms on the Log Alarms page of the LTS console.
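
The query from Step 2 and the alarm condition from Step 3 can be rehearsed offline against exported traces before the rule is created in LTS. The following is an added example, not part of the Huawei Cloud documentation: only the user.name field comes from this page, while the other field names, the sample records, the 15-minute window and the threshold are assumptions made for illustration.

```python
import json

# Constructed sample traces, one JSON object per line. Only the nested
# user.name key is taken from the page's query (user.name:{username});
# "time" (epoch milliseconds), "trace_name" and "source_ip" are assumed names.
SAMPLE_TRACES = """\
{"time": 1751500800000, "user": {"name": "example-account"}, "trace_name": "login", "source_ip": "192.0.2.10"}
{"time": 1751500860000, "user": {"name": "ops-user"}, "trace_name": "createServer", "source_ip": "192.0.2.20"}
{"time": 1751501100000, "user": {"name": "example-account"}, "trace_name": "createAccessKey", "source_ip": "198.51.100.7"}
{"time": 1751504400000, "user": {"name": "example-account"}, "trace_name": "login", "source_ip": "192.0.2.10"}
not-json debris line
{"time": "bad", "user": {"name": "example-account"}}
"""


def account_traces(lines, username):
    """Return traces whose user.name equals username (the Step 2 search).

    Lines that are not JSON objects, or that lack an integer timestamp,
    are skipped rather than raising, as raw exports are rarely clean.
    """
    matches = []
    for line in lines.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(rec, dict) or not isinstance(rec.get("time"), int):
            continue
        user = rec.get("user")
        if isinstance(user, dict) and user.get("name") == username:
            matches.append(rec)
    return matches


def alarm_windows(traces, window_minutes=15, threshold=1):
    """Bucket traces into fixed windows and keep windows that would alarm."""
    size_ms = window_minutes * 60 * 1000
    buckets = {}
    for rec in traces:
        start = rec["time"] - rec["time"] % size_ms
        buckets.setdefault(start, []).append(rec)
    return {s: r for s, r in sorted(buckets.items()) if len(r) >= threshold}


if __name__ == "__main__":
    hits = account_traces(SAMPLE_TRACES, "example-account")
    for start, recs in alarm_windows(hits, threshold=2).items():
        print(start, [(r["trace_name"], r["source_ip"]) for r in recs])
```
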