使用 SDK 创建跟踪并配置日志服务报表

使用 SDK 创建跟踪并配置日志服务报表

使用 SDK 创建跟踪与在控制台创建跟踪的主要区别是:
• 在控制台创建跟踪时,操作审计可以帮您创建 OSS Bucket 和日志服务项目(LogProject)、日志库(LogStore)及报表;
• 在控制台创建跟踪后,操作审计会自动帮您开启跟踪。
因为通过控制台创建跟踪,操作审计会自动帮您调用配置日志服务、启用跟踪(StartLogging) 等接口。

使用 SDK 创建跟踪

通过 SDK 创建跟踪的过程可以分为两步:
• 创建并配置日志服务(如果已有日志项目及日志库则可忽略该步骤)
• 创建并启用跟踪
接下来以实际场景为例,详细介绍整个创建过程:
创建一个名为 cloud_trail 的跟踪,将所有地域的所有事件,投递到杭州地域的日志项目 cloud_trail_project 中,并配置日志服务的索引、报表。

为了方便,下面的代码示例将使用阿里云 Python SDK,Python版本为 3.7。

创建并配置日志服务

如果您已完成日志服务配置,则可跳过此段内容

如果要创建跟踪将数据投递到日志服务,首先需要创建对应的日志项目(LogProject),并创建名为 actiontrail_{TrailName} 的日志库(LogStore),TrailName 是跟踪名称。
此外,如果需要对操作日志进行分析,则还需要对 LogStore 配置索引和报表。我们可以使用日志服务的 Python SDK aliyun-log-python-sdk 来实现。

初始化 SDK

安装依赖:

$ pip install -U aliyun-log-python-sdk

初始化 SDK:

from aliyun.log import LogClient

# 华东 1 (杭州)  Region 
region = 'cn-hangzhou'

#  日志服务入口
endpoint = '{region}.log.aliyuncs.com'.format(region=region)
# 用户访问秘钥对中的 AccessKeyId
access_key_id = 'ABCDEFGHIJKLJMN'
# 用户访问秘钥对中的 AccessKeySecret
access_key_secret = 'OPQRSTUVWXYZ'
# 阿里云主账号 ID
account_id = '123456789'

client = LogClient(endpoint, access_key_id, access_key_secret)

创建日志项目(LogProject)和日志库(LogStore)

如下面代码,跟踪名称为 cloud_trail ,日志项目名称为 cloud_trail_project ,日志库名称为 actiontrail_cloud_trail 。创建日志库时,指定 preserve_storage 为 True ,永久保存数据。可根据实际情况修改。

# 跟踪名称
trail_name = 'cloud_trail'

# 日志项目名称
log_project_name = 'cloud_trail_project'

# 创建日志服务
res = client.create_project(log_project_name, '操作审计事件日志项目')
res.log_print()

# 日志库名称
log_store_name = 'actiontrail_{trail_name}'.format(trail_name=trail_name)
# 创建日志库
res = client.create_logstore(log_project_name, log_store_name, shard_count=3, preserve_storage=True)
res.log_print()

配置索引

可以使用 client.create_index(self, project_name, logstore_name, index_detail) 方法创建索引。其中 index_detail 是 JSON 格式的索引配置。

import json
from aliyun.log import LogClient
from aliyun.log import IndexConfig

def get_json_data(path):
    with open(path) as f:
        return json.load(f)
      
# 从 log_index.json 中读取索引配置
index_json = get_json_data('./log_index.json')
index_detail = IndexConfig()
index_detail.from_json(index_json)
# 创建索引
client.create_index(log_project_name, log_store_name, index_detail)

详细索引配置在文末附录部分。

索引如图所示:

使用 SDK 创建跟踪并配置日志服务报表

创建报表

可以使用 client.create_dashboard(dashboard_detail) 方法创建索引。其中 dashboard_detail 是 JSON 格式的报表配置。

#  从 log_dashboard.json 中读取报表配置
dashboard_detail = get_json_data('./log_dashboard.json')
# 创建报表 
client.create_dashboard(log_project_name, dashboard_detail)

报表如图所示:

使用 SDK 创建跟踪并配置日志服务报表

创建并启用跟踪

您可以使用阿里云 Python SDK aliyun-python-sdk-core 来创建跟踪。

初始化 SDK

安装依赖:

$ pip install aliyun-python-sdk-core
$ pip install aliyun-python-sdk-actiontrail

初始化 SDK :

from aliyunsdkcore.client import AcsClient
from aliyunsdkcore.acs_exception.exceptions import ClientException
from aliyunsdkcore.acs_exception.exceptions import ServerException
from aliyunsdkactiontrail.request.v20171204.CreateTrailRequest import CreateTrailRequest

client = AcsClient(access_key_id, access_key_secret, region)

创建跟踪到指定日志项目(LogProject)

创建跟踪的 API 是 CreateTrail
示例代码如下:

sls_project_arn = 'acs:log:{region}:{account_id}:project/{log_project_name}'.format(
    region=region,
    account_id=account_id,
    log_project_name=log_project_name,
)

request = CreateTrailRequest()
request.set_accept_format('json')

# 设置跟踪名称
request.set_Name(trail_name)
# 设置 SLS project arn
request.set_SlsProjectArn(sls_project_arn)
# 跟踪所有事件
request.set_EventRW("All")
# 跟踪所有地域
request.set_TrailRegion("All")

response = client.do_action_with_exception(request)
print(str(response, encoding='utf-8'))

通过 API 创建跟踪后,跟踪状态是 Fresh,表示已创建但未开启。所以后续还要开启跟踪。

启用跟踪

启用跟踪的接口是 StartLogging

代码示例:

from aliyunsdkactiontrail.request.v20171204.CreateTrailRequest import StartLoggingRequest

request = StartLoggingRequest()
request.set_accept_format('json')

request.set_Name(trail_name)

response = client.do_action_with_exception(request)
print(str(response, encoding='utf-8'))

至此,跟踪就创建完成了。

总结

本文介绍了如何通过 SDK 创建跟踪并配置日志服务。整个过程可分为两个步骤:

  1. 创建并配置日志服务
  2. 创建并启用跟踪

其中 “创建并配置日志服务” 比较复杂,因为要通过 SDK 去配置日志服务的日志库、索引、报表等。创建并启用跟踪比较简单,调用对应 API 就可以了。希望通过本文的介绍后,大家能根据需要灵活地使用 SDK 去创建跟踪。

附录

索引配置

下面是操作事件的索引 JSON 配置,该配置会针对操作事件开启全文索引和字段索引。您可以直接使用。

{
  "index_mode": "v2",
  "keys": {
    "event": {
      "caseSensitive": false,
      "chn": false,
      "json_keys": {
        "acsRegion": {
          "doc_value": true,
          "type": "text"
        },
        "apiVersion": {
          "doc_value": true,
          "type": "text"
        },
        "errorCode": {
          "doc_value": true,
          "type": "text"
        },
        "errorMessage": {
          "doc_value": true,
          "type": "text"
        },
        "eventId": {
          "doc_value": true,
          "type": "text"
        },
        "eventName": {
          "doc_value": true,
          "type": "text"
        },
        "eventSource": {
          "doc_value": true,
          "type": "text"
        },
        "eventType": {
          "doc_value": true,
          "type": "text"
        },
        "eventVersion": {
          "doc_value": true,
          "type": "text"
        },
        "requestId": {
          "doc_value": true,
          "type": "text"
        },
        "requestParameters.HostId": {
          "doc_value": true,
          "type": "text"
        },
        "requestParameters.Name": {
          "doc_value": true,
          "type": "text"
        },
        "requestParameters.Region": {
          "doc_value": true,
          "type": "text"
        },
        "serviceName": {
          "doc_value": true,
          "type": "text"
        },
        "sourceIpAddress": {
          "doc_value": true,
          "type": "text"
        },
        "userAgent": {
          "doc_value": true,
          "type": "text"
        },
        "userIdentity.accessKeyId": {
          "doc_value": true,
          "type": "text"
        },
        "userIdentity.accountId": {
          "doc_value": true,
          "type": "text"
        },
        "userIdentity.principalId": {
          "doc_value": true,
          "type": "text"
        },
        "userIdentity.type": {
          "doc_value": true,
          "type": "text"
        },
        "userIdentity.userName": {
          "doc_value": true,
          "type": "text"
        }
      },
      "token": [
        ",",
        " ",
        "'",
        "\"",
        ";",
        "=",
        "(",
        ")",
        "[",
        "]",
        "{",
        "}",
        "?",
        "@",
        "&",
        "<",
        ">",
        "/",
        ":",
        "\n",
        "\t",
        "\r"
      ],
      "type": "json"
    }
  },
  "line": {
    "caseSensitive": false,
    "chn": false,
    "token": [
      ",",
      " ",
      "'",
      "\"",
      ";",
      "=",
      "(",
      ")",
      "[",
      "]",
      "{",
      "}",
      "?",
      "@",
      "&",
      "<",
      ">",
      "/",
      ":",
      "\n",
      "\t",
      "\r"
    ]
  }
}

报表配置

下面是操作事件的报表 JSON 配置,您可以直接使用。使用时注意需要将 charts[].search.logstore 的值(即日志库)改为您的日志库(LogStore)名称。

{
  "charts": [
    {
      "title": "actiontrail-dashboard-pv",
      "search": {
        "topic": "",
        "logstore": "actiontrail_cloud_trail",
        "start": "-2592000s",
        "query": "__topic__: actiontrail_audit_event | select count(1) as PV",
        "end": "now"
      },
      "action": {},
      "display": {
        "fontColor": {
          "g": 255,
          "b": 255,
          "r": 255,
          "a": 1
        },
        "yPos": 0,
        "descriptionSize": 24,
        "width": 2,
        "fontSize": 32,
        "bgColor": {
          "g": 204,
          "b": 228,
          "r": 44,
          "a": 1
        },
        "unit": "",
        "height": 2,
        "unitSize": 14,
        "xPos": 0,
        "description": "",
        "showTitle": true,
        "xAxis": [
          "PV"
        ],
        "displayName": "PV"
      },
      "type": "number"
    },
    {
      "title": "actiontrail-dashboard-uv",
      "search": {
        "topic": "",
        "logstore": "actiontrail_cloud_trail",
        "start": "-2592000s",
        "query": "__topic__: actiontrail_audit_event | select count(distinct \"event.sourceIpAddress\" ) as UV",
        "end": "now"
      },
      "action": {},
      "display": {
        "fontColor": {
          "g": 255,
          "b": 255,
          "r": 255,
          "a": 1
        },
        "yPos": 0,
        "descriptionSize": 24,
        "width": 2,
        "fontSize": 32,
        "bgColor": {
          "g": 204,
          "b": 228,
          "r": 44,
          "a": 1
        },
        "unit": "",
        "height": 2,
        "unitSize": 14,
        "xPos": 2,
        "description": "",
        "showTitle": true,
        "xAxis": [
          "UV"
        ],
        "displayName": "UV"
      },
      "type": "number"
    },
    {
      "title": "actiontrail-dashboard-event-area",
      "search": {
        "topic": "",
        "logstore": "actiontrail_cloud_trail",
        "start": "-2592000s",
        "query": "__topic__: actiontrail_audit_event | select \"event.acsRegion\" as region, count(1 ) as cnt  group by region order by cnt DESC  limit 20",
        "end": "now"
      },
      "action": {},
      "display": {
        "yAxis": [
          "cnt"
        ],
        "yPos": 7,
        "height": 5,
        "xPos": 0,
        "legendPosition": "right",
        "width": 5,
        "pieType": "ring",
        "margin": [
          30,
          100,
          40,
          50
        ],
        "xAxis": [
          "region"
        ],
        "displayName": "事件区域分布"
      },
      "type": "pie"
    },
    {
      "title": "actiontrail-dashboard-event-type",
      "search": {
        "topic": "",
        "logstore": "actiontrail_cloud_trail",
        "start": "-2592000s",
        "query": "__topic__: actiontrail_audit_event | select \"event.eventType\" as event_type, count(1 ) as cnt  group by event_type order by cnt desc limit 20",
        "end": "now"
      },
      "action": {},
      "display": {
        "yAxis": [
          "cnt"
        ],
        "yPos": 12,
        "height": 5,
        "xPos": 0,
        "legendPosition": "right",
        "width": 5,
        "pieType": "ring",
        "margin": [
          30,
          100,
          40,
          50
        ],
        "xAxis": [
          "event_type"
        ],
        "displayName": "事件类型分布"
      },
      "type": "pie"
    },
    {
      "title": "actiontrail-dashboard-event-source",
      "search": {
        "topic": "",
        "logstore": "actiontrail_cloud_trail",
        "start": "-2592000s",
        "query": "__topic__: actiontrail_audit_event | select ip_to_country(\"event.sourceIpAddress\") as country, count(1 ) as PV  group by country",
        "end": "now"
      },
      "action": {},
      "display": {
        "yAxis": [
          "PV"
        ],
        "yPos": 2,
        "height": 5,
        "xPos": 0,
        "width": 5,
        "xAxis": [
          "country"
        ],
        "displayName": "事件来源分布"
      },
      "type": "world-map"
    },
    {
      "title": "actiontrail-dashboard-event-service-source",
      "search": {
        "topic": "",
        "logstore": "actiontrail_cloud_trail",
        "start": "-2592000s",
        "query": "__topic__: actiontrail_audit_event | select \"event.serviceName\" as service, count(1 ) as cnt  group by service order by cnt DESC  limit 20",
        "end": "now"
      },
      "action": {},
      "display": {
        "yAxis": [
          "cnt"
        ],
        "yPos": 7,
        "height": 5,
        "xPos": 5,
        "legendPosition": "right",
        "width": 5,
        "pieType": "ring",
        "margin": [
          30,
          100,
          40,
          50
        ],
        "xAxis": [
          "service"
        ],
        "displayName": "事件来源服务分布"
      },
      "type": "pie"
    },
    {
      "title": "actiontrail-dashboard-event-service-number",
      "search": {
        "topic": "",
        "logstore": "actiontrail_cloud_trail",
        "start": "-2592000s",
        "query": "__topic__: actiontrail_audit_event | select count(distinct \"event.serviceName\") as cnt",
        "end": "now"
      },
      "action": {},
      "display": {
        "fontColor": {
          "g": 255,
          "b": 255,
          "r": 255,
          "a": 1
        },
        "yPos": 0,
        "descriptionSize": 24,
        "width": 2,
        "fontSize": 32,
        "bgColor": {
          "g": 204,
          "b": 228,
          "r": 44,
          "a": 1
        },
        "unit": "",
        "height": 2,
        "unitSize": 14,
        "xPos": 4,
        "description": "",
        "showTitle": true,
        "xAxis": [
          "cnt"
        ],
        "displayName": "来源服务数"
      },
      "type": "number"
    },
    {
      "title": "actiontrail-dashboard-event-area-number",
      "search": {
        "topic": "",
        "logstore": "actiontrail_cloud_trail",
        "start": "-2592000s",
        "query": "__topic__: actiontrail_audit_event | select count(distinct \"event.acsRegion\") as cnt",
        "end": "now"
      },
      "action": {},
      "display": {
        "fontColor": {
          "g": 255,
          "b": 255,
          "r": 255,
          "a": 1
        },
        "yPos": 0,
        "descriptionSize": 24,
        "width": 2,
        "fontSize": 32,
        "bgColor": {
          "g": 204,
          "b": 228,
          "r": 44,
          "a": 1
        },
        "unit": "",
        "height": 2,
        "unitSize": 14,
        "xPos": 6,
        "description": "",
        "showTitle": true,
        "xAxis": [
          "cnt"
        ],
        "displayName": "来源区域数"
      },
      "type": "number"
    },
    {
      "title": "actiontrail-dashboard-pv-uv",
      "search": {
        "topic": "",
        "logstore": "actiontrail_cloud_trail",
        "start": "-2592000s",
        "query": "*  | select date_trunc('day', __time__) AS dt, count(1) as pv,  count(distinct \"event.sourceIpAddress\" ) as uv group by dt order by dt",
        "end": "now"
      },
      "action": {},
      "display": {
        "intervalArray": [],
        "yAxisRight": [],
        "yAxis": [
          "pv",
          "uv"
        ],
        "yPos": 2,
        "height": 5,
        "xPos": 5,
        "legendPosition": "right",
        "width": 5,
        "margin": [
          30,
          100,
          40,
          50
        ],
        "xAxis": [
          "dt"
        ],
        "displayName": "PV/UV趋势"
      },
      "type": "line"
    }
  ],
  "description": "",
  "dashboardName": "actiontrail_cloud_trail_dashboard",
  "attribute": {},
  "displayName": "操作审计报表"
}

相关阅读

《操作审计最佳实践》系列由阿里云操作审计团队出品,旨在向集团输出云上审计相关的业务知识和技术,更多相关内容可以查看下面的系列文章。

基础篇

• [操作审计最佳实践:操作日志查询-谁动了我的 NAT](https://developer.aliyun.com/article/773588?spm=a2c6h.13148508.0.0.57a34f0eyHKRLM
使用 SDK 创建跟踪并配置日志服务报表
• [操作审计最佳实践:将阿里云操作日志持续投递到您的 SLS/OSS](https://developer.aliyun.com/article/772258?spm=a2c6h.13148508.0.0.57a34f0eyHKRLM
使用 SDK 创建跟踪并配置日志服务报表
• [操作审计最佳实践:使用 Terraform 一键创建跟踪](https://developer.aliyun.com/article/773595?spm=a2c6h.13148508.0.0.57a34f0eyHKRLM
使用 SDK 创建跟踪并配置日志服务报表

进阶篇

[• 操作审计最佳实践:使用 SQL 分析投递到 OSS 中的操作审计日志](https://developer.aliyun.com/article/771478?spm=a2c6h.13148508.0.0.57a34f0eyHKRLM
使用 SDK 创建跟踪并配置日志服务报表
[• 操作审计最佳实践:在 SLS 中分析ActionTrail跟踪投递日志](https://developer.aliyun.com/article/773674?spm=a2c6h.13148508.0.0.57a34f0eyHKRLM
使用 SDK 创建跟踪并配置日志服务报表

上一篇:K8S有状态服务-动态云盘使用最佳实践


下一篇:监控异常操作频率并报警