user guide...cloud trace service user guide contents issue 09 (2018-01-15) ii contents 1 overview 1...

Cloud Trace Service

User Guide

Issue 09

Date 2018-01-15

Cloud Trace Service

User Guide Contents

Issue 09 (2018-01-15) ii

Contents

1 Overview ......................................................................................................................................... 1

1.1 Basic Concepts.............................................................................................................................................................. 1

1.1.1 Cloud Trace Service ................................................................................................................................................... 1

1.1.2 Trackers ..................................................................................................................................................................... 1

1.1.3 Traces ......................................................................................................................................................................... 1

1.1.4 Trace Lists .................................................................................................................................................................. 2

1.1.5 Trace Files .................................................................................................................................................................. 2

1.1.6 Region ........................................................................................................................................................................ 3

1.1.7 Project ........................................................................................................................................................................ 3

1.2 How CTS Functions ..................................................................................................................................................... 4

1.3 Application Scenarios ................................................................................................................................................... 4

1.4 Supported Services ....................................................................................................................................................... 5

1.4.1 Computing ................................................................................................................................................................. 5

1.4.2 Network ..................................................................................................................................................................... 9

1.4.3 Storage ..................................................................................................................................................................... 11

1.4.4 Management & Deployment .................................................................................................................................... 13

1.4.5 Application ............................................................................................................................................................... 16

1.4.6 Database ................................................................................................................................................................... 18

1.4.7 Enterprise Application ............................................................................................................................................. 18

1.4.8 Data Analysis ........................................................................................................................................................... 20

1.5 Accessing CTS ............................................................................................................................................................ 21

2 Getting Started............................................................................................................................. 22

2.1 Enabling CTS ............................................................................................................................................................. 22

2.2 Querying Real-Time Traces ........................................................................................................................................ 23

2.3 Querying Archived Traces .......................................................................................................................................... 24

3 Management ................................................................................................................................. 26

3.1 Modifying a Tracker ................................................................................................................................................... 26

3.2 Disabling or Enabling a Tracker ................................................................................................................................. 27

3.3 Deleting a Tracker ....................................................................................................................................................... 27

4 CTS Application Examples ....................................................................................................... 29

4.1 Security Auditing ........................................................................................................................................................ 29

4.2 Fault Locating ............................................................................................................................................................. 30

Cloud Trace Service

User Guide Contents

Issue 09 (2018-01-15) iii

4.3 Resource Tracing ........................................................................................................................................................ 31

5 CTS Trace Reference .................................................................................................................. 32

5.1 Trace Structure ............................................................................................................................................................ 32

5.2 Trace Examples ........................................................................................................................................................... 34

6 FAQs .............................................................................................................................................. 37

6.1 Can Multiple Trackers Be Created for One Tenant? ................................................................................................... 37

6.2 Which Type of Information Is Displayed on the Trace List? ...................................................................................... 37

6.3 Can Information Be Deleted from the Trace List? ...................................................................................................... 37

6.4 Which Users May Require CTS? ................................................................................................................................ 37

6.5 How Long Can Trace Files Be Retained? ................................................................................................................... 38

6.6 What Will Happen If I Have Enabled CTS But Have Not Configured a Correct Policy for the OBS Bucket? .......... 38

6.7 Does CTS Support Authentication of Keywords of Trace Files? ................................................................................ 38

6.8 Does Enabling CTS Affect the Performance of Other Cloud Resources? .................................................................. 38

6.9 Why Are Fields IP, code, request, response, and message of Some Traces Displayed on the View Trace Page Null?38

6.10 Why Is the Resource ID of Some Traces in the Trace List a Hyperlink? .................................................................. 39

6.11 Why Do Some Operation Records Occur Twice in the Trace List? .......................................................................... 39

6.12 Why Is user_account/op_service Displayed When I Filter Traces by Operator? ...................................................... 39

6.13 Which Type of OBS Buckets Is Suitable for CTS to Store Traces, Standard Storage, Low-Frequent Access Storage,

or Archived Storage? ........................................................................................................................................................ 39

A Change History ........................................................................................................................... 40

Cloud Trace Service

User Guide 1 Overview

Issue 09 (2018-01-15) 1

1 Overview

1.1 Basic Concepts

1.1.1 Cloud Trace Service

The log audit module is a core component necessary for information security audit and an

important of information system security risk management and control for enterprises and

organizations. As the information system is migrating to the cloud, information and data

security management departments around the world have released multiple standards, such

as ISO IEC27000, GB/T 20945-2013, COSO, COBIT, ITIL, and NISTSP800.

Cloud Trace Service (CTS) is a log audit service intended for cloud security. It allows you to

collect, store, and query cloud resource operation records and use these records for security

analysis, compliance auditing, resource tracking, and fault locating.

CTS provides the following functions:

Log recording: CTS records operations performed on the management console or by

calling APIs, as well as operations triggered by each cloud service.

Log query: Operation records of the last seven days can be queried on the management

console from multiple dimensions, such as trace source, trace name, operation type,

resource name, resource ID, and time.

Log dumping: Logs are delivered to the Object Storage Service (OBS) buckets at a

regular basis for long time storage. In the process, logs are changed to trace files and

classified by service.

1.1.2 Trackers

A tracker is automatically created after CTS is enabled. This tracker automatically identifies

and associates with all cloud services enabled by the current tenant, and records all operations

by the tenant.

Only one tracker can be created for each tenant.

1.1.3 Traces

Traces are operations logs of cloud service resources that are captured and stored by CTS.

You can view these traces to see a history of the operations performed by a specific user on

specific resources.

Cloud Trace Service


Issue 09 (2018-01-15) 2

There are two types of traces:

Real-time trace

An operation record generated during the last seven days

Archived trace

A historical operation record that has been stored in an OBS bucket

1.1.4 Trace Lists

A trace list displays details about the operations that have been performed by a tenant, such as

creating, modifying, and deleting cloud service resources. It contains all of the traces that

were generated during the last seven days.

1.1.5 Trace Files

Trace files are collections of traces that CTS automatically generates by service and dump

interval. These trace files are simultaneously delivered to the OBS buckets you have

specified.

Generally, all traces of a single service generated during a dump interval are compressed to

one trace file. However, if there are a large number of traces, the system will adjust the

number of traces contained in each trace file as needed.

Traces files are in JSON format. Figure 1-1 shows an example of a trace file.

Cloud Trace Service


Issue 09 (2018-01-15) 3

Figure 1-1 Trace file example

For details about how to obtain trace files, see section 2.3 Querying Archived Traces. For

details about key fields in the structure of a trace, see section 5.1 Trace Structure.

1.1.6 Region

A region refers to the geographic area where the server for installing CTS is located. AZs in

the same geographic area can communicate with each other through the internal network.

Public cloud data centers (DCs) are scattered in different regions around the world, for

example, North America, Europe, and Asia. Enabling CTS in different regions makes

applications more user-friendly or meets laws or other requirements of different areas.

1.1.7 Project

A project is used to group and isolate OpenStack resources, including computing, storage, and

network resources. Multiple projects can be created under one account, and a project may be a

department or a project team.

Cloud Trace Service


Issue 09 (2018-01-15) 4

1.2 How CTS Functions

CTS interconnects directly with other cloud services and records the operations performed on

cloud resources by cloud tenants and operation results in real time. It stores records in the

form of trace files to an OBS bucket.

Before enabling CTS, you must enable OBS. After CTS is enabled, the associated tracker can

track the generated trace files and store them in OBS buckets.

You can perform two types of operations on a trace file:

Trace file creation and storage

− When adding, deletion, or modification operations are performed in services interconnected with CTS, such as Elastic Cloud Server (ECS), Elastic Volume Service (EVS), and Image Management Service (IMS), the operations and their results will be automatically recorded and then delivered in the form of traces to CTS for archiving.

− Operation records of the last seven days are displayed on the CTS console and are periodically delivered to the OBS bucket that you define for long-term storage.

Trace file query

− You can query operation records of the last seven days on the Trace List page by filters, including time.

− To query operation records earlier than seven days, you can download the trace files stored in the OBS buckets.

− You can enable, disable, delete, or a tracker on the Tracker page.

For example, if you create an image using the IMS service, the IMS service will report

the image creation to CTS which will then deliver the trace to the OBS bucket for

storage. You can view a trace file on the trace list. Figure 1-2 shows how CTS functions.

Figure 1-2 How CTS functions

1.3 Application Scenarios

CTS is mainly used in the following scenarios:

Compliance auditing

Cloud Trace Service


Issue 09 (2018-01-15) 5

CTS allows you to query all operation records for security control. This is essential for

enterprises and organizations, especially financial and payment enterprises, to obtain the

certification, such as PCI DSS, GB/T 24589.1, and COSO.

Resource tracking

By using CTS, you can search for resources and track operations on and changes to any

cloud resources during their lifecycle, as well as the source and result of each operation

or change, to better use resources.

Fault locating

When a cloud resource becomes faulty, you can use traces generated by CTS to quickly

find out the suspicious operation causing the fault and its result, greatly reducing the

time and labor costs on locating and rectifying the fault.

Security analysis

Enterprises and organizations can specify the scope of risky operations or key operations

based on their requirements, and periodically view the operator, time and IP address of

each operation request to which attention must be paid for security analysis.

1.4 Supported Services

1.4.1 Computing

Elastic Cloud Server (ECS)

An ECS is a computing server that consists of CPUs, memory, images, and EVS disks,

and that allows on-demand allocation and elastic scaling. ECS integrates virtual private

cloud (VPC), virtual firewall, and multi-data-copy capabilities to construct an efficient,

reliable, and secure computing environment. It ensures that your services are stable and

can run continuously.

With CTS, you can record operations associated with ECSs for later query, audit, and

backtrack operations.

Table 1-1 ECS operations that can be recorded by CTS

Operation Resource Type Trace Name

Creating an ECS ecs createServer

Deleting an ECS ecs deleteServer

Operating an ECS ecs serverActions

Adding NICs to an ECS ecs addNic

Deleting NICs from an ECS ecs deleteNic

Attaching EVS disks to an ECS ecs attachVolume

Detaching EVS disks from an

ECS

ecs detachVolume

Reinstalling the OS ecs reinstallOs

Changing the OS ecs changeOs

Cloud Trace Service


Issue 09 (2018-01-15) 6


Modifying ECS specifications ecs resizeServer

Adding the automatic recovery tag

to VM

ecs addAutoRecovery

Deleting the automatic recovery

tag to VM

ecs deleteAutoRecovery

Deleting a security group rule ecs deleteSgRule

Creating a security group rule ecs createSgRule

Deleting a floating IP address ecs deleteFloatingIp

Creating a floating IP address ecs createFloatingIp

Updating a security group ecs updateSecurityGroup

Creating a security group ecs createSecurityGroup

Image Management Service (IMS)

IMS provides simple and convenient image management. You can use a public or private

image to create an ECS. You can also create a private image using an existing ECS or an

external image file.

With CTS, you can record operations associated with IMS for later query, audit, and


Table 1-2 IMS operations that can be recorded by CTS


Creating an image ims createImage

Modifying an image ims updateImage

Deleting images in batches ims deleteImage

Adding a member ims addMember

Modifying image members

in batches

ims updateMember

Deleting image members

in batches

ims deleteMember

Bare Metal Server (BMS)

BMSs are dedicated physical servers for individual tenants. BMSs provide remarkable

computing performance and stability required by core applications. In addition, BMSs

can be combined flexibly with other cloud services, such as VPC, boasting both the

stability of the traditional host service and the high elasticity of cloud resources.

With CTS, you can record operations associated with BMS for later query, audit, and backtrack operations.

Cloud Trace Service


Issue 09 (2018-01-15) 7

Table 1-3 BMS operations that can be recorded by CTS


Creating a BMS bms createBareMetalServers

Deleting a BMS bms deleteBareMetalServers

Starting a BMS bms startBareMetalServers

Stopping a BMS bms stopBareMetalServers

Restarting a BMS bms rebootBareMetalServers

Attaching a data volume

to a BMS

bms attachDataVolume

Detaching a data volume

from a BMS

bms detachDataVolume

Auto Scaling (AS)

AS automatically adjusts compute resources based on your service requirements and AS

policies you have configured to ensure that the number of ECSs increases or decreases as

the service load changes over time and that services are running properly.

With CTS, you can record operations associated with AS for later query, audit, and


Table 1-4 AS operations that can be recorded by CTS


Creating an AS group scaling_group createScalingGroup

Modifying an AS group scaling_group modifyScalingGroup

Deleting an AS group scaling_group deleteScalingGroup

Enabling an AS group scaling_group enableScalingGroup

Disabling an AS group scaling_group disableScalingGroup

Creating an AS

configuration

scaling_configuration createScalingConfiguration

Deleting an AS

configuration

scaling_configuration deleteScalingConfiguration

Deleting AS

configurations in batches scaling_configuration batchDeleteScalingConfiguratio

n

Creating an AS policy scaling_policy createScalingPolicy

Modifying an AS policy scaling_policy modifyScalingPolicy

Deleting an AS policy scaling_policy deleteScalingPolicy

Enabling an AS policy scaling_policy enableScalingPolicy

Cloud Trace Service


Issue 09 (2018-01-15) 8


Disabling an AS policy scaling_policy disableScalingPolicy

Executing an AS policy scaling_policy executeScalingPolicy

Removing instances from

an AS group

scaling_instance removeInstance

Removing instances in

batches

scaling_instance batchRemoveInstances

Adding instances in

batches

scaling_instance batchAddInstances

Cloud Container Engine (CCE)

CCE is a platform for developing, deploying, and managing containerized applications.

CCE provides a cost-efficient way to roll out new containerized applications anywhere

and at any time, shortening their time to market (TTM).

With CTS, you can record operations associated with CCE for later query, audit, and


Table 1-5 CCE operations that can be recorded by CTS


Uploading a certificate aksk uploadAKSK

Creating a cluster cluster_cce createCluster

Upgrading a cluster cluster_cce upgradeCluster

Updating a cluster cluster_cce updateCluster

Deleting a cluster cluster_cce deleteCluster

Creating a node node createNode

Deleting a node node deleteNode

Creating a template component createComponent

Updating a template component updateComponent

Deleting a template component deleteComponent

Creating an application app createApp

Updating an application app updateApp

Rolling back an

application

app rollBackApp

Deleting an application app deleteApp

Creating an application

using a blueprint

app createAppByBlueprint

Cloud Trace Service


Issue 09 (2018-01-15) 9


Creating a blueprint blueprint createBlueprint

Deleting a blueprint blueprint deleteBlueprint

Updating a blueprint blueprint updateBlueprint

Renaming a blueprint blueprint renameBlueprint

Validating a blueprint blueprint validateBlueprint

Deleting junk images image garbageCollectImage

Deleting a specified

image

image deleteImage

Deleting a tag image image deleteTagImage

Updating the description

of an image

image updateImageDesc

Creating a policy policy createPolicy

Updating a policy policy updatePolicy

Deleting a policy policy deletePolicy

Enabling a policy policy enablePolicy

Disabling a policy policy disablePolicy

Creating a periodic or

scheduled policy

scaling_policy_cce createScalingPolicy

Deleting a periodic or

scheduled policy

scaling_policy_cce deleteScalingPolicy

1.4.2 Network

Virtual Private Cloud (VPC)

VPC lets you provision logically isolated, configurable, and manageable virtual networks

for ECSs, improving the security of your resources in the cloud and simplifying network

deployment.

With CTS, you can record operations associated with VPC for later query, audit, and


Table 1-6 VPC operations that can be recorded by CTS


Modifying the bandwidth bandwidth modifyBandwidth

Creating an EIP eip createEip

Releasing an EIP eip deleteEip

Cloud Trace Service


Issue 09 (2018-01-15) 10


Binding an EIP eip bindEip

Unbinding an EIP eip unbindEip

Creating a private IP

address

privateIps createPrivateIp

Deleting a private IP

address

privateIps deletePrivateIp

Creating a security group security_group createSecurityGroup

Modifying Object Groups security_group modifySecurityGroup

Creating a subnet subnet createSubnet

Deleting a subnet subnet deleteSubnet

Modifying a subnet subnet modifySubnet

Creating a VPC vpc createVpc

Deleting a VPC vpc deleteVpc

Modifying a VPC vpc modifyVpc

Creating a VPN vpn createVpn

Deleting a VPN vpn deleteVpn

Modifying a VPN vpn modifyVpn

Elastic Load Balance (ELB)

ELB automatically distributes access traffic among multiple ECSs to balance their

service loads. It improves your applications' fault tolerance and expands their service

capabilities.

With a web-based console, you can create load balancers, configure the ports required

for listening, and add backend ECSs for load balancers. ELB helps eliminate single

points of failure (SPOFs), improving availability of the whole system.

With CTS, you can record operations associated with ELB for later query, audit, and


Table 1-7 ELB operations that can be recorded by CTS


Configuring access logs Access Log ConfigureAccess Log

Creating a certificate certificate createcertificate

Updating a certificate certificate updatecertificate

Deleting a certificate certificate deletecertificate

Creating a health check healthmonitor createHealthmonitor

Cloud Trace Service


Issue 09 (2018-01-15) 11


task

Updating a health check

task

healthmonitor updateHealthmonitor

Deleting a health check

task

healthmonitor deleteHealthmonitor

Creating a forwarding

policy

l7policy createL7policy

Updating a forwarding

policy

l7policy updateL7policy

Deleting a forwarding

policy

l7policy deleteL7policy

Creating a forwarding rule l7rule createL7rule

Updating a forwarding rule l7rule updateL7rule

Deleting a forwarding rule l7rule deleteL7rule

Creating a listener listener createListener

Updating a listener listener updateListener

Deleting a listener listener deleteListener

Creating a load balancer loadbalancer createLoadbalancer

Updating a load balancer loadbalancer updateLoadbalancer

Deleting a load balancer loadbalancer deleteLoadbalancer

Adding a backend ECS member createMember

Updating a backend ECS member updateMember

Removing a backend ECS member deleteMember

Creating a backend ECS

group

pool createPool

Updating a backend ECS

group

pool updatePool

Deleting a backend ECS

group

pool deletePool

1.4.3 Storage

Elastic Volume Service (EVS)

An EVS disk is a type of virtual block storage device that is based on the distributed

architecture and can elastically scale up or down. EVS disks can be operated online. Using them is similar to using common server hard disks. Compared with common

Cloud Trace Service


Issue 09 (2018-01-15) 12

server hard disks, EVS disks have higher data reliability and I/O throughput capabilities.

They are also easier to use. EVS disks apply to file systems, databases, or system

software or other applications that require block storage devices.

With CTS, you can record operations associated with EVS disks for later query, audit,

and backtrack operations.

Table 1-8 EVS operations that can be recorded by CTS


Creating an EVS disk evs createVolume

Updating an EVS disk evs updateVolume

Expanding EVS disk

capacity

evs extendVolume

Deleting an EVS disk evs deleteVolume

Volume Backup Service (VBS)

Volume Backup Service (VBS) provides snapshot-based data protection for EVS disks

on ECSs in the public cloud environment. VBS supports both full and incremental

backups. By default, the system performs a full backup initially, and then performs

incremental backups. You can use those data backups generated in either backup mode to

restore EVS disks to the state they were in when the backup was created.

With CTS, you can record operations associated with VBS backups for later query, audit,


Table 1-9 VBS operations that can be recorded by CTS


Creating a VBS backup vbs bksCreateBackup

Deleting a VBS backup vbs bksDeleteBackup

Restoring a VBS backup vbs bksRestoreBackup

Binding a backup policy autobackup addPolicyResource

Unbinding a backup policy autobackup deletePolicyResource

Executing a backup policy autobackup actionPolicy

Creating a backup policy autobackup createPolicy

Deleting a backup policy autobackup deletePolicy

Modifying a backup policy autobackup modifyPolicy

Creating backups

scheduled by a backup

policy

autobackup schedulecreateBackup

Automatically deleting

redundant backups autobackup scheduledeleteBackup

Cloud Trace Service


Issue 09 (2018-01-15) 13


scheduled by a backup

policy

Object Storage Migration Service (MaaS)

MaaS enables you to migrate object storage on other cloud platforms to the OBS service.

The migration operations are simple. Users can use the console to create automatic

migration tasks or manually perform migration tasks.

With CTS, you can record operations associated with MaaS for later query, audit, and


Table 1-10 MaaS operations that can be recorded by CTS


Creating a task migrationTask createTask

Deleting a task migrationTask deleteTask

Starting a task migrationTask startTask

Stopping or suspending a

task

migrationTask stopTask

1.4.4 Management & Deployment

Cloud Trace Service (CTS)

CTS provides records of operations on cloud service resources. With CTS, you can query,

audit, and backtrack operations.

With CTS, you can record operations associated with CTS itself for later query, audit,


Table 1-11 CTS operations that can be recorded by itself


Creating a tracker tracker createTracker

Modifying a tracker tracker updateTracker

Disabling a tracker tracker updateTracker

Enabling a tracker tracker updateTracker

Deleting a tracker tracker deleteTracker

Cloud Eye (CES)

CES is an open monitoring platform. It provides monitoring, alarm reporting, and alarm

notification for your resources in near-real time.

Cloud Trace Service


Issue 09 (2018-01-15) 14

With CTS, you can record operations associated with CES for later query, audit, and


Table 1-12 CES operations that can be recorded by CTS


Creating an alarm rule alarm_rule createAlarmRule

Modifying an alarm rule alarm_rule updateAlarmRule

Enabling an alarm rule alarm_rule enableAlarmRule

Disabling an alarm rule alarm_rule disableAlarmRule

Deleting an alarm rule alarm_rule deleteAlarmRule

Changing the alarm rule status

to alarm

alarm_rule alarmStatusChangeToAlarm

(The Trace Name is alarm in

versions earlier than 1.3.0.)


to ok

alarm_rule alarmStatusChangeToOk

(The Trace Name is ok in

versions earlier than 1.3.0.)


to insufficientData

alarm_rule alarmStatusChangeToInsufficient

Data

(The Trace Name is

insufficientData in versions

earlier than 1.3.0.)

Identity and Access Management (IAM)

IAM enables you to centrally manage authentication information, including your

authenticated email, phone number, and password. When you invoke an interface to

apply for an ECS, manage cloud resources, or log in to the public cloud platform in

multi-tenant mode, you can query the required project ID, AK/SK, and username in real

time.

With CTS, you can record operations associated with IAM for later query, audit, and


Table 1-13 IAM operations that can be recorded by CTS


Creating an agency agency createAgency

Deleting an agency agency deleteAgency

Modifying agency information agency updateAgency

Updating the login policy domain updateSecurityPolicies

Updating the password policy domain updatePasswordPolicies

Updating the access control domain updateACLPolicies

Cloud Trace Service


Issue 09 (2018-01-15) 15


list (ACL)

Updating the security warning

policy

domain updateWarningPolicies

Creating a domain domain createDomain

Creating an identity provider

(IDP)

identityProvider createIdentityProvider

Deleting an IDP identityProvider deleteIdentityProvider

Modifying an IDP identityProvider updateIdentityProvider

Updating the IDP metadata identityProvider updateMetadata

Updating the preset IDP

metadata

identityProvider updateSystemMetaConfigure

User login user login

User logout user logout

Resetting the login password user changePassword

Creating a user user createUser

Deleting a user user deleteUser

Modifying a user user updateUser

Creating an AK/SK user addCredential

Deleting an AK/SK user deleteCredential

Changing the email address user modifyUserEmail

Changing the mobile phone

number

user modifyUserMobile

Changing the password user modifyUserPassword

Enabling the two-factor

authentication for login

user modifySMVerify

Uploading a user picture user modifyUserPicture

Modifying latch user modifyLatchVerify

Modifying mc user modifyMCConnectVerify

Setting the user password user setPasswordByAdmin

Switching user roles user switchRole

Creating a user group userGroup createUserGroup

Deleting a user group userGroup deleteUserGroup

Modifying a user group userGroup updateUserGroup

Cloud Trace Service


Issue 09 (2018-01-15) 16


Creating a project project createProject

Updating a project project updateProject

Freezing a project project suspendProject

Canceling project deletion project cancelProjectDeletion

IAM is a global-level service and IAM traces are only displayed for the central region of the current site.

Tag Management Service (TMS)

Tag Management Service (TMS) is a visualized service for fast, unified tag management

that enables you to control your resource permissions and billing more efficiently. It

allows you to tag and categorize cloud services across regions, and it can be accessed

through the TMS console or using APIs.

With CTS, you can record operations associated with TMS for later query, audit, and


Table 1-14 TMS operations that can be recorded by CTS


Creating or deleting a

predefined tag

application addTag/deleteTag

Modifying a predefined tag application modifyTag

Creating or deleting a

resource tag

application addResourceTage/deleteResourc

eTag

TMS is a global-level service and TMS traces are only displayed for the central region of the current

site.

1.4.5 Application

Simple Message Notification (SMN)

SMN enables you to easily publish, maintain, and send notifications on the cloud

platform.

In SMN, deleting a topic will delete all subscription information associated with the topic, and the

subscription information deletion operation will not be recorded by CTS.

With CTS, you can record operations associated with SMN for later query, audit, and


Table 1-15 SMN operations that can be recorded by CTS


Cloud Trace Service


Issue 09 (2018-01-15) 17


Creating a topic topic createTopic

Deleting a topic topic deleteTopic

Updating a topic topic updateTopic

Updating attributes of a

topic

topic updateTopicAttribute

Deleting all topic

attributes

topic deleteTopicAttributes

Deleting a specified topic

attribute

topic deleteTopicAttributeByName

Adding a subscription subscription subscribe

Deleting a subscription subscription unsubscribe

Creating a message

template message_template createMessageTemplate

Creating message

templates in batches

message_template batchCreateMessageTemplate

Modifying a message

template

message_template updateMessageTemplate

Deleting a message

template

message_template deleteMessageTemplate

Creating an SMS

signature

sms createSmsSign

Deleting an SMS

signature

sms deleteSmsSign

Updating an SMS

message event

sms updateSmsEvent

Distributed Message Service (DMS)

DMS is a Kafka-based and high-performance message service that allows multi-user and

concurrent access and message queue isolation.

With CTS, you can record operations associated with DMS for later query, audit, and


Table 1-16 DMS operations that can be recorded by CTS


Creating a queue queue createQueue

Deleting a queue queue deleteQueue

Creating a group group createGroup

Cloud Trace Service


Issue 09 (2018-01-15) 18


Deleting a group group deleteGroup

1.4.6 Database

Distributed Cache Service (DCS)

DCS is an online distributed database service that is based on the cloud computing

platform, available immediately after it is enabled, stable and reliable, scalable online,

and easy to manage.

With CTS, you can record operations associated with DCS for later query, audit, and


Table 1-17 DCS operations that can be recorded by CTS


Creating a DCS instance

(on-demand)

DCS createDCSInstance

Creating a DCS instance

(duration-based)

DCS createDCSInstance

Modifying information about

a DCS instance

DCS modifyDCSInstanceInfo

Deleting a DCS instance DCS deleteDCSInstance

Modifying configuration of a

DCS instance

DCS modifyDCSInstanceConfig

Changing the status of a DCS

instance

DCS startDCSInstance\closeDCSInstance\

restartDCSInstance

Changing the name of a DCS

instance DCS modifyDCSInstancePassword

1.4.7 Enterprise Application

Workspace

Workspace is a cloud computing–based desktop service that is superior to traditional

desktop services. Workspace supports access by various devices, including PCs running

Windows or Mac, iPad, iPhone, and Android smart devices. It enables you to access,

store, and obtain files and applications anywhere and at any time, that is, mobile working

and entertainment. Workspace provides configuration similar to a traditional desktop,

including vCPU, GPU, memory, disks, and Windows. You can use it in the same way

you use a PC.

With CTS, you can record operations associated with Workspace for later query, audit,


Cloud Trace Service


Issue 09 (2018-01-15) 19

Table 1-18 Workspace operations that can be recorded by CTS


Updating the status of a

cloud service

workspace updateDesktopMetadata

Order a desktop workspace orderVm

Restarting a VM workspace rebootDesktop

Stopping a VM workspace shutdownDesktop

Starting a VM workspace startDesktop

Deleting a VM workspace deleteDesktop

Updating the status of a

desktop

workspace updateDesktopStatus

Deleting user information workspace deleteUser

Exporting user

information

workspace exportUserInfo

Unlocking a user workspace unlockUser

Resetting a password workspace resetUserPassword

Downloading a user

template

workspace downloadUserModel

Deleting an on-demand

task

workspace deleteJob

Applying for modifying

the password (the domain

user)

workspace updateDomainUserPassword

Synchronizing the

resource tenants (Identity

and Access Management)

workspace synIamResourceTenant

Updating the policy

group

workspace updatePolicy

Enabling Workspace workspace openService

Changing the domain

password

workspace updateAdPwd

Disabling Workspace workspace tenantClose

Retrying failed

Workspace enabling and

disabling tasks

workspace tenantRetryServiceTask

Restoring the

infrastructure VM

workspace restoreManagerVmBackup

Modifying the desktop workspace modifyDesktopAttributes

Cloud Trace Service


Issue 09 (2018-01-15) 20


attributes

Updating the domain

name

workspace updateRecordSet

1.4.8 Data Analysis

MapReduce Service (MRS)

MRS is a data processing and analysis service that is based on a cloud computing

platform. It is stable, reliable, scalable, and easy to manage.

With CTS, you can record operations associated with MRS for later query, audit, and


Table 1-19 MRS operations that can be recorded by CTS


Creating a cluster cluster createCluster

Deleting a cluster cluster deleteCluster

Expanding a cluster cluster scaleOutCluster

Downsizing a cluster cluster scaleInCluster

Data Pipeline Service (DPS)

DPS helps you move data among different services and convert data formats. With DPS,

you can predefine the data processing task, execution sequence task, and scheduling plan.

DPS can process complex data according to predefined tasks.

With CTS, you can record operations associated with DPS for later query, audit, and


Table 1-20 DPS operations that can be recorded by CTS


Creating a pipeline pipeline createPipeline

Deleting a pipeline pipeline deletePipeline

Editing a pipeline pipeline putPipelineDefinition

Verifying a pipeline pipeline validatePipelineDefinition

Starting a pipeline pipeline activatePipeline

Stopping a pipeline pipeline deactivatePipeline

Starting a pipeline pipeline schedulePipeline

Restoring a pipeline pipeline restorePipeline

Cloud Trace Service


Issue 09 (2018-01-15) 21


Stopping a pipeline pipeline stopSchedulePipeline

Terminating pipeline

scheduling

pipeline endSchedulePipeline

Verifying the user status pipeline customerVerifiedStatus

Submitting a pipeline

order

pipeline orderPeriodicPipeline

Setting a quota certificate setQuotas

1.5 Accessing CTS

A web-based service management console is provided for you to access CTS. If you have

registered on the public cloud platform, log in to the management console and click Cloud

Trace Service under Management & Deployment.

Cloud Trace Service

User Guide 2 Getting Started

Issue 09 (2018-01-15) 22

2 Getting Started

2.1 Enabling CTS

Scenarios

A tracker will be automatically created after CTS is enabled. All traces recorded by CTS are

associated with a tracker. Currently, only one tracker can be created for each tenant.

Trace files need to be stored in the OBS bucket. Therefore, before enabling CTS, you must

enable OBS first and have full permissions of the OBS bucket you are to use. By default, only

the owner of an OBS bucket has access to the bucket and the objects in it, but the owner can

grant other services and users access to the OBS bucket by configuring the access policy.

The tracker created in a multi-project scenario can only track resources under current projects.

If tracking cloud resources under another project is required, you need to create a tracker

under the project.

This section describes how to enable CTS.

Prerequisites

OBS has been enabled.

Procedure

1. Log in to the management console.

2. Click in the upper left corner of the management console and select the region and

project.

3. Click and select Cloud Trace Service under Management & Deployment.

4. Click Tracker in the left pane.

5. Click Enable CTS.

6. Specify , OBS Bucket, and File Prefix. Table 2-1 lists the parameters.

Table 2-1 Parameter description

Parameter Description Example Value

Cloud Trace Service


Issue 09 (2018-01-15) 23

Parameter Description Example Value

OBS Bucket Name of the OBS bucket in which trace files are to

be stored

buckert-00

1

File Prefix Used for identifying the logs stored in the OBS

bucket. This parameter is optional. The value is a

string of 0–64 characters, and can contain

uppercase and lowercase letters, digits, hyphens

(-), underscores (_), and dots (.). If a tracker is

created, a value will be generated automatically in

the same way as you specify the value manually.

N/A

7. Click OK.

After CTS is enabled, you can view details of the established trackers on the Tracker page.

2.2 Querying Real-Time Traces

Scenarios

After CTS is enabled, the tracker starts recording operations on cloud resources. Operation

records for the last seven days can be viewed on the CTS console.

This section describes how to query operation records of the last seven days on the CTS

console.

Procedure



project.


4. Click Trace List in the left pane.

5. Specify the filters used for querying traces. The following four filters are available:

− Trace Source, Resource Type, and Search By

Select the filter from the drop-down list.

When you select Trace name for Search By, you also need to select a specific trace

name.

When you select Resource ID for Search By, you also need to select or enter a

specific resource ID.

When you select Resource name for Search By, you also need to select or enter a

specific resource name.

− Operator: Select a specific operator (a user other than tenant).

− Trace Rating: Available options include All trace status, normal, warning, and

incident. You can only select one of them.

Cloud Trace Service


Issue 09 (2018-01-15) 24

− Start time and end time: You can specify the time period to query traces.

6. Click on the left of a trace to expand its details.

7. Click View Trace in the Operation column. In the displayed View Trace dialog box,

the trace structure details are displayed.

For details about the key fields in the CTS trace structure, see sections 5.1 Trace

Structure and 5.2 Trace Examples.

2.3 Querying Archived Traces

Scenarios

CTS stores the recorded traces in the form of trace files to an OBS bucket in real time. Trace

files are collections of traces that CTS automatically generates by service and dump interval.

CTS adjusts the number of traces contained in a trace file as the service load changes.

This section describes how to obtain historical operation records from the trace files

downloaded from the OBS bucket.

Procedure



project.



5. Click the OBS bucket name in the OBS Bucket column. You are redirected to the

Manage Objects page on the OBS console that contains the OBS bucket.

6. Select the target trace. Choose OBS bucket name > CloudTraces > Region > Year >

Month > Day > Service type directory. Click Download in the Operation column to

download the trace file to the default path. To download the trace file to a customized

path, click Download As.

− The trace file storage path is as follows:

OBS bucket name > CloudTraces > Region > Year > Month > Day > Service type

directory

An example is User Define > CloudTraces > region > 2016 > 5 > 19 > ECS.

− The trace file naming format is as follows:

Operation trace file prefix_CloudTrace_Region_/Region-projectTime when the log

was uploaded to OBS: year-month-dayThour-minute-secondZ_Character randomly

generated.json.gz

An example is File

Prefix_CloudTrace_region_2016-05-30T16-20-56Z_21d36ced8c8af71e.json.gz.

The OBS bucket name and trace file prefix are user-defined, and other parameters are automatically

generated.

For details about the key fields in the CTS trace structure, see sections 5.1 Trace

Structure and 5.2 Trace Examples.

Cloud Trace Service


Issue 09 (2018-01-15) 25

7. Extract a JSON file with the same name as the downloaded trace file shown in Figure

2-1 and open the JSON file using a text file editor to view the trace logs.

Figure 2-1 JSON file extracted from the downloaded trace file

Cloud Trace Service

User Guide 3 Management

Issue 09 (2018-01-15) 26

3 Management

3.1 Modifying a Tracker

Scenarios

This section describes how to modify the OBS bucket or file prefix of a created tracker on the

Cloud Trace Service console. If you modify the OBS bucket in the tracker, CTS will

automatically add a policy to the new OBS bucket so that trace files can be delivered to the

new OBS bucket for storage. If you modify the operation trace file prefix in the tracker, the

OBS policy will not be affected. After the modification is complete, the system will

immediately start recording operations under the new rule.

This section describes how to modify the tracker configuration.

Prerequisites

You have created a tracker for CTS.

Procedure



project.



5. Click Modify in the Operation column. You can specify an existing OBS bucket for

storing trace files, or rename File Prefix.

6. Click OK.

After the tracker configuration is modified, you can view its new configuration on the

Tracker page.

Traces recorded by CTS are periodically delivered to the OBS bucket for storage. If you change the OBS

bucket for a tracker, traces generated during the current period (generally several minutes) will be

delivered to the new OBS bucket. For example, if the current period is from 12:00 to 12:05 and you

change the OBS bucket for the tracker at 12:02, traces received from 12:00 to 12:02 will be delivered to

the new OBS bucket at 12:05 for storage.

Cloud Trace Service


Issue 09 (2018-01-15) 27

3.2 Disabling or Enabling a Tracker

Scenarios

You can disable a created tracker on the Cloud Trace Service console. After the tracker is

disabled, the system will stop recording operations, but you can still view operation records

that have been recorded.

This section describes how to disable a tracker.

Prerequisites


Procedure



project.



5. Click Disable in the Operation column.

6. Click OK.

7. After the tracker is disabled, Disable in the Operation column changes to Enable. To

enable the tracker again, click Enable. In the displayed dialog box, click OK. The

system will start recording operations again.

3.3 Deleting a Tracker

Scenarios

This section describes how to delete a created tracker on the Cloud Trace Service console.

Deleting the tracker has no impact on the operation records that have been generated. When

you enable CTS again, you can view operation records that have been generated.

This section describes how to delete the tracker.

Prerequisites


Procedure



project.


Cloud Trace Service


Issue 09 (2018-01-15) 28


5. Click Delete in the Operation column.

6. Click OK.

Cloud Trace Service

User Guide 4 CTS Application Examples

Issue 09 (2018-01-15) 29

4 CTS Application Examples

4.1 Security Auditing

Scenarios

This section describes how to query records matching a specified characteristic and to

perform security analysis on the records to check whether the operations are performed by

authorized users.

Prerequisites

CTS has been enabled and the tracker is normal. For details about how to enable CTS, see

section 2.1 Enabling CTS.

Procedure

The following steps take the creation and deletion of EVS disks during the last two weeks as

an example.

1. Log in to the management console using the administrator account.


project.



5. On the trace list page, click Filter. In the displayed box, specify Trace Source,

Resource Type, and Search By, and click Query to query the specified traces. For

example, you can select EVS for Trace Source, evs for Resource Type, and Trace

Name and createVolume (or deleteVolume) for Search By, and click Query to query

all the EVS creation (or deletion) operations.

6. Click Tracker in the left pane to switch to the Tracker page and obtain the OBS bucket

name.

7. Download archived or all trace files by following the instructions in section 2.3 Querying

Archived Traces.

8. In the trace files, search traces using keywords createVolume and deleteVolume.

Cloud Trace Service


Issue 09 (2018-01-15) 30

9. Obtain information about the user who performs the operation from the results in steps 5

and 8. Check whether the user performs any unauthorized operation or operation that

does not conform to the security operation rules.

4.2 Fault Locating

Scenarios

If a specified resource or an operation encounters an exception, you can query operation

records for the resource in the specified time period and view the request and response, which

may support fault locating.

Prerequisites



Procedure

The following steps take the locating of an ECS fault after it occurred on one morning as an

example.



project.




Resource Type, and Search By, and click Query.

For example, you can select ECS for Trace Source, ecs for Resource Type, and Resource ID and ID of

the faulty VM for Search By, and set the time range to 06:00 to 12:00 at a certain date.

6. Check the query result. Pay special attention to the request type and response of each

trace, and traces whose Trace Status is warning or incident and traces whose response

showed a failure.

The following steps use the fault locating after an ECS creation task fails as an example.



project.



5. Specify the filter based on the failed ECS creation task. For example, you can select

ECS for Trace Source, ecs for Resource Type, and warning for Trace Status to query

the operation trace named createSingleServer.

6. Locate the fault based on the error code or error message in the trace.

Cloud Trace Service


Issue 09 (2018-01-15) 31

4.3 Resource Tracing

Scenarios

This section describes how to view operation records for any cloud resource in its life cycle

and how to check the operation details.

Prerequisites



Procedure

The following steps take the records of operations on an ECS as an example.



project.




Resource Type, and Search By, and click Query to query the specified traces.

For example, you can select ECS for Trace Source, ecs for Resource Type, and Resource ID and ID of

the faulty ECS for Search By, and click Query to query traces of the last seven days.

6. Click Tracker in the left pane to switch to the Tracker page and obtain the OBS bucket

name.

7. Download archived or all trace files by following the instructions in section 2.3 Querying

Archived Traces.

8. Check the operation and change records of the ECS in the results of steps 5 and 7.

Cloud Trace Service

User Guide 5 CTS Trace Reference

Issue 09 (2018-01-15) 32

5 CTS Trace Reference

5.1 Trace Structure

Table 5-1 provides the key fields used by CTS to mark each operation trace.

Formats of some fields displayed on the management console are optimized so that you can

understand them easily.

This section describes the key fields of traces displayed on the management console.

Table 5-1 Key fields of traces

Field Mandatory Type Description

time Yes Date Time when a trace occurred

The value is the local standard time

(GMT+local time zone), for

example, 12/08/2016 11:24:04

GMT+08:00. This field is

transmitted and stored in the form

of a timestamp. It is the total

number of milliseconds from

00:00:00 on January 1, 1970

(UTC), or 08:00:00 on January 1,

1970 (CST) to the current time.

user Yes Structure Cloud account used to perform an

operation

This field is displayed in the

Operator column on the Trace

List page.

This field is transmitted and stored

in the API in the form of a string.

request No Structure Content requested by an operation



response No Structure Response to the request by an

operation

Cloud Trace Service


Issue 09 (2018-01-15) 33




service_type Yes String Operation source

resource_type Yes String Resource type

resource_name No String Resource name

resource_id No String Unique resource ID

source_ip Yes String IP address of the user that performs

an operation

The value of this parameter is

empty if the operation is triggered

by the system.

trace_name Yes String Operation name

trace_status Yes String Trace level

The value can be All trace status,

normal, warning, or incident.

trace_type Yes String Operation type

There are three types of operations:

ConsoleAction: operations

performed on the management

console

SystemAction: operations triggered

by the system

ApiCall: operations triggered by

invoking ApiGateway.

api_version No String API version of the cloud service on

which an operation is performed

message No Structure Supplementary information

record_time Yes Number Record time (time stamp) of an

operation

trace_id Yes String Unique operation ID

code No Number Trace HTTP return code, for

example, 200 or 400

request_id No String Record the ID of the request.

location_info No String Additional information required for

fault locating after a request

recording error occurs

endpoint No String Endpoint of the page that displays

details of cloud resources involved

in this operation

Cloud Trace Service


Issue 09 (2018-01-15) 34


resource_url No String Access link (excluding the

endpoint) of the page that displays

details of cloud resources involved

in this operation

5.2 Trace Examples

This section provides pages of two example traces collected by CTS to help you understand

the trace information. You can understand traces of other services in the similar way.

For details about the fields in a trace file, see section 5.1 Trace Structure.

Create an ECS

{

"time": "12/01/2016 11:07:28 GMT+08:00",

"user": {

"name": "aaa/op_service",

"id": "f2fe9fac63414a35a7d03108d5f1ea73",

"domain": {

"name": "aaa",

"id": "1f9b9ba51f6b4061bd5c1736b28469f8"

}

},

"request": {

"server": {

"name": "as-config-15f1_XWO68TFC",

"imageRef": "b2b2c7dc-bbb0-4d6b-81dd-f0904023d54f",

"flavorRef": "m1.tiny",

"personality": [],

"vpcid": "e4c374b9-3675-482c-9b81-4acd59745c2b",

"nics": [

{

"subnet_id": "fff89132-88d4-4e5b-9e27-d9001167d24f",

"nictype": null,

"ip_address": null,

"binding:profile": null,

"extra_dhcp_opts": null

}

],

"adminPass": "********",

"count": 1,

"metadata": {

"op_svc_userid": "26e96eda18034ae9a44130bacb967b96"

},

"availability_zone": "az1.dc1",

"root_volume": {

"volumetype": "SATA",

"extendparam": {

"resourceSpecCode": "SATA"

Cloud Trace Service


Issue 09 (2018-01-15) 35

},

"size": 40

},

"data_volumes": [],

"security_groups": [

{

"id": "dd597fd7-d119-4994-a22c-891fcfc54be1"

}

],

"key_name": "KeyPair-3e51"

}

},

"response": {

"status": "SUCCESS",

"entities": {

"server_id": "42d39b4a-19b7-4ee2-b01b-a9f1353b4c54"

},

"job_id": "4010b39d58b855980158b8574b270018",

"job_type": "createSingleServer",

"begin_time": "2016-12-01T03:04:38.437Z",

"end_time": "2016-12-01T03:07:26.871Z",

"error_code": null,

"fail_reason": null

},

"service_type": "ECS",

"resource_type": "ecs",

"resource_name": "as-config-15f1_XWO68TFC",

"resource_id": "42d39b4a-19b7-4ee2-b01b-a9f1353b4c54",

"source_ip": "",

"trace_name": "createSingleServer",

"trace_status": "normal",

"trace_type": "SystemAction",

"api_version": "1.0",

"record_time": "12/01/2016 11:07:28 GMT+08:00",

"trace_id": "4abc3a67-b773-11e6-8412-8f0ed3cc97c6"

}

Key fields in the preceding information are as follows:

time: indicates the time when the trace occurred. In this example, the time is 11:07:28 on

December 1.

user: indicates the user who performs the operation. In this example, the user is aaa

(name field) under the enterprise account aaa (domain field).

request: indicates the request to create an ECS. It contains some basic information about

the ECS, such as name (as-config-15f1_XWO68TFC) and resource ID

(e4c374b9-3675-482c-9b81-4acd59745c2b).

response: indicates the response to the ECS creation request. It contains status (Success

in this example), error_code (null in this example), and fail_reason (null in this

example).

Create an EVS Disk

{

"time": "12/01/2016 11:24:04 GMT+08:00",

"user": {

Cloud Trace Service


Issue 09 (2018-01-15) 36

"name": "aaa",

"id": "26e96eda18034ae9a44130bacb967b96",

"domain": {

"name": "aaa",

"id": "1f9b9ba51f6b4061bd5c1736b28469f8"

}

},

"request": "",

"response": "",

"service_type": "EVS",

"resource_type": "evs",

"resource_name": "volume-39bc",

"resource_id": "229142c0-2c2e-4f01-a1b4-2dfdf1c678c7",

"source_ip": "10.146.230.124",

"trace_name": "deleteVolume",

"trace_status": "normal",

"trace_type": "ConsoleAction",

"api_version": "1.0",

"record_time": ""12/01/2016 11:24:04 GMT+08:00",

"trace_id": "c529254f-bcf5-11e6-a89a-7fc778a6c92c"

}

Key fields in the preceding information are as follows:

time: indicates the time when the trace occurred. In this example, the time is 11:24:04 on

December 1.

user: indicates the user who performs the operation. In this example, the user is aaa

(name field) under the enterprise account aaa (domain field).

request: optional. It is null in this example.

response: optional. It is null in this example.

trace_status: indicates the level of the trace. It can replace the response field in

indicating the operation result. In this example, the value is normal, indicating that the

operation is successful.

Cloud Trace Service

User Guide 6 FAQs

Issue 09 (2018-01-15) 37

6 FAQs

6.1 Can Multiple Trackers Be Created for One Tenant?

Currently, only one tracker can be created for each tenant.

6.2 Which Type of Information Is Displayed on the Trace List?

The trace list displays details about operations, such as creation, modification, and deletion of

cloud service resources, in your account. The trace list does not record information about

query operations.

6.3 Can Information Be Deleted from the Trace List?

This operation is not allowed. According to the regulations of SAC/TC and international

information and data security management departments, logs used for auditing must be

objective, comprehensive, and accurate. For this reason, the deletion and modification

functions are not provided.

6.4 Which Users May Require CTS?

All cloud users should enable CTS.

From the perspective of policies and industry standards, CTS is essential to information

security audit. It is also important to information system security risk control of

enterprises and organizations, and necessary for many industry standards and audit

specifications.

In terms of application, you can use CTS to accurately locate all operations when the

problem occurs. This narrows the fault locating scope, shortens the fault locating time,

and reduces labor costs.

Cloud Trace Service

User Guide 6 FAQs

Issue 09 (2018-01-15) 38

6.5 How Long Can Trace Files Be Retained?

By default, trace files of the last seven days can be retained on the management console.

Archived trace files stored in the OBS bucket can be permanently retained.

6.6 What Will Happen If I Have Enabled CTS But Have Not Configured a Correct Policy for the OBS Bucket?

In this case, CTS will deliver trace files based on the existing OBS bucket policy. If the policy

is incorrectly configured, CTS cannot deliver trace files to the OBS bucket.

If an OBS bucket has been deleted or encounters an exception, an error message will be

displayed on the management console. In this case, you can choose to create an OBS bucket

or reconfigure the access permissions of the OBS bucket. For detailed operations, see section

"Bucket Management" in the Object Storage Service User Guide.

6.7 Does CTS Support Authentication of Keywords of Trace Files?

Yes. The following fields must be included: time, service_type, resource_type, trace_name,

trace_status, and trace_type. Other fields are defined by different services.

6.8 Does Enabling CTS Affect the Performance of Other Cloud Resources?

Enabling CTS will not affect the performance of other cloud resources.

6.9 Why Are Fields IP, code, request, response, and message of Some Traces Displayed on the View Trace Page Null?

This is because these fields are not mandatory in CTS.

IP: If SystemAction is selected for Trace Type, the operation is triggered by the system.

It is normal that the content of the IP field is left blank.

request, response, and code: The three fields indicate the request content, request result,

and HTTP return code of an operation. In some cases, these fields are empty or have no

service meaning. Therefore, they are left blank based on actual situations.

message: This is a reserved field. Additional information of other cloud services will be

added in this field when necessary. It is normal that it is left blank.

Cloud Trace Service

User Guide 6 FAQs

Issue 09 (2018-01-15) 39

6.10 Why Is the Resource ID of Some Traces in the Trace List a Hyperlink?

For ECS, EVS, VBS, IMS, AS, CES, and VPC, you can click Resource ID of some traces to

go to the resource details page of the corresponding service. Resource ID of these traces is a

hyperlink. More traces will be supported in the future.

6.11 Why Do Some Operation Records Occur Twice in the Trace List?

For an asynchronously invoked trace, two records with the same trace name, resource type,

and resource name will be generated. In the trace list, two records are displayed for the same

trace, for example, the deleteDesktop trace of Workspace. The two records are associated, but

have different content because they are not invoked at the same time. Details are as follows:

The first record contains the request of a user to perform an operation.

The second record contains the response to the user request and operation result, and is

usually several minutes later than the first record.

The two records together indicate the operation result.

6.12 Why Is user_account/op_service Displayed When I Filter Traces by Operator?

If you submit a request that involves operations requiring high permissions or invocation of

other services, you may not have the required permissions. In this case, your permissions will

be elevated temporarily on condition that security requirements are met. Your permissions

will be resumed after the request is processed, but the permissions elevation will be recorded

in CTS logs and the operation user is recorded as user_account/op_service.

6.13 Which Type of OBS Buckets Is Suitable for CTS to Store Traces, Standard Storage, Low-Frequent Access Storage, or Archived Storage?

You must select a standard OBS bucket because CTS needs to frequently access the OBS

bucket that stores traces.

Cloud Trace Service

User Guide A Change History

Issue 09 (2018-01-15) 40

A Change History

Release Date What's New

2018-01-15 This is the ninth official release,

which added the following content:

Description that only standard storage

buckets can be selected for dumping

traces

2017-08-30 This is the eighth official release, which

incorporates the following changes:

Added section 1.1.6 Region.

Added section 1.1.7 Project.

Added the step of selecting the desired

region and project.

Added DCS.

2017-07-27 This is the seventh official release, which

incorporates the following change:

Interconnected CTS with Object Storage

Migration Service.

2017-03-30 This issue is the sixth official release, which


Interconnected with Cloud Container

Engine (CCE).

Interconnected with Distributed Message

Service (DMS).

Interconnected with Workspace.

Interconnected with MapReduce Service

(MRS).

2017-02-27 This issue is the fifth official release, which


Optimized filtering of traces and

modified the description in section 2.2

Querying Real-Time Traces.

Cloud Trace Service

User Guide A Change History

Issue 09 (2018-01-15) 41

Release Date What's New

Modified the description of the user

field in section 5.1 Trace Structure.

2017-02-08 This issue is the fourth official release,

which incorporates the following changes:

Optimized filtering of traces and

modified the description in section 2.2

Querying Real-Time Traces.

Added the description of the trace

delivery period in section3.1 Modifying

a Tracker.

Added the description perspective in

section 5 CTS Trace Reference and

optimized descriptions of some fields of

traces.

2017-02-03 This issue is the third official release, which


Added section 6.11 Why Do Some

Operation Records Occur Twice in the

Trace List?to provide a description of

the asynchronous operation scenarios.

Added the description: The subscription

information deletion operation in the

topic deletion operation in the SMN

service is not recorded by CTS.

Modified the description in section 2.1

Enabling CTS to: The tracker records

operations on cloud resources performed

by the tenant used to create the tracker.

Modified descriptions of parameters

user, request, and response in section

5.1 Trace Structure.

2017-01-20 This issue is the second official release,

which incorporates the following changes:

Allowed CTS to interconnect with ELB

and VBS.

Added redirection to the resource page

of the VBS and IMS console through the

hyperlink in the Resource ID column on

the Trace List page.

2016-12-30 This issue is the first official release.

user guide...cloud trace service user guide contents issue 09 (2018-01-15) ii contents 1 overview 1...

Documents