This section describes how to query records matching a specified characteristic and to perform security analysis on records of operations to check whether the operations are performed by authorized users.
You have enabled CTS and the tracker is normal. For details about how to enable CTS, see Enabling CTS.
The following steps take the creation and deletion of EVS disks in the last two weeks as an example:
- Log in to the management console using the administrator account.
- Click in the upper left corner and select a region and project.
- Click Service List and choose Management & Deployment > Cloud Trace Service.
- Choose Trace List in the navigation pane on the left.
- On the trace list page, click Filter. In the displayed box, specify Trace Source, Resource Type, and Search By, and click Query to query the specified traces.
For example, you can select EVS for Trace Source, evs for Resource Type, and Trace name for Search By, select createVolume or deleteVolume in the right text box, and click Query to query all creation or deletion operations performed on EVS in the last seven days.
- Choose Tracker from the left pane to switch to the Tracker page and obtain the OBS bucket name.
- Download traces generated in the last seven days or all traces. For details, see Querying Archived Traces.
- In the trace files, search traces using keywords createVolume or deleteVolume.
- Obtain information about the user who performs the operation from the results in 5 and 8. Check whether the user performs any unauthorized operation or any operation that does not conform to the security operation rules.