Alibaba Cloud collector

[ 1 Configuration requirements ] [ 2 Overview ] [ 3 Devo collector features ] [ 4 Data sources ] [ 5 Vendor setup ] [ 6 Accepted authentication methods ] [ 7 Run the collector ] [ 8 Collector services detail ] [ 9 Collector operations ] [ 10 Change log ]

Configuration requirements

To run this collector, there are some configurations detailed below that you need to consider.

Configuration	Details

Configuration	Details
Access key ID and Secret ID	You will need to obtain the Access Key ID and Secret ID to configure this collector.
Create a Trail	You will need to create a single account trail.
Log store	You will need to create a log store in the ActionTrail console.

More information

Refer to the Vendor setup section to know more about these configurations.

Overview

A service that monitors and records the actions of your Alibaba Cloud account, including the access to and use of Alibaba Cloud services using the Alibaba Cloud Management Console, calling API operations, or SDKs.

Devo collector features

Feature	Details

Feature	Details
Allow parallel downloading (`multipod`)	`Not allowed`
Running environments	`Collector server` `On-premise`
Populated Devo events	`Table`
Flattening preprocessing	`No`

Data sources

Data Source	Description	API Endpoint	Collector service name	Devo Table	Available from release

Data Source	Description	API Endpoint	Collector service name	Devo Table	Available from release
ActionTrail	ActionTrail events, via API. Data of the last 90 days available.	`ActionTrail core SDK`	`actiontrail`	`cloud.alibaba.actiontrail.events`	`v1.0.0`
ActionTrail (Log Service)	ActionTrail events, using LogService. Ideal for a larger data volumes, and to store (and query) data for more than 90 days.	`Log Service SDK`	`actiontrail_log_service`	`cloud.alibaba.log_service.events`	`v1.0.0`
Access Log	Access Logs, using LogService. Ideal for a larger data volumes, and to store (and query) data for more than 90 days.	`Log Service SDK`	`access_log_service`	`cloud.alibaba.log_service.access_log`	`v1.2.0`
DB Log	DB Logs, using LogService. Ideal for a larger data volumes, and to store (and query) data for more than 90 days.	`Log Service SDK`	`db_log_service`	`cloud.alibaba.log_service.db_log`	`v1.2.0`
Internal Audit Log	Internal audit service Logs, using LogService. Ideal for a larger data volumes, and to store (and query) data for more than 90 days.	`Log Service SDK`	`internal_audit_service`	`cloud.alibaba.log_service.audit_service_log`	`v1.2.0`
SMQ	Message from Simple message queue.	`MNS SDK`	`smq`	`my.app.alibaba.smq`	`v.1.3.0`

For more information on how the events are parsed, visit our page.

Vendor setup

There are some minimal requirements to setup this collector:

A configured ActionTrail trail to query
A Log Store that contains Action Trail events - this is optional-.

Accepted authentication methods

The user must specify an Access Key ID and Secret ID for the account/RAM to authenticate with the ActionTrail API or Log Service API.

Authentication Method	Access Key ID	Access Key Secret

Authentication Method	Access Key ID	Access Key Secret
Access Key ID / Access Key Secret	status:REQUIRED	status:REQUIRED

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

Collector services detail

This section is intended to explain how to proceed with specific actions for services.

Events service

Once the collector has been launched, it is important to check if the ingestion is performed in a proper way. To do so, go to the collector’s logs console.

This service has the following components:

Component	Description

Component	Description
Setup	The setup module is in charge of authenticating the service and managing the token expiration when needed.
Puller	The setup module is in charge of pulling the data in a organized way and delivering the events via SDK.

Setup output

A successful run has the following output messages for the setup module:

2025-02-17T17:04:15.744    INFO InputProcess::MainThread -> ActionTrailStandardPuller(alibaba#12341,actiontrail#predefined) - Starting thread
2025-02-17T17:04:16.236    INFO InputProcess::ActionTrailPullerSetup(alibaba#12341,actiontrail#predefined) -> Setup for module <ActionTrailStandardPuller> has been successfully executed

Puller output

A successful initial run has the following output messages for the puller module:

Note that the PrePull action is executed only one time before the first run of the Pull action.

2025-02-17T17:04:16.798    INFO InputProcess::ActionTrailStandardPuller(alibaba#12341,actiontrail#predefined) -> Pull Started
2025-02-17T17:04:16.799    INFO InputProcess::ActionTrailStandardPuller(alibaba#12341,actiontrail#predefined) -> Retrieving timestamp (2025-02-17 11:34:16.792993+00:00) is greater than 2025-02-17 11:24:16.799492+00:00 (datetime.now() - 600 seconds). Setting end datetime to 2025-02-17 11:24:16.799492+00:00.
2025-02-17T17:04:16.799    INFO InputProcess::ActionTrailStandardPuller(alibaba#12341,actiontrail#predefined) -> Setting end_datetime to 2025-02-17 11:24:15.999999+00:00 (end of previous second to account for Alibaba time filtration granularity)
2025-02-17T17:04:17.321    INFO InputProcess::ActionTrailStandardPuller(alibaba#12341,actiontrail#predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1739792056792):Number of requests made: 1; Number of events received: 50; Number of duplicated events filtered out: 0; Number of events generated and sent: 50; Average of events per second: 95.624.
2025-02-17T17:04:17.683    INFO InputProcess::ActionTrailStandardPuller(alibaba#12341,actiontrail#predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1739792056792):Number of requests made: 2; Number of events received: 74; Number of duplicated events filtered out: 0; Number of events generated and sent: 74; Average of events per second: 83.660.
2025-02-17T17:04:17.687    INFO InputProcess::ActionTrailStandardPuller(alibaba#12341,actiontrail#predefined) -> Updating the persistence
2025-02-17T17:04:17.689    INFO InputProcess::ActionTrailStandardPuller(alibaba#12341,actiontrail#predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1739792056792):Number of requests made: 2; Number of events received: 74; Number of duplicated events filtered out: 0; Number of events generated and sent: 74; Average of events per second: 83.107.
2025-02-17T17:04:17.690    INFO InputProcess::ActionTrailStandardPuller(alibaba#12341,actiontrail#predefined) -> Statistics for this pull cycle (@devo_pulling_id=1739792056792):Number of requests made: 2; Number of events received: 74; Number of duplicated events filtered out: 0; Number of events generated and sent: 74; Average of events per second: 82.997.
2025-02-17T17:04:17.692    INFO InputProcess::ActionTrailStandardPuller(alibaba#12341,actiontrail#predefined) -> The data is up to date!
2025-02-17T17:04:17.694    INFO InputProcess::ActionTrailStandardPuller(alibaba#12341,actiontrail#predefined) -> Data collection completed. Elapsed time: 0.901 seconds. Waiting for 59.099 second(s) until the next one

After a successful collector’s execution (that is, no error logs found), you will see the following log message:

25-02-17T17:04:17.690    INFO InputProcess::ActionTrailStandardPuller(alibaba#12341,actiontrail#predefined) -> Statistics for this pull cycle (@devo_pulling_id=1739792056792):Number of requests made: 2; Number of events received: 74; Number of duplicated events filtered out: 0; Number of events generated and sent: 74; Average of events per second: 82.997.

The value @devo_pulling_id is injected in each event to group all events ingested by the same pull action. You can use it to get the exact events downloaded in that Pull action in Devo’s search window.

This collector uses persistent storage to download events in an orderly fashion and avoid duplicates. In case you want to re-ingest historical data or recreate the persistence, you can restart the persistence of this collector by following these steps:

Edit the configuration file.
Change the value of the initial_start_time_in_utc parameter to a different one.
Save the changes.
Restart the collector.

The collector will detect this change and will restart the persistence using the parameters of the configuration file or the default configuration in case it has not been provided.

Note that this action clears the persistence and cannot be recovered in any way. Resetting persistence could result in duplicate or lost events.

Collector operations

This section is intended to explain how to proceed with specific operations of this collector.

To check the memory usage of this collector, look for the following log records in the collector which are displayed every 5 minutes by default, always after running the memory-free process.

The used memory is displayed by running processes and the sum of both values will give the total used memory for the collector.
The global pressure of the available memory is displayed in the global value.
All metrics (Global, RSS, VMS) include the value before freeing and after previous -> after freeing memory

2025-02-17T17:10:55.263    INFO OutputProcess::MainThread -> [GC] global: 61.2% -> 61.3%, process: RSS(77.11MiB -> 77.73MiB), VMS(2.09GiB -> 2.09GiB)
2025-02-17T17:10:55.294    INFO InputProcess::MainThread -> [GC] global: 61.3% -> 61.3%, process: RSS(77.61MiB -> 78.31MiB), VMS(2.16GiB -> 2.16GiB)

Differences between RSS and VMS memory usage:

RSS is the Resident Set Size, which is the actual physical memory the process is using
VMS is the Virtual Memory Size which is the virtual memory that process is using

This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.

ErrorType	Error Id	Error Message	Cause	Solution

ErrorType	Error Id	Error Message	Cause	Solution
InitVariablesError	1	`Datetime format is not present in module globals.`	The datetime format is not provided	Contact the developer with exact error message.
InitVariablesError	2	`initial_start_time_in_utc is not set as per the datetime_format : {datetime_format}`	The date in config is not as per required format	Ensure the date format is correct.
InitVariablesError	3	`Date {initial_start_time_str} is in the future`	The date in config is greater than current time	Ensure the datetime is less than current time
SetupError	100	`Failed to build authentication. Reason str(e)`	Issue while creating authentication.	Check the credentials, and service_name. Contact the developer with exact error message.
SetupError	101	`Authentication test failed. Reason str(e)`	Data is not pullable with given credentials.	Check the credentials. Contact the developer with exact error message.
PullError	300	`Error during pull: str(e)`	Alibaba actiontrail events puller is failing.	Contact the developer with exact error message.
PullError	301	`Error during pull: str(e)`	Alibaba log service puller is failing	Contact the developer with exact error message.

Change log

Release	Released on	Release type	Details	Recommendations

Release	Released on	Release type	Details	Recommendations
`v.1.3.0`	Mar 17, 2025	status:IMPROVEMENTS status:Feature	Improvements: Updated DCSDK from 1.14.0 to 1.15.0 Upgraded dcsdk-docker-base-image to 1.4.1 Added: Added new smq service.	`Recommended version`
`v1.2.0`	Feb 21, 2025	status:IMPROVEMENTS status:FEATURE status:BUG FIXES	Improvements: Improved error handling related to incompatible response for actiontrail log service Updated DCSDK from 1.7.2 to 1.14.0 Refactor codebase to align with collector template standards Added metadata to collector definition Improved schema validation Restructured puller classes Restructured internal configuration Upgraded pip dependencies to latest version Upgraded dcsdk-docker-base-image to 1.4.0 Fixed: Fixed unexpected PullError in actiontrail log service for missing eventVersion Added: Added new services Access_log_service Db_log_service Internal_audit_service Added unittests
`v1.1.0`	Jun 1, 2023	status:IMPROVEMENTS	Improvements: Improved log retrieval speed by moving from time-based pagination to cursor/shard-based pagination. Updated DCSDK from 1.5.1 to 1.7.2 Added a lock to enhance sender object Added new class attrs to the setstate and getstate queue methods Fix sending attribute value to the setstate and getstate queue methods Added log traces when queues are full and have to wait Added log traces of queues time waiting every minute in debug mode Added method to calculate queue size in bytes Block incoming events in queues when there are no space left Send telemetry events to Devo platform Upgraded internal Python dependency Redis to v4.5.4 Upgraded internal Python dependency DevoSDK to v5.1.3 Fixed obfuscation not working when messages are sent from templates New method to figure out if a puller thread is stopping Upgraded internal Python dependency DevoSDK to v5.0.6 Improved logging on messages/bytes sent to Devo platform Fixed wrong bytes size calculation for queues New functionality to count bytes sent to Devo Platform (shown in console log) Upgraded internal Python dependency DevoSDK to v5.0.4 Fixed bug in persistence management process, related to persistence reset Aligned source code typing to be aligned with Python 3.9.x Inject environment property from user config Obfuscation service can be now configured from user config and module definiton Obfuscation service can now obfuscate items inside arrays	`Updated`
`v1.0.0`	Nov 30, 2022	status:NEW FEATURE	New features: Ingestion of Actiontrail events. This is a service that monitors and records the actions of your Alibaba Cloud account, including the access to and use of Alibaba Cloud services using the Alibaba Cloud Management console, calling API operations, or SDKs. These are the services provided by this collector to read Actiontrail events: `actiontrail` is a service to fetch all the Actiontrail events from a single account, using the standard API. Events up to 90 days can be pulled using this method. If greater retention is required, go to the next service using LogService. `actiontrail_log_service` is a service to fetch all the Actiontrail events stored in a Log Store. It is recommended to use this service for higher volumes.	`-`

Devo latest