Using the create-trail
command to create a trail
You can run the create-trail
command to create trails that are
specifically configured to meet your business needs. When using the AWS CLI, remember that
your commands run in the AWS Region configured for your profile. If you want to run
the commands in a different Region, either change the default Region for your profile,
or use the --region parameter with the command.
Creating a trail that applies to all Regions
To create a trail that applies to all Regions, use the
--is-multi-region-trail
option. By default, the
create-trail
command creates a trail that logs events only in the
AWS Region where the trail was created. To ensure that you log global service
events and capture all management event activity in your AWS account, you should
create trails that log events in all AWS Regions.
Note
When you create a trail, if you specify an Amazon S3 bucket that was not created with CloudTrail, you need to attach the appropriate policy. See Amazon S3 bucket policy for CloudTrail.
The following example creates a trail with the name
my-trail
and a tag with a key named
Group
with a value of
Marketing
that delivers logs from all Regions to an
existing bucket named amzn-s3-demo-bucket
.
aws cloudtrail create-trail --name
my-trail
--s3-bucket-nameamzn-s3-demo-bucket
--is-multi-region-trail --tags-list [key=Group,value=Marketing]
To confirm that your trail exists in all Regions, the
IsMultiRegionTrail
element in the output shows
true
.
{ "IncludeGlobalServiceEvents": true, "Name": "
my-trail
", "TrailARN": "arn:aws:cloudtrail:us-east-2
:123456789012
:trail/my-trail
", "LogFileValidationEnabled": false, "IsMultiRegionTrail": true, "IsOrganizationTrail": false, "S3BucketName": "amzn-s3-demo-bucket
" }
Note
Use the start-logging
command to start logging for your
trail.
Start logging for the trail
After the create-trail
command completes, run the
start-logging
command to start logging for that trail.
Note
When you create a trail with the CloudTrail console, logging is turned on automatically.
The following example starts logging for a trail.
aws cloudtrail start-logging --name
my-trail
This command doesn't return an output, but you can use the
get-trail-status
command to verify that logging has
started.
aws cloudtrail get-trail-status --name
my-trail
To confirm that the trail is logging, the IsLogging
element in
the output shows true
.
{ "LatestDeliveryTime": 1441139757.497, "LatestDeliveryAttemptTime": "2015-09-01T20:35:57Z", "LatestNotificationAttemptSucceeded": "2015-09-01T20:35:57Z", "LatestDeliveryAttemptSucceeded": "2015-09-01T20:35:57Z", "IsLogging": true, "TimeLoggingStarted": "2015-09-01T00:54:02Z", "StartLoggingTime": 1441068842.76, "LatestDigestDeliveryTime": 1441140723.629, "LatestNotificationAttemptTime": "2015-09-01T20:35:57Z", "TimeLoggingStopped": "" }
Creating a single-Region trail
The following command creates a single-Region trail. The specified Amazon S3 bucket must already exist and have the appropriate CloudTrail permissions applied. For more information, see Amazon S3 bucket policy for CloudTrail.
aws cloudtrail create-trail --name
my-trail
--s3-bucket-nameamzn-s3-demo-bucket
The following is example output.
{ "IncludeGlobalServiceEvents": true, "Name": "
my-trail
", "TrailARN": "arn:aws:cloudtrail:us-east-2
:123456789012
:trail/my-trail
", "LogFileValidationEnabled": false, "IsMultiRegionTrail": false, "IsOrganizationTrail": false, "S3BucketName": "amzn-s3-demo-bucket
" }
Creating a trail that applies to all Regions and that has log file validation enabled
To enable log file validation when using create-trail
, use the
--enable-log-file-validation
option.
For information about log file validation, see Validating CloudTrail log file integrity.
The following example creates a trail that delivers logs from all Regions to the
specified bucket. The command uses the --enable-log-file-validation
option.
aws cloudtrail create-trail --name
my-trail
--s3-bucket-nameamzn-s3-demo-bucket
--is-multi-region-trail --enable-log-file-validation
To confirm that log file validation is enabled, the
LogFileValidationEnabled
element in the output shows
true
.
{ "IncludeGlobalServiceEvents": true, "Name": "
my-trail
", "TrailARN": "arn:aws:cloudtrail:us-east-2
:123456789012
:trail/my-trail
", "LogFileValidationEnabled": true, "IsMultiRegionTrail": true, "IsOrganizationTrail": false, "S3BucketName": "amzn-s3-demo-bucket
" }