

# Create a trail to log management events
<a name="tutorial-trail"></a>

For your first trail, we recommend creating a trail that logs all [management events](cloudtrail-concepts.md#cloudtrail-concepts-management-events) and does not log any [data events](cloudtrail-concepts.md#cloudtrail-concepts-data-events) or Insights events. Examples of management events include security events such as IAM `CreateUser` and `AttachRolePolicy` events, resource events such as `RunInstances` and `CreateBucket`, and many more. You will create an Amazon S3 bucket where you will store the log files for the trail as part of creating the trail in the CloudTrail console.

**Note**  
AWS Control Tower sets up a new CloudTrail trail logging management events when you set up a landing zone. It is an organization-level trail, which means that it logs all management events for the management account and all member accounts in the organization. For more information, see [About logging in AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/about-logging.html) in the *AWS CloudTrail User Guide*.  
This tutorial assumes you are creating your first trail. Depending on the number of trails you have in your AWS account, and how those trails are configured, the following procedure might or might not incur expenses. CloudTrail stores log files in an Amazon S3 bucket, which incurs costs. For more information about pricing, see [AWS CloudTrail Pricing](https://aws.amazon.com/cloudtrail/pricing/) and [Amazon S3 Pricing](https://aws.amazon.com/s3/pricing/).

**To create a trail**

1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail/](https://console.aws.amazon.com/cloudtrail/).

1. In the **Region** selector, choose the AWS Region where you want your trail to be created. This is the home Region for the trail.
**Note**  
The home Region is the only AWS Region where you can update the trail after it is created.

1. On the CloudTrail service home page, the **Trails** page, or the **Trails** section of the **Dashboard** page, choose **Create trail**.

1. In **Trail name**, give your trail a name, such as *management-events*. As a best practice, use a name that quickly identifies the purpose of the trail. In this case, you're creating a trail that logs management events.

1. Leave the default setting for **Enable for all accounts in my organization**. You can't change this option unless you have accounts configured in AWS Organizations.

1. For **Storage location**, choose **Create new S3 bucket** to create a bucket. When you create a bucket, CloudTrail creates and applies the required bucket policies. If you choose to create a new S3 bucket, your IAM policy needs to include permission for the `s3:PutEncryptionConfiguration` action because by default server-side encryption is enabled for the bucket. Give your bucket a name that makes it easy to identify.

   To make it easier to find your logs, create a new folder (also known as a *prefix*) in an existing bucket to store your CloudTrail logs.
**Note**  
The name of your Amazon S3 bucket must be globally unique. For more information, see [Bucket naming rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html) in the *Amazon Simple Storage Service User Guide*.

1. Clear the check box to disable **Log file SSE-KMS encryption**. By default, your log files are encrypted with SSE-S3 encryption. For more information about this setting, see [Using server-side encryption with Amazon S3 managed keys (SSE-S3)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html).

1. Leave default settings in **Additional settings**.

1. Leave the default settings for **CloudWatch Logs**. For now, do not send logs to Amazon CloudWatch Logs.

1. (Optional) In **Tags**, you can add up to 50 tag key pairs to help you identify, sort, and control access to your trail. Tags can help you identify your CloudTrail trails and other resources, such as the Amazon S3 buckets that contain CloudTrail log files. For example, you could attach a tag with the name **Compliance** and the value **Auditing**.
**Note**  
Though you can add tags to trails when you create them in the CloudTrail console, and you can create an Amazon S3 bucket to store your log files in the CloudTrail console, you cannot add tags to the Amazon S3 bucket from the CloudTrail console. For more information about viewing and changing the properties of an Amazon S3 bucket, including adding tags to a bucket, see [https://docs.aws.amazon.com/AmazonS3/latest/userguide/view-bucket-properties.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/view-bucket-properties.html) in the *Amazon Simple Storage Service User Guide*.

   When you are finished creating tags, choose **Next**.

1. On the **Choose log events** page, select event types to log. For this trail, keep the default, **Management events**. In the **Management events** area, choose to log both **Read** and **Write** events, if they are not already selected. Leave the check boxes for **Exclude AWS KMS events** and **Exclude Amazon RDS Data API events** empty, to log all management events.  
![\[The Create trail page, Event type settings\]](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/images/cloudtrail-create-trail-event-type.png)

1. Leave default settings for **Data events**, **Insights events**, and **Network activity events**. This trail will not log any data events, Insights events, or network activity events. Choose **Next**.

1. On the **Review and create** page, review the settings you've chosen for your trail. Choose **Edit** for a section to go back and make changes. When you are ready to create your trail, choose **Create trail**.

1. The **Trails** page shows your new trail in the table. Note that the trail is set to **Multi-region trail** by default, and that logging is turned on for the trail by default.  
![\[The Create trail page, Event type settings\]](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/images/cloudtrail-create-trail-done.png)

For more information about trails, see [Working with CloudTrail trails](cloudtrail-trails.md).

# View your log files
<a name="tutorial-trail-logs"></a>

Within an average of about 5 minutes of creating your first trail, CloudTrail delivers the first set of log files to the Amazon S3 bucket for your trail. You can look at these files and learn about the information they contain.

**Note**  
CloudTrail typically delivers logs within an average of about 5 minutes of an API call. This time is not guaranteed. Review the [AWS CloudTrail Service Level Agreement](https://aws.amazon.com/cloudtrail/sla) for more information.  
If you misconfigure your trail (for example, the S3 bucket is unreachable), CloudTrail attempts to redeliver the log files to your S3 bucket for 30 days, and those delivery attempts are subject to standard CloudTrail charges. To avoid charges on a misconfigured trail, delete the trail.

**To view your log files**

1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail/](https://console.aws.amazon.com/cloudtrail/).

1. In the navigation pane, choose **Trails**. On the **Trails** page, find the name of the trail you just created (in the example, *management-events*).

1. In the row for the trail, choose the value for the S3 bucket.

1. The Amazon S3 console opens and shows two folders for the bucket: `CloudTrail-Digest` and `CloudTrail`. Choose the **CloudTrail** folder to view the log files.

1. If you created a multi-Region trail, there is a folder for each AWS Region. Choose the folder for the AWS Region where you want to review log files. For example, if you want to review the log files for the US East (Ohio) Region, choose **us-east-2**.  
![\[An Amazon S3 bucket for a trail, showing the structure for log files in AWS Regions\]](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/images/cloudtrail-trail-bucket-1.png)

1. Navigate the bucket folder structure to the year, the month, and the day where you want to review logs of activity in that Region. In that day, there are a number of files. The names of the files begin with your AWS account ID and end with the extension `.gz`. For example, if your account ID is *123456789012*, you would see files with names similar to this: `123456789012_CloudTrail_us-east-2_20240512T0000Z_EXAMPLE.json.gz`.

   To view these files, you can download them, decompress them, and then view them in a plain-text editor or a JSON file viewer. Some browsers also support viewing .gz and JSON files directly. We recommend using a JSON viewer, as it makes it easier to parse the information in CloudTrail log files.
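As an added example (not code from this guide), the following Python script shows what you can do with these files once downloaded: it splits a log object name into its account, Region and timestamp parts, decompresses the `.json.gz` body, and pulls out the IAM write events the introduction mentions, such as `CreateUser` and `AttachRolePolicy`. The log body here is a constructed sample containing only the record fields the script reads (`eventSource`, `eventName`, `readOnly`, `userIdentity`, `requestParameters`), not real CloudTrail output.

```python
import gzip
import json
import re
from collections import Counter

# Log object names follow AccountID_CloudTrail_Region_YYYYMMDDTHHMMZ_UniqueString.json.gz
LOG_NAME_RE = re.compile(
    r"^(?P<account>\d{12})_CloudTrail_(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d)"
    r"_(?P<timestamp>\d{8}T\d{4}Z)_(?P<unique>[A-Za-z0-9]+)\.json\.gz$")

def parse_log_name(name):
    """Split a log object name into account, Region, timestamp and unique id, or None."""
    m = LOG_NAME_RE.match(name)
    return m.groupdict() if m else None

def load_records(gz_bytes):
    """Decompress one .json.gz log file and return its list of event records."""
    return json.loads(gzip.decompress(gz_bytes))["Records"]

def count_by_api(records):
    """Count events per (eventSource, eventName) pair, e.g. to spot unexpected callers."""
    return Counter((r["eventSource"], r["eventName"]) for r in records)

def iam_write_events(records):
    """Return (time, event, actor, parameters) for IAM events that changed state."""
    out = []
    for r in records:
        if r["eventSource"] == "iam.amazonaws.com" and not r.get("readOnly", False):
            who = r["userIdentity"].get("userName") or r["userIdentity"].get("arn")
            out.append((r["eventTime"], r["eventName"], who, r.get("requestParameters", {})))
    return out

# Constructed sample log body (not real CloudTrail output); only the fields read above.
def _rec(time, source, name, region, read_only, identity, params=None):
    return {"eventTime": time, "eventSource": source, "eventName": name, "awsRegion": region,
            "readOnly": read_only, "userIdentity": identity, "requestParameters": params or {}}

ALICE = {"type": "IAMUser", "userName": "alice"}
CI = {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/deploy/ci"}
SAMPLE_GZ = gzip.compress(json.dumps({"Records": [
    _rec("2024-05-12T00:01:00Z", "iam.amazonaws.com", "CreateUser", "us-east-1", False,
         ALICE, {"userName": "new-user"}),
    _rec("2024-05-12T00:01:05Z", "iam.amazonaws.com", "AttachRolePolicy", "us-east-1", False,
         ALICE, {"roleName": "app-role", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _rec("2024-05-12T00:01:10Z", "iam.amazonaws.com", "ListUsers", "us-east-1", True, ALICE),
    _rec("2024-05-12T00:02:00Z", "ec2.amazonaws.com", "RunInstances", "us-east-2", False, CI),
    _rec("2024-05-12T00:03:00Z", "ec2.amazonaws.com", "DescribeInstances", "us-east-2", True, CI),
]}).encode())
```

Run `iam_write_events(load_records(open(path, "rb").read()))` against a downloaded file to get the same kind of listing for your own trail.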