

# Using the `update-trail` command to update a trail
<a name="cloudtrail-create-and-update-a-trail-by-using-the-aws-cli-update-trail"></a>

**Important**  
As of November 22, 2021, Amazon CloudTrail makes Amazon CloudFront events available only in the Region where the event was processed, China (Ningxia) Region, cn-northwest-1.  
For trails monitoring global service events, be sure to convert *single-Region trails* in China (Beijing) Region, cn-north-1, to *multi-Region trails*, to include events from China (Ningxia) Region, cn-northwest-1. For more information about capturing CloudFront events, see [Enabling and disabling global service event logging](#cloudtrail-create-and-update-a-trail-by-using-the-aws-cli-examples-gses) later in this section.

You can use the `update-trail` command to change the configuration settings for a trail. You can also use the **add-tags** and **remove-tags** commands to add and remove tags for a trail. You can only update trails from the Amazon Region where the trail was created (its Home Region). When using the Amazon CLI, remember that your commands run in the Amazon Region configured for your profile. If you want to run the commands in a different Region, either change the default Region for your profile, or use the **--region** parameter with the command.

**Note**  
If you use the Amazon CLI or one of the Amazon SDKs to modify a trail, be sure that the trail's bucket policy is up-to-date. In order for your bucket to automatically receive events from a new Amazon Web Services Region, the policy must contain the full service name, `cloudtrail.amazonaws.com`. For more information, see [Amazon S3 bucket policy for CloudTrail](create-s3-bucket-policy-for-cloudtrail.md).

**Topics**
+ [Converting a single-Region trail to a multi-Region trail](#cloudtrail-create-and-update-a-trail-by-using-the-aws-cli-examples-convert)
+ [Converting a multi-Region trail to a single-Region trail](#cloudtrail-create-and-update-a-trail-by-using-the-aws-cli-examples-reduce)
+ [Enabling and disabling global service event logging](#cloudtrail-create-and-update-a-trail-by-using-the-aws-cli-examples-gses)
+ [Enabling log file validation](#cloudtrail-create-and-update-a-trail-by-using-the-aws-cli-examples-lfi)
+ [Disabling log file validation](#cloudtrail-create-and-update-a-trail-by-using-the-aws-cli-examples-lfi-disable)

## Converting a single-Region trail to a multi-Region trail
<a name="cloudtrail-create-and-update-a-trail-by-using-the-aws-cli-examples-convert"></a>

To change an existing single-Region trail to a multi-Region trail, use the `--is-multi-region-trail` option.

```
aws cloudtrail update-trail --name my-trail --is-multi-region-trail
```

To confirm that the trail is now a multi-Region trail, verify that the `IsMultiRegionTrail` element in the output shows `true`.

```
{
    "IncludeGlobalServiceEvents": true,
    "Name": "my-trail",
    "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/my-trail",
    "LogFileValidationEnabled": false,
    "IsMultiRegionTrail": true,
    "IsOrganizationTrail": false,
    "S3BucketName": "amzn-s3-demo-bucket"
}
```

## Converting a multi-Region trail to a single-Region trail
<a name="cloudtrail-create-and-update-a-trail-by-using-the-aws-cli-examples-reduce"></a>

To change an existing multi-Region trail so that it applies only to the Region in which it was created, use the `--no-is-multi-region-trail` option. 

```
aws cloudtrail update-trail --name my-trail --no-is-multi-region-trail
```

To confirm that the trail now applies to a single Region, verify that the `IsMultiRegionTrail` element in the output shows `false`.

```
{
    "IncludeGlobalServiceEvents": true,
    "Name": "my-trail",
    "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/my-trail",
    "LogFileValidationEnabled": false,
    "IsMultiRegionTrail": false,
    "IsOrganizationTrail": false,
    "S3BucketName": "amzn-s3-demo-bucket"
}
```

## Enabling and disabling global service event logging
<a name="cloudtrail-create-and-update-a-trail-by-using-the-aws-cli-examples-gses"></a>

To change a trail so that it does not log global service events, use the `--no-include-global-service-events` option. 

```
aws cloudtrail update-trail --name my-trail --no-include-global-service-events
```

To confirm that the trail no longer logs global service events, verify that the `IncludeGlobalServiceEvents` element in the output shows `false`.

```
{
    "IncludeGlobalServiceEvents": false,
    "Name": "my-trail",
    "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/my-trail",
    "LogFileValidationEnabled": false,
    "IsMultiRegionTrail": false,
    "IsOrganizationTrail": false,
    "S3BucketName": "amzn-s3-demo-bucket"
}
```

To change a trail so that it logs global service events, use the `--include-global-service-events` option.

To capture CloudFront events, convert single-Region trails in `cn-north-1` with global service events turned on to multi-Region trails using the following CLI command. Replace *myExistingSingleRegionTrailWithGSE* with the appropriate trail name for your configuration.

```
aws cloudtrail --region cn-north-1 update-trail --name myExistingSingleRegionTrailWithGSE --is-multi-region-trail
```

Because global service events are only available in the China (Ningxia) Region beginning November 22, 2021, you can also create a single-Region trail in `cn-northwest-1` to ensure continued logging of CloudFront events.

```
aws cloudtrail --region cn-northwest-1 create-trail --include-global-service-events --name mySingleRegionTrail --s3-bucket-name amzn-s3-demo-bucket
```

## Enabling log file validation
<a name="cloudtrail-create-and-update-a-trail-by-using-the-aws-cli-examples-lfi"></a>

To enable log file validation for a trail, use the `--enable-log-file-validation` option. Digest files are delivered to the Amazon S3 bucket for that trail.

```
aws cloudtrail update-trail --name my-trail --enable-log-file-validation
```

To confirm that log file validation is enabled, verify that the `LogFileValidationEnabled` element in the output shows `true`.

```
{
    "IncludeGlobalServiceEvents": true,
    "Name": "my-trail",
    "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/my-trail",
    "LogFileValidationEnabled": true,
    "IsMultiRegionTrail": false,
    "IsOrganizationTrail": false,
    "S3BucketName": "amzn-s3-demo-bucket"
}
```

## Disabling log file validation
<a name="cloudtrail-create-and-update-a-trail-by-using-the-aws-cli-examples-lfi-disable"></a>

To disable log file validation for a trail, use the `--no-enable-log-file-validation` option.

```
aws cloudtrail update-trail --name my-trail --no-enable-log-file-validation
```

To confirm that log file validation is disabled, verify that the `LogFileValidationEnabled` element in the output shows `false`.

```
{
    "IncludeGlobalServiceEvents": true,
    "Name": "my-trail",
    "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/my-trail",
    "LogFileValidationEnabled": false,
    "IsMultiRegionTrail": false,
    "IsOrganizationTrail": false,
    "S3BucketName": "amzn-s3-demo-bucket"
}
```

To validate log files with the Amazon CLI, see [Validating CloudTrail log file integrity with the Amazon CLI](cloudtrail-log-file-validation-cli.md).
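
The settings covered in the sections above can be checked across all trails at once. The following is an added example, not part of the original documentation: a Python audit of `describe-trails` output that flags disabled log file validation, disabled global service event logging, and single-Region `cn-north-1` trails that miss CloudFront events, and pairs each gap with the `update-trail` command pinned to the trail's home Region. The sample trails are constructed, and the `trailList` key and `HomeRegion` field come from `describe-trails` output rather than from this page.

```python
import shlex

# Constructed sample shaped like `aws cloudtrail describe-trails` output.
# Trail names, account ID and Regions are placeholders for illustration.
SAMPLE = {"trailList": [
    {"Name": "my-trail", "HomeRegion": "cn-north-1",
     "IncludeGlobalServiceEvents": True, "IsMultiRegionTrail": False,
     "LogFileValidationEnabled": False},
    {"Name": "mySingleRegionTrail",  # no HomeRegion: exercises the ARN fallback
     "TrailARN": "arn:aws-cn:cloudtrail:cn-northwest-1:123456789012:trail/mySingleRegionTrail",
     "IncludeGlobalServiceEvents": True, "IsMultiRegionTrail": False,
     "LogFileValidationEnabled": True},
    {"Name": "multi-trail", "HomeRegion": "cn-north-1",
     "IncludeGlobalServiceEvents": True, "IsMultiRegionTrail": True,
     "LogFileValidationEnabled": True},
]}


def home_region(trail):
    """Home Region from HomeRegion, falling back to field 4 of the trail ARN."""
    return trail.get("HomeRegion") or trail["TrailARN"].split(":")[3]


def audit_trail(trail):
    """Return (gap, fix) pairs for one trail; fix is an update-trail command."""
    region = home_region(trail)
    # Trails can only be updated from their home Region, so pin --region.
    base = (f"aws cloudtrail --region {shlex.quote(region)} "
            f"update-trail --name {shlex.quote(trail['Name'])}")
    gaps = []
    if not trail.get("LogFileValidationEnabled", False):
        gaps.append(("log file validation disabled",
                     f"{base} --enable-log-file-validation"))
    if not trail.get("IncludeGlobalServiceEvents", False):
        gaps.append(("global service events not logged",
                     f"{base} --include-global-service-events"))
    elif region == "cn-north-1" and not trail.get("IsMultiRegionTrail", False):
        # Per this page: CloudFront events are only available in cn-northwest-1.
        gaps.append(("CloudFront events not captured",
                     f"{base} --is-multi-region-trail"))
    return gaps


def audit(describe_trails_output):
    """Map trail name -> list of (gap, fix) for every trail in the output."""
    return {t["Name"]: audit_trail(t)
            for t in describe_trails_output.get("trailList", [])}


if __name__ == "__main__":
    for name, gaps in audit(SAMPLE).items():
        print(name, "OK" if not gaps else gaps)
```

To run it against a real account, pass the parsed JSON from `aws cloudtrail describe-trails` to `audit()` in place of `SAMPLE`.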