This topic describes the overview, scenarios, scope, and event fields of audit logs.
Overview
MaxCompute records all your operations. After you connect MaxCompute to ActionTrail, MaxCompute delivers operations logs to ActionTrail in real time.
You can view and retrieve the operations logs in ActionTrail. You can also use ActionTrail
to deliver logs to your Log Service Logstore or specified Object Storage Service (OSS)
bucket. This way, you can perform real-time log auditing, event backtracking, and
event analysis.
Scenarios
MaxCompute automatically delivers operations logs to ActionTrail. You can perform
the following operations in the ActionTrail console:
- Query historical events
On the History Search page of the ActionTrail console, query historical events of various services, such as MaxCompute. For more information, see Query historical events in the ActionTrail console.
- Analyze events in real time
On the Trails page of the ActionTrail console, deliver events to an OSS bucket for archiving and analysis. You can also deliver events to a Log Service Logstore for real-time log analysis based on events. For example, you can handle alerts that are triggered by unauthorized access to sensitive data based on the results of real-time log analysis. For more information, see Create a single-account trail.
Scope
ActionTrail audits operations logs on different types of events. These types of events
include instance, table, function, resource, user, role, and privilege. The following
table describes the events.
| Event type | Event name | Description |
|---|---|---|
| Instance | insertJob | A MaxCompute job is submitted. |
| jobChange | The status of a MaxCompute job is changed. For example, a job succeeds or is terminated. | |
| Table | CreateTable | A table is created. |
| ChangeTable | The schema of a table is changed. For example, you execute the ALTER TABLE statement to change the schema of a table. | |
| DropTable | A table is deleted. | |
| DescribeTable | The schema of a table is queried by using the DESC TABLE statement. | |
| ReadTableData | Data is read from a table. | |
| ChangeTableData | Data entries are changed in a table. Statements, such as INSERT INTO, INSERT OVERWRITE, and TRUNCATE, or operations, such as Tunnel-based data import, can trigger this event. | |
| DownloadTable | Data is downloaded from a table by using Tunnel. | |
| UploadTable | Data is uploaded to a table by using Tunnel. | |
| InstanceTunnel | The execution result of an instance is downloaded. For example, you execute a SELECT statement to download the execution result of an instance. | |
| Function | CreateFunction | A user-defined function (UDF) is created. |
| UpdateFunction | A UDF is updated. | |
| DeleteFunction | A UDF is deleted. | |
| Resource | CreateResource | A resource is uploaded. |
| UpdateResource | A resource is updated. | |
| DeleteResource | A resource is deleted. | |
| User | AddUser | A user is added. |
| RemoveUser | A user is removed. | |
| Role | CreateRole | A role is created. |
| DropRole | A role is deleted. | |
| Privilege | GrantACL | Permissions are granted based on an access control list (ACL). |
| GrantLabel | Permissions are granted based on labels. | |
| GrantRoles | Permissions are granted based on roles. | |
| PutRolePolicy | A policy that is embedded in a MaxCompute role is added. | |
| RevokeACL | ACL-based permissions are revoked. | |
| RevokeLabel | Label-based permissions are revoked. | |
| RevokeRoles | Role-based permissions are revoked. | |
| SetProjectPolicy | A policy is set for a project. | |
| SetTableLabel | A label is set for a column in a table. | |
| SetUserLabel | A label is set for a user. |
Event fields
Fields are provided to record specific actions for different types of events. You
can view and analyze the fields for auditing and management.
- Instance
Field Description Example timestamp The time when the event occurred. 2019-08-06T03:33:03Z event_type The type of the event. JobEvent event_name The name of the event. JobChange user_id The ID of the user who submitted the job. 1965501246548481 user_catalog The category of the user who submitted the job. Valid values: sub and customer.
customer source_ip The IP address of the terminal where the MaxCompute client is installed. 10.1.1.1 user_agent The agent of the user. JavaSDK Revision:33acd11,Version:0.30.9,JavaVersion:1.8.0_66,IP:unknown,MAC:unknownproject_name The name of the MaxCompute project. meta project_owner The ID of the Alibaba Cloud account to which the MaxCompute project belongs. 1965501246548481 operation_text The details about the SQL statement. This field contains sensitive information. select * from m_project where ds='20190805';instance_id The ID of the instance. 20190806032128370gef3eqsatask_name The name of the task. console_query_task_1565061688115task_type The type of the task, such as SQL or CUPID. SQL start_time The start time of the task. 2019-08-06T11:21:28+08:00end_time The end time of the task. 2019-08-06T11:21:38+08:00input_tables The input table of the task. ["meta.s_project_ots_meta_raw"]output_tables The output table of the task. ["meta.s_project_owner_map"]input_bytes The volume of data that MaxCompute reads from the input table. 6543210 output_bytes The volume of data in the output table. 716760 input_records The number of records that MaxCompute reads from the input table. 532963 output_records The number of records in the output table. 68713 signature The signature of the task. The signature is used to check the type of the job to which the task belongs. 0c5cafa4aeb03e2e70f8db2e9d1e6c13status The status of the task. Terminated skynet_id The ID of the DataWorks node that is used to submit the task. 700002545585 skynet_nodename The name of the DataWorks node that is used to submit the task. s_project_owner_mapcomplexity The complexity of the SQL statement. 1.0 cost_cpu The CPUs that are consumed by the job. 200 cost_memory The memory that is consumed by the job. 3072 request_id The ID of the request, which is randomly generated. 9e1e42e9-26fe-4f8a-b6e9-e31ae9384de4region The region ID of the project. cn-shanghaierror_code The error code. None error_message The error message. None - Table
Field Description Example timestamp The time when the event occurred. 2019-08-06T04:20:14Z event_type The type of the event. TableEvent event_name The name of the event. DropTable user_id The ID of the user who performed the operation. 1965501246548481 user_catalog The category of the user who submitted the job. Valid values: sub and customer.
customer request_id The ID of the request. 5D4903BA83C08908CCEC9E34project_name The name of the project to which the resource belongs. meta project_owner The ID of the Alibaba Cloud account to which the MaxCompute project belongs. 1965501246548481 operation_text The details about the operation. INSERT_OVERWRITE_PARTITION object_type The type of the resource that you want to manage. The value is TABLE. TABLE object_name The name of the resource. tbl source The method that is used to manage a table. Valid values: INSTANCE, TUNNEL, and SYSTEM. INSTANCE correlation_id The correlation ID of the resource operation. The correlation ID can be the instance ID or Tunnel ID. 20190806055554100ga8ir4pr2region The region ID of the project. cn-shanghaierror_code The error code. None error_message The error message. None - Function
Field Description Example timestamp The time when the event occurred. 2019-08-06T04:20:14Z event_type The type of the event. TableEvent event_name The name of the event. DropTable user_id The ID of the user who performed the operation. 1965501246548481 user_catalog The category of the user who submitted the job. Valid values: sub and customer.
customer request_id The ID of the request. 5D4903BA83C08908CCEC9E34project_name The name of the project to which the resource belongs. meta project_owner The ID of the Alibaba Cloud account to which the MaxCompute project belongs. 1965501246548481 Function The name of the function. case_detecting region The region ID of the project. cn-shanghaierror_code The error code. None error_message The error message. None - Resource
Field Description Example timestamp The time when the event occurred. 2019-08-06T04:20:14Z event_type The type of the event. TableEvent event_name The name of the event. DropTable user_id The ID of the user who performed the operation. 1965501246548481 user_catalog The category of the user who submitted the job. Valid values: sub and customer.
customer request_id The ID of the request. 5D4903BA83C08908CCEC9E34project_name The name of the project to which the resource belongs. meta project_owner The ID of the Alibaba Cloud account to which the MaxCompute project belongs. 1965501246548481 Resource The name of the resource. fastjson-1.2.48-158892824578086453694_0.jarregion The region ID of the project. cn-shanghaierror_code The error code. None error_message The error message. None - User
Field Description Example timestamp The time when the event occurred. 2019-08-06T04:20:14Z event_type The type of the event. UserEvent event_name The name of the event. AddUser user_id The ID of the user who submitted the job. 1965501246548481 user_catalog The category of the user who submitted the job. Valid values: sub and customer.
customer source_ip The IP address of the terminal where the MaxCompute client is installed. 10.154.184.179 request_id The ID of the request. 5D4903BA83C08908CCEC9E34project_name The name of the project. meta project_owner The ID of the Alibaba Cloud account to which the MaxCompute project belongs. 1965501246548481 operation_text The details about the operation. ADD USER ALIYUN$antccopblvxjgsss@aliyun.comprincipal The name of the account to be added. aliyun$antccopblvxjgsss@aliyun.comregion The region ID of the project. cn-shanghaierror_code The error code. None error_message The error message. None - Role
Field Description Example timestamp The time when the event occurred. 2019-08-06T04:20:14Z event_type The type of the event. RoleEvent event_name The name of the event. CreateRole user_id The ID of the user who performed the job. 1965501246548481 user_catalog The category of the user who submitted the job. Valid values: sub and customer.
customer source_ip The IP address of the terminal where the MaxCompute client is installed. 10.154.184.179 request_id The ID of the request. 5D4903BA83C08908CCEC9E34project_name The name of the project. meta project_owner The ID of the Alibaba Cloud account to which the MaxCompute project belongs. 1965501246548481 operation_text The details about the operation. drop role test;principal The name of the account to be added. test region The region ID of the project. cn-shanghaierror_code The error code. None error_message The error message. None - Privilege
Field Description Example timestamp The time when the event occurred. 2019-08-06T04:20:14Z event_type The type of the event. PrivilegeEvent event_name The name of the event. GrantACL user_id The ID of the user who performed the job. 1965501246548481 user_catalog The category of the user who submitted the job. Valid values: sub and customer.
customer source_ip The IP address of the terminal where the MaxCompute client is installed. 10.154.184.179 request_id The ID of the request. 5D4903BA83C08908CCEC9E34current_project The name of the project. meta_dev project_name The name of the project to which the resource belongs. meta project_owner The ID of the Alibaba Cloud account to which the MaxCompute project belongs. 1965501246548481 operation_text The details about the operation. GRANT Describe,Select ON TABLE ads_dy_mkt_union_room_ctag_cm TO USER RAM$ferrodx:superset_admin;principal The account or role to which permissions are granted. aliyun$antccopblvxjgsss@aliyun.comobject_type The type of the resource. Valid values: PROJECT, TABLE, and USER. TABLE object_name The name of the resource. ads_dy_mkt_union_room_ctag_cmregion The region ID of the project. cn-shanghaierror_code The error code. None error_message The error message. None