This topic describes the overview, scenarios, scope, and event fields of audit logs.

Overview

MaxCompute records all your operations. After you connect MaxCompute to ActionTrail, MaxCompute delivers operations logs to ActionTrail in real time.

You can view and retrieve the operations logs in ActionTrail. You can also use ActionTrail to deliver logs to your Log Service Logstore or specified Object Storage Service (OSS) bucket. This way, you can perform real-time log auditing, event backtracking, and event analysis.**

Scenarios

MaxCompute automatically delivers operations logs to ActionTrail. You can perform the following operations in the ActionTrail console:
  • Query historical events

    On the History Search page of the ActionTrail console, query historical events of various services, such as MaxCompute. For more information, see Query historical events in the ActionTrail console.

  • Analyze events in real time

    On the Trails page of the ActionTrail console, deliver events to an OSS bucket for archiving and analysis. You can also deliver events to a Log Service Logstore for real-time log analysis based on events. For example, you can handle alerts that are triggered by unauthorized access to sensitive data based on the results of real-time log analysis. For more information, see Create a single-account trail.

Scope

ActionTrail audits operations logs on different types of events. These types of events include instance, table, function, resource, user, role, and privilege. The following table describes the events.
Event type Event name Description
Instance insertJob A MaxCompute job is submitted.
jobChange The status of a MaxCompute job is changed. For example, a job succeeds or is terminated.
Table CreateTable A table is created.
ChangeTable The schema of a table is changed. For example, you execute the ALTER TABLE statement to change the schema of a table.
DropTable A table is deleted.
DescribeTable The schema of a table is queried by using the DESC TABLE statement.
ReadTableData Data is read from a table.
ChangeTableData Data entries are changed in a table. Statements, such as INSERT INTO, INSERT OVERWRITE, and TRUNCATE, or operations, such as Tunnel-based data import, can trigger this event.
DownloadTable Data is downloaded from a table by using Tunnel.
UploadTable Data is uploaded to a table by using Tunnel.
InstanceTunnel The execution result of an instance is downloaded. For example, you execute a SELECT statement to download the execution result of an instance.
Function CreateFunction A user-defined function (UDF) is created.
UpdateFunction A UDF is updated.
DeleteFunction A UDF is deleted.
Resource CreateResource A resource is uploaded.
UpdateResource A resource is updated.
DeleteResource A resource is deleted.
User AddUser A user is added.
RemoveUser A user is removed.
Role CreateRole A role is created.
DropRole A role is deleted.
Privilege GrantACL Permissions are granted based on an access control list (ACL).
GrantLabel Permissions are granted based on labels.
GrantRoles Permissions are granted based on roles.
PutRolePolicy A policy that is embedded in a MaxCompute role is added.
RevokeACL ACL-based permissions are revoked.
RevokeLabel Label-based permissions are revoked.
RevokeRoles Role-based permissions are revoked.
SetProjectPolicy A policy is set for a project.
SetTableLabel A label is set for a column in a table.
SetUserLabel A label is set for a user.

Event fields

Fields are provided to record specific actions for different types of events. You can view and analyze the fields for auditing and management.
  • Instance
    Field Description Example
    timestamp The time when the event occurred. 2019-08-06T03:33:03Z
    event_type The type of the event. JobEvent
    event_name The name of the event. JobChange
    user_id The ID of the user who submitted the job. 1965501246548481
    user_catalog The category of the user who submitted the job.

    Valid values: sub and customer.

    customer
    source_ip The IP address of the terminal where the MaxCompute client is installed. 10.1.1.1
    user_agent The agent of the user. JavaSDK Revision:33acd11,Version:0.30.9,JavaVersion:1.8.0_66,IP:unknown,MAC:unknown
    project_name The name of the MaxCompute project. meta
    project_owner The ID of the Alibaba Cloud account to which the MaxCompute project belongs. 1965501246548481
    operation_text The details about the SQL statement. This field contains sensitive information. select * from m_project where ds='20190805';
    instance_id The ID of the instance. 20190806032128370gef3eqsa
    task_name The name of the task. console_query_task_1565061688115
    task_type The type of the task, such as SQL or CUPID. SQL
    start_time The start time of the task. 2019-08-06T11:21:28+08:00
    end_time The end time of the task. 2019-08-06T11:21:38+08:00
    input_tables The input table of the task. ["meta.s_project_ots_meta_raw"]
    output_tables The output table of the task. ["meta.s_project_owner_map"]
    input_bytes The volume of data that MaxCompute reads from the input table. 6543210
    output_bytes The volume of data in the output table. 716760
    input_records The number of records that MaxCompute reads from the input table. 532963
    output_records The number of records in the output table. 68713
    signature The signature of the task. The signature is used to check the type of the job to which the task belongs. 0c5cafa4aeb03e2e70f8db2e9d1e6c13
    status The status of the task. Terminated
    skynet_id The ID of the DataWorks node that is used to submit the task. 700002545585
    skynet_nodename The name of the DataWorks node that is used to submit the task. s_project_owner_map
    complexity The complexity of the SQL statement. 1.0
    cost_cpu The CPUs that are consumed by the job. 200
    cost_memory The memory that is consumed by the job. 3072
    request_id The ID of the request, which is randomly generated. 9e1e42e9-26fe-4f8a-b6e9-e31ae9384de4
    region The region ID of the project. cn-shanghai
    error_code The error code. None
    error_message The error message. None
  • Table
    Field Description Example
    timestamp The time when the event occurred. 2019-08-06T04:20:14Z
    event_type The type of the event. TableEvent
    event_name The name of the event. DropTable
    user_id The ID of the user who performed the operation. 1965501246548481
    user_catalog The category of the user who submitted the job.

    Valid values: sub and customer.

    customer
    request_id The ID of the request. 5D4903BA83C08908CCEC9E34
    project_name The name of the project to which the resource belongs. meta
    project_owner The ID of the Alibaba Cloud account to which the MaxCompute project belongs. 1965501246548481
    operation_text The details about the operation. INSERT_OVERWRITE_PARTITION
    object_type The type of the resource that you want to manage. The value is TABLE. TABLE
    object_name The name of the resource. tbl
    source The method that is used to manage a table. Valid values: INSTANCE, TUNNEL, and SYSTEM. INSTANCE
    correlation_id The correlation ID of the resource operation. The correlation ID can be the instance ID or Tunnel ID. 20190806055554100ga8ir4pr2
    region The region ID of the project. cn-shanghai
    error_code The error code. None
    error_message The error message. None
  • Function
    Field Description Example
    timestamp The time when the event occurred. 2019-08-06T04:20:14Z
    event_type The type of the event. TableEvent
    event_name The name of the event. DropTable
    user_id The ID of the user who performed the operation. 1965501246548481
    user_catalog The category of the user who submitted the job.

    Valid values: sub and customer.

    customer
    request_id The ID of the request. 5D4903BA83C08908CCEC9E34
    project_name The name of the project to which the resource belongs. meta
    project_owner The ID of the Alibaba Cloud account to which the MaxCompute project belongs. 1965501246548481
    Function The name of the function. case_detecting
    region The region ID of the project. cn-shanghai
    error_code The error code. None
    error_message The error message. None
  • Resource
    Field Description Example
    timestamp The time when the event occurred. 2019-08-06T04:20:14Z
    event_type The type of the event. TableEvent
    event_name The name of the event. DropTable
    user_id The ID of the user who performed the operation. 1965501246548481
    user_catalog The category of the user who submitted the job.

    Valid values: sub and customer.

    customer
    request_id The ID of the request. 5D4903BA83C08908CCEC9E34
    project_name The name of the project to which the resource belongs. meta
    project_owner The ID of the Alibaba Cloud account to which the MaxCompute project belongs. 1965501246548481
    Resource The name of the resource. fastjson-1.2.48-158892824578086453694_0.jar
    region The region ID of the project. cn-shanghai
    error_code The error code. None
    error_message The error message. None
  • User
    Field Description Example
    timestamp The time when the event occurred. 2019-08-06T04:20:14Z
    event_type The type of the event. UserEvent
    event_name The name of the event. AddUser
    user_id The ID of the user who submitted the job. 1965501246548481
    user_catalog The category of the user who submitted the job.

    Valid values: sub and customer.

    customer
    source_ip The IP address of the terminal where the MaxCompute client is installed. 10.154.184.179
    request_id The ID of the request. 5D4903BA83C08908CCEC9E34
    project_name The name of the project. meta
    project_owner The ID of the Alibaba Cloud account to which the MaxCompute project belongs. 1965501246548481
    operation_text The details about the operation. ADD USER ALIYUN$antccopblvxjgsss@aliyun.com
    principal The name of the account to be added. aliyun$antccopblvxjgsss@aliyun.com
    region The region ID of the project. cn-shanghai
    error_code The error code. None
    error_message The error message. None
  • Role
    Field Description Example
    timestamp The time when the event occurred. 2019-08-06T04:20:14Z
    event_type The type of the event. RoleEvent
    event_name The name of the event. CreateRole
    user_id The ID of the user who performed the job. 1965501246548481
    user_catalog The category of the user who submitted the job.

    Valid values: sub and customer.

    customer
    source_ip The IP address of the terminal where the MaxCompute client is installed. 10.154.184.179
    request_id The ID of the request. 5D4903BA83C08908CCEC9E34
    project_name The name of the project. meta
    project_owner The ID of the Alibaba Cloud account to which the MaxCompute project belongs. 1965501246548481
    operation_text The details about the operation. drop role test;
    principal The name of the account to be added. test
    region The region ID of the project. cn-shanghai
    error_code The error code. None
    error_message The error message. None
  • Privilege
    Field Description Example
    timestamp The time when the event occurred. 2019-08-06T04:20:14Z
    event_type The type of the event. PrivilegeEvent
    event_name The name of the event. GrantACL
    user_id The ID of the user who performed the job. 1965501246548481
    user_catalog The category of the user who submitted the job.

    Valid values: sub and customer.

    customer
    source_ip The IP address of the terminal where the MaxCompute client is installed. 10.154.184.179
    request_id The ID of the request. 5D4903BA83C08908CCEC9E34
    current_project The name of the project. meta_dev
    project_name The name of the project to which the resource belongs. meta
    project_owner The ID of the Alibaba Cloud account to which the MaxCompute project belongs. 1965501246548481
    operation_text The details about the operation. GRANT Describe,Select ON TABLE ads_dy_mkt_union_room_ctag_cm TO USER RAM$ferrodx:superset_admin;
    principal The account or role to which permissions are granted. aliyun$antccopblvxjgsss@aliyun.com
    object_type The type of the resource. Valid values: PROJECT, TABLE, and USER. TABLE
    object_name The name of the resource. ads_dy_mkt_union_room_ctag_cm
    region The region ID of the project. cn-shanghai
    error_code The error code. None
    error_message The error message. None