This topic describes the overview, scenarios, scope, and event fields of audit logs.
Overview
MaxCompute records all user behavior and pushes the user behavior logs to the Alibaba Cloud ActionTrail service in real time.

Scenarios
- Query historical events and their detailed information
On the History Search page in the ActionTrail console, query historical events of various services, such as MaxCompute. For more information, see Procedure.
- Analyze events in real time
On the Trails page in the ActionTrail console, deliver events to an OSS bucket for archiving and analysis. You can also deliver events to your Alibaba Cloud Log Service project for real-time log analysis based on events, for example, log analysis triggered by alerts that are generated in the case of unauthorized access to sensitive data. For more information, see Create a single-account trail.
Scope
Event type | Event name | Event description |
---|---|---|
JobEvent | InsertJob | A MaxCompute job is submitted. |
JobEvent | JobChange | The status of a MaxCompute job is changed, for example, a job succeeds or is terminated. |
TunnelEvent | DownloadTable | Data is downloaded from a table by using Tunnel commands. |
TunnelEvent | UploadTable | Data is uploaded to a table by using Tunnel commands. |
TunnelEvent | InstanceTunnel | The execution result of an instance is downloaded. For example, this event is triggered when you execute a SELECT statement for data queries. |
RoleEvent | CreateRole | A role is created. |
RoleEvent | DropRole | A role is deleted. |
UserEvent | AddUser | A user is added. |
UserEvent | RemoveUser | A user is removed. |
TableEvent | CreateTable | A table is created. |
TableEvent | ChangeTable | The schema of a table is modified. For example, this event is triggered when you run the ALTER TABLE command to modify the schema of a table. |
TableEvent | DropTable | A table is deleted. |
TableEvent | DescribeTable | The schema of a table is queried by executing the DESC TABLE statement. |
TableEvent | ReadTableData | Data is read from a table. |
TableEvent | ChangeTableData | Table data is modified. For example, this event is triggered when you execute statements, including INSERT INTO, INSERT OVERWRITE, and TRUNCATE, or when you import table data by using Tunnel commands. |
PrivilegeEvent | GrantRole | Role-based privileges are granted. |
PrivilegeEvent | RevokeRole | Role-based privileges are revoked. |
PrivilegeEvent | GrantACL | ACL-based privileges are granted. |
PrivilegeEvent | RevokeACL | ACL-based privileges are revoked. |
PrivilegeEvent | GrantLabel | Label-based privileges are granted. |
PrivilegeEvent | RevokeLabel | Label-based privileges are revoked. |
PrivilegeEvent | PutRolePolicy | A policy that is embedded in a MaxCompute role is added. |
PrivilegeEvent | SetProjectPolicy | A policy is configured for a project. |
PrivilegeEvent | SetTableLabel | A label is configured for a column in a table. |
PrivilegeEvent | SetUserLabel | A label is configured for a user. |
AdminEvent | CreateProject | A MaxCompute project is created. |
AdminEvent | UpdateProject | A MaxCompute project is updated. |
AdminEvent | DeleteProject | A MaxCompute project is deleted. |
Event fields
Field | Description | Example |
---|---|---|
eventId | The globally unique identifier (GUID) that ActionTrail generates for each event. | 918510a4-7b63-47d2-b053-8f9db82c431a |
acsRegion | The ID of the region where the event log was recorded. | cn-hangzhou |
eventName | The name of the event. | InsertJob |
eventTime | The time when the event occurred, in UTC. | 2020-01-09T12:12:14Z |
eventType | The type of the event. | JobEvent |
errorCode | The error code reported when an error occurs. | ODPS-10000 |
errorMessage | The error description. | ODPS-0130161:[1,18] Parse exception - invalid token 'bigstring' |
requestId | The ID of the API request. | 6df41e8c-cfd0-4beb-8dd0-13b8490fdf5b |
serviceName | The name of the Alibaba Cloud service to which the event log belongs. | MaxCompute |
sourceIpAddress | The source IP address of the API request. | 192.0.2.1 |
userAgent | The user agent that sends the API request. | JavaSDK Revision:992f8d1 Version:0.35.9 JavaVersion:1.8.0_242 CLT(0.35.3 : a2af3f4); Mac OS X(127.0.0.1/ali-4c32758ab657) |
userIdentity | The identity information about the requester. The information includes the accountId, principalId, type, and userName parameters. | "userIdentity": { "accountId": "1965501548481", "principalId": "100951746285", "type": "root-account", "userName": "root" } |
referencedResources | The resources involved in an event, such as InstanceId in JobEvent and TableName in TableEvent. The field is unique for each event. | "referencedResources": { "Instance": ["2020102713575683gc2je4pr"] } |
additionalEventData | The additional information that is specific to events, such as the job status and query statements. The field is unique for each event. | "additionalEventData": { "Status": "Failed", "ProjectName": "test_audit", "TaskName": "console_query_task_1603807075919", "InstanceId": "2020102713575683gc2je4pr2", "TaskType": "SQL", "OperationText": "create table a(a bigstring);" } |
JobEvent
- InsertJob
Field | Description | Example |
---|---|---|
referencedResources | The ID of the job involved in an InsertJob event. | "referencedResources": { "Instance": ["2020102713575683gc2je4pr2"] } |
additionalEventData | The additional information about an InsertJob event. The additional information includes the following parameters: ProjectName: the name of the project to which the job belongs; TaskName: the name of the task to which the job belongs; InstanceId: the ID of the job; TaskType: the type of the job. Valid values: SQL, LOT, and CUPID; OperationText: the statement to be executed. | "additionalEventData": { "ProjectName": "meta", "TaskName": "console_query_task_1603807075919", "InstanceId": "2020102713575683gc2je4pr2", "TaskType": "SQL", "OperationText": "create table a(a string);" } |
- JobChange
Field | Description | Example |
---|---|---|
referencedResources | The ID of the job involved in a JobChange event. | "referencedResources": { "Instance": ["2020102713575683gc2je4pr2"] } |
additionalEventData | The additional information about a JobChange event. The additional information includes the following parameters: Status: the status of the job; ProjectName: the name of the project to which the job belongs; TaskName: the name of the task to which the job belongs; InstanceId: the ID of the job; TaskType: the type of the job. Valid values: SQL, LOT, and CUPID; OperationText: the statement to be executed. | "additionalEventData": { "Status": "Failed", "ProjectName": "meta", "TaskName": "console_query_task_1603807075919", "InstanceId": "2020102713575683gc2je4pr2", "TaskType": "SQL", "OperationText": "create table a(a string);" } |
TunnelEvent
- DownloadTable
Field | Description | Example |
---|---|---|
referencedResources | The name of the table involved in a DownloadTable event. | "referencedResources": { "Table": ["source_xml_instid_flt_2"] } |
additionalEventData | The additional information about a DownloadTable event. The additional information includes the following parameters: TableName: the name of the table; Partition: the partition information; CurrentProject: the name of the project in which the download operation is initiated; ProjectName: the name of the project to which the downloaded table belongs; SesssionId: the ID of the tunnel session. | "additionalEventData": { "TableName": "source_xml_instid_flt_2", "Partition": "projectname=inst_200233,ds=20201027", "CurrentProject": "project1", "ProjectName": "project2", "SesssionId": "20201027200931a3baca0b037518a7" } |
- UploadTable
Field | Description | Example |
---|---|---|
referencedResources | The name of the table involved in an UploadTable event. | "referencedResources": { "Table": ["source_xml_instid_flt_2"] } |
additionalEventData | The additional information about an UploadTable event. The additional information includes the following parameters: TableName: the name of the table; Partition: the partition information; ProjectName: the name of the project to which the uploaded table belongs; SesssionId: the ID of the tunnel session. | "additionalEventData": { "TableName": "m_rt_privilege_event", "Partition": "ds=20201027,hh=22,mm=00", "ProjectName": "meta2", "SesssionId": "202010272209332231f60b08182dfb" } |
- InstanceTunnel
Field | Description | Example |
---|---|---|
referencedResources | The ID of the job involved in an InstanceTunnel event. | "referencedResources": { "Instance": ["20201027080131990gf238rsa"] } |
additionalEventData | The additional information about an InstanceTunnel event. The additional information includes the following parameters: CurrentProject: the name of the project in which the instance download operation is initiated; ProjectName: the name of the project to which the downloaded instance belongs; InstanceId: the ID of the instance; SesssionId: the ID of the tunnel session. | "additionalEventData": { "CurrentProject": "meta", "ProjectName": "meta", "InstanceId": "20201027080131990gf238rsa", "SesssionId": "2020102716014017c4ca0b036850f6" } |
RoleEvent
- CreateRole
Field | Description | Example |
---|---|---|
referencedResources | The name of the role involved in a CreateRole event. | "referencedResources": { "Role": ["test1"] } |
additionalEventData | The additional information about a CreateRole event. The additional information includes the following parameters: RoleName: the name of the role that you created; CurrentProject: the name of the project in which the role creation operation is initiated; ProjectName: the name of the project to which the role belongs; OperationText: the statement to be executed. | "additionalEventData": { "RoleName": "test1", "CurrentProject": "meta_dev", "ProjectName": "dev1", "OperationText": "create role test1;" } |
- DropRole
Field | Description | Example |
---|---|---|
referencedResources | The name of the role involved in a DropRole event. | "referencedResources": { "Role": ["test1"] } |
additionalEventData | The additional information about a DropRole event. The additional information includes the following parameters: RoleName: the name of the role that you deleted; CurrentProject: the name of the project in which the role deletion operation is initiated; ProjectName: the name of the project to which the role belongs; OperationText: the statement to be executed. | "additionalEventData": { "RoleName": "test1", "CurrentProject": "meta_dev", "ProjectName": "dev1", "OperationText": "drop role test1;" } |
UserEvent
- AddUser
Field | Description | Example |
---|---|---|
referencedResources | The name of the user involved in an AddUser event. | "referencedResources": { "User": ["ram$xxxx@aliyun.com:sub"] } |
additionalEventData | The additional information about an AddUser event. The additional information includes the following parameters: UserName: the name of the user that you added; ProjectName: the name of the project to which the user belongs; OperationText: the statement to be executed. | "additionalEventData": { "UserName": "ram$xxxx@aliyun.com:sub", "ProjectName": "project1", "OperationText": "add user RAM$xxxx@aliyun.com:sub;" } |
- RemoveUser
Field | Description | Example |
---|---|---|
referencedResources | The name of the user involved in a RemoveUser event. | "referencedResources": { "User": ["ram$xxxx@aliyun.com:sub"] } |
additionalEventData | The additional information about a RemoveUser event. The additional information includes the following parameters: UserName: the name of the user that you removed; ProjectName: the name of the project to which the user belongs; OperationText: the statement to be executed. | "additionalEventData": { "UserName": "ram$xxxx@aliyun.com:sub", "ProjectName": "project1", "OperationText": "remove user RAM$xxxx@aliyun.com:sub;" } |
TableEvent
- CreateTable
Field | Description | Example |
---|---|---|
referencedResources | The name of the table involved in a CreateTable event. | "referencedResources": { "Table": ["ttt"] } |
additionalEventData | The additional information about a CreateTable event. The additional information includes the following parameters: TableName: the name of the table that you created; ProjectName: the name of the project to which the table belongs; CorrelationId: used with Source. If Source is set to INSTANCE, this parameter indicates the job ID. If Source is set to TUNNEL, this parameter indicates the tunnel ID; Source: the source. Valid values: INSTANCE and TUNNEL; OperationText: CREATE_TABLE. | "additionalEventData": { "TableName": "ttt", "ProjectName": "meta_dev", "CorrelationId": "20201027083345196gsjgpv21", "Source": "INSTANCE", "OperationText": "CREATE_TABLE" } |
- DropTable
Field | Description | Example |
---|---|---|
referencedResources | The name of the table involved in a DropTable event. | "referencedResources": { "Table": ["ttt"] } |
additionalEventData | The additional information about a DropTable event. The additional information includes the following parameters: TableName: the name of the table that you deleted; ProjectName: the name of the project to which the table belongs; CorrelationId: used with Source. If Source is set to INSTANCE, this parameter indicates the job ID. If Source is set to TUNNEL, this parameter indicates the tunnel ID; Source: the source. Valid values: INSTANCE and TUNNEL; OperationText: This parameter can be set to DROP_TABLE or RECYCLE_TABLE. DROP_TABLE indicates that a user proactively deletes a table. RECYCLE_TABLE indicates that the system reclaims a table whose lifecycle ends. | "additionalEventData": { "TableName": "hot_user_hs_top30", "ProjectName": "prj1", "CorrelationId": "20201023024002372giqvmv21", "Source": "INSTANCE", "OperationText": "DROP_TABLE" } |
- ChangeTable
Field | Description | Example |
---|---|---|
referencedResources | The name of the table involved in a ChangeTable event. | "referencedResources": { "Table": ["ttt"] } |
additionalEventData | The additional information about a ChangeTable event. The additional information includes the following parameters: TableName: the name of the table whose data you want to change; ProjectName: the name of the project to which the table belongs; CorrelationId: used with Source. If Source is set to INSTANCE, this parameter indicates the job ID. If Source is set to TUNNEL, this parameter indicates the tunnel ID; Source: the source. Valid values: INSTANCE and TUNNEL; OperationText: ALTER_TABLE_RENAME, ADD_PARTITION, ALTER_TABLE_ADD_COLUMNS, ALTER_TABLE_CHANGE_LIFECYCLE, ALTER_TABLE_DROP_PARTITION, and ALTER_PARTITION. | "additionalEventData": { "TableName": "ttt", "ProjectName": "proj1", "CorrelationId": "20201028161651750g05e0tsa", "Source": "INSTANCE", "OperationText": "ADD_PARTITION" } |
- DescribeTable
Field | Description | Example |
---|---|---|
referencedResources | The name of the table involved in a DescribeTable event. | "referencedResources": { "Table": ["ttt"] } |
additionalEventData | The additional information about a DescribeTable event. The additional information includes the following parameters: TableName: the name of the table that you viewed; ProjectName: the name of the project to which the table belongs. | "additionalEventData": { "TableName": "ttt", "ProjectName": "prj1" } |
- ChangeTableData
Field | Description | Example |
---|---|---|
referencedResources | The name of the table involved in a ChangeTableData event. | "referencedResources": { "Table": ["ttt"] } |
additionalEventData | The additional information about a ChangeTableData event. The additional information includes the following parameters: TableName: the name of the table whose data you want to change; ProjectName: the name of the project to which the table belongs; CorrelationId: used with Source. If Source is set to INSTANCE, this parameter indicates the job ID. If Source is set to TUNNEL, this parameter indicates the tunnel ID; Source: the source. Valid values: INSTANCE and TUNNEL; OperationText: TRUNCATE_TABLE, INSERT_OVERWRITE_TABLE, INSERT_OVERWRITE_PARTITION, INSERT_PARTITION, or INSERT_TABLE. | "additionalEventData": { "TableName": "ttt", "ProjectName": "meta_dev", "CorrelationId": "20201027083345196gsjgpv21", "Source": "INSTANCE", "OperationText": "DATA_INGESTION" } |
- ReadTableData
Field | Description | Example |
---|---|---|
referencedResources | None | None |
additionalEventData | The additional information about a ReadTableData event. The additional information includes the following parameters: TableName: the name of the table from which data is read; ProjectName: the name of the project to which the table belongs; CorrelationId: used with Source. If Source is set to INSTANCE, this parameter indicates the job ID. If Source is set to TUNNEL, this parameter indicates the tunnel ID; Source: the source. Valid values: INSTANCE and TUNNEL; OperationText: READ_TABLE. | "additionalEventData": { "TableName": "ttt", "ProjectName": "meta_dev", "CorrelationId": "20201027083345196gsjgpv21", "Source": "INSTANCE", "OperationText": "READ_TABLE" } |
PrivilegeEvent
- GrantRole
Field | Description | Example |
---|---|---|
referencedResources | The name of the Alibaba Cloud account involved in a GrantRole event. | "referencedResources": { "User": ["aliyun$xxxx@aliyun.com"] } |
additionalEventData | The additional information about a GrantRole event. The additional information includes the following parameters: UserName: the name of the Alibaba Cloud account to which role-based privileges are granted; ProjectName: the name of the project to which the Alibaba Cloud account belongs; OperationText: the statement to be executed. | "additionalEventData": { "ObjectType": "PROJECT", "CurrentProject": "meta", "UserName": "aliyun$xxx@aliyun.com", "ProjectName": "meta", "OperationText": "grant test_role to ALIYUN$xxx@aliyun.com" } |
- RevokeRole
Field | Description | Example |
---|---|---|
referencedResources | The name of the Alibaba Cloud account involved in a RevokeRole event. | "referencedResources": { "User": ["aliyun$xxxx@aliyun.com"] } |
additionalEventData | The additional information about a RevokeRole event. The additional information includes the following parameters: UserName: the name of the Alibaba Cloud account from which role-based privileges are revoked; ProjectName: the name of the project to which the Alibaba Cloud account belongs; OperationText: the statement to be executed. | "additionalEventData": { "ObjectType": "PROJECT", "CurrentProject": "meta", "UserName": "aliyun$xxx@aliyun.com", "ProjectName": "meta", "OperationText": "revoke test_role from ALIYUN$xxx@aliyun.com" } |
- GrantACL
Field | Description | Example |
---|---|---|
referencedResources | The name of the Alibaba Cloud account involved in a GrantACL event. | "referencedResources": { "User": ["aliyun$xxxx@aliyun.com"] } |
additionalEventData | The additional information about a GrantACL event. The additional information includes the following parameters: ObjectType: the type of the object to which ACL-based privileges are granted. Valid values: PROJECT, RESOURCE, TABLE, and FUNCTION; CurrentProject: the name of the project in which the ACL-based privilege assignment is initiated; UserName: the name of the Alibaba Cloud account to which ACL-based privileges are granted; ProjectName: the name of the project to which the Alibaba Cloud account belongs; OperationText: the statement to be executed; ObjectName: the name of the object to which label-based privileges are granted. | "additionalEventData": { "ObjectType": "PROJECT", "CurrentProject": "meta", "UserName": "aliyun$xxx@aliyun.com", "ProjectName": "meta", "OperationText": "grant createtable on project meta to ALIYUN$xxx@aliyun.com;", "ObjectName": "meta" } |
- RevokeACL
Field | Description | Example |
---|---|---|
referencedResources | The name of the Alibaba Cloud account involved in a RevokeACL event. | "referencedResources": { "User": ["aliyun$xxxx@aliyun.com"] } |
additionalEventData | The additional information about a RevokeACL event. The additional information includes the following parameters: ObjectType: the type of the object from which ACL-based privileges are revoked. Valid values: PROJECT, RESOURCE, TABLE, and FUNCTION; CurrentProject: the name of the project in which ACL-based privilege revocation is initiated; UserName: the name of the Alibaba Cloud account from which ACL-based privileges are revoked; ProjectName: the name of the project to which the Alibaba Cloud account belongs; OperationText: the statement to be executed; ObjectName: the name of the object from which label-based privileges are revoked. | "additionalEventData": { "ObjectType": "PROJECT", "CurrentProject": "meta", "UserName": "aliyun$xxx@aliyun.com", "ProjectName": "project1", "OperationText": "revoke createtable on project project1 from ALIYUN$xxx@aliyun.com;", "ObjectName": "project1" } |
- GrantLabel
Field | Description | Example |
---|---|---|
referencedResources | The name of the Alibaba Cloud account involved in a GrantLabel event. | "referencedResources": { "User": ["aliyun$xxxx@aliyun.com"] } |
additionalEventData | The additional information about a GrantLabel event. The additional information includes the following parameters: ObjectType: the type of the object to which label-based privileges are granted. The value is set to TABLE; UserName: the name of the Alibaba Cloud account to which label-based privileges are granted; ProjectName: the name of the project to which the Alibaba Cloud account belongs; OperationText: the statement to be executed; ObjectName: the name of the object to which label-based privileges are granted. | "additionalEventData": { "ObjectType": "TABLE", "UserName": "aliyun$xxx@aliyun.com", "ProjectName": "meta", "OperationText": "GRANT LABEL 4 ON TABLE t1 TO USER ALIYUN$xxx@aliyun.com;", "ObjectName": "meta" } |
- RevokeLabel
Field | Description | Example |
---|---|---|
referencedResources | The name of the Alibaba Cloud account involved in a RevokeLabel event. | "referencedResources": { "User": ["aliyun$xxxx@aliyun.com"] } |
additionalEventData | The additional information about a RevokeLabel event. The additional information includes the following parameters: ObjectType: the type of the object from which label-based privileges are revoked. Valid values: PROJECT, RESOURCE, TABLE, and FUNCTION; UserName: the name of the Alibaba Cloud account from which label-based privileges are revoked; ProjectName: the name of the project to which the Alibaba Cloud account belongs; OperationText: the statement to be executed; ObjectName: the name of the object from which label-based privileges are revoked. | "additionalEventData": { "ObjectType": "TABLE", "UserName": "aliyun$xxx@aliyun.com", "ProjectName": "meta", "OperationText": "Revoke LABEL 4 ON TABLE t1 from USER ALIYUN$xxx@aliyun.com;", "ObjectName": "t1" } |
- PutRolePolicy
Field | Description | Example |
---|---|---|
referencedResources | The name of the role involved in a PutRolePolicy event. | "referencedResources": { "Role": ["test1_role"] } |
additionalEventData | The additional information about a PutRolePolicy event. The additional information includes the following parameters: RoleName: the name of the role; CurrentProject: the name of the project in which the role-level policy operation is initiated; ProjectName: the name of the project to which the role belongs; OperationText: the content of the policy. | "additionalEventData": { "RoleName": "test1_role", "CurrentProject": "meta_dev", "ProjectName": "meta_dev", "OperationText": "{\n \"Statement\": [{\n \"Action\": [\"odps:Read\",\n \"odps:List\"],\n \"Effect\": \"Allow\",\n \"Resource\": [\"acs:odps:*:projects/p1\"]},\n {\n \"Action\": [\"odps:Describe\",\n \"odps:Select\"],\n \"Effect\": \"Allow\",\n \"Resource\": [\"acs:odps:*:projects/p1/tables/m_*\"]}],\n \"Version\": \"1\"}" } |
- SetProjectPolicy
Field | Description | Example |
---|---|---|
referencedResources | None | None |
additionalEventData | The additional information about a SetProjectPolicy event. CurrentProject: the name of the project in which the project-level policy operation is initiated. | "additionalEventData": { "CurrentProject": "test_prj" } |
- SetTableLabel
Field | Description | Example |
---|---|---|
referencedResources | None | None |
additionalEventData | The additional information about a SetTableLabel event. The additional information includes the following parameters: ObjectType: the type of the object. The value is set to TABLE; OperationText: the statement to be executed; ObjectName: the name of the object. | "additionalEventData": { "ObjectType": "TABLE", "OperationText": "SET LABEL 3 TO TABLE t1test(col1);", "ObjectName": "t1test" } |
- SetUserLabel
Field | Description | Example |
---|---|---|
referencedResources | The name of the Alibaba Cloud account involved in a SetUserLabel event. | "referencedResources": { "User": ["aliyun$xxxx@aliyun.com"] } |
additionalEventData | The additional information about a SetUserLabel event. UserName: the name of the Alibaba Cloud account that configures label-based privileges for users. | "additionalEventData": { "UserName": "aliyun$xxxx@aliyun.com" } |
AdminEvent
- CreateProject
Field | Description | Example |
---|---|---|
referencedResources | None | None |
additionalEventData | The additional information about a CreateProject event. ProjectName: the name of the MaxCompute project that you created. | "additionalEventData": { "ProjectName": "xxxx" } |
- UpdateProject
Field | Description | Example |
---|---|---|
referencedResources | None | None |
additionalEventData | The additional information about an UpdateProject event. The additional information includes the following parameters: ProjectName: the name of the MaxCompute project that you updated; Properties: the flag that you updated; State: optional. The project status. Valid values: FROZEN and AVAILABLE. | "additionalEventData": { "ProjectName": "xxx", "Properties": "{\"odps.sql.decimal.odps2\":\"true\",\"odps.sql.hive.compatible\":\"false\",\"odps.sql.type.system.odps2\":\"true\"}" } |
- DeleteProject
Field | Description | Example |
---|---|---|
referencedResources | None | None |
additionalEventData | The additional information about a DeleteProject event. ProjectName: the name of the MaxCompute project that you deleted. | "additionalEventData": { "ProjectName": "xxxx" } |
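
The event names and the additionalEventData parameters documented above are enough to triage delivered events for the alerting scenario this topic mentions. The following Python code is an added example, not part of the MaxCompute or ActionTrail documentation. It assumes that each delivered event has already been decoded into a dict with the fields listed in this topic; the rule names, the `evt-N` IDs, and the sample events are constructed for illustration.

```python
import json

# Event names taken from the Scope table on this page.
PRIVILEGE_CHANGES = {"GrantRole", "GrantACL", "GrantLabel", "PutRolePolicy",
                     "SetProjectPolicy", "SetUserLabel", "AddUser"}
TUNNEL_DOWNLOADS = {"DownloadTable", "InstanceTunnel"}


def wildcard_resources(policy_text):
    """Allow-statement resources with '*' in the path, i.e. after the third ':'."""
    try:
        policy = json.loads(policy_text)
    except (TypeError, ValueError):
        return []
    if not isinstance(policy, dict):
        return []
    hits = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        hits += [r for r in resources if "*" in r.split(":", 3)[-1]]
    return hits


def triage(event):
    """Return the (hypothetical) rule names that fire for one decoded event dict."""
    if event.get("serviceName") != "MaxCompute":
        return []
    name = event.get("eventName")
    extra = event.get("additionalEventData") or {}
    rules = []
    # Tunnel download started from a project other than the one owning the data.
    if name in TUNNEL_DOWNLOADS:
        owner, caller = extra.get("ProjectName"), extra.get("CurrentProject")
        if owner and caller and owner != caller:
            rules.append("cross-project-download")
    if name in PRIVILEGE_CHANGES:
        rules.append("privilege-change")
    # PutRolePolicy carries the policy document as a JSON string in OperationText.
    if name == "PutRolePolicy" and wildcard_resources(extra.get("OperationText")):
        rules.append("wildcard-policy")
    # DROP_TABLE is a user action; RECYCLE_TABLE is the system reclaiming a table.
    if name == "DropTable" and extra.get("OperationText") == "DROP_TABLE":
        rules.append("user-table-drop")
    return rules


def scan(events):
    """Map eventId -> fired rules, leaving out events with no finding."""
    findings = {}
    for event in events:
        rules = triage(event)
        if rules:
            findings[event.get("eventId")] = rules
    return findings


# Constructed sample events; field values reuse the examples shown on this page.
POLICY = {"Version": "1", "Statement": [
    {"Action": ["odps:Read", "odps:List"], "Effect": "Allow",
     "Resource": ["acs:odps:*:projects/p1"]},
    {"Action": ["odps:Describe", "odps:Select"], "Effect": "Allow",
     "Resource": ["acs:odps:*:projects/p1/tables/m_*"]}]}
SAMPLE_EVENTS = [
    {"eventId": "evt-1", "serviceName": "MaxCompute", "eventName": "DownloadTable",
     "additionalEventData": {"CurrentProject": "project1", "ProjectName": "project2"}},
    {"eventId": "evt-2", "serviceName": "MaxCompute", "eventName": "PutRolePolicy",
     "additionalEventData": {"RoleName": "test1_role",
                             "OperationText": json.dumps(POLICY)}},
    {"eventId": "evt-3", "serviceName": "MaxCompute", "eventName": "DropTable",
     "additionalEventData": {"OperationText": "RECYCLE_TABLE"}},
]

if __name__ == "__main__":
    for event_id, rules in scan(SAMPLE_EVENTS).items():
        print(event_id, rules)
```

The RECYCLE_TABLE event produces no finding because the table was reclaimed by the system at the end of its lifecycle rather than deleted by a user.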