Queries event details.

When you call this operation to query event details, you can query the event details at most twice per second.

Note: Do not frequently call this operation. You can create a trail to deliver events to Log Service. Then, you can query event details in near real time by using the real-time log consumption feature of Log Service.

For more information, see Create a single-account trail, Create a multi-account trail, and Real-time subscription and consumption.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes LookupEvents

The operation that you want to perform. Set the value to LookupEvents.
NextToken String No eyJhY2NvdW50IjoiMTQyNDM3OTU4NjM4NzE2MSIsImV2ZW50SWQiOiI3MkJDRTExRi02OTU3LTQ0NUItQjY0MC1CNEUyMkM4NUEwQzgiLCJsb2dJZCI6IjgyLTE0MjQzNzk1ODYzODcxNjEiLCJ0aW1lIjoxNjAyMzExNTQwMD****

The token used to request the next page of query results.

Note The request parameters must be the same as those of the last request.
MaxResults String No 20

The maximum number of entries to be returned.

Valid values: 0 to 50.
StartTime String No 2020-10-08T11:00:00Z

The beginning of the time range to query. The default time is seven days prior to the current time. Specify the time in the ISO 8601 standard. The time must be in UTC. Format: YYYY-MM-DDThh:mm:ssZ.

Note The maximum time range is 30 days. You can query the detailed information about events that are generated in the recent 90 days.
EndTime String No 2020-10-15T11:00:00Z

The end of the time range to query. The default time is the current time. Specify the time in the ISO 8601 standard. The time must be in UTC. Format: YYYY-MM-DDThh:mm:ssZ.

Note The maximum time range is 30 days. You can query the detailed information about events that are generated in the recent 90 days.
LookupAttribute.N.Key String No ServiceName

The key of the query condition. Valid values:

  • ServiceName: the name of a specific Alibaba Cloud service.
  • EventName: the name of a specific event.
  • User: the name of the RAM user who calls a specific operation.
  • EventId: the ID of a specific event.
  • ResourceType: the type of resources.
  • ResourceName: the name of a specific resource.
  • EventRW: the read/write type of events.
  • EventAccessKeyId: the AccessKey ID used in events.
    Note You can use only one query condition for each query.
LookupAttribute.N.Value String No Ecs

The value of the query condition. Valid values:

  • When LookupAttribute.N.Key is set to ServiceName, you can set this parameter to a value such as Ecs.
  • When LookupAttribute.N.Key is set to EventName, you can set this parameter to a value such as ConsoleSignin.
  • When LookupAttribute.N.Key is set to User, you can set this parameter to a value such as Alice.
  • When LookupAttribute.N.Key is set to EventId, you can set this parameter to a value such as B702AFA3-FD4B-40E3-88E4-C0752FAA****.
  • When LookupAttribute.N.Key is set to ResourceType, you can set this parameter to a value such as ACS::ECS::Instance.
  • When LookupAttribute.N.Key is set to ResourceName, you can set this parameter to a value such as i-bp14664y88udkt45****.
  • When LookupAttribute.N.Key is set to EventRW, you can set this parameter to Read or Write.
  • When LookupAttribute.N.Key is set to EventAccessKeyId, you can set this parameter to a value such as LTAI4FoDkCf4DU1bic1V****.

Response parameters

Parameter Type Example Description
Events List N/A (see sample success responses)

The returned event details.

For more information about the fields in an event log, see ActionTrail event log reference.

NextToken String eyJhY2NvdW50IjoiMTQyNDM3OTU4NjM4NzE2MSIsImV2ZW50SWQiOiI3MkJDRTExRi02OTU3LTQ0NUItQjY0MC1CNEUyMkM4NUEwQzgiLCJsb2dJZCI6IjgyLTE0MjQzNzk1ODYzODcxNjEiLCJ0aW1lIjoxNjAyMzExNTQwMD****

The token used to return the next page of query results.

Note This parameter is not returned if no more results are to be returned.
StartTime String 2020-07-15T14:00:00Z

The beginning of the time range when event details were queried.
EndTime String 2020-07-22T14:00:00Z

The end of the time range when event details were queried.
RequestId String FD79665A-CE8B-49D4-82E6-5EE2E0E791DD

The ID of the request.

Examples

Sample requests

http(s)://[Endpoint]/? Action=LookupEvents
&<Common request parameters>

Sample success responses

JSON format 

{
    "RequestId": "FD79665A-CE8B-49D4-82E6-5EE2E0E791DD"
    "NextToken": "eyJhY2NvdW50IjoiMTQyNDM3OTU4NjM4NzE2MSIsImV2ZW50SWQiOiI3MkJDRTExRi02OTU3LTQ0NUItQjY0MC1CNEUyMkM4NUEwQzgiLCJsb2dJZCI6IjgyLTE0MjQzNzk1ODYzODcxNjEiLCJ0aW1lIjoxNjAyMzExNTQwMD****",
    "EndTime": "2020-07-22T14:00:00Z",
    "Events": [
        {
          "eventId": "B702AFA3-FD4B-40E3-88E4-C0752FAA****",
          "eventVersion": 1,
          "eventSource": "actiontrail.cn-hangzhou.aliyuncs.com",
          "requestParameters": {
                "AcsHost": "actiontrail.cn-hangzhou.aliyuncs.com",
                "RequestId": "B702AFA3-FD4B-40E3-88E4-C0752FAA5A07",
                "AcsProduct": "Actiontrail",
                "Region": "cn-hangzhou",
                "LookupAttribute.1.Value": "Ecs",
                "HostId": "actiontrail.cn-hangzhou.aliyuncs.com",
                "LookupAttribute.1.Key": "ServiceName"
            },
            "sourceIpAddress": "100.68.XX.XX",
            "eventType": "ApiCall",
            "userIdentity": {
                "accessKeyId": "LTAI4GK3D6YtNkNZfjDV****",
                "sessionContext": {
                    "attributes": {
                        "mfaAuthenticated": "false",
                        "creationDate": "2020-10-10T08:31:47Z"
                    }
                },
                "accountId": "142437958638****",
                "principalId": "142437958638****",
                "type": "root-account",
                "userName": "root"
            },
            "serviceName": "Actiontrail",
            "additionalEventData": {
                "Scheme": "http"
            },
            "apiVersion": "2020-07-06",
            "requestId": "B702AFA3-FD4B-40E3-88E4-C0752FAA5A07",
            "eventTime": "2020-10-10T08:31:47Z",
            "isGlobal": false,
            "acsRegion": "cn-hangzhou",
            "eventName": "LookupEvents"
       }
    ],
    "StartTime": "2020-07-15T14:00:00Z",
}

Error codes

HTTP status code Error code Error message Description
400 IncompleteSignature The request signature does not conform to Alibaba Cloud standards. The error message returned because the request signature does not conform to the standards of Alibaba Cloud. Check whether the AccessKey ID and AccessKey secret are valid and whether the signature method is appropriate. For more information, see Signature method.
400 InvalidParameterCombination The end time must be later than the start time. The error message returned because the end of the time range must be later than the beginning.
400 InvalidQueryParameter The specified query parameter is invalid. The error message returned because the specified request parameters are invalid.
400 InvalidParameterDateOutOfRange Query time range exceeds 30 days. The error message returned because the specified time range exceeds 30 days.
400 InvalidParameterEndTime The specified EndTime is invalid. The error message returned because the value of the EndTime parameter is invalid.
400 InvalidParameterStartTime The specified StartTime is invalid. The error message returned because the value of the StartTime parameter is invalid.
400 InvalidParameterStartTimeExceedsCurrent The StartTime exceeds the current time. Use GMT time format for queries. The error message returned because the beginning of the time range is later than the current time. Specify a valid time range in UTC.
400 InvalidParameterStartTimeOutOfDate The StartTime exceeds the limit of 90 days. The error message returned because the beginning of the time range is more than 90 days before the current time.
400 InvalidTimeRangeException The end time must be later than the start time. The time span cannot exceed 30 days. The error message returned because the end of the time range must be later than the beginning and the time range must not exceed 30 days.

For a list of error codes, visit the API Error Center.