All Products
Search
Document Center

Realtime Compute for Apache Flink:View audit events of Realtime Compute for Apache Flink

Last Updated:Jan 15, 2024

This topic describes how to view audit events of Realtime Compute for Apache Flink by using ActionTrail.

Background information

ActionTrail is a service that monitors and records the actions of your Alibaba Cloud account. The actions include your access to and use of cloud services by using the Alibaba Cloud Management Console, APIs, and SDKs. ActionTrail records these operations as events. You can download these events and deliver them to Simple Log Service Logstores or Object Storage Service (OSS) buckets. Then, you can perform behavior analysis, security analysis, resource change tracking, and compliance auditing based on the events. For more information about ActionTrail, see What is ActionTrail?

Fully managed Flink is connected to ActionTrail. You can view operation events of Realtime Compute for Apache Flink resources and related information free of charge in the ActionTrail console.

limits

  • In the ActionTrail console, you can query only the events that are delivered by single-account trails. You can perform queries at most twice per second. You cannot query the events that are delivered by multi-account trails in the ActionTrail console. To query such events, go to the required Object Storage Service (OSS) bucket or Simple Log Service Logstore. For more information, see Create a multi-account trail.

  • You can use the event query feature to query only the events that are generated in the current region in the last 90 days.

    • To query the events that were generated in the current region 90 days ago, you must create a single-account trail to deliver the events to OSS or Simple Log Service. Otherwise, you cannot query the events that were generated 90 days ago. For more information, see Create a single-account trail.

    • To query the events that were generated in multiple regions 90 days ago or filter and query events based on multiple conditions, you can use the advanced event query feature. For more information, see Perform custom event queries.

  • After an event is generated within your Alibaba Cloud account, you must wait 10 minutes before you can query the event in the ActionTrail console.

Procedure

  1. Log on to the ActionTrail console.

  2. In the left-side navigation pane, choose Events > Event Query.

  3. In the top navigation bar, select the region of the event that you want to query from the drop-down list.

  4. On the Event Detail Query page, enter query conditions, specify a time range, and then click the 查询按钮 icon.

    Note
    • You can configure the following query conditions to query events: Read/Write Type, Operator, Service Name, Event Name, Resource Type, Resource Name, AccessKey ID, Sensitive Operation, and Event ID.

    • You can query global events only in the Singapore region.

  5. Find the event that you want to query and click View Event Details in the Operation column to view the details of the event.

    For more information about the events of Realtime Compute for Apache Flink, see Events of Realtime Compute for Apache Flink. The following example shows an event that a deployment is deleted.

    {
      "eventId": "48deee2f-a38b-440b-aae4-168640afd6b8",
      "eventVersion": 1,
      "responseElements": {},
      "errorMessage": "",
      "eventSource": "RealtimeCompute",
      "requestParameters": {},
      "sourceIpAddress": "140.**.**.19",
      "userAgent": "RealtimeCompute",
      "eventRW": "Write",
      "eventType": "ApiCall",
      "referencedResources": {
        "ACS::RealtimeCompute::Deployment": [
          "47eb63e1-79b8-4192-9cd2-059ec5d7****",
          "guiyuan-kafka-writer"
        ]
      },
      "userIdentity": {
        "accessKeyId": "null",
        "sessionContext": {
          "attributes": {
            "mfaAuthenticated": "true",
            "userDisplayName": "25265763711933****",
            "user": "25265763711933****"
          }
        },
        "accountId": "1016954307248737",
        "principalId": "25265763711933****",
        "type": "ram-user",
        "userName": "25265763711933****"
      },
      "serviceName": "RealtimeCompute",
      "additionalEventData": {
        "namespace": "NamespaceRef(name=Optional[daily-instance-not-delete-default])"
      },
      "requestId": "202306021408-LFMZBC059T",
      "eventTime": "2023-06-02T06:08:21Z",
      "isGlobal": false,
      "acsRegion": "cn-beijing",
      "eventName": "DeleteDeployment"
    }

Events of Realtime Compute for Apache Flink

For more information about the events of Realtime Compute for Apache Flink that you can view in the ActionTrail console, see Audit events of Realtime Compute for Apache Flink.