ActionTrail supports the advanced event query feature, which helps you query events that occurred in multiple regions 90 days ago. This topic describes how to use the advanced event query feature in the ActionTrail console.

Prerequisites

The advanced event query feature is enabled for your trail. For more information, see Enable the advanced event query feature.

Scenarios

You can perform advanced event queries in common mode or simple mode. In common mode, you can query events in a visualized manner. In simple mode, you can query events by defining Structured Query Language (SQL) conditions.

| Mode | Query method | Description | Example |
| --- | --- | --- | --- |
| Common mode | Single-condition query | You can filter events by service name, event name, resource name, resource type, read/write type, username, AccessKey ID, source IP, account ID, account type, region, event source, or event ID. | To query all KMS-related events that occurred in a specified time range, select Key Management Service(Kms) from the Service Name drop-down list. |
| Common mode | Multi-condition query | You can specify one or more services and one or more regions to query events. | To query KMS-related events that occurred in the China (Hangzhou) and China (Shanghai) regions, select Key Management Service(Kms) from the Service Name drop-down list, and China (Hangzhou) and China (Shanghai) from the Region drop-down list. |
| Simple mode | Keyword-based query | You can enter a keyword in the search box based on your business requirements. | To query all write events, enter Write in the search box. |
| Simple mode | Single-condition query | You can specify a filter condition in the Who, What, Which, Where, or Other category to query events. | To query all KMS-related events that occurred in a specified time range, click the search box, select Service Name, and then select Key Management Service(Kms) from the drop-down list. |
| Simple mode | Multi-condition query | You can specify multiple filter conditions in the Who, What, Which, Where, and Other categories to query events. | To query events of ActionTrail-related operations performed by User Alex, perform the following steps: (1) Click the search box, select Service Name, and then select Actiontrail(Actiontrail) from the drop-down list. (2) Click the search box, select User Name, and then enter Alex in the field. |
| Simple mode | NOT operator-based query | You can specify multiple filter conditions and change the operator in front of a filter condition that you want to negate to NOT. | To query events of ActionTrail-related operations performed by users excluding User Alex, perform the following steps: (1) Click the search box, select Service Name, and then select Actiontrail(Actiontrail) from the drop-down list. (2) Click the search box, select User Name, enter Alex in the field, and then change the operator in front of the filter condition to NOT. |

Procedure

  1. Log on to the ActionTrail console.
  2. In the top navigation bar, select the region in which the events that you want to query occurred.
  3. In the left-side navigation pane, click Advanced Event Query.
  4. On the Advanced Event Query page, query events.
    - In common mode:
      1. Specify filter conditions.
      2. Click Query.
      3. Click the plus sign (+) to the left of the event you want to query to view the event details.
      4. Optional. Click Event Detail to view the event log.
    - In simple mode:
      1. Click Switch to the simple mode.
      2. Specify filter conditions.
      3. Click Query.
      4. Click the plus sign (+) to the left of the event you want to query to view the event details.
      5. Optional. Click Event Detail to view the event log.