works together with ActionTrail to allow you to query event logs in ActionTrail and deliver the logs to a Logstore in Log Service or an Object Storage Service (OSS) bucket. This way, you can audit logs in real time and backtrace and analyze issues based on the logs. This topic describes how to query event logs of an cluster in the ActionTrail console.

Background information

ActionTrail monitors and records the operations logs of an Alibaba Cloud account. ActionTrail collects the following events for an cluster:

Limits

  • In the ActionTrail console, you can query only the events delivered by single-account trails. You can perform queries at most twice per second. You cannot query the events delivered by multi-account trails in the ActionTrail console. You can query such events in the corresponding Object Storage Service (OSS) bucket or Log Service Logstore. For more information, see Create a multi-account trail.
  • You can use the event query feature to query only the events that occurred in the current region in the last 90 days.
    • To query the events that occurred in the current region 90 days ago, you must create a single-account trail to deliver the events to OSS or Log Service. Otherwise, you cannot query the events that occurred 90 days ago. For more information, see Create a single-account trail.
    • To query the events that occurred in multiple regions 90 days ago or filter and query events based on multiple conditions, you can use the advanced event query feature. For more information, see Perform advanced event queries.
  • After an event occurs within your Alibaba Cloud account, you must wait 10 minutes before you can query the event in the ActionTrail console.

Note

  • ActionTrail is automatically activated. If your Alibaba Cloud account has completed real-name verification and has no overdue payment, you can use the account to log on to the ActionTrail console.
  • If you use ActionTrail to create a trail and deliver events to an Object Storage Service (OSS) bucket or a Log Service Logstore, you are charged based on the billing policies of the service involved.

For more information, see Billing.

Query event logs in ActionTrail

  1. Log on to the ActionTrail console.
  2. In the left-side navigation pane, click Event Detail Query.
  3. In the top navigation bar, select the region where the event that you want to query occurred from the drop-down list.
  4. On the Event Detail Query page, move the pointer over the name of the desired event and view the event details.
    Note On the Event Detail Query page, you can search for events by Read/Write type, Username, Event Name, Resource Type, Resource Name, Service Name, or AccessKeyId.
  5. Optional. To view the details of an event, click the plus sign (+) to the left side of the event and click Event Detail.
    The following sample code shows the details of an event for an ApsaraDB for ClickHouse cluster:
    {
      "ApiVersion": "2019-11-11",
      "RequestId": "76BEA6CF-****-****-****-12393F559EFF",
      "EventType": "ApiCall",
      "UserIdentity": {
        "Type": "ram-user",
        "InvokedBy": "",
        "AccountId": "",
        "UserName": "",
        "PrincipalId": "20**************95",
        "AccessKeyId": "TMP.**********4K99m",
        "Arn": ""
      },
      "AcsRegion": "cn-shenzhen",
      "EventName": "CreateAccountAndAuthority",
      "IsBlack": false,
      "RequestParameters": {
        "AcsHost": "clickhouse-share.aliyuncs.com",
        "RequestId": "76BEA6CF-****-****-****-12393F559EFF",
        "DBClusterId": "cc-2z*********7q",
        "HostId": "clickhouse-share.aliyuncs.com",
        "AllowDatabases": "sh*****g",
        "AccountPassword": "***************",
        "DdlAuthority": true,
        "DmlAuthority": "all",
        "AcsProduct": "clickhouse",
        "TotalDatabases": "de***lt,sh***g",
        "TotalDictionaries": "",
        "AllowDictionaries": "",
        "AcceptLanguage": "zh-CN",
        " charset": "UTF-8",
        "AccountName": "root"
      },
      "EventSource": "clickhouse-share.aliyuncs.com",
      "ServiceName": "ClickHouse",
      "EventTime": "2021-06-08T08:28:57.497+0000",
      "ReferencedResources": {},
      "UserAgent": "clickhouse.console.aliyun.com",
      "EventId": "76BEA6CF-****-****-****-12393F559EFF",
      "ResponseElements": {
        "RequestId": "76BEA6CF-****-****-****-12393F559EFF"
      },
      "ErrorCode": "",
      "ErrorMessage": "",
      "EventVersion": "",
      "SourceIpAddress": "11*.*.*.*7"
    }

More operations

You can deliver event logs collected by ActionTrail to Log Service or OSS. For more information, see Query events in the Log Service or OSS console.

Notice You are charged for delivering event logs. For more information, see Billing.

Events on the buy page

ActionTrail records the following events for an cluster.

Event type Event name Description
AliyunServiceEvent Create Creates a cluster on the buy page.
AliyunServiceEvent Renew Renews a cluster on the buy page.
AliyunServiceEvent Release Releases a cluster on the buy page.

Events for API calls

ActionTrail records the following events for an cluster.

Event name Description
AllocateClusterPublicConnection Creates a public endpoint for a cluster.
CheckScaleOutBalanced Checks whether the conditions for cluster upgrades or downgrades are met.
CheckServiceLinkedRole Checks whether a service-linked role is created.
CreateAccount Creates a privileged account for a cluster.
CreateAccountAndAuthority Creates an account and grants permissions to the account.
CreateBackupPolicy Creates a backup policy.
CreateDBInstance Creates a cluster.
CreateOSSStorage Enables tiered storage.
CreatePortsForClickHouse Creates a port.
CreateServiceLinkedRole Creates a service-linked role.
DeleteAccount Deletes a privileged account from a cluster.
DeleteDBCluster Releases a cluster that uses the pay-as-you-go billing method.
DeleteLorneTask Deletes a task that delivers event logs to Log Service.
DescribeAccountAuthority Queries account permissions.
DescribeAccounts Queries the accounts for logging on to a cluster.
DescribeAllDataSource Enumerates all databases, tables, and columns in a cluster.
DescribeAvailableResource Queries whether resources are available.
DescribeBackupPolicy Queries a backup policy.
DescribeBackups Queries backup sets.
DescribeDBClusters Queries the clusters within an Alibaba Cloud account or the clusters that are accessible to an authorized RAM user.
DescribeDBClusterAccessWhiteList Queries the IP addresses in the whitelist of a cluster.
DescribeDBClusterAttribute Queries the attributes of a cluster.
DescribeDBClusterConfig Queries the configuration of a cluster.
DescribeDBClusterStatusSet Queries the status of a cluster.
DescribeDBClusterNetInfoItems Queries the network details of a cluster.
DescribeDBClusterPerformance Queries the performance data of a cluster.
DescribeDBConfig Queries the configuration of dictionaries.
DescribeLogHubAttribute Queries the attributes of a task that delivers event logs to Log Service.
DescribeLoghubDetail Queries the details of a task that delivers event logs to Log Service.
DescribeLorneLog Queries the logs of a task that delivers event logs to Log Service.
DescribeLorneTasks Queries tasks that deliver event logs to Log Service.
DescribeLorneTasksMCount Queries a metric value for a task that delivers event logs to Log Service.
DescribeLorneTasksMetrics Queries metric values for a task that delivers event logs to Log Service.
DescribeOSSStorage Queries information about tiered storage.
DescribeRegions Queries the regions and zones in which ApsaraDB for ClickHouse is available.
DescribeProcessList Queries SQL statements that are being executed.
DescribeSchemas Queries database schemas.
DescribeSlowLogRecords Queries slow SQL queries.
DescribeSlowLogTrend Queries the trend of slow SQL queries.
DescribeTables Queries table schemas.
KillProcess Stops SQL statements that are being executed.
ModifyAccountAuthority Modifies account permissions.
ModifyAccountDescription Modifies the description of a cluster account.
ModifyBackupPolicy Modifies a backup policy.
ModifyDBCluster Upgrades or downgrades a cluster.
ModifyDBClusterAccessWhiteList Modifies the whitelist of a cluster.
ModifyDBClusterConfig Modifies the configuration of a cluster.
ModifyDBClusterDescription Modifies the description of a cluster.
ModifyDBClusterMaintainTime Modifies the maintenance window of a cluster.
ModifyDBConfig Modifies the configuration of a dictionary.
OperateLogHub Configures a task that delivers event logs to Log Service.
OperateLorneTaskStatus Changes the status of a task that delivers event logs to Log Service.
ReleaseClusterPublicConnection Deletes the public endpoint of a cluster.
ResetAccountPassword Resets the password of a privileged account.