edit-icon download-icon

ActionTrail event log syntax

Last Updated: Aug 08, 2018

apiVersion

  • Type: String
  • Required: Yes
  • Description: The API version to use.

eventId

  • Type: String
  • Required: Yes
  • Description: The GUID generated by ActionTrail for the event.

eventName

  • Type: String
  • Required: Yes
  • Description: The name of the API being called. For example, StopInstance of Ecs. For more information, see API Reference of each Alibaba Cloud service supported by ActionTrail.

eventSource

  • Type: String
  • Required: Yes
  • Description: The URL of the server processing the API request. For example, ram.aliyuncs.com.

eventTime

  • Type: String
  • Required: Yes
  • Description: The date and time when the event occurred. (UTC)

eventType

  • Type: String
  • Required: Yes
  • Description: Includes ApiCall (APIs called by the console or directly by users) and ConsoleSignin (events performed by users logged on to the console).

eventVersion

  • Type: String
  • Required: Yes
  • Description: ActionTrail event format version. The current version is 1.

errorCode

  • Type: String
  • Required: No
  • Description: The error code returned when an error occurs after sending the API request. For example, NoPermission.

errorMessage

  • Type: String
  • Required: No
  • Description: The error message returned when an error occurs after sending the API request. For example, ‘You are not authorized’.

requestId

  • Type: String
  • Required: Yes
  • Description: The ID of the API request generated by the Alibaba Cloud service in use.

requestParameters

  • Type: String
  • Required: No
  • Description: The request parameter. For more information, see API Reference of each Alibaba Cloud service supported by ActionTrail.

serviceName

  • Type: String
  • Required: Yes
  • Description: The name of the Alibaba Cloud service in use. For example, Ecs, Rds, Ram.

sourceIpAddress

  • Type: String
  • Required: Yes
  • Description: The IP address from which the API request is sent. If the API is called by the console, the user’s IP address is recorded, not the IP address of the Web server of the console.

userAgent

  • Type: String
  • Required: Yes
  • Description: The agent through which the API request is sent. AliyunConsole for the console, and aliyuncli/2.0.6 for SDK.

userIdentity

  • Type: String
  • Required: Yes
  • Description: The identity information of the requester.

The userIdentity syntax

Name Required Description
Type Yes Identity type which includes root-account (primary accounts),
ram-user (RAM users), and assumed-role (RAM roles).
principalId Yes The ID of the requester.
- If the request is made by a primary account, the ID of the primary account
is recorded.
- If the request is made by a RAM user, the RAM user ID is recorded.
- If the request is made by a RAM role, RoleID: RoleSessionName is recorded.
accountId Yes Primary account ID.
accessKeyId No AccessKeyID is recorded if the API request is made through SDK. AccessKeyID is not recorded if the API request is made through the console.
userName No - If Type is ram-user, the RAM user ID is recorded.
- If Type is assumed-role, roleName: roleSessionName is recorded.
sessionContext No Recorded when an STS token is used to call an API,
or an operation is performed through the console.
sessionContext includes creationDate (the time when a session occurs)
and mfaAuthenticated (whether multi-factor authentication is used to log on to the console).

userIdentity examples

  • An operation performed by a RAM user through SDK
  1. "userIdentity": {
  2. "type": "ram-user",
  3. "principalId": "288153348682784898",
  4. "accountId": "1122334455667788",
  5. "accessKeyId": "55nCtAwmPLkkt5PB",
  6. "userName": "Bob"
  7. }
  • An operation performed by a RAM user through the console
  1. "userIdentity": {
  2. "type": "ram-user",
  3. "principalId": "288153348682784898",
  4. "accountId": "1122334455667788",
  5. "userName": "Bob",
  6. "sessionContext": {
  7. "attributes": {
  8. "mfaAuthenticated": "true",
  9. "creationDate": "2015-12-31T06:33:14Z"
  10. }
  11. }
  12. }
  • An operation performed by a RAM role through SDK
  1. "userIdentity": {
  2. "type": "assumed-role",
  3. "principalId": "288153348682784898:alice",
  4. "accountId": "1122334455667788",
  5. "accessKeyId": "STS.F24gnHkUE7dER4rsFFQ4n2wCS",
  6. "userName": "manager:alice"
  7. }
Thank you! We've received your feedback.