Key fields in an event log

apiVersion

  • Type: String
  • Required: Yes
  • Description: The version of the API being called.

eventId

  • Type: String
  • Required: Yes
  • Description: The GUID generated by ActionTrail for the event.

eventName

  • Type: String
  • Required: Yes
  • Description: The name of the API being called. For example, StopInstance of Ecs. For more information, see the List of operations by function section of each Alibaba Cloud service supported by ActionTrail.

eventSource

  • Type: String
  • Required: Yes
  • Description: The URL of the server for processing the API request. For example, ram.aliyuncs.com.

eventTime

  • Type: String
  • Required: Yes
  • Description: The UTC date and time when the event occurred.

eventType

  • Type: String
  • Required: Yes
  • Description: The type of the event. Event types include ApiCall (event triggered when a user or the console calls an API) and ConsoleSignin (event triggered when a user uses the primary or RAM account to log on to the console).

eventVersion

  • Type: String
  • Required: Yes
  • Description: The version of the ActionTrail event format. The current version is 1.

errorCode

  • Type: String
  • Required: No
  • Description: The error code returned when an error occurs during API request processing. For example, NoPermission. ·

errorMessage

  • Type: String
  • Required: No
  • Description: The error message returned when an error occurs during API request processing. For example, "You are not authorized."

requestId

  • Type: String
  • Required: Yes
  • Description: The unique ID generated by the Alibaba Cloud service in use for the API request that is received.

requestParameters

  • Type: Dictionary
  • Required: No
  • Description: The parameters in the API request. For more information, see the List of operations by function section of each Alibaba Cloud service supported by ActionTrail.

responseElements

  • Type: Dictionary
  • Required: No
  • Description: The elements in the API response. For more information, see the List of operations by function section of each Alibaba Cloud service supported by ActionTrail.

referencedResources

  • Type: Dictionary
  • Required: No
  • Description: The resources referenced by the API.

serviceName

  • Type: String
  • Required: Yes
  • Description: The name of the Alibaba Cloud service in use. For example, Ecs, Rds, and Ram.

sourceIpAddress

  • Type: String
  • Required: Yes
  • Description: The IP address from which the API request is sent. If the API is called by a user on the console, the user's IP address is recorded, not the IP address of the web server of the console.

userAgent

  • Type: String
  • Required: Yes
  • Description: The agent through which the API request is sent. The value is set to AliyunConsole for the console, and aliyuncli/2.0.6 for SDK.

userIdentity

  • Type: Dictionary
  • Required: Yes
  • Description: The identity information of the requester.

Fields in the userIdentity syntax

Name Required Description
type Yes The identity type. Valid values: root-account (primary accounts), ram-user (RAM users), and assumed-role (RAM roles).
principalId Yes The ID of the requester. If the request is made by a primary account, the ID of the primary account is recorded. If the request is made by a RAM user, the RAM user ID is recorded. If the request is made by a RAM role, RoleID:RoleSessionName is recorded.
accountId Yes The ID of the primary account.
accessKeyId No This parameter is required when the API request is made through SDK, and is not required when the API request is made through the console.
userName No If the request is made by a RAM user, the RAM user ID is recorded. If the request is made by a RAM role, roleName:roleSessionName is recorded.
sessionContext No The session context recorded when an STS token is used to call an API, or an operation is performed through the console. For more information about an STS token, see Configure STS token. sessionContext includes creationDate (the time when a session is created) and mfaAuthenticated (whether multi-factor authentication is used for logging on to the console).

userIdentity examples

  • An operation performed by a RAM user through SDK
"userIdentity": {
    "type": "ram-user",
    "principalId": "28815334868278****",
    "accountId": "112233445566****",
    "accessKeyId": "55nCtAwmPLkk****",
    "userName": "B**"
}
  • An operation performed by a RAM user through the console
"userIdentity": {
    "type": "ram-user",
    "principalId": "28815334868278****",
    "accountId": "112233445566****",
    "userName": "B**",
    "sessionContext": {
        "attributes": {
            "mfaAuthenticated": "true",
            "creationDate": "2015-12-31T06:33:14Z"
        }
    }
}
  • An operation performed by a RAM role through SDK
"userIdentity": {
    "type": "assumed-role",
    "principalId": "28815334868278****:a****",
    "accountId": "112233445566****",
    "accessKeyId": "STS.F24gnHkUE7dER4rsFFQ4n****",
    "userName": "manager:a****"
}