This topic describes the key fields of a management event log with examples.

Key fields of a management event log

Field Type Required Example Description
acsRegion String Yes cn-hangzhou The ID of the region where the management event was generated.
additionalEventData JSON Yes Schema: "http" The additional information about the management event. The following content describes the settings that represent different meanings:
  • This field has no practical significance.
    additionalEventData: {
      Schema: "http"
    }
  • This field provides additional information about a logon event.
    {
        "additionalEventData":{
            "callbackUrl":"https://homenew.console.aliyun.com/",
            "mfaChecked":"true"
        }
    }
  • This field provides the additional information about a MaxCompute-related event.
    {
      "additionalEventData": {
        "TableName": "table_1",
        "Partition": "dt=20210708,hh=17,region=cn-shenzhen",
        "CurrentProject": "project_1",
        "ProjectName": "project_1",
        "SesssionId": "202107081800166d37d****"
      }
    }
apiVersion String No 2014-05-26 The version of the API operation that was called. If the eventType field is set to ApiCall, the management event log records an API operation. In this case, this field indicates the version of the API operation.
eventCategory String Yes Management The type of the generated event. Valid values:
  • Management: indicates a management event.
  • Insight: indicates an insight event.
eventId String Yes F23A3DD5-7842-4EF9-9DA1-3776396A**** The ID of the management event. ActionTrail generates a globally unique identifier (GUID) for each management event.
eventName String Yes CreateNetworkInterface The name of the management event.
  • If the eventType field is set to ApiCall, this field is set to the name of the API operation that was called.
  • If the eventType field is not set to ApiCall, this field is set to a string that indicates the action recorded in the management event log.
eventRW String Yes Write The read/write type of the management event. Valid values:
  • Write: indicates a write event.
  • Read: indicates a read event.
eventSource String Yes ecs.aliyuncs.com The source of the management event.
eventTime String Yes 2020-01-09T12:12:14Z The time when the management event was generated, in UTC.
eventType String Yes ApiCall The type of the action that was recorded in the management event log. Valid values:
  • ApiCall: indicates that an API operation was called. The consoles of most Alibaba Cloud services are developed based on APIs. If an action was performed in these consoles, ActionTrail records the action as ApiCall.
  • ConsoleOperation (ConsoleCall): indicates that a management action was performed in the consoles or on the buy pages of specific Alibaba Cloud services. These consoles or buy pages are not developed based on APIs. If an action was performed in these consoles or on these buy pages, ActionTrail records this action as ConsoleOperation or ConsoleCall. For an action of this type, the value of the eventName field is a string that indicates the action.
  • AliyunServiceEvent: indicates that Alibaba Cloud performed a management action on the resources that you own, such as releasing a subscription instance upon expiration.
  • PasswordReset: indicates that your password was reset.
  • ConsoleSignin: indicates a logon to the Alibaba Cloud Management Console.
  • ConsoleSignout: indicates a logoff from the Alibaba Cloud Management Console.
eventVersion String Yes 1 The version of the event log format. The current version is 1.
errorCode String No NoPermission The error code returned if an error occurred during the processing of the API request.
errorMessage String No You are not authorized. The error message returned if an error occurred during the processing of the API request.
requestId String Yes F23A3DD5-7842-4EF9-9DA1-3776396AD58D The ID of the API request.
requestParameters Dictionary No N/A The parameters specified in the API request.
requestParameterJson String No "{"AcsHost":"actiontrail.cn-hangzhou.aliyuncs.com","AcsProduct":"Actiontrail","RequestId":"32B8BA8F-3738-46D3-BCCA-1B2257AEF9BB","AcceptLanguage":"zh-CN","Region":"cn-hangzhou","HostId":"actiontrail.cn-hangzhou.aliyuncs.com","Name":"create-service-tmp"}" The parameters specified in the API request. This field is in the JSON format and serves the same purpose as the requestParameters field.
Note This field applies only to the management events that are delivered to Log Service.
responseElements Dictionary No N/A The response returned for the API request.
referencedResources Dictionary No N/A The resources that the action recorded in the management event log involves.
serviceName String Yes Ecs The name of the Alibaba Cloud service to which the management event log belongs.
sourceIpAddress String Yes 11.168.XX.XX The IP address from which the management event was generated.
userAgent String Yes Apache-HttpClient/4.5.7 (Java/1.8.0_152) The user agent that sent the API request. Examples:
  • AlibabaCloud (Linux 3.10.0-693.2.2.el7.x86_64;x86_64) Python/2.7.5 Core/2.13.16 python-requests/2.18.3
  • Apache-HttpClient/4.5.7 (Java/1.8.0_152)
userIdentity Dictionary Yes N/A The identity information about the requester.

For more information, see the "Fields contained in UserIdentity" section in this topic.

The following table describes the fields that userIdentity contains.

Table 1. Fields contained in userIdentity
Field Type Required Example Description
type String Yes ram-user The identity type of the requester. Valid values:
  • root-account: indicates an Alibaba Cloud account.
  • ram-user: indicates a RAM user.
  • assumed-role: indicates a RAM role.
  • system: indicates an Alibaba Cloud service.
principalId String Yes 28815334868278**** The ID of the requester.
  • If the type field is set to root-account, this field is set to the ID of the Alibaba Cloud account.
  • If the type field is set to ram-user, this field is set to the ID of the RAM user.
  • If the type field is set to assumed-role, this field is set to a string in the RoleID:RoleSessionName format.
accountId String Yes 112233445566**** The ID of the Alibaba Cloud account.
accessKeyId String No 55nCtAwmPLkk****
  • The AccessKey ID that is used by the requester. If the requester sent an API request by using an SDK, this field is recorded.
  • If the requester performed an action in the Alibaba Cloud Management Console, this field is not recorded.
userName String No Alice
  • The name of the requester. If the type field is set to ram-user, this field is set to the name of the RAM user.
  • If the type field is set to assumed-role, this field is set to a string in the RoleName:RoleSessionName format.
sessionContext String No {"attributes": {"mfaAuthenticated": "true", "creationDate": "2020-01-09T12:12:14Z" } The session context recorded when the requester called an API operation by using a Security Token Service (STS) token or logged on to the Alibaba Cloud Management Console. The session context contains the following attributes:
  • creationDate: the time when the STS token was created.
  • mfaAuthenticated: indicates whether multi-factor authentication (MFA) was enabled for logging on to the Alibaba Cloud Management Console.

Example

{
    "acsRegion":"cn-hangzhou",
    "additionalEventData":{
        "Scheme":"http"
    },
    "apiVersion":"2014-05-26",
    "eventCategory":"Management",
    "eventId":"F7393A43-6A4A-4409-AEDD-8B1C47DE****",
    "eventName":"RunInstances",
    "eventRW":"Write",
    "eventSource":"ecs-cn-hangzhou-inner.aliyuncs.com",
    "eventTime":"2021-07-13T07:33:46Z",
    "eventType":"ApiCall",
    "eventVersion":"1",
    "referencedResources":{
        "ACS::ECS::Instance":[
            "i-0xiiz1v0vw4epqjc****"
        ],
        "ACS::ECS::SecurityGroup":[
            "sg-0xi2js0u6m03jbmv****"
        ],
        "ACS::ECS::Image":[
            "aliyun_2_1903_x64_20G_alibase_20200529.vhd"
        ],
        "ACS::ECS::KeyPair":[
            "sshkey-cn-hangzhou"
        ],
        "ACS::VPC::VSwitch":[
            "vsw-0xikxv8p1akh4ki43****"
        ]
    },
    "requestId":"F7393A43-6A4A-4409-AEDD-8B1C47DE45ED",
    "requestParameters":{
        "Amount":1,
        "VSwitchId":"vsw-0xikxv8p1akh4ki43****"
    },
    "resourceName":"i-0xiiz1v0vw4epqjc****;sg-0xi2js0u6m03jbmv****;aliyun_2_1903_x64_20G_alibase_20200529.vhd;sshkey-cn-hangzhou;vsw-0xikxv8p1akh4ki43****",
    "resourceType":"ACS::ECS::Instance;ACS::ECS::SecurityGroup;ACS::ECS::Image;ACS::ECS::KeyPair;ACS::VPC::VSwitch",
    "responseElements":{
        "RequestId":"F7393A43-6A4A-4409-AEDD-8B1C47DE45ED",
        "InstanceIdSets":{
            "InstanceIdSet":[
                "i-0xiiz1v0vw4epqjc****"
            ]
        }
    },
    "serviceName":"Ecs",
    "sourceIpAddress":"Internal",
    "userAgent":"AlibabaCloud (Linux; amd64) Java/1.8.0_102-b52 Core/4.5.3 HTTPClient/InternalHttpClient",
    "userIdentity":{
        "accessKeyId":"STS.NUQNP4PiGyckMsNiGELCs****",
        "accountId":"116214297662****",
        "principalId":"32886943330935****:ess-session-ecs_default",
        "sessionContext":{
            "attributes":{
                "mfaAuthenticated":"false",
                "creationDate":"2021-07-13T07:33:46Z"
            }
        },
        "type":"assumed-role",
        "userName":"aliyunserviceroleforautoscaling:ess-session-ecs_default"
    }
}