This topic describes the key fields of an event log with examples.

Key fields of an event log

Field Type Required Example Description
acsRegion String Yes cn-hangzhou The ID of the region where the event occurred.
apiVersion String Yes 2014-05-26 The version of the API that was called. This field is required if eventType is set to ApiCall, which indicates that the event was triggered when an API was called.
eventId String Yes F23A3DD5-7842-4EF9-9DA1-3776396A**** The ID of the event. ActionTrail generates a GUID for each delivered event.
eventName String Yes CreateNetworkInterface The name of the event.
  • This field is set to the name of the API operation that was called if eventType is set to ApiCall.
  • This field is set to a string that indicates the action of the event if eventType is not set to ApiCall.
eventSource String Yes ecs.aliyuncs.com The URL of the service that processed the event.
eventTime String Yes 2020-01-09T12:12:14Z The time when the event occurred, in UTC.
eventType String Yes ApiCall The type of the event that generated the event log. Valid values:
  • ApiCall: indicates that an API was called. This is the most common event type. The userAgent field indicates whether the event was triggered by using the Alibaba Cloud console or an SDK.
  • ConsoleOperation (ConsoleCall): indicates that a certain action was performed in the Alibaba Cloud console. The name of this type of event can be the name of the API operation that was called or a string that indicates the action of the event.
  • AliyunServiceEvent: indicates that Alibaba Cloud performed a certain action on resources that you own, for example, releasing a subscription instance upon expiration.
  • PasswordReset: indicates that the password of your Alibaba Cloud account or a RAM user was reset.
  • ConsoleSignin: indicates a logon by using your Alibaba Cloud account or as a RAM user.
  • ConsoleSignout: indicates a logoff by using your Alibaba Cloud account or as a RAM user.
eventVersion String Yes 1 The version of the event format. The current version is 1.
errorCode String No NoPermission The error code returned if an error occurs during the processing of the API request. ·
errorMessage String No You are not authorized. The error message returned if an error occurs during the processing of the API request.
requestId String Yes F23A3DD5-7842-4EF9-9DA1-3776396AD58D The ID of the request.
requestParameters Dictionary No N/A The request parameters that was sent with the API request.
responseElements Dictionary No N/A The response data that was returned.
referencedResources Dictionary No N/A The list of resources accessed in the event.
serviceName String Yes Ecs The name of the Alibaba Cloud service to which the request was sent.
sourceIpAddress String Yes 11.XX.XX.232 The IP address from which the request was sent.
Note If the API operation was called by a user in the console, this field is set to the user's IP address, rather than the IP address of the web server of the console.
userAgent String Yes Apache-HttpClient/4.5.7 (Java/1.8.0_152) The agent through which the API request was sent. Valid values:
  • AlibabaCloud (Linux 3.10.0-693.2.2.el7.x86_64;x86_64) Python/2.7.5 Core/2.13.16 python-requests/2.18.3
  • Apache-HttpClient/4.5.7 (Java/1.8.0_152)
userIdentity Dictionary Yes N/A The identity information about the requester.

The following table describes the fields that userIdentity contains.

Field Type Required Example Description
type String Yes ram-user The type of the identity. Valid values:
  • root-account: indicates an Alibaba Cloud account.
  • ram-user: indicates a RAM user.
  • assumed-role: indicates a RAM role.
  • system: indicates an Alibaba Cloud service.
principalId String Yes 28815334868278**** The ID of the requester.
  • This field is set to the ID of the Alibaba Cloud account if type is set to root-account.
  • This field is set to the ID of the RAM user if type is set to ram-user.
  • This field is set to a string in the RoleID:RoleSessionName format if type is set to assumed-role.
accountId String Yes 112233445566**** The ID of the Alibaba Cloud account that owns the requester.
accessKeyId String No 55nCtAwmPLkk**** The AccessKey ID used to make the API request. This field is required if the API request was made through the SDK, and is not required when the API request was made through the console.
userName String No B**
  • The name of the requester. This field is set to the name of the RAM user if type is set to ram-user.
  • This field is set to a string in the RoleName:RoleSessionName format if type is set to assumed-role.
sessionContext String No {"attributes": {"mfaAuthenticated": "true", "creationDate": "2015-12-31T06:33:14Z" } The session context recorded when the requester uses a Security Token Service (STS) token to call an API operation, or logs on to the Alibaba Cloud console. The session context contains the following attributes:
  • creationDate: indicates the time when the STS token was created.
  • mfaAuthenticated: indicates whether multi-factor authentication was used for logging on to the console.

Example

{
  "eventId": "F23A3DD5-7842-4EF9-9DA1-3776396A****",
  "responseElements": {
    "RequestId": "F23A3DD5-7842-4EF9-9DA1-3776396AD58D",
    "NetworkInterfaceId": "eni-bp12f9rjb****ktzjqau"
  },
  "eventVersion": "1",
  "requestParameters": {
    "securityToken": "********",
    "Tag.1.Key": "CreatedBy",
    "RequestId": "F23A3DD5-7842-4EF9-9DA1-3776396AD58D",
    "SecurityGroupId": "sg-bp10mvd8****lfks143r",
    "Tag.1.Value": "StreamCompute",
    "VSwitchId": "vsw-bp1iqqmaj4****2c81noh",
    "RegionId": "cn-hangzhou",
    "SignatureType": "",
    "stsTokenPlayerUid": 165266****475569
  },
  "eventSource": "ecs.aliyuncs.com",
  "sourceIpAddress": "11. ***. ***.232",
  "userIdentity": {
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2020-01-09T12:12:14Z"
      }
    },
    "accessKeyId": "STS.NUnj6********aEoMZGsTnuqK",
    "accountId": "116214****628250",
    "principalId": "3164566****6066448:116214****628250",
    "userName": "aliyunstreamdefaultrole:116214****628250",
    "type": "assumed-role"
  },
  "eventType": "ApiCall",
  "referencedResources": {
    "VSwitch": [
      "vsw-bp1iqqma****402c81noh"
    ],
    "SecurityGroup": [
      "sg-bp10mvd****6lfks143r"
    ]
  },
  "serviceName": "Ecs",
  "additionalEventData": {
    "Scheme": "http"
  },
  "apiVersion": "2014-05-26",
  "requestId": "F23A3DD5-7842-4EF9-9DA1-3776396AD58D",
  "eventTime": "2020-01-09T12:12:14Z",
  "acsRegion": "cn-hangzhou",
  "eventName": "CreateNetworkInterface",
  "__expanded": true
}