ActionTrail records the events that are related to Elastic Compute Service (ECS). If an error occurs when you perform operations on ECS instances, you can query the details of the related events to obtain information such as the time when the event occurred, the region where the event occurred, and the ECS instance involved. This topic provides the logs of four sample ECS-related events and describes the key fields included in the event logs.

Stop an ECS instance by using an Alibaba Cloud account in the ECS console

The following sample event log indicates that an Alibaba Cloud account stopped the ECS instance whose ID is 2zeip56clb391fpf**** in the China (Beijing) region in the ECS console at 14:11:36 on August 04, 2021, UTC+8.

{
  "eventId": "239EB588-CD24-522E-B0B5-174A1A588BE0",
  "eventVersion": 1,
  "eventSource": "ecs-cn-hangzhou-share.aliyuncs.com",
  "requestParameters": {
    "charset": "UTF-8",
    "AcsHost": "ecs-cn-hangzhou-share.aliyuncs.com",
    "AcsProduct": "Ecs",
    "RequestId": "239EB588-CD24-522E-B0B5-174A1A588BE0",
    "InstanceId": "i-2zeip56clb391fpf****",
    "ForceStop": false,
    "AcceptLanguage": "zh-CN"
  },
  "sourceIpAddress": "192.168.XX.XX",
  "userAgent": "Apache-HttpClient/4.5.7 (Java/1.8.0_275)",
  "eventType": "ApiCall",
  "referencedResources": {
    "ACS::ECS::Instance": [
      "i-2zeip56clb391fpf****"
    ]
  },
  "userIdentity": {
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2021-08-04T06:11:36Z"
      }
    },
    "accountId": "154735325685****",
    "principalId": "154735325685****",
    "type": "root-account",
    "userName": "root"
  },
  "serviceName": "Ecs",
  "additionalEventData": {
    "Scheme": "http",
    "CallerBid": "26842"
  },
  "apiVersion": "2014-05-26",
  "requestId": "239EB588-CD24-522E-B0B5-174A1A588BE0",
  "eventTime": "2021-08-04T06:11:36Z",
  "isGlobal": false,
  "acsRegion": "cn-beijing",
  "eventName": "StopInstance"
}

The sample event log contains the following key fields:

  • userIdentity.type: the identity type of the requester. The value in the example is root-account, which indicates an Alibaba Cloud account.
  • serviceName: the name of the Alibaba Cloud service related to the event. The value in the example is Ecs, which indicates ECS.
  • eventName: the name of the event. The value in the example is StopInstance, which indicates that an instance was stopped.
  • referencedResources: the one or more resources that are related to the event. The value in the example is {"ACS::ECS::Instance": ["i-2zeip56clb391fpf****"]}, which indicates the ECS instance whose ID is i-2zeip56clb391fpf****.
  • acsRegion: the region in which the event occurred. The value in the example is cn-beijing, which indicates the China (Beijing) region.
  • eventTime: the time when the event occurred in UTC. The value in the example is 2021-08-04T06:11:36Z, which indicates 14:11:36 on August 04, 2021, UTC+8.

Stop an instance as a RAM user in the ECS console

The following sample event log indicates that the RAM user whose username is ecs_operator3 stopped the ECS instance whose ID is i-2zegxcy8f0htnq1o**** in the China (Beijing) region in the ECS console at 13:29:30 on August 04, 2021, UTC+8.

{
  "eventId": "5E197C8B-081F-5A0C-A86A-4B6F266CA80B",
  "eventVersion": 1,
  "eventSource": "ecs-cn-hangzhou.aliyuncs.com",
  "requestParameters": {
    "AcsHost": "ecs-cn-hangzhou.aliyuncs.com",
    "AcsProduct": "Ecs",
    "RequestId": "5E197C8B-081F-5A0C-A86A-4B6F266CA80B",
    "InstanceId": "i-2zegxcy8f0htnq1o****",
    "ForceStop": "True",
    "https": "False"
  },
  "sourceIpAddress": "192.168.XX.XX",
  "userAgent": "ros.console.aliyun.com",
  "eventType": "ApiCall",
  "referencedResources": {
    "ACS::ECS::Instance": [
      "i-2zegxcy8f0htnq1o****"
    ]
  },
  "userIdentity": {
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2021-08-04T05:29:30Z"
      }
    },
    "accountId": "182872313731****",
    "principalId": "20499042382297****",
    "type": "ram-user",
    "userName": "ecs_operator3"
  },
  "serviceName": "Ecs",
  "additionalEventData": {
    "Scheme": "http",
    "CallerBid": "26842"
  },
  "apiVersion": "2014-05-26",
  "requestId": "5E197C8B-081F-5A0C-A86A-4B6F266CA80B",
  "eventTime": "2021-08-04T05:29:30Z",
  "isGlobal": false,
  "acsRegion": "cn-beijing",
  "eventName": "StopInstance"
}

The sample event log contains the following key fields:

  • userIdentity.type: the identity type of the requester. The value in the example is ram-user, which indicates a RAM user.
  • userIdentity.userName: the username of the RAM user.
  • serviceName: the name of the Alibaba Cloud service related to the event. The value in the example is Ecs, which indicates ECS.
  • eventName: the name of the event. The value in the example is StopInstance, which indicates that an instance was stopped.
  • referencedResources: the one or more resources that are related to the event. The value in the example is {"ACS::ECS::Instance": ["i-2zegxcy8f0htnq1o****"]}, which indicates the ECS instance whose ID is i-2zegxcy8f0htnq1o****.
  • acsRegion: the region in which the event occurred. The value in the example is cn-beijing, which indicates the China (Beijing) region.
  • eventTime: the time when the event occurred in UTC. The value in the example is 2021-08-04T05:29:30Z, which indicates 13:29:30 on August 04, 2021, UTC+8.

Stop an ECS instance by calling the StopInstance operation as a RAM user with an AccessKey pair used

The following sample event log indicates that a RAM user stopped the ECS instance whose ID is i-bp1buct0j6jywbfp**** in the China (Hangzhou) region by calling the StopInstance operation at 11:42:20 on August 04, 2021, UTC+8. The RAM user used the AccessKey pair whose ID is LTAIIzSdydLc**** to initiate the API call.

{
  "eventId": "A9171DC9-638E-5561-BA2E-69B1B956C8F4",
  "eventVersion": 1,
  "eventSource": "ecs.aliyuncs.com",
  "requestParameters": {
    "AcsHost": "ecs.aliyuncs.com",
    "AcsProduct": "Ecs",
    "RequestId": "A9171DC9-638E-5561-BA2E-69B1B956C8F4",
    "InstanceId": "i-bp1buct0j6jywbfp****",
    "ForceStop": true
  },
  "sourceIpAddress": "192.168.XX.XX",
  "eventType": "ApiCall",
  "referencedResources": {
    "ACS::ECS::Instance": [
      "i-bp1buct0j6jywbfp****"
    ]
  },
  "userIdentity": {
    "accessKeyId": "LTAIIzSdydLc****",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2021-08-04T03:42:20Z"
      }
    },
    "accountId": "122196828764****",
    "principalId": "23079124770506****",
    "type": "ram-user",
    "userName": "hz-perf-cluster"
  },
  "serviceName": "Ecs",
  "additionalEventData": {
    "Scheme": "https",
    "CallerBid": "26842"
  },
  "apiVersion": "2014-05-26",
  "requestId": "A9171DC9-638E-5561-BA2E-69B1B956C8F4",
  "eventTime": "2021-08-04T03:42:20Z",
  "isGlobal": false,
  "acsRegion": "cn-hangzhou",
  "eventName": "StopInstance"
}

The sample event log contains the following key fields:

  • userIdentity.accessKeyId: the AccessKey ID that is used to initiate the API call. The value in the example is LTAIIzSdydLc****.
  • userIdentity.principalId: the ID of the account to which the AccessKey pair belongs. The value in the example is 23079124770506****.
  • serviceName: the name of the Alibaba Cloud service related to the event. The value in the example is Ecs, which indicates ECS.
  • eventName: the name of the event. The value in the example is StopInstance, which indicates that an instance was stopped.
  • referencedResources: the one or more resources that are related to the event. The value in the example is {"ACS::ECS::Instance": ["i-bp1buct0j6jywbfp****"]}, which indicates the ECS instance whose ID is i-bp1buct0j6jywbfp****.
  • acsRegion: the region in which the event occurred. The value in the example is cn-hangzhou, which indicates the China (Hangzhou) region.
  • eventTime: the time when the event occurred in UTC. The value in the example is 2021-08-04T03:42:20Z, which indicates 11:42:20 on August 04, 2021, UTC+8.

Stop an ECS instance by assuming a RAM role

The following sample event log indicates that Auto Scaling (ESS) stopped the ECS instance whose ID is i-2zeeryqubk6402qw**** in the China (Beijing) region by assuming the aliyunserviceroleforautoscaling service-linked role at 14:50:10 on August 04, 2021, UTC+8.

{
  "eventId": "E7233050-120B-5684-93E4-49A6754D8252",
  "eventVersion": 1,
  "eventSource": "ecs-cn-hangzhou-inner.aliyuncs.com",
  "requestParameters": {
    "securityToken": "CAISlQJ1q6Ft5B2yfSjIr5beG4322+YZ0baYaVWElTksTe4VtfD8szz2IH9NenVoA+wetPg+mmtT6/welr5+UIQAXkHfdsp36NFa+hiWb4fPstGx8eThLDMywS/BZSTg1er+Ps/bLrqECNrPBnnAkihsu8iYERypQ12iN7CQlJdjda55dwKkbD1Adrw0T0kY3618D3bKMuu3ORPHm3fZCFES2jBxkmRi86+ysKb+g1j89AShmrJJ9tqoc8P7NpU2Z8xFPo3rjLAsRM3oyzVN7hVGzqBygZFf9C3P1tPnWAYIvUneabaMqIE+clQiO/JmAdlNqPntiPtjt/bNlo/60RFJMO9SSS3CWIe7y8LAGeWmJgLCqWAjiPSnGoABEJShxrqPitmfV2/wirLqZhYsiElHL0LIma0PRByFDMqa3Jo5O1xeeGvbhnLnHiqdTYUjap8X/fiew+pgNlLmjPwZ7AjWKFZVuO3yedhEpUE7aE14PJ2asbOw2b5T1CVH9FHYNWaCUliWBTIjAqI3UYkRktOiecZ2ZExp8g3+****=",
    "stsTokenPrincipalName": "aliyunserviceroleforautoscaling/ess-session-ecs_default",
    "AcsHost": "ecs-cn-hangzhou-inner.aliyuncs.com",
    "ServiceCode": "ecs",
    "AcsProduct": "Ecs",
    "RequestId": "E7233050-120B-5684-93E4-49A6754D8252",
    "InstanceId": "i-2zeeryqubk6402qw****",
    "RegionId": "cn-beijing",
    "stsTokenPlayerUid": 158643649596****
  },
  "sourceIpAddress": "Internal",
  "userAgent": "AlibabaCloud (Linux; amd64) Java/1.8.0_102-b52 Core/4.5.3 HTTPClient/InternalHttpClient",
  "eventType": "ApiCall",
  "referencedResources": {
    "ACS::ECS::Instance": [
      "i-2zeeryqubk6402qw****"
    ]
  },
  "userIdentity": {
    "accessKeyId": "STS.NUkP7B698ftsks5q9yAa9****",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2021-08-04T06:50:10Z"
      }
    },
    "accountId": "138549619371****",
    "principalId": "37164024024963****:ess-session-ecs_default",
    "type": "assumed-role",
    "userName": "aliyunserviceroleforautoscaling:ess-session-ecs_default"
  },
  "serviceName": "Ecs",
  "additionalEventData": {
    "Scheme": "http",
    "CallerBid": "26842"
  },
  "apiVersion": "2014-05-26",
  "requestId": "E7233050-120B-5684-93E4-49A6754D8252",
  "eventTime": "2021-08-04T06:50:10Z",
  "isGlobal": false,
  "acsRegion": "cn-beijing",
  "eventName": "StopInstance"
}

The sample event log contains the following key fields:

  • userIdentity.type: the identity type of the requester. The value in the example is assumed-role, which indicates a RAM role.
  • userIdentity.userName: the username of the requester. The value is in the format of {roleName}:{sessionName}. roleName indicates the name of the RAM role that was assumed. sessionName indicates the name that was specified when the actor assumed the RAM role. The value in the example is aliyunserviceroleforautoscaling:ess-session-ecs_default, which indicates that the name of the RAM role that was assumed is aliyunserviceroleforautoscaling, and the name that was specified when the actor assumed the RAM role is ess-session-ecs_default.
    Note The aliyunserviceroleforautoscaling service-linked role for ESS is a RAM role that enables ESS to access the resources in other Alibaba Cloud services.
  • requestParameters.stsTokenPlayerUid: the ID of the Alibaba Cloud account to which the actor belongs. The value in the example is 158643649596****.
  • referencedResources: the one or more resources that are related to the event. The value in the example is {"ACS::ECS::Instance": ["i-2zeeryqubk6402qw****"]}, which indicates the ECS instance whose ID is i-2zeeryqubk6402qw****.
  • serviceName: the name of the Alibaba Cloud service related to the event. The value in the example is Ecs, which indicates ECS.
  • eventName: the name of the event. The value in the example is StopInstance, which indicates that an instance was stopped.
  • acsRegion: the region in which the event occurred. The value in the example is cn-beijing, which indicates the China (Beijing) region.
  • eventTime: the time when the event occurred in UTC. The value in the example is 2021-08-04T06:50:10Z, which indicates 14:50:10 on August 04, 2021, UTC+8.