
WUYING Workspace: View operation logs

Last Updated: Mar 29, 2024

The operation logs of WUYING Workspace (Pro Edition) record the operations that are performed on cloud computers by using Alibaba Cloud accounts. WUYING Workspace supports the following types of operation logs: administrator operation logs and end user operation logs. You can query operation logs based on your business requirements and audit whether anomalies exist in the operations. This topic describes how to view operation logs.

Background information

Operation logs help you monitor and record operations that are performed in WUYING Workspace (Pro Edition) by using Alibaba Cloud accounts. For example, the administrator operation logs record the operations that are performed by the administrator to access and use WUYING Workspace in the WUYING Workspace console and OpenAPI Explorer. The end user operation logs record the operations that are performed by end users to start, stop, restart, reset, connect to, and disconnect from cloud computers, and establish and close cloud computer sessions. The operation logs provide valid records when you analyze security, trace resource changes, and audit the compliance of behaviors.

View administrator operation logs

You can view administrator operation logs in one of the following modes:

  • Event query: allows you to query events of the past 90 days in the specified region.

  • Advanced query: allows you to query events beyond the past 90 days across multiple regions. Compared with the event query mode, the advanced query mode allows you to configure a larger number of query conditions.

Event query

  1. Log on to the WUYING Workspace (Pro Edition) console.

  2. In the left-side navigation pane, choose Audit Trails > Audit Logs.

  3. In the upper-left corner of the top navigation bar, select a region.

  4. On the Operation Logs page, click the Administrator Operation Logs tab.

  5. (Optional) On the Administrator Operation Logs tab, determine whether to click Switch to Event Query based on the following rules:

    If the event query mode is enabled, you do not need to switch to event query. If the event query mode is not enabled, click Switch to Event Query.

  6. Configure query conditions and a time range based on your business requirements, and click the Query icon to query events.

    • Query conditions: You can query events by read/write type, username, or resource type.

    • Time range: By default, the operation logs of the past 24 hours are displayed. You can specify a custom time range.

  7. Find the event whose details you want to view and click the row in which the event resides.

    By default, the Basic Information and Associated Resources sections are displayed for each event. The following figure shows the sections.

    Note
    • You can click Event Detail to view the event code.

    • For more information about the fields in the event code, see Management event structure.

Advanced query

  1. On the Operation Logs page, click the Administrator Operation Logs tab.

  2. On the Administrator Operation Logs tab, determine whether to click Switch to Advanced Query based on the following rules:

    If the advanced query mode is enabled, you do not need to switch to advanced query. If the advanced query mode is not enabled, click Switch to Advanced Query.

  3. Enable the advanced query mode.

    The first time you use the advanced query mode, you must perform the following steps to enable the mode. In other cases, you can skip the following steps.

    1. On the Administrator Operation Logs tab, click Enable Advanced Event Query.

    2. In the Enable Advanced Event Query panel, create a trail, configure the Logstore information, and then click Confirm.

  4. Configure query conditions or enter query statements based on your business requirements.

    You can perform an advanced query in common mode or simple mode. In common mode, you can query events in a visualized manner. In simple mode, you can enter SQL statements to query events in a flexible manner.

    • Common mode

      1. Configure query conditions and a time range and click Query.

        You can query an event by event name, resource name, resource type, and region. You can specify multiple regions.

      2. In the events that are returned, find the event whose details you want to view and click the row in which the event resides.

        You can click Event Detail to view the event code.

    • Simple mode

      1. Enter a query condition or query statement, specify a time range, and then click Query.

        You can enter SQL statements for queries. You can also specify query conditions, such as usernames, operations, associated resources, and regions.

      2. In the events that are returned, find the event whose details you want to view and click the row in which the event resides.

        You can click Event Detail to view the event code.

View end user operation logs

End user operation logs let you audit end user operations promptly. The following section describes how to view end user operation logs.

  1. Log on to the WUYING Workspace (Pro Edition) console.

  2. In the left-side navigation pane, choose Audit Trails > Audit Logs.

  3. In the upper-left corner of the top navigation bar, select a region.

  4. On the Operation Logs page, click the User Operation Logs tab.

  5. On the User Operation Logs tab, configure an event type and a time range based on your business requirements.

    By default, the operation logs of the past 24 hours are displayed. You can specify a custom time range.

    Each operation log entry consists of the following information:

    • Event information: the information about the event, including the event ID, event type, and occurrence time.

    • User information: the information about the end user who performs the operation. The end user is also the client logon user.

    • Cloud computer information: the information about the cloud computer on which the end user performs the operation, including the ID and name of the cloud computer or cloud computer pool, and the ID and name of the office network to which the cloud computer belongs.

    • Client information: the information about the client that holds the cloud computer, including the OS, version, and IP address of the client.

  6. (Optional) To further analyze operation logs, click Export Logs to export the logs to your on-premises machine.
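The following added example (not part of the WUYING Workspace documentation or tooling) shows one way to audit an exported end user operation log offline, using the event, user, cloud computer, and client fields described above. The CSV column names, event type values, working-hours window, and sample rows are constructed assumptions; map them to the columns in your actual export.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export. Column names and event type values are
# assumptions for illustration, not the console's real export schema.
SAMPLE_EXPORT = """event_id,event_type,event_time,end_user,desktop_id,client_os,client_ip
e-001,DESKTOP_CONNECT,2024-03-25T09:02:11,alice,ecd-example01,Windows,198.51.100.10
e-002,DESKTOP_DISCONNECT,2024-03-25T18:01:40,alice,ecd-example01,Windows,198.51.100.10
e-003,DESKTOP_CONNECT,2024-03-26T09:05:03,alice,ecd-example01,Windows,198.51.100.10
e-004,DESKTOP_CONNECT,2024-03-26T02:47:19,bob,ecd-example02,macOS,203.0.113.77
e-005,DESKTOP_CONNECT,2024-03-27T03:12:55,alice,ecd-example01,Android,203.0.113.77
e-006,DESKTOP_RESET,2024-03-27T03:20:02,alice,ecd-example01,Android,203.0.113.77
"""

WORK_HOURS = range(7, 20)  # assumption: timestamps are local time, 07:00-19:59

def audit(export_text):
    """Return (event_id, reason) pairs for events that merit a closer look."""
    # Exports are not guaranteed to be chronological, so sort before baselining.
    rows = sorted(csv.DictReader(io.StringIO(export_text)),
                  key=lambda r: datetime.fromisoformat(r["event_time"]))
    seen_clients = defaultdict(set)  # end_user -> {(client_ip, client_os)}
    ip_users = defaultdict(set)      # client_ip -> {end_user}
    findings = []
    for r in rows:
        ts = datetime.fromisoformat(r["event_time"])
        user, client = r["end_user"], (r["client_ip"], r["client_os"])
        if r["event_type"] == "DESKTOP_CONNECT":
            # The first client seen for a user is the baseline; later ones are flagged.
            if seen_clients[user] and client not in seen_clients[user]:
                findings.append((r["event_id"], "new client for user"))
            seen_clients[user].add(client)
            ip_users[r["client_ip"]].add(user)
            if len(ip_users[r["client_ip"]]) > 1:
                findings.append((r["event_id"], "client IP shared by several users"))
        if ts.hour not in WORK_HOURS:
            findings.append((r["event_id"], "outside working hours"))
        if r["event_type"] == "DESKTOP_RESET":
            findings.append((r["event_id"], "reset requested"))
    return findings

if __name__ == "__main__":
    for event_id, reason in audit(SAMPLE_EXPORT):
        print(event_id, reason)
```

A shared client IP is often a NAT gateway or office egress address, so treat that finding as a prompt to correlate with the other reasons rather than as an alert on its own.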

What to do next

You can ship the end user operation logs from WUYING Workspace to the Logstores in Log Service. This way, Log Service can audit and monitor the operation logs and send alerts as soon as logs of suspicious activities are detected, which helps prevent data leaks. For more information about specific operations, see Deliver user operation logs to Logstores.