The instance audit feature allows you to track and analyze instance usage in Container Registry to improve security and controllability of Container Registry instances. This topic describes how to enable instance audit. This topic also describes the fields of audit logs.
Prerequisites
A Container Registry Enterprise Edition instance is created. For more information, see Create a Container Registry Enterprise Edition instance.
Simple Log Service is activated. The first time you use Simple Log Service, you must follow the on-screen instructions in the Simple Log Service console to activate Simple Log Service. For information about the billing rules of Simple Log Service, see Billable items of pay-by-feature.
Enable and view instance audit
After you enable instance audit, you can select push or pull logs by time period. This allows you to monitor and analyze user actions in real time to improve the security of Container Registry instances, meet compliance requirements, and troubleshoot issues.
1. Log on to the Container Registry console.
2. In the top navigation bar, select a region.
3. In the left-side navigation pane, click Instances.
4. On the Instances page, click the Enterprise Edition instance that you want to manage.
5. In the left-side navigation pane of the instance management page, choose. Then, click the Instance Audit tab and Enable in sequence.
Note: A project named aliyun-product-data-<UID>-<Region> and a logstore named acr_access_log are created in the Simple Log Service console.
The push-pull logs of multiple instances in the same region are stored in the same logstore if delivery is enabled for the instances. You can filter the logs by instance ID.
By default, the logs are retained for 365 days. You can change the retention period in Simple Log Service. For more information, see Manage a logstore.

Fields of audit logs
The following table describes fields of audit logs.
Field | Example | Description |
access_credential_type | Password | The type of your credential. Valid values: |
action | GetImageManifest | The operation. Valid values: |
blob_digest | sha256:4f4fxxxx | A unique identifier that is generated based on a hash of the blob content. |
http_request_host | demo-registry.cn-hangzhou.cr.aliyuncs.com | The domain name that is requested. |
http_request_id | 718e09d1-aab5-xxxxx | The request ID. |
http_request_method | GET | The HTTP request method. |
http_request_remote_vpc_id | vpc-xxxxxx | The VPC endpoint of the client. |
http_request_remoteaddr | 140.xx.xx.xx | The IP address of the client. |
http_request_useragent | docker/24.0.2 | The User-Agent header in the HTTP request. |
http_response_status | 200 | The HTTP status code. |
instance_id | cri-xxx | The ID of the instance. |
namespace | test-ns | The namespace to which the image repository belongs. |
repo | test-repo | The name of the image repository. |
namespace_repo | test-ns/test-repo | The full name of the image repository. |
network_type | Internet | The network type of the access. |
tag | v1 | The version of the image. |
time | 2024-04-12T16:58:30.855892463+08:00 | The time when the server receives the request. |
user_identity_account_id | 135668xxxxxxx | The ID of the Alibaba Cloud account of the requester. |
user_identity_player_account_id | 149134xxxxxxx | The account ID of the player. |
user_identity_principal_id | 300786xxxxxxx:Alice | The ID of the requester. The identity of the requester is determined based on the values of this field and the user_identity_user_type field. |
user_identity_role_id | 300786xxxxxxx | The ID of the RAM role. |
user_identity_role_name | teststs | The name of the RAM role. |
user_identity_user_type | assumed-role | The type of the identity. Valid values: |
user_name | sub_user@xxxx | The instance logon name. |
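
The following is an added example, not part of the Container Registry documentation or tooling. It shows one way to use the fields above for review: because several instances in a region share the acr_access_log logstore, it first scopes records by instance_id, then counts denied requests (HTTP 401/403) per http_request_remoteaddr. It assumes the logs were exported as one JSON object per line keyed by these field names and that unauthenticated requests carry an empty user_identity_principal_id; the records, the function name `denied_by_client` and the threshold are constructed for illustration.

```python
import json
from collections import defaultdict

def _rec(inst, status, addr, principal, repo):
    # Build one constructed log line using field names from the table above.
    return json.dumps({
        "instance_id": inst, "action": "GetImageManifest",
        "http_response_status": status, "network_type": "Internet",
        "http_request_remoteaddr": addr,
        "user_identity_principal_id": principal, "namespace_repo": repo})

# Constructed sample records (not real logs); addresses are documentation ranges.
SAMPLE_LINES = [
    _rec("cri-aaa", "200", "203.0.113.7", "1000:Alice", "test-ns/test-repo"),
    _rec("cri-aaa", "401", "198.51.100.9", "", "test-ns/test-repo"),
    _rec("cri-aaa", "401", "198.51.100.9", "", "test-ns/test-repo"),
    _rec("cri-aaa", "403", "198.51.100.9", "1000:Bob", "test-ns/prod-repo"),
    _rec("cri-bbb", "401", "198.51.100.9", "", "other-ns/other-repo"),
    "not json",  # malformed export line, must be skipped rather than crash
]

DENIED = {401, 403}  # authentication failure / authorization failure

def denied_by_client(lines, instance_id, threshold=3):
    """Return {client_ip: summary} for clients with >= threshold denied requests."""
    stats = defaultdict(lambda: {"denied": 0, "repos": set(), "principals": set()})
    for line in lines:
        try:
            rec = json.loads(line)
            # Assumption: the status may be exported as a string, so cast it.
            status = int(rec["http_response_status"])
        except (ValueError, KeyError, TypeError):
            continue
        # Scope to one instance: the logstore is shared per region.
        if rec.get("instance_id") != instance_id or status not in DENIED:
            continue
        s = stats[rec.get("http_request_remoteaddr", "unknown")]
        s["denied"] += 1
        s["repos"].add(rec.get("namespace_repo", ""))
        if rec.get("user_identity_principal_id"):
            s["principals"].add(rec["user_identity_principal_id"])
    return {ip: {"denied": s["denied"], "repos": sorted(s["repos"]),
                 "principals": sorted(s["principals"])}
            for ip, s in stats.items() if s["denied"] >= threshold}

if __name__ == "__main__":
    print(denied_by_client(SAMPLE_LINES, "cri-aaa"))
```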