This topic describes the key fields of a management event log with examples.

Key fields of a management event log

Field Type Required Example Description
acsRegion String Yes cn-hangzhou The ID of the region where the management event was generated.
additionalEventData JSON No Schema: "http" The additional information about the management event. The following content describes the settings that represent different meanings:
  • This field has no practical significance.
    additionalEventData: {
      Schema: "http"
    }
  • This field provides additional information about a logon event.
    {
        "additionalEventData":{
            "callbackUrl":"https://homenew.console.aliyun.com/",
            "mfaChecked":"true"
        }
    }
  • This field provides the additional information about a MaxCompute-related event.
    {
      "additionalEventData": {
        "TableName": "table_1",
        "Partition": "dt=20210708,hh=17,region=cn-shenzhen",
        "CurrentProject": "project_1",
        "ProjectName": "project_1",
        "SesssionId": "202107081800166d37d****"
      }
    }
apiVersion String No 2014-05-26 The version of the API operation that was called. If the eventType field is set to ApiCall, the management event log records an API operation call. In this case, this field indicates the version of the API operation.
eventCategory String Yes Management The type of the generated event. Valid values:
  • Management: indicates a management event.
  • Insight: indicates an insight event.
eventId String Yes F23A3DD5-7842-4EF9-9DA1-3776396A**** The ID of the management event. ActionTrail generates a globally unique identifier (GUID) for each management event.
eventName String Yes CreateNetworkInterface The name of the management event.
  • If the eventType field is set to ApiCall, this field is set to the name of the API operation that was called.
  • If the eventType field is not set to ApiCall, this field is set to a string that indicates the action recorded in the management event log.
eventRW String Yes Write The read/write type of the management event. Valid values:
  • Write: indicates a write event.
  • Read: indicates a read event.
eventSource String Yes ecs.aliyuncs.com The source of the management event.
eventTime String Yes 2020-01-09T12:12:14Z The time when the management event was generated, in UTC.
eventType String Yes ApiCall The type of the action that was recorded in the management event log. Valid values:
  • ApiCall: indicates that an API operation was called. The consoles of most Alibaba Cloud services are developed based on APIs. If an action was performed in one of these consoles, ActionTrail records the action as ApiCall.
  • ConsoleOperation (ConsoleCall): indicates that a management action was performed in the console or on the buy page of a specific Alibaba Cloud service. The consoles or buy pages of specific Alibaba Cloud services are not developed based on APIs. If an action was performed in one of these consoles or on one of these buy pages, ActionTrail records this action as ConsoleOperation or ConsoleCall. For an action of this type, the value of the eventName field is a string that indicates the action.
  • AliyunServiceEvent: indicates that Alibaba Cloud performed a management action on the resources that you own, such as releasing a subscription instance upon expiration.
  • PasswordReset: indicates that your password was reset.
  • ConsoleSignin: indicates a logon to the Alibaba Cloud Management Console.
  • ConsoleSignout: indicates a logoff from the Alibaba Cloud Management Console.
eventVersion String Yes 1 The version of the event log format. The current version is 1.
errorCode String No NoPermission The error code returned if an error occurred during the processing of the API request.
errorMessage String No You are not authorized. The error message returned if an error occurred during the processing of the API request.
requestId String Yes F23A3DD5-7842-4EF9-9DA1-3776396AD58D The ID of the API request.
requestParameters Dictionary No N/A The parameters specified in the API request.
requestParameterJson String No "{"AcsHost":"actiontrail.cn-hangzhou.aliyuncs.com","AcsProduct":"Actiontrail","RequestId":"32B8BA8F-3738-46D3-BCCA-1B2257AEF9BB","AcceptLanguage":"zh-CN","Region":"cn-hangzhou","HostId":"actiontrail.cn-hangzhou.aliyuncs.com","Name":"create-service-tmp"}" The parameters specified in the API request. This field is in the JSON format and serves the same purpose as the requestParameters field.
Note This field applies only to the management events that are delivered to Log Service.
resourceName String No "i-0xiiz1v0vw4epqjc****;sg-0xi2js0u6m03jbmv****;aliyun_2_1903_x64_20G_alibase_20200529.vhd;sshkey-cn-hangzhou;vsw-0xikxv8p1akh4ki43****" The name of the event-associated resource. The name is the unique identifier of the resource.

You can use this field as an index in Log Service to query the event.

The format of the value varies based on the number and types of event-associated resources. The following examples show the possible formats:

  • A single event-associated resource of a specific type: i-bp1example1.
  • Multiple event-associated resources of a specific type: i-bp1example1,i-bp1example2.
  • Multiple event-associated resources of different types: i-bp1example1,i-bp1example2;v-bp1example1.
Note The names of the resources of the same type are separated with commas (,). The names of the resources of different types are separated with semicolons (;).
resourceType List No "ACS::ECS::Instance;ACS::ECS::SecurityGroup;ACS::ECS::Image;ACS::ECS::KeyPair;ACS::VPC::VSwitch" The type of the event-associated resource.

You can use this field as an index in Log Service to query the event.

The format of the value varies based on the number and types of event-associated resources. The following examples show the possible formats:

  • A single event-associated resource of a specific type: ACS::ECS::Instance.
  • Multiple event-associated resources of a specific type: ACS::ECS::Instance.
  • Multiple event-associated resources of different types: ACS::ECS::Instance;ACS::VPC::VPC.
Note Multiple resource types are separated with semicolons (;).
responseElements Dictionary No N/A The response returned for the API request.
referencedResources Dictionary No N/A The resources that the action recorded in the management event log involves.
serviceName String Yes Ecs The name of the Alibaba Cloud service to which the management event log belongs.
sourceIpAddress String No 11.168.XX.XX The IP address from which the management event was generated.
userAgent String No Apache-HttpClient/4.5.7 (Java/1.8.0_152) The user agent that sent the API request. Examples:
  • AlibabaCloud (Linux 3.10.0-693.2.2.el7.x86_64;x86_64) Python/2.7.5 Core/2.13.16 python-requests/2.18.3
  • Apache-HttpClient/4.5.7 (Java/1.8.0_152)
userIdentity Dictionary Yes N/A The identity information about the requester.

For more information, see the "Fields contained in userIdentity" section in this topic.

The following table describes the fields that userIdentity contains.

Table 1. Fields contained in userIdentity
Field Type Required Example Description
type String Yes ram-user The identity type of the requester. Valid values:
  • root-account: indicates an Alibaba Cloud account.
  • ram-user: indicates a RAM user.
  • assumed-role: indicates a RAM role.
  • system: indicates an Alibaba Cloud service.
  • cloudsso-user: indicates a CloudSSO user.
  • saml-user: indicates an enterprise-specific identity.
  • alibaba-cloud-account: indicates the identity that is authorized to perform a cross-account action.
principalId String No 28815334868278**** The ID of the requester. You can check the type field and this field to confirm the identity of the requester.
  • If the type field is set to root-account, this field is set to the ID of the Alibaba Cloud account.
  • If the type field is set to ram-user, this field is set to the ID of the RAM user.
  • If the type field is set to assumed-role, this field is set to a string in the RoleID:RoleSessionName format.
  • If the type field is set to cloudsso-user, this field is set to the ID of the CloudSSO user.
  • Possible value formats if the type field is set to alibaba-cloud-account:
    • The ID of the authorized Alibaba Cloud account. This format applies if the requester used the Alibaba Cloud account to perform an action on a resource within another Alibaba Cloud account.
    • The ID of the authorized RAM user. This format applies if the requester performed an action as the RAM user on a resource within another Alibaba Cloud account.
    • RoleID:RoleSessionName. This format applies if the requester assumed the authorized RAM role to perform an action on a resource within another Alibaba Cloud account.
  • If the type field is set to saml-user or system, this field is not recorded.
accountId String No 112233445566**** The ID of the Alibaba Cloud account of the requester.
accessKeyId String No 55nCtAwmPLkk****
  • The AccessKey ID that is used by the requester. If the requester sent an API request by using an SDK, this field is recorded.
  • If the requester performed an action in the Alibaba Cloud Management Console, this field is not recorded.
  • If the requester sent an API request by using a Security Token Service (STS) token, this field is set to the temporary AccessKey ID.
userName String No Alice The name of the requester.
  • If the type field is set to ram-user, this field is set to the name of the RAM user.
  • If the type field is set to assumed-role, this field is set to a string in the RoleName:RoleSessionName format.
  • If the type field is set to root-account, this field is set to root.
  • If the type field is set to cloudsso-user, this field is set to the name of the CloudSSO user.
  • If the type field is set to saml-user, this field is set to the name of the enterprise-specific identity.
  • If the type field is set to alibaba-cloud-account, this field is not recorded.
sessionContext String No {"attributes": {"mfaAuthenticated": "true", "creationDate": "2020-01-09T12:12:14Z" } The session context recorded when the requester called an API operation by using an STS token or performed an action in the Alibaba Cloud Management Console. The session context contains the following attributes:
  • creationDate: the time when the STS token was created.
  • mfaAuthenticated: indicates whether multi-factor authentication (MFA) was enabled for logging on to the Alibaba Cloud Management Console.

Example

{
    "acsRegion":"cn-hangzhou",
    "additionalEventData":{
        "Scheme":"http"
    },
    "apiVersion":"2014-05-26",
    "eventCategory":"Management",
    "eventId":"F7393A43-6A4A-4409-AEDD-8B1C47DE****",
    "eventName":"RunInstances",
    "eventRW":"Write",
    "eventSource":"ecs-cn-hangzhou-inner.aliyuncs.com",
    "eventTime":"2021-07-13T07:33:46Z",
    "eventType":"ApiCall",
    "eventVersion":"1",
    "referencedResources":{
        "ACS::ECS::Instance":[
            "i-0xiiz1v0vw4epqjc****"
        ],
        "ACS::ECS::SecurityGroup":[
            "sg-0xi2js0u6m03jbmv****"
        ],
        "ACS::ECS::Image":[
            "aliyun_2_1903_x64_20G_alibase_20200529.vhd"
        ],
        "ACS::ECS::KeyPair":[
            "sshkey-cn-hangzhou"
        ],
        "ACS::VPC::VSwitch":[
            "vsw-0xikxv8p1akh4ki43****"
        ]
    },
    "requestId":"F7393A43-6A4A-4409-AEDD-8B1C47DE45ED",
    "requestParameters":{
        "Amount":1,
        "VSwitchId":"vsw-0xikxv8p1akh4ki43****"
    },
    "resourceName":"i-0xiiz1v0vw4epqjc****;sg-0xi2js0u6m03jbmv****;aliyun_2_1903_x64_20G_alibase_20200529.vhd;sshkey-cn-hangzhou;vsw-0xikxv8p1akh4ki43****",
    "resourceType":"ACS::ECS::Instance;ACS::ECS::SecurityGroup;ACS::ECS::Image;ACS::ECS::KeyPair;ACS::VPC::VSwitch",
    "responseElements":{
        "RequestId":"F7393A43-6A4A-4409-AEDD-8B1C47DE45ED",
        "InstanceIdSets":{
            "InstanceIdSet":[
                "i-0xiiz1v0vw4epqjc****"
            ]
        }
    },
    "serviceName":"Ecs",
    "sourceIpAddress":"Internal",
    "userAgent":"AlibabaCloud (Linux; amd64) Java/1.8.0_102-b52 Core/4.5.3 HTTPClient/InternalHttpClient",
    "userIdentity":{
        "accessKeyId":"STS.NUQNP4PiGyckMsNiGELCs****",
        "accountId":"116214297662****",
        "principalId":"32886943330935****:ess-session-ecs_default",
        "sessionContext":{
            "attributes":{
                "mfaAuthenticated":"false",
                "creationDate":"2021-07-13T07:33:46Z"
            }
        },
        "type":"assumed-role",
        "userName":"aliyunserviceroleforautoscaling:ess-session-ecs_default"
    }
}