If you want to query events based on custom filter conditions and SQL statements or query events that occurred in multiple regions more than 90 days ago, you can perform custom event queries in the ActionTrail console.

Prerequisites

The advanced event query feature is enabled for your trail. For more information, see Enable the advanced event query feature.

Scenarios

You can perform custom event queries in standard mode or simple mode. In standard mode, you can query events in a visualized manner. In simple mode, you can query events by defining SQL conditions.

| Mode | Query method | Description | Example |
| --- | --- | --- | --- |
| Standard mode | Single-condition query | You can filter events by service name, event name, resource name, resource type, read/write type, username, AccessKey ID, source IP address, account ID, account type, region, event source, or event ID. | To query all events related to Key Management Service (KMS) that are generated in a specified time range, select Key Management Service(Kms) from the Service Name drop-down list. |
| Standard mode | Multi-condition query | You can specify one or more services and one or more regions to query events. | To query KMS-related events that are generated in the China (Hangzhou) and China (Shanghai) regions, select Key Management Service(Kms) from the Service Name drop-down list, and China (Hangzhou) and China (Shanghai) from the Region drop-down list. |
| Simple mode | Keyword-based query | You can enter a keyword in the search box based on your business requirements. | To query all write events, enter `* AND event.eventRW: Write`. |
| Simple mode | Single-condition query | You can specify a filter condition in the Who, What, Which, Where, or Other category to query events. | To query all KMS-related events that are generated in a specific time range, enter `* AND event.serviceName: Kms`. |
| Simple mode | Multi-condition query | You can specify multiple filter conditions in the Who, What, Which, Where, and Other categories to query events. | To query events generated for operations performed by the user Alex in ActionTrail, enter `* AND event.serviceName: Actiontrail AND event.userIdentity.userName: Alex`. |
| Simple mode | NOT operator-based query | You can specify multiple filter conditions and change the operator in front of the filter condition that you want to negate to NOT. | To query events generated for operations performed by users other than Alex in ActionTrail, enter `* AND event.serviceName: Actiontrail NOT event.userIdentity.userName: Alex`. |
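To make the simple-mode syntax concrete, the following added example (not part of the ActionTrail documentation or service) re-implements the filter semantics shown in the table locally: `*` matches everything, `field: value` is an exact match on an `event.*` path, `AND` keeps the next term positive and `NOT` negates it. The events are constructed sample records with made-up values, and the evaluator is an assumption about the syntax rather than ActionTrail's own query engine.

```python
"""Local evaluator for ActionTrail simple-mode filter expressions (added example)."""
import re

# Constructed sample events; field names follow ActionTrail's event.* keys, values are made up.
EVENTS = [
    {"eventRW": "Write", "serviceName": "Kms", "userIdentity": {"userName": "Alex"}},
    {"eventRW": "Read", "serviceName": "Actiontrail", "userIdentity": {"userName": "Alex"}},
    {"eventRW": "Write", "serviceName": "Actiontrail", "userIdentity": {"userName": "Bob"}},
]

# One token at a time: the AND/NOT operators, the match-all star, or a "field: value" term.
TOKEN = re.compile(r"\s*(AND|NOT|\*|[\w.]+:\s*\S+)")


def tokenize(query):
    """Split a query into tokens, refusing input that does not fit the assumed grammar."""
    pos, tokens, query = 0, [], query.strip()
    while pos < len(query):
        m = TOKEN.match(query, pos)
        if not m:
            raise ValueError(f"unexpected input at {pos}: {query[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def parse(query):
    """Return a list of (negated, field_path, value) terms; '*' contributes no term."""
    terms, negate = [], False
    for tok in tokenize(query):
        if tok in ("AND", "NOT"):
            negate = tok == "NOT"          # operator applies to the following term only
            continue
        if tok == "*":
            continue                       # match-all: no constraint
        field, value = tok.split(":", 1)
        terms.append((negate, field.strip(), value.strip()))
        negate = False
    return terms


def lookup(event, path):
    """Resolve 'event.userIdentity.userName' style paths; missing keys yield None."""
    cur = event
    for part in path.split(".")[1:]:       # drop the leading 'event' prefix
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def run_query(query, events=EVENTS):
    """Return the events for which every term holds (negated terms must not match)."""
    terms = parse(query)
    return [e for e in events if all((lookup(e, f) == v) != neg for neg, f, v in terms)]
```

Running the NOT example from the table returns only Bob's event, while the plain AND form returns only Alex's, which is why the negated query must carry the NOT operator rather than a second AND.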

Procedure

  1. Log on to the ActionTrail console.
  2. In the left-side navigation pane, click Advanced Event Query.
  3. In the top navigation bar, select the region in which the events that you want to query were generated.
  4. On the Advanced Event Query page, click the Custom Events tab, and query and view related events.
    Note By default, if you do not set filter conditions, all events are queried.
    Standard mode:
    1. Specify filter conditions.
    2. Click Query.
    3. Click the plus sign (+) to the left of the event you want to query to view the event details.
    4. Optional. Click Event Detail to view the event log.
    Simple mode:
    1. Click Switch to the simple mode.
    2. Specify filter conditions.
    3. Click Query.
    4. Click the plus sign (+) to the left of the event you want to query to view the event details.
    5. Optional. Click Event Detail to view the event log.