What is the storage path of an event that is delivered to an OSS bucket? - ActionTrail

If you create a trail to deliver events to a specific Object Storage Service (OSS) bucket, ActionTrail delivers events to the OSS bucket in the form of GZIP log files. The hierarchy of the storage paths is defined based on the region and date information, including the year, month, and day.

Storage paths

The storage path of an event that a trail delivers to an OSS bucket is in one of the following formats based on the trail type:

Single-account trail

oss://<Bucket name>/<Log file name prefix>/AliyunLogs/<Event type>/<Region ID>/<YYYY>/<MM>/<DD>/Actiontrail_<Region ID>_<YYYYMMDDHHMMSS>_1002_<Event count>_<Log file size>_<md5>.gz

Multi-account trail

oss://<Bucket name>/<Log file name prefix>/AliyunLogs/<Event type>/<rd_id>/<accountid>/<Region ID>/<YYYY>/<MM>/<DD>/Actiontrail_<Region ID>_<YYYYMMDDHHMMSS>_1002_<Event count>_<Log file size>_<md5>.gz

The following table describes the fields in storage paths.


Field	Description	Example
Bucket name	The name of the OSS bucket that you specified when you created the trail. You can view the name of the OSS bucket specified for the trail on the Trails page in the ActionTrail console.	MyBucket
Log file name prefix	The log file name prefix that you specified when you created the trail. Note This field is optional. If no log file name prefix was specified when you created the trail, this field is not displayed.	action-logs
AliyunLogs	A fixed string that indicates event logs related to Alibaba Cloud services.	AliyunLogs
Event type	The type of event stored in the log file. Valid values: Actiontrail: user-initiated events. Actiontrail-Insight: insight events. Note To store insight events, you must apply for the required permissions. For more information, see Overview of insight events. Multi-account trails cannot be used to deliver insight events.	Actiontrail
rd_id	The ID of the resource directory to which the management account used to create the multi-account trail belongs.	rd-UG****
accountid	The account within which the events delivered by the multi-account trail are generated. It can be the management account or a member in the resource directory.	181761095690****
Region ID	The ID of the region in which the events stored in the log file are generated.	cn-hangzhou
YYYY	The year when the first event in the log file was generated.	2021
MM	The month when the first event in the log file was generated.	10
DD	The day when the first event in the log file was generated.	09
Event count	The number of events stored in the log file.	564
Log file size	The size of the log file. Unit: byte.	51310
md5	The MD5 hash string of the log file.	2bdf022eef574ce180b5ebc54132e6b2

Note

The storage paths use the UTC time. If you want to query an event based on the UTC+8 time when the event was generated, you must first convert the UTC+8 time to the UTC time. For example, for an event that was generated at 07:00:00 UTC+8 on January 3, 2021, the corresponding UTC time is 23:00:00 on January 2, 2021. If you want to query the event, you must set the DD field to 02 when you specify the storage path to be queried.
When you specify a storage path to query an event, you may need to set the date to a day before the event was generated. For example, if you want to query an event that was generated at 23:00:00 UTC on October 1, 2021, you may need to set the date to 2021/09/30 or earlier when you specify the storage path to be queried.

Examples

Example 1: a storage path of user-initiated events delivered by a single-account trail
The following storage path indicates the following information: A single-account trail was created in the China (Hangzhou) region to deliver user-initiated events in a log file prefixed with action-logs to a storage path in OSS. The first event in the log file was generated at 08:05:03 UTC+8 on October 9, 2021. The log file stores 564 events and is 51,310 bytes in size.
```
action-logs/AliyunLogs/Actiontrail/cn-hangzhou/2021/10/09/Actiontrail_cn-hangzhou_20211009000503_1002_564_51310_2bdf022eef574ce180b5ebc54132e6b2.gz
```
Example 2: a storage path of insight events delivered by a single-account trail
The following storage path indicates the following information: A single-account trail was created in the China (Hangzhou) region to deliver insight events in a log file prefixed with action-logs to a storage path in OSS. The first event in the log file was generated at 08:05:03 UTC+8 on October 9, 2021. The log file stores 564 events and is 51,310 bytes in size.
```
action-logs/AliyunLogs/Actiontrail-Insight/cn-hangzhou/2021/10/09/Actiontrail_cn-hangzhou_20211009000503_1002_564_51310_2bdf022eef574ce180b5ebc54132e6b2.gz
```
Example 3: a storage path of user-initiated events delivered by a multi-account trail
The following storage path indicates the following information: A multi-account trail was created in the China (Shanghai) region to deliver user-initiated events generated within the resource directory whose ID is rd-UG**** in a log file prefixed with rd-logs to a storage path in OSS. The first event in the log file was generated at 14:40:18 UTC+8 on September 30, 2021. The log file stores only one event and is 639 bytes in size. The event is generated within an account whose ID is 181761095690****.
```
rd-logs/AliyunLogs/Actiontrail/rd-UG****/181761095690****/cn-shanghai/2021/09/30/Actiontrail_cn-shanghai_20210930064018_1002_1_639_378e668b76e74e6c465a082b4fb17331.gz
```