ActionTrail records the events that are related to itself. You can query the details of an ActionTrail-related event to obtain information such as the time when the event occurred, the region where the event occurred, and the trail involved. This topic provides the logs of sample events that are related to ActionTrail and describes the key fields included in the event logs.
Modify a trail by using an Alibaba Cloud account in the ActionTrail console
In the following example, an Alibaba Cloud account modified the trail whose name is alicetest in the China (Hangzhou) region in the ActionTrail console at 08:25:26 on August 5, 2021 (UTC+8).
{
"eventId": "A5A4BB74-EFBC-5D8B-BD8A-1B9131429438",
"eventVersion": 1,
"responseElements": {
"SlsProjectArn": "acs:log:cn-hangzhou:196813227629****:project/limansls",
"EventRW": "Write",
"RequestId": "A5A4BB74-EFBC-5D8B-BD8A-1B9131429438",
"HomeRegion": "cn-hangzhou",
"OssKeyPrefix": "",
"OssBucketName": "",
"SlsWriteRoleArn": "acs:ram::196813227629****:role/aliyunserviceroleforactiontrail",
"OssWriteRoleArn": "",
"TrailRegion": "All",
"Name": "alicetest"
},
"eventSource": "actiontrail-openapi-share.cn-hangzhou.aliyuncs.com",
"requestParameters": {
"SlsLogStore": "actiontrail_test",
"charset": "UTF-8",
"AcsHost": "actiontrail-openapi-share.cn-hangzhou.aliyuncs.com",
"RequestId": "A5A4BB74-EFBC-5D8B-BD8A-1B9131429438",
"HostId": "actiontrail-openapi-share.cn-hangzhou.aliyuncs.com",
"TrailRegion": "All",
"Name": "limantest",
"SlsProjectArn": "acs:log:cn-hangzhou:196813227629****:project/Alicesls",
"EventRW": "Write",
"AcsProduct": "Actiontrail",
"OssKeyPrefix": "",
"AcceptLanguage": "zh-CN",
"Region": "cn-hangzhou",
"OssBucketName": ""
},
"sourceIpAddress": "2409:8a20:4d15:e150:90f5:26ed:cc45:6922",
"userAgent": "actiontrail.console.aliyun.com",
"eventType": "ApiCall",
"referencedResources": {
"ACS::ActionTrail::Trail": [
"alicetest"
]
},
"userIdentity": {
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2021-08-05T00:25:25Z"
}
},
"accountId": "196813227629****",
"principalId": "196813227629****",
"type": "root-account",
"userName": "root"
},
"serviceName": "Actiontrail",
"additionalEventData": {
"Scheme": "http",
"CallerBid": "26842"
},
"apiVersion": "2020-07-06",
"requestId": "A5A4BB74-EFBC-5D8B-BD8A-1B9131429438",
"eventTime": "2021-08-05T00:25:26Z",
"isGlobal": false,
"acsRegion": "cn-hangzhou",
"eventName": "UpdateTrail"
}
The preceding example contains the following key fields:
userIdentity.type: the identity type of the requester. The value in this example is root-account, which indicates an Alibaba Cloud account.
serviceName: the name of the Alibaba Cloud service related to the event. The value in this example is Actiontrail, which indicates ActionTrail.
eventName: the name of the event. The value in this example is UpdateTrail, which indicates that a trail was modified.
referencedResources: the one or more resources that are related to the event. The value in this example is {"ACS::ActionTrail::Trail": ["alicetest"]}, which indicates the alicetest trail.
acsRegion: the region in which the event occurred. The value in this example is cn-hangzhou, which indicates that the event occurred in the China (Hangzhou) region.
eventTime: the time when the event occurred in UTC. The value is 2021-08-05T00:25:26Z, which indicates that the event occurred at 08:25:26 on August 5, 2021 (UTC+8).
Modify a trail as a RAM user in the ActionTrail console
In the following example, the RAM user whose name is Alice modified the trail whose name is test-trail in the China (Hangzhou) region in the ActionTrail console at 17:57:32 on August 5, 2021 (UTC+8).
{
"eventId": "86045124-4D86-5AD3-8848-CF78A20402AC",
"eventVersion": 1,
"responseElements": {
"SlsProjectArn": "acs:log:cn-hangzhou:189217171671****:project/test-123",
"EventRW": "Write",
"RequestId": "86045124-4D86-5AD3-8848-CF78A20402AC",
"HomeRegion": "cn-hangzhou",
"OssKeyPrefix": "",
"OssBucketName": "",
"SlsWriteRoleArn": "acs:ram::189217171671****:role/aliyunserviceroleforactiontrail",
"OssWriteRoleArn": "",
"TrailRegion": "All",
"Name": "test-trail"
},
"eventSource": "actiontrail-openapi-share.cn-hangzhou.aliyuncs.com",
"requestParameters": {
"SlsLogStore": "actiontrail_test-trail",
"charset": "UTF-8",
"AcsHost": "actiontrail-openapi-share.cn-hangzhou.aliyuncs.com",
"RequestId": "86045124-4D86-5AD3-8848-CF78A20402AC",
"HostId": "actiontrail-openapi-share.cn-hangzhou.aliyuncs.com",
"TrailRegion": "All",
"Name": "test-nnn",
"SlsProjectArn": "acs:log:cn-hangzhou:189217171671****:project/test-123",
"EventRW": "Write",
"AcsProduct": "Actiontrail",
"OssKeyPrefix": "",
"AcceptLanguage": "zh-CN",
"Region": "cn-hangzhou",
"OssBucketName": ""
},
"sourceIpAddress": "192.168.XX.XX",
"userAgent": "actiontrail.console.aliyun.com",
"eventType": "ApiCall",
"referencedResources": {
"ACS::ActionTrail::Trail": [
"test-trail"
]
},
"userIdentity": {
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2021-08-05T09:57:32Z"
}
},
"accountId": "189217171671****",
"principalId": "26135379175722****",
"type": "ram-user",
"userName": "Alice"
},
"serviceName": "Actiontrail",
"additionalEventData": {
"Scheme": "http",
"CallerBid": "26842"
},
"apiVersion": "2020-07-06",
"requestId": "86045124-4D86-5AD3-8848-CF78A20402AC",
"eventTime": "2021-08-05T09:57:32Z",
"isGlobal": false,
"acsRegion": "cn-hangzhou",
"eventName": "UpdateTrail"
}
The preceding example contains the following key fields:
userIdentity.type: the identity type of the requester. The value in this example is ram-user, which indicates a RAM user.
userIdentity.userName: the username of the RAM user.
serviceName: the name of the Alibaba Cloud service related to the event. The value in this example is Actiontrail, which indicates ActionTrail.
eventName: the name of the event. The value in this example is UpdateTrail, which indicates that a trail was modified.
referencedResources: the one or more resources that are related to the event. The value in this example is {"ACS::ActionTrail::Trail": ["test-trail"]}, which indicates the test-trail trail.
acsRegion: the region in which the event occurred. The value in this example is cn-hangzhou, which indicates that the event occurred in the China (Hangzhou) region.
eventTime: the time when the event occurred in UTC. The value in this example is 2021-08-05T09:57:32Z, which indicates that the event occurred at 17:57:32 on August 5, 2021 (UTC+8).
Modify a trail by calling the UpdateTrail operation as a RAM user that uses an AccessKey pair
In the following example, the RAM user whose name is Alice modified the trail whose name is tf-testaccactiontrail in the China (Hangzhou) region by calling the UpdateTrail operation at 10:29:37 on August 4, 2021 (UTC+8). The RAM user used the AccessKey pair whose ID is LTAIcgRmWRaj**** to initiate the API call.
{
"eventId": "86C37F50-950C-599D-B07A-88C0493784A9",
"eventVersion": 1,
"responseElements": {
"SlsProjectArn": "",
"EventRW": "Write",
"RequestId": "86C37F50-950C-599D-B07A-88C0493784A9",
"HomeRegion": "cn-hangzhou",
"OssKeyPrefix": "",
"OssBucketName": "tf-testaccactiontrail",
"SlsWriteRoleArn": "",
"OssWriteRoleArn": "acs:ram::118272523431****:role/aliyunactiontraildefaultrole",
"TrailRegion": "All",
"Name": "tf-testaccactiontrail"
},
"eventSource": "actiontrail.cn-hangzhou.aliyuncs.com",
"requestParameters": {
"AcsHost": "actiontrail.cn-hangzhou.aliyuncs.com",
"EventRW": "Write",
"AcsProduct": "Actiontrail",
"RequestId": "86C37F50-950C-599D-B07A-88C0493784A9",
"Region": "cn-hangzhou",
"OssBucketName": "tf-testaccactiontrail",
"OssWriteRoleArn": "acs:ram::118272523431****:role/aliyunactiontraildefaultrole",
"RegionId": "cn-hangzhou",
"HostId": "actiontrail.cn-hangzhou.aliyuncs.com",
"TrailRegion": "All",
"Name": "tf-testaccactiontrail"
},
"sourceIpAddress": "Internal",
"userAgent": "AlibabaCloud (linux; amd64) Golang/1.12.10 Core/0.01 TeaDSL/1 HashiCorp-Terraform/ Terraform-Provider/1.129.0 Terraform-Module/Default/LTAIcgRmWRaj****:41d6e7ac-9fd7-4b05-b80d-9cf147e9fb4f",
"eventType": "ApiCall",
"referencedResources": {
"ACS::ActionTrail::Trail": [
"tf-testaccactiontrail"
]
},
"userIdentity": {
"accessKeyId": "LTAIcgRmWRaj****",
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2021-08-04T23:09:19Z"
}
},
"accountId": "118272523431****",
"principalId": "28544203916248****",
"type": "ram-user",
"userName": "Alice"
},
"serviceName": "Actiontrail",
"additionalEventData": {
"Scheme": "https",
"CallerBid": "26842"
},
"apiVersion": "2020-07-06",
"requestId": "86C37F50-950C-599D-B07A-88C0493784A9",
"eventTime": "2021-08-04T02:29:37Z",
"isGlobal": false,
"acsRegion": "cn-hangzhou",
"eventName": "UpdateTrail"
}
The preceding example contains the following key fields:
userIdentity.accessKeyId: the AccessKey ID that is used to initiate the API call. The value in this example is LTAIcgRmWRaj****.
userIdentity.principalId: the ID of the account to which the AccessKey pair belongs. The value in this example is 28544203916248****.
userIdentity.type: the identity type of the requester. The value in this example is ram-user, which indicates a RAM user.
serviceName: the name of the Alibaba Cloud service related to the event. The value in this example is Actiontrail, which indicates ActionTrail.
eventName: the name of the event. The value in this example is UpdateTrail, which indicates that a trail was modified.
referencedResources: the one or more resources that are related to the event. The value in this example is {"ACS::ActionTrail::Trail": ["tf-testaccactiontrail"]}, which indicates the tf-testaccactiontrail trail.
acsRegion: the region in which the event occurred. The value in this example is cn-hangzhou, which indicates that the event occurred in the China (Hangzhou) region.
eventTime: the time when the event occurred in UTC. The value in this example is 2021-08-04T02:29:37Z, which indicates that the event occurred at 10:29:37 on August 4, 2021 (UTC+8).
Modify a trail by assuming a RAM role as a RAM user
In the following example, a RAM user of the Alibaba Cloud account whose ID is 189217171671**** modified the trail whose name is test-trail in the China (Hangzhou) region by calling the UpdateTrail operation at 17:59:02 on August 5, 2021 (UTC+8). The RAM user modified the trail by assuming the trail-role RAM role that belongs to the Alibaba Cloud account whose ID is 189217171671****.
{
"eventId": "C8E1ADC3-0DF3-5133-A40E-A0EE2B96A46A",
"eventVersion": 1,
"responseElements": {
"SlsProjectArn": "acs:log:cn-hangzhou:189217171671****:project/test-123",
"EventRW": "All",
"RequestId": "C8E1ADC3-0DF3-5133-A40E-A0EE2B96A46A",
"HomeRegion": "cn-hangzhou",
"OssKeyPrefix": "",
"OssBucketName": "",
"SlsWriteRoleArn": "acs:ram::189217171671****:role/aliyunserviceroleforactiontrail",
"OssWriteRoleArn": "",
"TrailRegion": "All",
"Name": "test-trail"
},
"eventSource": "actiontrail-openapi-share.cn-hangzhou.aliyuncs.com",
"requestParameters": {
"SlsLogStore": "actiontrail_test-trail",
"charset": "UTF-8",
"AcsHost": "actiontrail-openapi-share.cn-hangzhou.aliyuncs.com",
"RequestId": "C8E1ADC3-0DF3-5133-A40E-A0EE2B96A46A",
"HostId": "actiontrail-openapi-share.cn-hangzhou.aliyuncs.com",
"TrailRegion": "All",
"Name": "test-nnn",
"stsTokenPrincipalName": "trail-role/roleTest123",
"SlsProjectArn": "acs:log:cn-hangzhou:189217171671****:project/test-123",
"EventRW": "All",
"AcsProduct": "Actiontrail",
"OssKeyPrefix": "",
"AcceptLanguage": "zh-CN",
"Region": "cn-hangzhou",
"OssBucketName": "",
"stsTokenPlayerUid": 189217171671****
},
"sourceIpAddress": "Internal",
"userAgent": "actiontrail.console.aliyun.com",
"eventType": "ApiCall",
"referencedResources": {
"ACS::ActionTrail::Trail": [
"test-trail"
]
},
"userIdentity": {
"accessKeyId": "STS.NTZxJ8V63CNgtAbsutWVs****",
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2021-08-05T09:59:02Z"
}
},
"accountId": "189217171671****",
"principalId": "39484351102463****:roleTest123",
"type": "assumed-role",
"userName": "trail-role:roleTest123"
},
"serviceName": "Actiontrail",
"additionalEventData": {
"Scheme": "http",
"CallerBid": "26842"
},
"apiVersion": "2020-07-06",
"requestId": "C8E1ADC3-0DF3-5133-A40E-A0EE2B96A46A",
"eventTime": "2021-08-05T09:59:02Z",
"isGlobal": false,
"acsRegion": "cn-hangzhou",
"eventName": "UpdateTrail"
}
The preceding example contains the following key fields:
userIdentity.type: the identity type of the requester. The value in this example is assumed-role, which indicates a RAM role.
userIdentity.userName: the username of the requester. The value is in the format of {roleName}:{sessionName}. roleName indicates the name of the RAM role that was assumed. sessionName indicates the name that was specified when the RAM user assumed the role. The value in this example is trail-role:roleTest123. trail-role indicates the name of the RAM role that was assumed. roleTest123 indicates the name that was specified when the RAM user assumed the RAM role.
requestParameters.stsTokenPlayerUid: the ID of the Alibaba Cloud account to which the RAM user belongs. The value in this example is 189217171671****.
referencedResources: the one or more resources that are related to the event. The value in this example is {"ACS::ActionTrail::Trail": ["test-trail"]}, which indicates the test-trail trail.
serviceName: the name of the Alibaba Cloud service related to the event. The value in this example is Actiontrail, which indicates ActionTrail.
eventName: the name of the event. The value in this example is UpdateTrail, which indicates that a trail was modified.
acsRegion: the region in which the event occurred. The value in this example is cn-hangzhou, which indicates that the event occurred in the China (Hangzhou) region.
eventTime: the time when the event occurred in UTC. The value is 2021-08-05T09:59:02Z, which indicates that the event occurred at 17:59:02 on August 5, 2021 (UTC+8).
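The following Python sketch is an added example, not part of the original ActionTrail documentation. It reduces UpdateTrail events to who changed which trail and when, using only the key fields described in the four examples above. The _ev helper, the function names and the sample events are constructed for illustration from the logs on this page, with accessKeyId and stsTokenPlayerUid set to None where the original event omits them.

```python
from datetime import datetime, timedelta, timezone

UTC8 = timezone(timedelta(hours=8))  # the page quotes local times in UTC+8

def _ev(itype, user, trail, when, key=None, sts_uid=None):
    # Constructed event carrying only the key fields the page describes.
    ident = {"type": itype, "userName": user, "accessKeyId": key}
    return {"serviceName": "Actiontrail", "eventName": "UpdateTrail",
            "acsRegion": "cn-hangzhou", "eventTime": when,
            "referencedResources": {"ACS::ActionTrail::Trail": [trail]},
            "requestParameters": {"stsTokenPlayerUid": sts_uid},
            "userIdentity": ident}

# Constructed sample input, trimmed from the four events shown on this page.
SAMPLE_EVENTS = [
    _ev("root-account", "root", "alicetest", "2021-08-05T00:25:26Z"),
    _ev("ram-user", "Alice", "test-trail", "2021-08-05T09:57:32Z"),
    _ev("ram-user", "Alice", "tf-testaccactiontrail", "2021-08-04T02:29:37Z",
        "LTAIcgRmWRaj****"),
    _ev("assumed-role", "trail-role:roleTest123", "test-trail",
        "2021-08-05T09:59:02Z", "STS.NTZxJ8V63CNgtAbsutWVs****", "189217171671****"),
]

def describe_actor(event):
    """Render userIdentity as one readable string, per identity type."""
    ident = event["userIdentity"]
    kind, name = ident["type"], ident.get("userName", "")
    if kind == "root-account":
        return "Alibaba Cloud account"
    if kind == "assumed-role":
        role, _, session = name.partition(":")  # {roleName}:{sessionName}
        uid = event.get("requestParameters", {}).get("stsTokenPlayerUid")
        return f"role {role}, session {session}, assumed from account {uid}"
    key = ident.get("accessKeyId") or "none recorded"
    return f"RAM user {name}, AccessKey ID {key}"

def trail_changes(events):
    """Summarize ActionTrail UpdateTrail events, oldest first."""
    rows = []
    for e in events:
        if (e.get("serviceName"), e.get("eventName")) != ("Actiontrail", "UpdateTrail"):
            continue
        utc = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rows.append({"utc": utc, "region": e["acsRegion"],
                     "local": utc.astimezone(UTC8).strftime("%Y-%m-%d %H:%M:%S"),
                     "trails": e["referencedResources"]["ACS::ActionTrail::Trail"],
                     "actor": describe_actor(e)})
    return sorted(rows, key=lambda r: r["utc"])
```

Calling trail_changes(SAMPLE_EVENTS) returns the four modifications in chronological order, so a change made by the Alibaba Cloud account itself stands out next to changes made by RAM users and assumed roles.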