All Products
Search
Document Center

Bastionhost:Archive audit logs to Simple Log Service

Last Updated:Mar 31, 2026

Bastionhost retains audit logs — including session command audits and operation logs — for 180 days by default. To keep logs longer, query them with custom filters, or forward them to a SIEM platform like Splunk, archive them to Simple Log Service (SLS). After you configure archiving, Bastionhost forwards audit logs to SLS in real time.

Only logs generated after you complete the configuration are archived. Logs created before the configuration are not.

With log archiving enabled, you can:

  • Retain audit logs beyond the default 180-day period

  • Query and analyze logs using SLS query tools

  • Set a custom retention period to meet compliance requirements

  • Forward logs to third-party platforms such as Splunk

Prerequisites

Before you begin, ensure that you have:

Configure log archiving

Step 1/3. Activate Simple Log Service

  1. Log on to the Simple Log Service console.Simple Log Service console

  2. Follow the on-screen instructions to activate Simple Log Service.

Step 2/3. Enable Bastionhost operation logs

  1. Go to the Log Audit Service page.

    Important

    Starting January 21, 2025, the entry point to the Log Audit Service console was removed. However, it remains visible to users who activated the service before this date. New users who need to use the old version can go to the new Log Audit Service and click Return To Old Version. For more information, see Log Audit (Old Version).

    image

  2. In the left navigation pane, choose Access to Cloud Products > Global Configurations.

  3. From the Region Of Central Project drop-down list, select the region where you want to store logs centrally.

  4. In the cloud products list, turn on the switch for Bastionhost Operation Logs and set the retention period under Storage Method.

    全局配置

Step 3/3. View audit logs

  1. In the left navigation pane, click the 审计查询 icon.

  2. Choose Centralization > Bastionhost to view the archived audit logs.

Archiving does not affect logs stored in Bastionhost. You can still view audit logs on the Session Audit page. For more information, see Search for sessions and view session details.

Log fields

The following table describes the fields in Bastionhost audit logs forwarded to SLS.

FieldDescription
__topic__Log topic. The value is fixed to bastionhost.
owner_idAlibaba Cloud account ID
regionRegion where the Bastionhost instance resides
contentContent of an operation, such as a command or file transfer
event_typeEvent type. For details, see Event types.
instance_idID of the Bastionhost instance
resource_addressIP address of the O&M asset
resource_nameName of the O&M asset
resultResult of an operation, such as a command or file transfer
session_idSession ID. Unique identifier for a session.
user_client_ipSource IP address of the user (the IP used to access Bastionhost)
user_idBastionhost user ID. Unique identifier for a user.
user_nameName of the Bastionhost user

Event types

The event_type field identifies what action triggered the log entry. The following tables list all supported event types.

Session and command events

EventDescription
db.oracle.reqOracle database request
db.mysql.reqMySQL database request
db.pgsql.reqPostgreSQL database request
cmd.CommandCommand character
cmd.Command.policyCommand processed by a control policy
graph.TextGraphical text
graph.KeyboardGraphical keyboard event
file.UploadUpload file
file.DownloadDownload file
file.RenameRename file
file.DeleteDelete file
file.DeleteDirDelete directory
file.CreateDirCreate directory
login.CSLoginUser CS logon
Session.sessionA session

Extended events (V3.2.43 and later)

EventDescription
login.CSPasswordLoginCS username and password logon authentication
login.CSResetPasswordCS password change
login.PortalPasswordLoginPortal user username and password logon authentication
user.PortalResetPasswordPortal password change
user.PortalClearOTPPortal mobile OTP token purge
user.PortalBindOTPPortal mobile OTP token binding
user.PortalLogoutPortal logoff
login.CSTwoFactorLoginCS two-factor authentication
login.PortalTwoFactorLoginPortal two-factor authentication
user.CreateUserCreate user
user.DeleteUserDelete user
user.ModifyUserEdit user
user.LockUserLock user
user.UnlockUserUnlock user
user.CreateUserPublicKeyAdd user SSH public key
user.ModifyUserPublicKeyUpdate user SSH public key
user.DeleteUserPublicKeyDelete user SSH public key
user.ExportUsersExport users
user.SyncRemoteUserDNSync remote user DN
user.NotifyUserOperationAddressModify user logon restrictions
user.SetUserUSBKeyBind user USBKey certificate
user.ResetUserUSBKeyDetach user USBKey certificate
user.CreateUserGroupCreate user group
user.ModifyUserGroupEdit user group
user.DeleteUserGroupDelete user group
user.AddUsersToGroupAdd members to a user group
user.RemoveUsersFromGroupRemove members from a user group
asset.CreateHostCreate host
asset.ModifyHostEdit host
asset.DeleteHostDelete host
asset.EnableHostEnable host
asset.DisableHostDisable host
asset.ResetHostsFingerPrintUpdate host fingerprint
asset.RefreshECSHostStatusCheck ECS host status
asset.RefreshKMSSecretsForECSCheck and update the status of KMS credentials for an ECS host
asset.RefreshAssetNetworkStatusCheck asset network status
asset.ExportHostsExport hosts
asset.CreateDatabaseCreate database asset
asset.ModifyDatabaseModify database asset
asset.DeleteDatabaseDelete database asset
asset.EnableDatabaseEnable database asset
asset.DisableDatabaseDisable database asset
asset.RefreshRDSDatabaseStatusCheck RDS database asset status
asset.ExportDatabasesExport database assets
asset.CreateAssetGroupCreate asset group
asset.ModifyAssetGroupEdit asset group
asset.DeleteAssetGroupDelete asset group
asset.AddHostsToGroupAdd host members to an asset group
asset.RemoveHostsFromGroupRemove host members from an asset group
asset.AddDatabasesToGroupAdd database members to an asset group
asset.RemoveDatabasesFromGroupRemove database members from an asset group
asset.AddAppsToGroupAdd application members to an asset group
asset.RemoveAppsFromGroupRemove application members from an asset group
asset.CreateHostAccountCreate host account
asset.ModifyHostAccountEdit host account
asset.DeleteHostAccountDelete host account
asset.ResetHostAccountCredentialPurge host account credential
asset.CreateDatabaseAccountCreate database account
asset.ModifyDatabaseAccountModify database account
asset.DeleteDatabaseAccountDelete database account
asset.CreateAssetSourceCreate third-party asset source
asset.ModifyAssetSourceEdit third-party asset source
asset.DeleteAssetSourceDelete third-party asset source
authorization.AttachHostAccountsToUserGrant a user permissions to use host accounts
authorization.DetachHostAccountsFromUserRevoke a user's permissions on host accounts
authorization.AttachHostAccountsToUserGroupGrant a user group permissions to use host accounts
authorization.DetachHostAccountsFromUserGroupRevoke a user group's permissions on host accounts
authorization.AttachAssetGroupAccountsToUserGrant a user permissions to use host account names
authorization.DetachAssetGroupAccountsFromUserRevoke a user's permissions on host account names
authorization.AttachAssetGroupAccountsToUserGroupGrant a user group permissions to use host account names
authorization.DetachAssetGroupAccountsFromUserGroupRevoke a user group's permissions on host account names
asset.AttachDatabaseAccountsToUserGrant a user permissions to use database accounts
asset.DetachDatabaseAccountsFromUserRevoke a user's permissions on database accounts
asset.AttachDatabaseAccountsToUserGroupGrant a user group permissions to use database accounts
asset.DetachDatabaseAccountsFromUserGroupRevoke a user group's permissions on database accounts
policy.CreatePolicyCreate control policy
policy.DeletePolicyDelete control policy
policy.ModifyPolicyUpdate control policy
policy.AttachUsersToPolicyAssociate a control policy with users
policy.DetachUsersFromPolicyDetach users from a control policy
policy.AttachUserGroupsToPolicyAssociate a control policy with user groups
policy.DetachUserGroupsFromPolicyDetach user groups from a control policy
policy.AttachHostsToPolicyAssociate a control policy with hosts
policy.DetachHostsFromPolicyDetach hosts from a control policy
policy.AttachAssetGroupsToPolicyAssociate a control policy with host groups
policy.DetachAssetGroupsFromPolicyDetach host groups from a control policy
policy.CreateDatabaseMaskPolicyCreate data masking policy
policy.ModifyDatabaseMaskPolicyModify data masking policy
policy.DeleteDatabaseMaskPolicyDelete data masking policy
policy.AttachDatabasesToPolicyAssociate a control policy with databases
policy.DetachDatabasesFromPolicyDetach databases from a control policy
policy.AttachAppsToPolicyAssociate a control policy with applications
policy.DetachAppsFromPolicyDetach applications from a control policy
policy.SetPolicyUserScopeSet the user scope for a control policy
policy.SetPolicyAssetScopeSet the asset scope for a control policy
policy.SetHostAccountToPolicySet the host accounts for a control policy
policy.SetDatabaseAccountToPolicySet the database accounts for a control policy
policy.SetAppAccountToPolicySet the application accounts for a control policy
policy.SetAssetGroupAccountNamesToPolicySet the asset group accounts for a control policy
policy.GenerateApproveCommandCreate a command approval record
policy.CancelApproveCommandCancel a command approval
policy.AcceptApproveCommandApprove a command
policy.RejectApproveCommandDeny a command approval
task.CreatePasswordTaskCreate a password change task
task.ModifyPasswordTaskUpdate a password change task
task.DeletePasswordTaskDelete a password change task
task.AttachHostAccountsToPasswordTaskAssociate host accounts with a password change task
task.DetachHostAccountsFromPasswordTaskDetach host accounts from a password change task
task.ExecutePasswordTaskExecute a password change task
task.CancelPasswordTaskCancel a password change task
task.EnablePasswordTaskEnable a password change task
task.ExportPasswordTaskHistoryExport password change task history
system.DeleteAuditSessionVideoDelete a session recording file
system.ModifyInstanceTwoFactorModify two-factor authentication configuration
system.InterruptAuditSessionBlock a session
system.ImportBastionHostConfigImport a configuration backup
system.ExportBastionHostConfigExport a configuration backup
system.ModifyInstanceLDAPAuthServerModify LDAP authentication server configuration
system.ModifyInstanceADAuthServerModify AD authentication server configuration
system.AddInstanceMemberAdd an instance RD member account
system.RemoveInstanceMemberRemove an instance RD member account
system.ModifyInstanceTLSConfigModify TLS security configuration
system.ModifyDataEncryptionConfigModify data encryption method configuration
system.VerifyUserInfoSignatureVerify user key information signature
system.BindIDaaSInstanceBind an IDaaS instance
system.UnbindIDaaSInstanceUnbind an IDaaS instance
system.ModifyInstanceLoginPolicyModify user logon and user locking policy configurations
system.ModifyInstanceUserPolicyModify user password security and user status configurations
system.CreateInstanceADAuthServerCreate an instance AD authentication server
system.DeleteInstanceADAuthServerDelete an instance AD authentication server
system.ModifyInstanceIDaaSConfigModify the configuration of a bound IDaaS instance
system.ModifyInstanceOperationConfigModify instance O&M configuration
system.ModifyInstanceAssetPolicyModify the connectivity status check interval configuration
system.AddInstanceNotificationReceiveUserAdd an alert administrator for message notifications
system.RemoveInstanceNotificationReceiveUserRemove an alert administrator for message notifications
system.ModifyInstanceNotificationConfigModify message notification configuration
system.ModifyInstanceStorePolicyModify the automatic deletion configuration for session recordings
system.ModifyInstanceSessionPolicyModify the automatic cleanup configuration for the session list
audit.DownloadOperationEventsBackupDownload O&M event log backup
audit.ExportOperationAuditReportExport O&M report
audit.DownloadAutoOperationTaskOutputDownload automated O&M task results
asset.CreateHostShareKeyCreate shared key
asset.ModifyHostShareKeyEdit shared key
asset.DeleteHostShareKeyDelete shared key
asset.AttachHostAccountsToHostShareKeyAssociate a shared key with host accounts
asset.DetachHostAccountsFromHostShareKeyDetach host accounts from a shared key
asset.CreateNetworkDomainCreate network domain
asset.ModifyNetworkDomainEdit network domain
asset.DeleteNetworkDomainDelete network domain
asset.MoveHostsToNetworkDomainChange the network domain of hosts
asset.MoveDatabasesToNetworkDomainChange the network domain of databases
authorization.CreateRuleCreate authorization rule
authorization.ModifyRuleModify authorization rule
authorization.DeleteRuleDelete authorization rule
authorization.EnableRuleEnable authorization rule
authorization.DisableRuleDisable authorization rule
authorization.ExportAuthorizationRelationExport authorization relationships
operation.CreateOperationTicketCreate an O&M approval ticket
operation.AcceptOperationTicketApprove an O&M request
operation.RejectOperationTicketDeny an O&M request
operation.CancelOperationTicketCancel an O&M request
task.CreateAutoOperationTaskCreate an O&M task
task.ModifyAutoOperationTaskModify an O&M task
task.DeleteAutoOperationTaskDelete an O&M task
task.StartAutoOperationTaskStart an O&M task
task.StopAutoOperationTaskStop an O&M task
task.CreateAutoOperationScriptCreate an O&M script
task.ModifyAutoOperationScriptModify an O&M script
task.DeleteAutoOperationScriptDelete an O&M script
task.AcceptOperationTaskApprovalApprove an automated O&M task ticket
task.RejectOperationTaskApprovalDeny an automated O&M task ticket
task.CancelAutoOperationTaskCancel an O&M task request
asset.ImportKMSSecretsForHostImport KMS credentials
operation.ConnectAssetConnect to an asset
operation.LoginAssetLog on to an asset
operation.LogoutAssetLog off from an asset
operation.SetOperationSSOConfigModify single sign-on (SSO) O&M terminal settings
operation.ModifyOperationUserProfileO&M user modifies personal information
asset.CreateAppServerCreate application server
asset.ModifyAppServerModify application server
asset.DeleteAppServersDelete application servers
asset.SyncAppServerAccountSync application server accounts
asset.CreateAppToolCreate remote client tool
asset.ModifyAppToolModify remote client tool
asset.DeleteAppToolsDelete remote client tools
asset.CreateAppCreate application
asset.ModifyAppModify application
asset.DeleteAppsDelete applications
asset.DeleteAppDelete a single application
asset.CreateAppAccountCreate application account
asset.ModifyAppAccountModify application account
asset.DeleteAppAccountsDelete application accounts
asset.AttachAppAccountsToUserGrant a user permissions on application accounts
asset.DetachAppAccountsFromUserRevoke a user's permissions on application accounts
asset.AttachAppAccountsToUserGroupGrant a user group permissions on application accounts
asset.DetachAppAccountsFromUserGroupRevoke a user group's permissions on application accounts

What's next