If you log on to the Alibaba Cloud Management Console as a RAM user, a logon event (ConsoleSignin) occurs. This topic describes the fields in sample event logs for logons as a RAM user.

Example 1: Logon without MFA enabled

The following sample event log shows that the RAM user named Alice logged on to the Alibaba Cloud Management Console without multi-factor authentication (MFA) enabled at 08:00:00 on January 1, 2021, UTC+8.

{
  "requestId": "1.167_1627549154939_339a",
  "eventType": "ConsoleSignin",
  "userIdentity": {
    "accountId": "159498693826****",
    "principalId": "23890260100229****",
    "type": "ram-user",
    "userName":  "Alice"
  },
  "acsRegion": "cn-hangzhou",
  "eventName": "ConsoleSignin",
  "eventSource": "signin.aliyun.com",
  "serviceName": "AasSub",
  "eventTime": "2021-01-01T00:00:00Z",
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.164 Safari/537.36",
  "eventId": "1.167_1627549154939_****",
  "additionalEventData": {
    "callbackUrl": "https://actiontrail.console.aliyun.com/cn-hangzhou/event-list?accounttraceid=******",
    "mfaChecked": "false"
  },
  "errorCode": "",
  "errorMessage": "",
  "eventVersion": "1",
  "sourceIpAddress": "192.168.XX.XX"
}

The sample event log contains the following key fields:

  • eventType: the type of the event. The value is ConsoleSignin, which indicates a console logon event.
  • userIdentity.type: the identity type of the requester. The value is ram-user, which indicates a RAM user.
  • userIdentity.userName: the username of the RAM user used by the requester.
  • eventTime: the time when the event occurred in UTC. The value is 2021-01-01T00:00:00Z, which indicates that the event occurred at 08:00:00 on January 1, 2021, in UTC+8.
  • additionalEventData.isMFAChecked: indicates whether MFA is enabled for the logon of the RAM user. The value is false, which indicates that MFA is not enabled.

Example 2: Logon with MFA enabled

The following sample event log shows that the RAM user named Alice logged on to the Alibaba Cloud Management Console with MFA enabled at 08:00:00 on January 1, 2021, UTC+8.

{
  "requestId": "1.167_1627549154939_339a",
  "eventType": "ConsoleSignin",
  "userIdentity": {
    "accountId": "159498693826****",
    "principalId": "23890260100229****",
    "type": "ram-user",
    "userName":  "Alice"
  },
  "acsRegion": "cn-hangzhou",
  "eventName": "ConsoleSignin",
  "eventSource": "signin.aliyun.com",
  "serviceName": "AasSub",
  "eventTime": "2021-01-01T00:00:00Z",
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.164 Safari/537.36",
  "eventId": "1.167_1627549154939_****",
  "additionalEventData":{
    "callbackUrl": "https://actiontrail.console.aliyun.com/cn-hangzhou/event-list?accounttraceid=******",
    "mfaChecked": "true"
  },
  "errorCode": "",
  "errorMessage": "",
  "eventVersion": "1",
  "sourceIpAddress": "192.168.XX.XX"
}

The sample event log contains the following key fields:

  • eventType: the type of the event. The value is ConsoleSignin, which indicates a console logon event.
  • userIdentity.type: the identity type of the requester. The value is ram-user, which indicates a RAM user.
  • userIdentity.userName: the username of the RAM user used by the requester.
  • eventTime: the time when the event occurred in UTC. The value is 2021-01-01T00:00:00Z, which indicates that the event occurred at 08:00:00 on January 1, 2021, in UTC+8.
  • additionalEventData.isMFAChecked: indicates whether MFA is enabled for the logon of the RAM user. The value is true, which indicates that MFA is enabled.

Example 3: Failed logon

The following sample event log shows that the RAM user named Alice failed to log on to the Alibaba Cloud Management Console at 08:00:00 on January 1, 2021, UTC+8.

{
  "eventId": "1.167_1627549154939_****",
  "eventVersion": 1,
  "errorMessage": "Password is error",
  "eventSource": "signin.aliyun.com",
  "errorCode": "Authentication.Failed",
  "sourceIpAddress":"192.168.XX.XX",
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36",
  "eventType": "ConsoleSignin",
  "userIdentity": {
    "accountId": "159498693826****",
    "principalId": "23890260100229****",
    "type": "ram-user",
    "userName": "Alice"
  },
  "serviceName": "AasSub",
  "additionalEventData": {
    "callbackUrl": "https://actiontrail.console.aliyun.com/cn-hangzhou/event-list?accounttraceid=****",
    "mfaChecked": "false"
  },
  "extend": "USER_LOGIN",
  "requestId": "1.167_1627549154939_339a",
  "eventTime": "2021-01-01T00:00:00Z",
  "isGlobal": true,
  "acsRegion": "cn-hangzhou",
  "eventName": "ConsoleSignin"
}

The sample event log contains the following key fields:

  • errorCode: the error code. The value is Authentication.Failed, which indicates that the logon failed.
  • eventType: the type of the event. The value is ConsoleSignin, which indicates a console logon event.
  • userIdentity.type: the identity type of the requester. The value is ram-user, which indicates a RAM user.
  • userIdentity.userName: the username of the RAM user used by the requester.
  • eventTime: the time when the event occurred in UTC. The value is 2021-01-01T00:00:00Z, which indicates that the event occurred at 08:00:00 on January 1, 2021, in UTC+8.