ActionTrail records the events that are related to itself. You can query the details of an ActionTrail-related event to obtain information such as the time when the event occurred, the region where the event occurred, and the trail involved. This topic provides the logs of sample events that are related to ActionTrail and describes the key fields included in the event logs.

Modify a trail by using an Alibaba Cloud account in the ActionTrail console

In the following example, an Alibaba Cloud account modified the trail whose name is Alicetest in the China (Hangzhou) region in the ActionTrail console at 08:25:26, August 5, 2021 (UTC+8).

{
  "eventId": "A5A4BB74-EFBC-5D8B-BD8A-1B9131429438",
  "eventVersion": 1,
  "responseElements": {
    "SlsProjectArn": "acs:log:cn-hangzhou:196813227629****:project/limansls",
    "EventRW": "Write",
    "RequestId": "A5A4BB74-EFBC-5D8B-BD8A-1B9131429438",
    "HomeRegion": "cn-hangzhou",
    "OssKeyPrefix": "",
    "OssBucketName": "",
    "SlsWriteRoleArn": "acs:ram::196813227629****:role/aliyunserviceroleforactiontrail",
    "OssWriteRoleArn": "",
    "TrailRegion": "All",
    "Name": "Alicetest"
  },
  "eventSource": "actiontrail-openapi-share.cn-hangzhou.aliyuncs.com",
  "requestParameters": {
    "SlsLogStore": "actiontrail_test",
    "charset": "UTF-8",
    "AcsHost": "actiontrail-openapi-share.cn-hangzhou.aliyuncs.com",
    "RequestId": "A5A4BB74-EFBC-5D8B-BD8A-1B9131429438",
    "HostId": "actiontrail-openapi-share.cn-hangzhou.aliyuncs.com",
    "TrailRegion": "All",
    "Name": "limantest",
    "SlsProjectArn": "acs:log:cn-hangzhou:196813227629****:project/Alicesls",
    "EventRW": "Write",
    "AcsProduct": "Actiontrail",
    "OssKeyPrefix": "",
    "AcceptLanguage": "zh-CN",
    "Region": "cn-hangzhou",
    "OssBucketName": ""
  },
  "sourceIpAddress": "2409:8a20:4d15:e150:90f5:26ed:cc45:6922",
  "userAgent": "actiontrail.console.aliyun.com",
  "eventType": "ApiCall",
  "referencedResources": {
    "ACS::ActionTrail::Trail": [
      "Alicetest"
    ]
  },
  "userIdentity": {
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2021-08-05T00:25:25Z"
      }
    },
    "accountId": "196813227629****",
    "principalId": "196813227629****",
    "type": "root-account",
    "userName": "root"
  },
  "serviceName": "Actiontrail",
  "additionalEventData": {
    "Scheme": "http",
    "CallerBid": "26842"
  },
  "apiVersion": "2020-07-06",
  "requestId": "A5A4BB74-EFBC-5D8B-BD8A-1B9131429438",
  "eventTime": "2021-08-05T00:25:26Z",
  "isGlobal": false,
  "acsRegion": "cn-hangzhou",
  "eventName": "UpdateTrail"
}

The preceding example contains the following key fields:

  • userIdentity.type: the identity type of the requester. The value in this example is root-account, which indicates an Alibaba Cloud account.
  • serviceName: the name of the Alibaba Cloud service related to the event. The value in this example is Actiontrail, which indicates ActionTrail.
  • eventName: the name of the event. The value in this example is UpdateTrail, which indicates that a trail was modified.
  • referencedResources: the one or more resources that are related to the event. The value in this example is {"ACS::ActionTrail::Trail": ["Alicetest"}, which indicates the Alicetest trail.
  • acsRegion: the region in which the event occurred. The value in this example is cn-hangzhou, which indicates that the event occurred in the China (Hangzhou) region.
  • eventTime: the time when the event occurred in UTC. The value is 2021-08-05T00:25:26Z, which indicates that the event occurred at 08:25:26 on August 5, 2021 (UTC+8).

Modify a trail as a RAM user in the ActionTrail console

In the following example, the RAM user whose name is Alice modified the trail whose name is test-trail in the China (Hangzhou) region in the ActionTrail console at 17:57:32 on August 5, 2021 (UTC+8).

{
  "eventId": "86045124-4D86-5AD3-8848-CF78A20402AC",
  "eventVersion": 1,
  "responseElements": {
    "SlsProjectArn": "acs:log:cn-hangzhou:189217171671****:project/test-123",
    "EventRW": "Write",
    "RequestId": "86045124-4D86-5AD3-8848-CF78A20402AC",
    "HomeRegion": "cn-hangzhou",
    "OssKeyPrefix": "",
    "OssBucketName": "",
    "SlsWriteRoleArn": "acs:ram::189217171671****:role/aliyunserviceroleforactiontrail",
    "OssWriteRoleArn": "",
    "TrailRegion": "All",
    "Name": "test-trail"
  },
  "eventSource": "actiontrail-openapi-share.cn-hangzhou.aliyuncs.com",
  "requestParameters": {
    "SlsLogStore": "actiontrail_test-trail",
    "charset": "UTF-8",
    "AcsHost": "actiontrail-openapi-share.cn-hangzhou.aliyuncs.com",
    "RequestId": "86045124-4D86-5AD3-8848-CF78A20402AC",
    "HostId": "actiontrail-openapi-share.cn-hangzhou.aliyuncs.com",
    "TrailRegion": "All",
    "Name": "test-nnn",
    "SlsProjectArn": "acs:log:cn-hangzhou:189217171671****:project/test-123",
    "EventRW": "Write",
    "AcsProduct": "Actiontrail",
    "OssKeyPrefix": "",
    "AcceptLanguage": "zh-CN",
    "Region": "cn-hangzhou",
    "OssBucketName": ""
  },
  "sourceIpAddress": "192.168.XX.XX",
  "userAgent": "actiontrail.console.aliyun.com",
  "eventType": "ApiCall",
  "referencedResources": {
    "ACS::ActionTrail::Trail": [
      "test-trail"
    ]
  },
  "userIdentity": {
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2021-08-05T09:57:32Z"
      }
    },
    "accountId": "189217171671****",
    "principalId": "26135379175722****",
    "type": "ram-user",
    "userName": "Alice"
  },
  "serviceName": "Actiontrail",
  "additionalEventData": {
    "Scheme": "http",
    "CallerBid": "26842"
  },
  "apiVersion": "2020-07-06",
  "requestId": "86045124-4D86-5AD3-8848-CF78A20402AC",
  "eventTime": "2021-08-05T09:57:32Z",
  "isGlobal": false,
  "acsRegion": "cn-hangzhou",
  "eventName": "UpdateTrail"
}

The preceding example contains the following key fields:

  • userIdentity.type: the identity type of the requester. The value in this example is ram-user, which indicates a RAM user.
  • userIdentity.userName: the username of the RAM user.
  • serviceName: the name of the Alibaba Cloud service related to the event. The value in this example is Actiontrail, which indicates ActionTrail.
  • eventName: the name of the event. The value in this example is UpdateTrail, which indicates that a trail was mofidied.
  • referencedResources: the one or more resources that are related to the event. The value in this example is {"ACS::ActionTrail::Trail": ["test-trail"]}, which indicates the test-trail trail.
  • acsRegion: the region in which the event occurred. The value in this example is cn-hangzhou, which indicates that the event occurred in the China (Hangzhou) region.
  • eventTime: the time when the event occurred in UTC. The value in this example is 2021-08-05T09:57:32Z, which indicates that the event occurred at 17:57:32 on August 5, 2021 (UTC+8).

Modify a trail by calling the UpdateTrail operation as a RAM user with an AccessKey pair used

In the following example, the RAM user whose name is Alice modified the trail whose name is tf-testaccactiontrail in the China (Hangzhou) region by calling the UpdateTrail operation at 10:29:37 on August 4, 2021 (UTC+8). The RAM user used the AccessKey pair whose ID is LTAIcgRmWRaj**** to initiate the API call.

{
  "eventId": "86C37F50-950C-599D-B07A-88C0493784A9",
  "eventVersion": 1,
  "responseElements": {
    "SlsProjectArn": "",
    "EventRW": "Write",
    "RequestId": "86C37F50-950C-599D-B07A-88C0493784A9",
    "HomeRegion": "cn-hangzhou",
    "OssKeyPrefix": "",
    "OssBucketName": "tf-testaccactiontrail",
    "SlsWriteRoleArn": "",
    "OssWriteRoleArn": "acs:ram::118272523431****:role/aliyunactiontraildefaultrole",
    "TrailRegion": "All",
    "Name": "tf-testaccactiontrail"
  },
  "eventSource": "actiontrail.cn-hangzhou.aliyuncs.com",
  "requestParameters": {
    "AcsHost": "actiontrail.cn-hangzhou.aliyuncs.com",
    "EventRW": "Write",
    "AcsProduct": "Actiontrail",
    "RequestId": "86C37F50-950C-599D-B07A-88C0493784A9",
    "Region": "cn-hangzhou",
    "OssBucketName": "tf-testaccactiontrail",
    "OssWriteRoleArn": "acs:ram::118272523431****:role/aliyunactiontraildefaultrole",
    "RegionId": "cn-hangzhou",
    "HostId": "actiontrail.cn-hangzhou.aliyuncs.com",
    "TrailRegion": "All",
    "Name": "tf-testaccactiontrail"
  },
  "sourceIpAddress": "Internal",
  "userAgent": "AlibabaCloud (linux; amd64) Golang/1.12.10 Core/0.01 TeaDSL/1 HashiCorp-Terraform/ Terraform-Provider/1.129.0 Terraform-Module/Default/LTAIcgRmWRajkHnV:41d6e7ac-9fd7-4b05-b80d-9cf147e9fb4f",
  "eventType": "ApiCall",
  "referencedResources": {
    "ACS::ActionTrail::Trail": [
      "tf-testaccactiontrail"
    ]
  },
  "userIdentity": {
    "accessKeyId": "LTAIcgRmWRaj****",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2021-08-04T23:09:19Z"
      }
    },
    "accountId": "118272523431****",
    "principalId": "28544203916248****",
    "type": "ram-user",
    "userName": "Alice"
  },
  "serviceName": "Actiontrail",
  "additionalEventData": {
    "Scheme": "https",
    "CallerBid": "26842"
  },
  "apiVersion": "2020-07-06",
  "requestId": "86C37F50-950C-599D-B07A-88C0493784A9",
  "eventTime": "2021-08-04T02:29:37Z",
  "isGlobal": false,
  "acsRegion": "cn-hangzhou",
  "eventName": "UpdateTrail"
}

The preceding example contains the following key fields:

  • userIdentity.accessKeyId: the AccessKey ID that is used to initiate the API call. The value in this example is LTAIcgRmWRaj****.
  • userIdentity.principalId: the ID of the account to which the AccessKey pair belongs. The value in this example is 28544203916248****.
  • userIdentity.type: the identity type of the requester. The value in this example is ram-user, which indicates a RAM user.
  • serviceName: the name of the Alibaba Cloud service related to the event. The value in this example is Actiontrail, which indicates ActionTrail.
  • eventName: the name of the event. The value in this example is UpdateTrail, which indicates that a trail was modified.
  • referencedResources: the one or more resources that are related to the event. The value in this example is {"ACS::ActionTrail::Trail": ["tf-testaccactiontrail"]}, which indicates the tf-testaccactiontrail trail.
  • acsRegion: the region in which the event occurred. The value in this example is cn-hangzhou, which indicates that the event occurred in the China (Hangzhou) region.
  • eventTime: the time when the event occurred in UTC. The value in this example is 2021-08-04T02:29:37Z, which indicates that the event occurred at 10:29:37 on August 4, 2021 (UTC+8).

Modify a trail by assuming a RAM role as a RAM user

In the following example, a RAM user of the Alibaba Cloud account whose ID is 189217171671**** modified the trail whose name is test-trail in the China (Hangzhou) region by calling the UpdateTrail operation at 17:59:02 on August 5, 2021 (UTC+8). The RAM user modified the trail by assuming the trail-role RAM role that belongs to the Alibaba Cloud account whose ID is 189217171671****.

{
  "eventId": "C8E1ADC3-0DF3-5133-A40E-A0EE2B96A46A",
  "eventVersion": 1,
  "responseElements": {
    "SlsProjectArn": "acs:log:cn-hangzhou:189217171671****:project/test-123",
    "EventRW": "All",
    "RequestId": "C8E1ADC3-0DF3-5133-A40E-A0EE2B96A46A",
    "HomeRegion": "cn-hangzhou",
    "OssKeyPrefix": "",
    "OssBucketName": "",
    "SlsWriteRoleArn": "acs:ram::189217171671****:role/aliyunserviceroleforactiontrail",
    "OssWriteRoleArn": "",
    "TrailRegion": "All",
    "Name": "test-trail"
  },
  "eventSource": "actiontrail-openapi-share.cn-hangzhou.aliyuncs.com",
  "requestParameters": {
    "SlsLogStore": "actiontrail_test-trail",
    "charset": "UTF-8",
    "AcsHost": "actiontrail-openapi-share.cn-hangzhou.aliyuncs.com",
    "RequestId": "C8E1ADC3-0DF3-5133-A40E-A0EE2B96A46A",
    "HostId": "actiontrail-openapi-share.cn-hangzhou.aliyuncs.com",
    "TrailRegion": "All",
    "Name": "test-nnn",
    "stsTokenPrincipalName": "trail-role/roleTest123",
    "SlsProjectArn": "acs:log:cn-hangzhou:189217171671****:project/test-123",
    "EventRW": "All",
    "AcsProduct": "Actiontrail",
    "OssKeyPrefix": "",
    "AcceptLanguage": "zh-CN",
    "Region": "cn-hangzhou",
    "OssBucketName": "",
    "stsTokenPlayerUid": 189217171671****
  },
  "sourceIpAddress": "Internal",
  "userAgent": "actiontrail.console.aliyun.com",
  "eventType": "ApiCall",
  "referencedResources": {
    "ACS::ActionTrail::Trail": [
      "test-trail"
    ]
  },
  "userIdentity": {
    "accessKeyId": "STS.NTZxJ8V63CNgtAbsutWVs****",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2021-08-05T09:59:02Z"
      }
    },
    "accountId": "189217171671****",
    "principalId": "39484351102463****:roleTest123",
    "type": "assumed-role",
    "userName": "trail-role:roleTest123"
  },
  "serviceName": "Actiontrail",
  "additionalEventData": {
    "Scheme": "http",
    "CallerBid": "26842"
  },
  "apiVersion": "2020-07-06",
  "requestId": "C8E1ADC3-0DF3-5133-A40E-A0EE2B96A46A",
  "eventTime": "2021-08-05T09:59:02Z",
  "isGlobal": false,
  "acsRegion": "cn-hangzhou",
  "eventName": "UpdateTrail"
}

The preceding example contains the following key fields:

  • userIdentity.type: the identity type of the requester. The value in this example is assumed-role, which indicates a RAM role.
  • userIdentity.userName: the username of the requester. The value is in the format of {roleName}:{sessionName}. roleName indicates the name of the RAM role that was assumed. sessionName indicates the name that was specified when the RAM user assumed the role. The value in this example is trail-role:roleTest123. trail-role indicates the name of the RAM role that was assumed. roleTest123 indicates the name that was specified when the RAM user assumed the RAM role.
  • requestParameters.stsTokenPlayerUid: the ID of the Alibaba Cloud account to which the RAM user belongs. The value in this example is 189217171671****.
  • referencedResources: the one or more resources that are related to the event. The value in this example is {"ACS::ActionTrail::Trail": ["test-trail"]}, which indicates the test-trail trail.
  • serviceName: the name of the Alibaba Cloud service related to the event. The value in this example is Actiontrail, which indicates ActionTrail.
  • eventName: the name of the event. The value in this example is UpdateTrail, which indicates that a trail was modified.
  • acsRegion: the region in which the event occurred. The value in this example is cn-hangzhou, which indicates that the event occurred in the China (Hangzhou) region.
  • eventTime: the time when the event occurred in UTC. The value is 2021-08-05T09:59:02Z, which indicates that the event occurred at 17:59:02 on August 5, 2021 (UTC+8).