Alibaba Cloud retains the operation records of Elastic Compute Service (ECS) instances and their associated resources for 90 days, including the time, location, and operator of each operation. When you encounter technical issues or failures, you can quickly identify issues, assess the impact scope, and determine responsibility by reviewing the operation records.
The log data for the ECS Operation Records feature is provided by ActionTrail. By default, the data is retained for 90 days. If you want to retain the data for a longer period, you can deliver it to your own storage service. For more information, see Create a single-account trail.
Procedure
Go to ECS console - Instance.
In the top navigation bar, select the region and resource group of the resource that you want to manage.
Click the ID of the ECS instance that you want to query to go to the instance details page, and then click the Operation Records tab.
By default, the tab displays all operation records of the ECS instance and its related resources for the previous seven days.
You can filter the operation records by filter conditions, such as Scope and Action Significance Level. The following table describes the supported filter conditions.
Filter condition
Description
Scope
Filters operations that affect the ECS instance, including the following categories:
Actions on the ECS instance:
Instance Configuration Actions: Modify the hardware configurations of the instance, such as the number of vCPUs, memory size, and disk space.
Instance Status Actions: Change the status of the instance, such as changing the instance from the Running state to the Stopped state.
Instance Attribute Actions: Modify the attributes of the instance, such as the name, description, and tags.
Instance Billing Actions: Change the billing method of the instance, such as changing the billing method from pay-as-you-go to subscription.
Instance Create or Release: Create the instance or release it when you no longer require it.
Instance Startup or Stop: Start or stop the instance.
Economical Mode with Operating System Shutdown: Stop the instance in economical mode to reduce unnecessary costs.
Actions on resources related to the ECS instance:
Security Group Create or Delete: Create security groups for the instance or instance group or delete security groups that you no longer require.
Security Group Configuration Change: Modify security group rules associated with the instance to allow or deny specific types of inbound or outbound network traffic.
Associated Security Group Actions: Update the security group rules associated with the instance and modify the security measures of the instance.
Associated ENI Actions: Modify the configurations of the elastic network interfaces (ENIs) bound to the instance, such as the IP addresses and subnets.
Associated Disk Actions: Modify the configurations of the disks attached to the instance, such as resizing a disk or changing the category of a disk.
Read or Write
Filters operations by the read or write type. Only Write is supported.
Time Range
Filters operations performed within a period of time. You can query operation records in the previous 90 days. The start date and end date of the time range to query can be up to seven days apart.
Action Significance Level
Filters operations by action significance level. Different operations have different action significance levels on the instance. Valid values:
High: Operations at this level may cause service interruption, such as stopping the instance (StopInstance) and restarting the instance (RebootInstance). The operations may affect your business operations, and you must prepare data backup and restoration policies in advance.
Medium: In most cases, operations at this level do not cause service interruption, but may have a brief impact on your business in specific scenarios. The operations include starting the instance (StartInstance). When you perform the operations, we recommend that you take note of the status changes of the instance and handle potential issues at the earliest opportunity.
Low: In most cases, operations at this level do not affect business, such as creating a disk (CreateDisk).
Action Name
Filters operations by API operation name. You can search for and view the description of an API operation in List of operations by function.
User Name
Filters operations by the user who performed the operations.
Associated Resource ID
Filters operations by the ID of the instance on which the operations were performed. The instance ID uniquely identifies the resources associated with the instance.
On the Operation Records tab, click Details in the Actions column of each operation to view the detailed operation records of the instance and its associated resources. For information about the parameters in the detailed operation records, see Management event structure.
Use case
The IT department of a company uses an Alibaba Cloud ECS instance to host its critical business applications. One morning, the company's customer service team receives a large number of reports about the website's slow response. The IT O&M team immediately logs on to the Alibaba Cloud Management Console to troubleshoot the issue.
1. Check for issues
To check for issues, the IT O&M team uses CloudMonitor operation records and Alibaba Cloud ActionTrail to retrieve all recent logs and operation records of the ECS instance.
2. Use ECS operation records
The IT O&M team goes to the Operation Records tab of the ECS instance in the ECS console, reviews all relevant operation records from the previous few days, and discovers some suspicious operations with the high action significance level.
To further identify issues, the team obtains detailed information about the operations by clicking Details in the Actions column of each operation. The following sample code shows an example of operation details:
{
"eventId": "11D139B3-BF38-5E16-B369-******",
"eventVersion": 1,
"responseElements": {
"RequestId": "11D139B3-BF38-5E16-B369-******"
},
"eventSource": "ecs-cn-hangzhou-share.aliyuncs.com",
"requestParameters": {
"SourceRegionId": "cn-shanghai",
"AcsProduct": "Ecs",
"InstanceId": "i-uf******",
"__referer__": "https://ecs.console.aliyun.com/server/region/cn-shanghai?instanceId=i-uf******&__refreshToken=1745474781230",
"AcceptLanguage": "zh-CN",
"ClientPort": 42079,
"X-Acs-Client-Tls-Version": "TLSv1.3",
"RegionId": "cn-shanghai",
"InstanceType": "ecs.******",
"X-Acs-Client-Tls-Cipher-Suite": "TLS_AES_256_GCM_SHA384"
},
"sourceIpAddress": "124.89.******",
"userAgent": "ecs.console.aliyun.com",
"eventRW": "Write",
"eventType": [
"spec",
"instanceCost"
],
"referencedResources": {
"ACS::ECS::Instance": [
"i-uf******"
]
},
"userIdentity": {
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2025-04-24T06:06:54Z"
}
},
"accountId": "5237******",
"principalId": "523******",
"type": "root-account",
"userName": "ZhangSan"
},
"serviceName": "Ecs",
"additionalEventData": {
"CallerBid": "26888"
},
"apiVersion": "2014-05-26",
"requestId": "11D139B3-BF38-5E16-B369-*******",
"eventTime": "2025-04-24T06:06:54Z",
"isGlobal": false,
"acsRegion": "cn-shanghai",
"eventName": "ModifyInstanceSpec",
"resourceName": "i-uf*******",
"userName": "root",
"originEventType": "ConsoleOperation",
"eventLevel": "high"
}eventTimeindicates the time when the operation was performed.sourceIpAddressindicates the IP address that initiated the operation.resourceNameindicates the resource on which the operation was performed.accountIdanduserNameindicate the account ID and name of the operator.eventNameindicates the name of the operation. For example, theModifyInstanceSpecoperation indicates that the ECS instance type was changed.NoteYou can search for and view the description of an API operation in List of operations by function.
3. Analyze operation records
From the ECS operation records, the IT O&M team learns that the configurations were modified the previous afternoon. No issues were immediately discovered after the modification, but as time passed and user traffic increased, CPU utilization continuously rose to 100%, eventually causing damage to the online business.
4. Contact relevant personnel
The IT O&M team contacts the engineer who is responsible for modifying the configurations to obtain the modification details. When modifying the configurations, the engineer may not correctly assess the changes in resource requirements, resulting in insufficient performance after the configuration modification.
5. Use ActionTrail for auxiliary analysis
To further confirm and verify the issue cause, the IT O&M team uses Alibaba Cloud ActionTrail. ActionTrail provides more detailed log information, including specific parameters of API operation calls and event IDs. The team uses Event Query of ActionTrail to confirm that other ECS instances in the same account are not modified.
6. Restore and optimize resource configurations
Based on the information provided by ECS operation records and ActionTrail, the IT O&M team decides to restore the original configurations and re-evaluate and modify resource configurations based on the current actual load. The following steps are performed:
Restore the original configurations. Manually restore the original configurations of the ECS instance, such as the original instance type.
Monitor instance performance. After you restore the original configurations of the ECS instance, continuously monitor the instance performance to ensure that the services on the instance recover.
Re-evaluate resource requirements. Re-evaluate resource requirements and develop a more reasonable resource configuration plan.