The operation logs of Elastic Desktop Service (EDS) record the operations that are performed on cloud desktops by using Alibaba Cloud accounts. EDS supports the following types of operation logs: administrator operation logs and end user operation logs. You can query operation logs based on your business requirements and audit whether anomalies exist in the operations. This topic describes how to view operation logs.
Background information
Operation logs help you monitor and record operations that are performed in Elastic Desktop Service (EDS) by using Alibaba Cloud accounts. For example, the administrator operation logs record the operations that are performed by the administrator to access and use EDS in the EDS console and OpenAPI Explorer. The end user operation logs record the operations that are performed by end users to start, stop, restart, reset, connect to, and disconnect from cloud desktops, and establish and close desktop sessions. The operation logs provide valid records when you analyze security, trace resource changes, and audit the compliance of behaviors.
View administrator operation logs
- Event query: allows you to query events of the past 90 days in the specified region.
- Advanced query: allows you to query events beyond the past 90 days across multiple regions. Compared with the event query mode, the advanced query mode allows you to configure a larger number of query conditions.
Event query
- Log on to the EDS console.
- In the left-side navigation pane, choose .
- In the upper-left corner of the top navigation bar, select a region.
- On the Operation Logs page, click the Administrator Operation Logs tab.
- Optional: On the Administrator Operation Logs tab, determine whether to click Switch to Event Query based on the following rules:
If the event query mode is enabled, you do not need to switch to event query. If the event query mode is not enabled, click Switch to Event Query.
- Configure query conditions and a time range based on your business requirements, and click the icon to query events.
- Query conditions: You can query events by read/write type, username, or resource type.
- Time range: By default, the operation logs of the past 24 hours are displayed. You can specify a custom time range.
- Find the event whose details you want to view and click the row in which the event resides.
By default, the Basic Information and Associated Resources sections are displayed for each event. The following figure shows the sections.
Note
- You can click Event Detail to view the event code.
- For more information about the fields in the event code, see Management event structure.
Advanced query
- On the Operation Logs page, click the Administrator Operation Logs tab.
- On the Administrator Operation Logs tab, determine whether to click Switch to Advanced Query based on the following rules:
If the advanced query mode is enabled, you do not need to switch to advanced query. If the advanced query mode is not enabled, click Switch to Advanced Query.
- Enable the advanced query mode.
The first time you use the advanced query mode, you must perform the following steps to enable the mode. In other cases, you can skip the following steps.
- On the Administrator Operation Logs tab, click Enable Advanced Event Query.
- In the Enable Advanced Event Query panel, create a trail, configure the Logstore information, and then click Confirm.
- Configure query conditions or enter query statements based on your business requirements.
You can perform an advanced query in common mode or simple mode. In common mode, you can query events in a visualized manner. In simple mode, you can enter SQL statements to query events in a flexible manner.
- Common mode
- Configure query conditions and a time range and click Query.
You can query an event by event name, resource name, resource type, and region. You can specify multiple regions.
- From the events that are returned, find the event whose details you want to view and click the row in which the event resides.
You can click Event Detail to view the event code.
- Simple mode
- Enter a query condition or query statement, specify a time range, and then click Query.
You can enter SQL statements for queries. You can also specify query conditions, such as usernames, operations, associated resources, and regions.
- From the events that are returned, find the event whose details you want to view and click the row in which the event resides.
You can click Event Detail to view the event code.
View end user operation logs
You can audit end user operations at the earliest opportunity based on end user operation logs. The following section describes how to view end user operation logs.
- Log on to the EDS console.
- In the left-side navigation pane, choose .
- In the upper-left corner of the top navigation bar, select a region.
- On the Operation Logs page, click the User Operation Logs tab.
- On the User Operation Logs tab, configure an event type and a time range based on your business requirements.
By default, the operation logs of the past 24 hours are displayed. You can specify a custom time range.
Each operation log entry consists of the following information:
- Event information: the information about the event, including the event ID, event type, and occurrence time.
- User information: the information about the end user who performs the operation. The end user is also the client logon user.
- Desktop information: the information about the cloud desktop on which the end user performs the operation, including the ID and name of the cloud desktop or desktop group, and the ID and name of the workspace to which the cloud desktop belongs.
- Client information: the information about the client that holds the cloud desktop, including the OS, version, and IP address of the client.
- Optional: To further analyze operation logs, click Export Logs to export the logs to your on-premises machine.
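One way to audit exported end user operation logs offline, shown as an added example that is not part of the EDS documentation or product. The CSV column names and event-type labels are assumptions modelled on the fields listed above (event ID, event type, occurrence time, end user, desktop, client OS and IP address); map them to the headers in your actual export. The sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export. Column names and event-type labels are assumed,
# not taken from the EDS export format.
SAMPLE_EXPORT = """event_id,event_type,event_time,end_user,desktop_id,client_os,client_ip
e-001,connect,2024-05-06 09:02:11,alice,ecd-aaa111,Windows,198.51.100.10
e-002,disconnect,2024-05-06 17:31:40,alice,ecd-aaa111,Windows,198.51.100.10
e-003,connect,2024-05-07 09:05:03,alice,ecd-aaa111,Windows,198.51.100.10
e-004,connect,2024-05-07 09:10:27,bob,ecd-bbb222,macOS,198.51.100.20
e-005,connect,2024-05-08 02:47:55,alice,ecd-aaa111,Android,203.0.113.77
e-006,reset,2024-05-08 02:55:12,alice,ecd-aaa111,Android,203.0.113.77
e-007,connect,2024-05-08 09:01:30,bob,ecd-bbb222,macOS,198.51.100.20
"""

SENSITIVE = {"reset", "stop", "restart"}   # state-changing desktop operations
WINDOW = timedelta(minutes=30)             # correlation window after a new-IP connect

def audit(export_text):
    """Return (event_id, reason) findings in time order."""
    rows = sorted(csv.DictReader(io.StringIO(export_text)),
                  key=lambda r: r["event_time"])
    seen_ips = {}    # end_user -> client IPs already observed for that user
    new_ip_at = {}   # end_user -> time of the latest connect from an unseen IP
    findings = []
    for r in rows:
        user, ip, etype = r["end_user"], r["client_ip"], r["event_type"]
        when = datetime.strptime(r["event_time"], "%Y-%m-%d %H:%M:%S")
        known = seen_ips.setdefault(user, set())
        # Rule 1: a user with existing history connects from a client IP never seen before.
        if etype == "connect" and known and ip not in known:
            findings.append((r["event_id"], f"{user}: connect from new client IP {ip}"))
            new_ip_at[user] = when
        # Rule 2: a state-changing operation shortly after such a connect.
        elif (etype in SENSITIVE and user in new_ip_at
              and when - new_ip_at[user] <= WINDOW):
            findings.append((r["event_id"], f"{user}: {etype} soon after new-IP connect"))
        known.add(ip)
    return findings

if __name__ == "__main__":
    for event_id, reason in audit(SAMPLE_EXPORT):
        print(event_id, reason)
```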