ActionTrail records every API call and console operation made against your Realtime Compute for Apache Flink resources. For each event, you can determine who made the request, which IP address it came from, what action was performed, and when it happened — at no additional cost.
How it works
ActionTrail captures management events for Flink resources and makes them available in two ways:
Event query (available by default): Query events from the current region, up to the last 90 days, directly in the ActionTrail console. No trail configuration required.
Trail delivery (requires configuration): Create a single-account trail to deliver events to an Object Storage Service (OSS) bucket or Simple Log Service (SLS) Logstore. Required for events older than 90 days, multi-region queries, or multi-account scenarios.
Limitations
The event query feature covers only the current region and the last 90 days. To query older events, create a single-account trail to deliver them to OSS or SLS first.
For multi-region or advanced filtering, use the advanced event query feature.
Events delivered by multi-account trails are not queryable in the ActionTrail console. Access them directly from the target OSS bucket or SLS Logstore. For more information, see Create a multi-account trail.
The console supports up to two queries per second.
After an event is generated, wait 10 minutes before querying it in the console.
Global events can only be queried in the Singapore region.
Query Flink audit events
Prerequisites
Before you begin, ensure that you have:
Access to the ActionTrail console
Permission to query events in ActionTrail
Procedure
Log on to the ActionTrail console.
In the left-side navigation pane, choose Events > Event Query.
In the top navigation bar, select the region of the events you want to query from the drop-down list.
On the Event Detail Query page, set your query conditions and time range, then click the icon. Available filter conditions: Read/Write Type, Operator, Service Name, Event Name, Resource Type, Resource Name, AccessKey ID, Sensitive Operation, and Event ID.
Global events can only be queried in the Singapore region.
Find the event and click View Details in the Actions column.
Event record reference
The following example shows an event record for a DeleteDeployment operation.
```json
{
  "eventId": "48deee2f-a38b-440b-aae4-168640afd6b8",
  "eventVersion": 1,
  "responseElements": {},
  "errorMessage": "",
  "eventSource": "RealtimeCompute",
  "requestParameters": {},
  "sourceIpAddress": "140.**.**.19",
  "userAgent": "RealtimeCompute",
  "eventRW": "Write",
  "eventType": "ApiCall",
  "referencedResources": {
    "ACS::RealtimeCompute::Deployment": [
      "47eb63e1-79b8-4192-9cd2-059ec5d7****",
      "guiyuan-kafka-writer"
    ]
  },
  "userIdentity": {
    "accessKeyId": "null",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "true",
        "userDisplayName": "25265763711933****",
        "user": "25265763711933****"
      }
    },
    "accountId": "1016954307248737",
    "principalId": "25265763711933****",
    "type": "ram-user",
    "userName": "25265763711933****"
  },
  "serviceName": "RealtimeCompute",
  "additionalEventData": {
    "namespace": "NamespaceRef(name=Optional[daily-instance-not-delete-default])"
  },
  "requestId": "202306021408-LFMZBC059T",
  "eventTime": "2023-06-02T06:08:21Z",
  "isGlobal": false,
  "acsRegion": "cn-beijing",
  "eventName": "DeleteDeployment"
}
```

Key fields in the event record:
| Field | Description |
|---|---|
| eventId | Unique identifier for the event |
| eventName | Name of the API operation that was called, for example, DeleteDeployment |
| eventRW | Whether the operation is a read (Read) or write (Write) operation |
| eventType | Type of the event. ApiCall indicates an API or console operation |
| eventSource | The service that generated the event. For Flink resources, this is RealtimeCompute |
| eventTime | Timestamp of the operation in UTC (ISO 8601 format) |
| acsRegion | The region where the operation was performed |
| isGlobal | Whether the event is a global event |
| sourceIpAddress | IP address from which the request originated |
| userIdentity | Identity of the requester, including account ID, principal ID, and user type (for example, ram-user) |
| userIdentity.sessionContext | Session details, including whether MFA was used during authentication |
| referencedResources | Flink resources involved in the operation, identified by resource type and ID |
| serviceName | Name of the service. For Flink resources, this is RealtimeCompute |
| requestId | Unique ID for the API request |
| requestParameters | Parameters included in the API request |
| responseElements | Response data returned by the API |
| additionalEventData | Additional context, such as the Flink namespace associated with the operation |
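
The following Python sketch is an added example, not code from ActionTrail or its documentation. It flattens event records shaped like the sample above into triage fields and flags Flink Write events whose session was not MFA-authenticated. The one-JSON-object-per-line input, the function names, and the flagging rule itself are assumptions made for illustration.

```python
import json
import re

NS_RE = re.compile(r"Optional\[(.*?)\]")  # namespace arrives as "NamespaceRef(name=Optional[...])"

def summarize(event):
    """Flatten one event record into who / where / what / when triage fields."""
    ident = event.get("userIdentity") or {}
    attrs = (ident.get("sessionContext") or {}).get("attributes") or {}
    key = ident.get("accessKeyId")
    ns = NS_RE.search(str((event.get("additionalEventData") or {}).get("namespace") or ""))
    return {
        "time": event.get("eventTime"),
        "who": f"{ident.get('type')}:{ident.get('principalId')}",
        "ip": event.get("sourceIpAddress"),
        "action": event.get("eventName"),
        "resources": [r for ids in (event.get("referencedResources") or {}).values() for r in ids],
        "namespace": ns.group(1) if ns else None,
        # The sample record holds the string "null" here; treat it as "no key".
        "access_key": None if key in (None, "", "null") else key,
        "mfa": attrs.get("mfaAuthenticated") == "true",
    }

def flag_writes_without_mfa(lines):
    """Summaries of Flink Write events whose session was not MFA-authenticated."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines rather than abort the run
        if event.get("serviceName") != "RealtimeCompute" or event.get("eventRW") != "Write":
            continue
        row = summarize(event)
        if not row["mfa"]:
            hits.append(row)
    return hits

# Constructed sample input: BASE reuses values from the record above; NO_MFA's IP, key and principal are invented.
BASE = {"eventName": "DeleteDeployment", "eventRW": "Write", "serviceName": "RealtimeCompute",
        "eventTime": "2023-06-02T06:08:21Z", "sourceIpAddress": "140.**.**.19",
        "referencedResources": {"ACS::RealtimeCompute::Deployment": ["guiyuan-kafka-writer"]},
        "userIdentity": {"accessKeyId": "null", "type": "ram-user", "principalId": "25265763711933****",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
        "additionalEventData": {"namespace": "NamespaceRef(name=Optional[daily-instance-not-delete-default])"}}
NO_MFA = dict(BASE, sourceIpAddress="203.0.113.7", userIdentity={
    "accessKeyId": "EXAMPLE-KEY-ID", "type": "ram-user", "principalId": "EXAMPLE-PRINCIPAL",
    "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}})
SAMPLE_LINES = [json.dumps(BASE), json.dumps(NO_MFA), '{"eventName": "Delete']
```

Calling `flag_writes_without_mfa(SAMPLE_LINES)` returns one summary, for the constructed event without MFA; the truncated third line is skipped.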
What's next
For a complete list of Flink events you can query in ActionTrail, see Audit events for Realtime Compute for Apache Flink.
For more information about ActionTrail, see What is ActionTrail?.