MaxCompute records every user operation in full detail and streams the resulting behavioral logs to the Alibaba Cloud ActionTrail service in real time. With ActionTrail's single-account trail feature you can deliver those logs to Simple Log Service (SLS) or to an Object Storage Service (OSS) bucket of your choice, which covers both real-time auditing and after-the-fact root-cause analysis. This topic describes the use cases for MaxCompute audit logs, the events that are audited, and the fields each event carries.
Flowchart
ActionTrail captures MaxCompute user behavior logs and delivers them to Simple Log Service or Object Storage Service (OSS). (The flowchart image is not reproduced here.)
Scenarios
MaxCompute automatically delivers operation logs generated by MaxCompute usage to ActionTrail in real time. You can then perform the following analyses:
Query historical events and details
In the Event Query page of the ActionTrail console, you can view historical events from MaxCompute and other services. For more information, see Query events in the ActionTrail console.
Analyze real-time behavior events
You can use the Trail feature in ActionTrail to deliver events to OSS for archival analysis. Alternatively, deliver events to a Simple Log Service project in your Alibaba Cloud account and analyze them as they arrive, for example to raise an alert when sensitive data is accessed. For more information, see Create a single-account trail.
Log scope
ActionTrail audits operations on jobs (instances), tables, users, roles, privileges, and projects. For the full list of audited events, see Audit events for MaxCompute. The key events are listed below; the first two columns are the values that appear in the eventType and eventName fields of each log record.
Event type (EventType) | Event name (EventName) | Event description |
JobEvent | InsertJob | A MaxCompute job was submitted successfully. |
JobEvent | JobChange | The status of a MaxCompute job changed, for example the job completed successfully or was aborted. |
TunnelEvent | DownloadTable | A table was downloaded through Tunnel. |
TunnelEvent | UploadTable | Data was uploaded to a table through Tunnel. |
TunnelEvent | InstanceTunnel | The execution result of an instance was downloaded. For example, fetching the result of a SELECT query triggers an InstanceTunnel event. |
RoleEvent | CreateRole | A role was created. |
RoleEvent | DropRole | A role was dropped. |
UserEvent | AddUser | A user was added to a project. |
UserEvent | RemoveUser | A user was removed from a project. |
TableEvent | CreateTable | A table was created. |
TableEvent | ChangeTable | A table schema was modified, for example by an ALTER TABLE statement. |
TableEvent | DropTable | A table was dropped. |
TableEvent | DescribeTable | A table schema was viewed (DESC table). |
TableEvent | ReadTableData | Table data was read. |
TableEvent | ChangeTableData | Table data was changed. For example, INSERT INTO, INSERT OVERWRITE, TRUNCATE, and Tunnel import operations trigger this event. |
PrivilegeEvent | GrantRole | A role was granted to an account. |
PrivilegeEvent | RevokeRole | A role grant was revoked. |
PrivilegeEvent | GrantACL | An ACL permission was granted. |
PrivilegeEvent | RevokeACL | An ACL permission was revoked. |
PrivilegeEvent | GrantLabel | A label permission was granted. |
PrivilegeEvent | RevokeLabel | A label permission was revoked. |
PrivilegeEvent | PutRolePolicy | A MaxCompute role policy was uploaded. |
PrivilegeEvent | SetProjectPolicy | A project-level access policy was set. |
PrivilegeEvent | SetTableLabel | Column-level label permissions were set for a table. |
PrivilegeEvent | SetUserLabel | Label permissions were set for a user. |
AdminEvent | CreateProject | A MaxCompute project was created. |
AdminEvent | UpdateProject | A MaxCompute project was updated. |
AdminEvent | DeleteProject | A MaxCompute project was dropped. |
Log fields
Each event type records the details of its operation in a set of fields, and those fields are what you query when auditing. All event types share the common fields below; the event-specific content sits in referencedResources and additionalEventData and is described per event in the following sections.
Field name | Description | Example |
eventId | A GUID that ActionTrail assigns to each event. | 918510a4-7b63-47d2-b053-8f9db82c431a |
acsRegion | The Alibaba Cloud region in which the event occurred. | cn-hangzhou |
eventName | The event name. | InsertJob |
eventTime | The time when the event occurred, in UTC. | 2020-01-09T12:12:14Z |
eventType | The event type. | JobEvent |
errorCode | The error code, reported if an error occurred. | ODPS-10000 |
errorMessage | The error description, reported if an error occurred. | ODPS-0130161:[1,18] Parse exception - invalid token 'bigstring' |
requestId | The API request ID. | 6df41e8c-cfd0-4beb-8dd0-13b8490fdf5b |
serviceName | The name of the cloud service related to the event. | MaxCompute |
sourceIpAddress | The source IP address of the API request. | 47.100.XX.XX |
userAgent | The client agent identifier used to send the API request. | |
userIdentity | Identity information about the requester. Includes accountId, principalId, type, and userName. | |
referencedResources | The resources involved in the event. For example, a JobEvent references the instance ID and a TableEvent references the table name. The content of this field varies by event type. | |
additionalEventData | Additional event-specific information, for example the job status or the executed statement. The content of this field varies by event type. | |
JobEvent
InsertJob
Field name | Description | Example |
referencedResources | The job ID (instance ID) for an InsertJob event. | "referencedResources": { "Instance": [ "2020102713575683gc2j****" ] } |
additionalEventData | Additional information for an InsertJob event: ProjectName (project in which the job runs); TaskName (task that contains the job); InstanceId (job ID); TaskType (job type, such as SQL, LOT, or CUPID); OperationText (statement executed). | "additionalEventData": { "ProjectName": "meta", "TaskName": "console_query_task_1603807075919", "InstanceId": "2020102713575683gc2j****", "TaskType": "SQL", "OperationText": "create table a(a string);" } |
JobChange
Field name | Description | Example |
referencedResources | The job ID (instance ID) for a JobChange event. | "referencedResources": { "Instance": [ "2020102713575683gc2j****" ] } |
additionalEventData | Additional information for a JobChange event: Status (job status); ProjectName (project in which the job runs); TaskName (task that contains the job); InstanceId (job ID); TaskType (job type, such as SQL, LOT, or CUPID); OperationText (statement executed). | "additionalEventData": { "Status": "Failed", "ProjectName": "meta", "TaskName": "console_query_task_1603807075919", "InstanceId": "2020102713575683gc2j****", "TaskType": "SQL", "OperationText": "create table a(a string);" } |
TunnelEvent
DownloadTable
Field name | Description | Example |
referencedResources | The table name for a DownloadTable event. | "referencedResources": { "Table": [ "source_xml_instid_flt_2" ] } |
additionalEventData | Additional information for a DownloadTable event: TableName (table name); Partition (partition information); CurrentProject (project from which the download was started); ProjectName (project that owns the downloaded table; a CurrentProject that differs from ProjectName indicates a cross-project download); SesssionId (Tunnel session ID; note that the key is spelled with three s's in the records shown on this page, so match the exact key your records carry). | "additionalEventData": { "TableName": "source_xml_instid_flt_2", "Partition": "projectname=inst_200233,ds=20201027", "CurrentProject": "project1", "ProjectName": "project2", "SesssionId": "20201027200931a3baca0b037518a7" } |
UploadTable
Field name | Description | Example |
referencedResources | The table name for an UploadTable event. | "referencedResources": { "Table": [ "source_xml_instid_flt_2" ] } |
additionalEventData | Additional information for an UploadTable event: TableName (table name); Partition (partition information); ProjectName (project that owns the uploaded table); SesssionId (Tunnel session ID). | "additionalEventData": { "TableName": "m_rt_privilege_event", "Partition": "ds=20201027,hh=22,mm=00", "ProjectName": "meta2", "SesssionId": "202010272209332231f60b08182dfb" } |
InstanceTunnel
Field name | Description | Example |
referencedResources | The job ID (instance ID) for an InstanceTunnel event. | "referencedResources": { "Instance": [ "20201027080131990gf23****" ] } |
additionalEventData | Additional information for an InstanceTunnel event: CurrentProject (project from which the instance download was started); ProjectName (project that owns the downloaded instance); InstanceId (job ID, which matches the InstanceId of the InsertJob event that ran the query whose result is being downloaded); SesssionId (Tunnel session ID). | "additionalEventData": { "CurrentProject": "meta", "ProjectName": "meta", "InstanceId": "20201027080131990gf23****", "SesssionId": "2020102716014017c4ca0b036850f6" } |
RoleEvent
CreateRole
Field name | Description | Example |
referencedResources | The role name for a CreateRole event. | "referencedResources": { "Role": [ "test1" ] } |
additionalEventData | Additional information for a CreateRole event: RoleName (name of the created role); CurrentProject (project from which the role creation was issued); ProjectName (project that owns the role); OperationText (statement executed). | "additionalEventData": { "RoleName": "test1", "CurrentProject": "meta_dev", "ProjectName": "dev1", "OperationText": "create role test1;" } |
DropRole
Field name | Description | Example |
referencedResources | The role name for a DropRole event. | "referencedResources": { "Role": [ "test1" ] } |
additionalEventData | Additional information for a DropRole event: RoleName (name of the dropped role); CurrentProject (project from which the role deletion was issued); ProjectName (project that owns the role); OperationText (statement executed). | "additionalEventData": { "RoleName": "test1", "CurrentProject": "meta_dev", "ProjectName": "dev1", "OperationText": "drop role test1;" } |
UserEvent
AddUser
Field name | Description | Example |
referencedResources | The user name for an AddUser event. | "referencedResources": { "User": [ "ram$xxxx@aliyun.com:sub" ] } |
additionalEventData | Additional information for an AddUser event: UserName (name of the added user); ProjectName (project to which the user was added); OperationText (statement executed). | "additionalEventData": { "UserName": "ram$xxxx@aliyun.com:sub", "ProjectName": "project1", "OperationText": "add user RAM$xxxx@aliyun.com:sub;" } |
RemoveUser
Field name | Description | Example |
referencedResources | The user name for a RemoveUser event. | "referencedResources": { "User": [ "ram$xxxx@aliyun.com:sub" ] } |
additionalEventData | Additional information for a RemoveUser event: UserName (name of the removed user); ProjectName (project from which the user was removed); OperationText (statement executed). | "additionalEventData": { "UserName": "ram$xxxx@aliyun.com:sub", "ProjectName": "project1", "OperationText": "remove user RAM$xxxx@aliyun.com:sub;" } |
TableEvent
CreateTable
Field name | Description | Example |
referencedResources | The table name for a CreateTable event. | "referencedResources": { "Table": [ "ttt" ] } |
additionalEventData | Additional information for a CreateTable event: TableName (name of the created table); ProjectName (project that owns the table); CorrelationId (used together with Source: if Source is INSTANCE, CorrelationId is the job ID; if Source is TUNNEL, CorrelationId is the Tunnel request ID); Source (INSTANCE or TUNNEL); OperationText (CREATE_TABLE). | "additionalEventData": { "TableName": "ttt", "ProjectName": "meta_dev", "CorrelationId": "20201027083345196gsjgpv21", "Source": "INSTANCE", "OperationText": "CREATE_TABLE" } |
DropTable
Field name | Description | Example |
referencedResources | The table name for a DropTable event. | "referencedResources": { "Table": [ "ttt" ] } |
additionalEventData | Additional information for a DropTable event: TableName (name of the dropped table); ProjectName (project that owns the table); CorrelationId (as for CreateTable: the job ID if Source is INSTANCE, the Tunnel request ID if Source is TUNNEL); Source (INSTANCE or TUNNEL); OperationText (DROP_TABLE if a user requested the deletion, RECYCLE_TABLE if the system reclaimed the table because its lifecycle expired). | "additionalEventData": { "TableName": "hot_user_hs_top30", "ProjectName": "prj1", "CorrelationId": "20201023024002372giqvmv21", "Source": "INSTANCE", "OperationText": "DROP_TABLE" } |
ChangeTable
Field name | Description | Example |
referencedResources | The table name for a ChangeTable event. | "referencedResources": { "Table": [ "ttt" ] } |
additionalEventData | Additional information for a ChangeTable event: TableName (name of the modified table); ProjectName (project that owns the table); CorrelationId (as for CreateTable); Source (INSTANCE or TUNNEL); OperationText, one of ALTER_TABLE_RENAME, ALTER_TABLE_TOUCH, ALTER_TABLE_TOUCH_PARTITION, ALTER_TABLE_CLUSTERED, ALTER_TABLE_PARTITION_RENAME, ALTER_TABLE_ADD_COLUMNS, ALTER_TABLE_BATCH_ADD_PARTITIONS, ALTER_TABLE_BATCH_DROP_PARTITIONS, ALTER_TABLE_CHANGE_LIFECYCLE, ALTER_TABLE_CHANGE_OWNER, ALTER_TABLE_CHANGE_COMMENT, ALTER_TABLE_DROP_PARTITION, ALTER_PARTITION, ALTER_COLUMN, ADD_PARTITION, DROP_PARTITIONS, or DROP_EXTERNAL_PARTITIONS. | "additionalEventData": { "TableName": "ttt", "ProjectName": "proj1", "CorrelationId": "20201028161651750g05e0tsa", "Source": "INSTANCE", "OperationText": "ADD_PARTITION" } |
DescribeTable
Field name | Description | Example |
referencedResources | The table name for a DescribeTable event. | "referencedResources": { "Table": [ "ttt" ] } |
additionalEventData | Additional information for a DescribeTable event: TableName (name of the table viewed); ProjectName (project that owns the table). | "additionalEventData": { "TableName": "ttt", "ProjectName": "prj1" } |
ChangeTableData
Field name | Description | Example |
referencedResources | The table name for a ChangeTableData event. | "referencedResources": { "Table": [ "ttt" ] } |
additionalEventData | Additional information for a ChangeTableData event: TableName (name of the modified table); ProjectName (project that owns the table); CorrelationId (as for CreateTable); Source (INSTANCE or TUNNEL); OperationText (TRUNCATE_TABLE, INSERT_OVERWRITE_TABLE, INSERT_OVERWRITE_PARTITION, INSERT_PARTITION, or INSERT_TABLE; the example shows DATA_INGESTION, which is not in this list, so do not filter on the enumerated values alone). | "additionalEventData": { "TableName": "ttt", "ProjectName": "meta_dev", "CorrelationId": "20201027083345196gsjgpv21", "Source": "INSTANCE", "OperationText": "DATA_INGESTION" } |
ReadTableData
Field name | Description | Example |
referencedResources | None. | None. |
additionalEventData | Additional information for a ReadTableData event: TableName (name of the table read); ProjectName (project that owns the table); CorrelationId (as for CreateTable: the job ID if Source is INSTANCE, the Tunnel request ID if Source is TUNNEL); Source (INSTANCE or TUNNEL); OperationText (READ_TABLE). ReadTableData does not carry the statement itself; to see which query read the table, join CorrelationId to the InstanceId of the matching InsertJob event. | "additionalEventData": { "TableName": "ttt", "ProjectName": "meta_dev", "CorrelationId": "20201027083345196gsjgpv21", "Source": "INSTANCE", "OperationText": "READ_TABLE" } |
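The sensitive-data alerting use case from the Scenarios section, worked through against the JobEvent, TunnelEvent, and TableEvent field layouts above. This is an added example and not code from the MaxCompute or ActionTrail documentation. It assumes each event is available as one JSON object per line with the field names documented on this page; the SENSITIVE_TABLES list, user names, IP addresses, job IDs and the sample records are constructed. It joins ReadTableData.CorrelationId to InsertJob.InstanceId (the Source == INSTANCE rule) to recover the statement that read a table, flags DownloadTable events whose CurrentProject differs from ProjectName, and flags InstanceTunnel downloads of the result of a job that read a sensitive table.

```python
"""Alert on sensitive and cross-project data access in MaxCompute audit events.

Added example, not part of the MaxCompute or ActionTrail documentation.
Assumptions: each event is one JSON object per line with the field names
documented on this page; SENSITIVE_TABLES, the user names, IP addresses,
job IDs and the sample records are constructed for illustration.
"""
import json
from collections import defaultdict

# (project, table) pairs treated as sensitive; constructed for this example.
SENSITIVE_TABLES = {("meta", "customer_pii")}


def _ev(etype, name, user, ip, data, refs=None):
    """Build a constructed event carrying the common fields this page documents."""
    return {"eventType": etype, "eventName": name, "serviceName": "MaxCompute",
            "sourceIpAddress": ip,
            "userIdentity": {"type": "ram-user", "userName": user},
            "referencedResources": refs or {}, "additionalEventData": data}


U1, U2 = "ram$xxxx@aliyun.com:sub", "ram$yyyy@aliyun.com:etl"
SAMPLE_LINES = [json.dumps(e) for e in [
    _ev("JobEvent", "InsertJob", U1, "47.100.0.1",
        {"ProjectName": "meta", "InstanceId": "job001", "TaskType": "SQL",
         "OperationText": "select * from customer_pii;"}, {"Instance": ["job001"]}),
    _ev("TableEvent", "ReadTableData", U1, "47.100.0.1",
        {"TableName": "customer_pii", "ProjectName": "meta", "CorrelationId": "job001",
         "Source": "INSTANCE", "OperationText": "READ_TABLE"}),
    _ev("TunnelEvent", "InstanceTunnel", U1, "47.100.0.1",
        {"CurrentProject": "meta", "ProjectName": "meta", "InstanceId": "job001",
         "SesssionId": "2020102716014017c4ca0b036850f6"}, {"Instance": ["job001"]}),
    _ev("TunnelEvent", "DownloadTable", U2, "47.100.0.2",
        {"TableName": "orders", "Partition": "ds=20201027", "CurrentProject": "project1",
         "ProjectName": "project2", "SesssionId": "20201027200931a3baca0b037518a7"},
        {"Table": ["orders"]}),
    _ev("TableEvent", "ReadTableData", U1, "47.100.0.1",
        {"TableName": "orders", "ProjectName": "meta", "CorrelationId": "job002",
         "Source": "INSTANCE", "OperationText": "READ_TABLE"}),
]]


def parse_events(lines):
    """Parse one JSON event per line, skipping lines that are not valid JSON."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def _who(event):
    ident = event.get("userIdentity") or {}
    return f"{ident.get('userName', '?')} from {event.get('sourceIpAddress', '?')}"


def analyze(events, sensitive=SENSITIVE_TABLES):
    """Return alert dicts for sensitive or cross-project data access.

    Joins used, all taken from the field descriptions on this page:
    * ReadTableData with Source == "INSTANCE" carries the job ID in
      CorrelationId; InsertJob carries the same ID in InstanceId together
      with the statement in OperationText.
    * InstanceTunnel carries, in InstanceId, the job whose result was downloaded.
    """
    jobs = {}                                  # InstanceId -> InsertJob event
    tables_read_by_job = defaultdict(set)      # job ID -> {(project, table)}
    alerts = []

    # Pass 1: index jobs and reads first, so the result does not depend on
    # the InsertJob record arriving before the reads it caused.
    for ev in events:
        data = ev.get("additionalEventData") or {}
        if ev.get("eventName") == "InsertJob" and data.get("InstanceId"):
            jobs[data["InstanceId"]] = ev
        elif ev.get("eventName") == "ReadTableData" and data.get("Source") == "INSTANCE":
            tables_read_by_job[data.get("CorrelationId")].add(
                (data.get("ProjectName"), data.get("TableName")))

    # Pass 2: evaluate the rules.
    for ev in events:
        name = ev.get("eventName")
        data = ev.get("additionalEventData") or {}
        key = (data.get("ProjectName"), data.get("TableName"))

        if name in ("ReadTableData", "ChangeTableData", "DownloadTable") and key in sensitive:
            alert = {"rule": f"sensitive-{name}", "table": key, "who": _who(ev)}
            job = jobs.get(data.get("CorrelationId")) if data.get("Source") == "INSTANCE" else None
            if job:
                alert["statement"] = job["additionalEventData"].get("OperationText")
            elif data.get("Source") == "TUNNEL":
                alert["tunnel_request"] = data.get("CorrelationId")
            alerts.append(alert)

        if name == "DownloadTable" and data.get("CurrentProject") != data.get("ProjectName"):
            alerts.append({"rule": "cross-project-download", "table": key,
                           "from_project": data.get("CurrentProject"), "who": _who(ev)})

        if name == "InstanceTunnel":
            hits = tables_read_by_job.get(data.get("InstanceId"), set()) & set(sensitive)
            if hits:
                alerts.append({"rule": "sensitive-result-download", "job": data.get("InstanceId"),
                               "tables": sorted(hits), "who": _who(ev)})
    return alerts


if __name__ == "__main__":
    for alert in analyze(parse_events(SAMPLE_LINES)):
        print(json.dumps(alert))
```

Against the constructed records this yields three alerts: the read of customer_pii with the recovered statement, the download of that job's result, and the cross-project download of orders. The two-pass structure matters in practice because a delivery to Simple Log Service or OSS does not guarantee that the InsertJob record is seen before the ReadTableData records that reference it.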
PrivilegeEvent
GrantRole
Field name | Description | Example |
referencedResources | The Alibaba Cloud account name for a GrantRole event. | "referencedResources": { "User": [ "aliyun$xxxx@aliyun.com" ] } |
additionalEventData | Additional information for a GrantRole event: ObjectType (type of authorization object, PROJECT); CurrentProject (project from which the grant was issued); UserName (Alibaba Cloud account that received the role); ProjectName (project in which the grant applies); OperationText (statement executed). | "additionalEventData": { "ObjectType": "PROJECT", "CurrentProject": "meta", "UserName": "aliyun$xxx@aliyun.com", "ProjectName": "meta", "OperationText": "grant test_role to ALIYUN$xxx@aliyun.com" } |
RevokeRole
Field name | Description | Example |
referencedResources | The Alibaba Cloud account name for a RevokeRole event. | "referencedResources": { "User": [ "aliyun$xxxx@aliyun.com" ] } |
additionalEventData | Additional information for a RevokeRole event: ObjectType (type of authorization object, PROJECT); CurrentProject (project from which the revocation was issued); UserName (Alibaba Cloud account whose role was revoked); ProjectName (project in which the revocation applies); OperationText (statement executed). | "additionalEventData": { "ObjectType": "PROJECT", "CurrentProject": "meta", "UserName": "aliyun$xxx@aliyun.com", "ProjectName": "meta", "OperationText": "revoke test_role from ALIYUN$xxx@aliyun.com" } |
GrantACL
Field name | Description | Example |
referencedResources | The Alibaba Cloud account name for a GrantACL event. | "referencedResources": { "User": [ "aliyun$xxxx@aliyun.com" ] } |
additionalEventData | Additional information for a GrantACL event: ObjectType (type of authorization object, such as PROJECT, RESOURCE, TABLE, or FUNCTION); CurrentProject (project from which the grant was issued); UserName (Alibaba Cloud account granted the permission); ProjectName (project in which the grant applies); OperationText (statement executed); ObjectName (name of the authorization object). | "additionalEventData": { "ObjectType": "PROJECT", "CurrentProject": "meta", "UserName": "aliyun$xxx@aliyun.com", "ProjectName": "meta", "OperationText": "grant createtable on project meta to ALIYUN$xxx@aliyun.com;", "ObjectName": "meta" } |
RevokeACL
Field name | Description | Example |
referencedResources | The Alibaba Cloud account name for a RevokeACL event. | "referencedResources": { "User": [ "aliyun$xxxx@aliyun.com" ] } |
additionalEventData | Additional information for a RevokeACL event: ObjectType (type of authorization object, such as PROJECT, RESOURCE, TABLE, or FUNCTION); CurrentProject (project from which the revocation was issued); UserName (Alibaba Cloud account whose permission was revoked); ProjectName (project in which the revocation applies); OperationText (statement executed); ObjectName (name of the authorization object). | "additionalEventData": { "ObjectType": "PROJECT", "CurrentProject": "meta", "UserName": "aliyun$xxx@aliyun.com", "ProjectName": "project1", "OperationText": "revoke createtable on project project1 from ALIYUN$xxx@aliyun.com;", "ObjectName": "project1" } |
GrantLabel
Field name | Description | Example |
referencedResources | The Alibaba Cloud account name for a GrantLabel event. | "referencedResources": { "User": [ "aliyun$xxxx@aliyun.com" ] } |
additionalEventData | Additional information for a GrantLabel event: ObjectType (type of authorization object, TABLE); UserName (Alibaba Cloud account granted the label permission); ProjectName (project from which the grant was issued); OperationText (statement executed); ObjectName (name of the authorization object). | "additionalEventData": { "ObjectType": "TABLE", "UserName": "aliyun$xxx@aliyun.com", "ProjectName": "meta", "OperationText": "GRANT LABEL 4 ON TABLE t1 TO USER ALIYUN$xxx@aliyun.com;", "ObjectName": "meta" } |
RevokeLabel
Field name | Description | Example |
referencedResources | The Alibaba Cloud account name for a RevokeLabel event. | "referencedResources": { "User": [ "aliyun$xxxx@aliyun.com" ] } |
additionalEventData | Additional information for a RevokeLabel event: ObjectType (type of authorization object, TABLE); UserName (Alibaba Cloud account whose label permission was revoked); ProjectName (project in which the revocation applies); OperationText (statement executed); ObjectName (name of the authorization object). | "additionalEventData": { "ObjectType": "TABLE", "UserName": "aliyun$xxx@aliyun.com", "ProjectName": "meta", "OperationText": "Revoke LABEL 4 ON TABLE t1 from USER ALIYUN$xxx@aliyun.com;", "ObjectName": "t1" } |
PutRolePolicy
Field name | Description | Example |
referencedResources | The role name for a PutRolePolicy event. | "referencedResources": { "Role": [ "test1_role" ] } |
additionalEventData | Additional information for a PutRolePolicy event: RoleName (role name); CurrentProject (project from which the role policy operation was issued); ProjectName (project that owns the role); OperationText (the policy content; the policy is a JSON document serialized into this string, so decode it a second time to inspect its statements). | "additionalEventData": { "RoleName": "test1_role", "CurrentProject": "meta_dev", "ProjectName": "meta_dev", "OperationText": "{\n \"Statement\": [{\n \"Action\": [\"odps:Read\",\n \"odps:List\"],\n \"Effect\": \"Allow\",\n \"Resource\": [\"acs:odps:*:projects/p1\"]},\n {\n \"Action\": [\"odps:Describe\",\n \"odps:Select\"],\n \"Effect\": \"Allow\",\n \"Resource\": [\"acs:odps:*:projects/p1/tables/m_*\"]}],\n \"Version\": \"1\"}" } |
SetProjectPolicy
Field name | Description | Example |
referencedResources | None. | None. |
additionalEventData | Additional information for a SetProjectPolicy event: CurrentProject (project from which the project-level policy operation was issued). The event does not carry the policy body, so when reviewing this change retrieve the project's current policy separately. | "additionalEventData": { "CurrentProject": "test_prj" } |
SetTableLabel
Field name | Description | Example |
referencedResources | None. | None. |
additionalEventData | Additional information for a SetTableLabel event: ObjectType (object type, TABLE); OperationText (statement executed); ObjectName (object name). | "additionalEventData": { "ObjectType": "TABLE", "OperationText": "SET LABEL 3 TO TABLE t1test(col1);", "ObjectName": "t1test" } |
SetUserLabel
Field name | Description | Example |
referencedResources | The Alibaba Cloud account name for a SetUserLabel event. | "referencedResources": { "User": [ "aliyun$xxxx@aliyun.com" ] } |
additionalEventData | Additional information for a SetUserLabel event: UserName (Alibaba Cloud account whose label permission was set). | "additionalEventData": { "UserName": "aliyun$xxxx@aliyun.com" } |
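A review pass over the UserEvent and PrivilegeEvent records described above, covering AddUser, GrantRole/GrantACL, GrantLabel, PutRolePolicy and SetProjectPolicy. This is an added example and not code from the MaxCompute or ActionTrail documentation. It assumes the field names in the tables above; the label threshold (LABEL_ALERT_LEVEL), the user and role names, and the sample events are constructed. The first two statements of the sample policy are the ones shown in the PutRolePolicy example; the third is a constructed over-broad statement. The point of the PutRolePolicy branch is that OperationText holds the policy as a JSON string inside the JSON event, so it must be decoded twice before its statements can be inspected.

```python
"""Review MaxCompute privilege-change audit events.

Added example, not part of the MaxCompute or ActionTrail documentation.
Assumptions: events have the field names documented in the PrivilegeEvent
and UserEvent tables on this page; the label threshold, user names, role
names and the sample events are constructed for illustration.
"""
import json
import re

LABEL_ALERT_LEVEL = 3      # assumption: label grants at this level or above get reviewed
_PROJECT_RES = re.compile(r"^acs:odps:[^:]*:projects/([^/]+)")


def _ev(etype, name, data):
    """Constructed event with the common fields this page documents."""
    return {"eventType": etype, "eventName": name, "serviceName": "MaxCompute",
            "userIdentity": {"type": "root-account", "userName": "admin"},
            "additionalEventData": data}


# Statements 0 and 1 are the policy from the PutRolePolicy example on this
# page; statement 2 is a constructed over-broad statement.
POLICY = {"Statement": [
    {"Action": ["odps:Read", "odps:List"], "Effect": "Allow",
     "Resource": ["acs:odps:*:projects/p1"]},
    {"Action": ["odps:Describe", "odps:Select"], "Effect": "Allow",
     "Resource": ["acs:odps:*:projects/p1/tables/m_*"]},
    {"Action": ["odps:*"], "Effect": "Allow", "Resource": ["acs:odps:*:projects/*"]},
], "Version": "1"}

USER = "ram$xxxx@aliyun.com:sub"
SAMPLE_EVENTS = [
    _ev("UserEvent", "AddUser", {"UserName": USER, "ProjectName": "meta",
                                 "OperationText": "add user RAM$xxxx@aliyun.com:sub;"}),
    _ev("PrivilegeEvent", "GrantACL", {"ObjectType": "PROJECT", "CurrentProject": "meta",
                                       "UserName": USER, "ProjectName": "meta", "ObjectName": "meta",
                                       "OperationText": "grant createtable on project meta to RAM$xxxx@aliyun.com:sub;"}),
    _ev("PrivilegeEvent", "GrantLabel", {"ObjectType": "TABLE", "UserName": USER, "ProjectName": "meta",
                                         "ObjectName": "t1",
                                         "OperationText": "GRANT LABEL 4 ON TABLE t1 TO USER RAM$xxxx@aliyun.com:sub;"}),
    # PutRolePolicy carries the policy as a JSON document serialized into the
    # OperationText string, so it has to be decoded a second time.
    _ev("PrivilegeEvent", "PutRolePolicy", {"RoleName": "test1_role", "CurrentProject": "meta",
                                            "ProjectName": "meta", "OperationText": json.dumps(POLICY)}),
    _ev("PrivilegeEvent", "SetProjectPolicy", {"CurrentProject": "meta"}),
]


def policy_findings(policy):
    """Flag Allow statements with wildcard actions or resources not scoped to one project."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        resources = st.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        wide = [a for a in actions if a == "*" or a.endswith(":*")]
        if wide:
            findings.append(f"statement {i}: wildcard action {wide}")
        for r in resources:
            m = _PROJECT_RES.match(r)
            # "acs:odps:*:projects/p1/..." is scoped to p1; a "*" in the project
            # segment (or a bare "*") is not.
            if r == "*" or not m or "*" in m.group(1):
                findings.append(f"statement {i}: resource not scoped to one project: {r}")
    return findings


def review(events):
    """Return (finding, eventName, principal) triples worth a reviewer's attention."""
    out = []
    for ev in events:
        name = ev.get("eventName")
        d = ev.get("additionalEventData") or {}
        who = d.get("UserName") or d.get("RoleName") or "?"
        if name == "AddUser":
            out.append((f"user added to project {d.get('ProjectName')}", name, who))
        elif name in ("GrantRole", "GrantACL") and d.get("ObjectType") == "PROJECT":
            out.append((f"project-wide grant: {d.get('OperationText')}", name, who))
        elif name == "GrantLabel":
            m = re.search(r"\bLABEL\s+(\d+)", d.get("OperationText", ""), re.IGNORECASE)
            if m and int(m.group(1)) >= LABEL_ALERT_LEVEL:
                out.append((f"label {m.group(1)} granted on {d.get('ObjectName')}", name, who))
        elif name == "PutRolePolicy":
            try:
                policy = json.loads(d.get("OperationText", ""))
            except json.JSONDecodeError:
                out.append(("policy text is not valid JSON", name, who))
                continue
            out.extend((f, name, who) for f in policy_findings(policy))
        elif name == "SetProjectPolicy":
            # Only CurrentProject is logged (see the SetProjectPolicy table); the
            # policy body itself must be fetched from the project afterwards.
            out.append((f"project policy replaced on {d.get('CurrentProject')}, body not logged", name, who))
    return out


if __name__ == "__main__":
    for finding in review(SAMPLE_EVENTS):
        print(finding)
```

Run as a script it prints six findings for the constructed events: the user addition, the project-wide ACL grant, the level-4 label grant, two findings for the over-broad policy statement, and a reminder that SetProjectPolicy does not log the policy body. The resource check treats only the project segment of acs:odps:*:projects/... as significant, so a table-name pattern such as m_* inside an already-scoped project is not flagged.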
AdminEvent
CreateProject
Field name | Description | Example |
referencedResources | None. | None. |
additionalEventData | Additional information for a CreateProject event: ProjectName (name of the new MaxCompute project). | "additionalEventData": { "ProjectName": "xxxx" } |
UpdateProject
Field name | Description | Example |
referencedResources | None. | None. |
additionalEventData | Additional information for an UpdateProject event: ProjectName (name of the updated MaxCompute project); Properties (the updated project properties, as a JSON string of property names and values); State (optional; the project state, FROZEN if the service was suspended because of an overdue payment, or AVAILABLE if it was resumed after renewal). | "additionalEventData": { "ProjectName": "xxx", "Properties": "{\"odps.sql.decimal.odps2\":\"true\",\"odps.sql.hive.compatible\":\"false\",\"odps.sql.type.system.odps2\":\"true\"}" } |
DeleteProject
Field name | Description | Example |
referencedResources | None. | None. |
additionalEventData | Additional information for a DeleteProject event: ProjectName (name of the deleted MaxCompute project). | "additionalEventData": { "ProjectName": "xxxx" } |