All Products
Search

This Product

    Simple Log Service:Log fields

    Document Center

    Simple Log Service:Log fields

    Last Updated:Jun 15, 2026

    ActionTrail records operation logs with the following fields.

    Field

    Description

    __topic__

    The topic of the log. The value is fixed as actiontrail_audit_event.

    event

    The event body in JSON format. The content varies by event.

    event.eventCategory

    The category of the event. Valid values: Management, which indicates a management event.

    event.additionalEventData

    Additional information about the event.

    event.eventId

    The ID of the event.

    event.eventName

    The name of the event.

    event.eventRW

    The read/write type of the event. Valid values:

    • Write: indicates a write event.

    • Read: indicates a read event.

    event.recipientAccountId

    The ID of the Alibaba Cloud account that receives audit logs.

    event.eventSource

    The source of the event.

    event.eventTime

    The time when the event occurred, in UTC.

    event.eventType

    The type of the event.

    event.eventVersion

    The format version of the event. The current version is 1.

    event.acsRegion

    The region where the event occurred.

    event.requestId

    The ID of the API request.

    event.apiVersion

    The version of the API.

    event.errorCode

    The error code returned when the API request fails.

    event.errorMessage

    The error message returned when the API request fails.

    event.serviceName

    The Alibaba Cloud service to which the event belongs, such as VPC.

    event.sourceIpAddress

    The source IP address of the event.

    event.userAgent

    The user agent that sent the API request.

    event.vpcId

    The ID of the source virtual private cloud (VPC).

    event.requestParameters

    The input parameters of the API request.

    event.requestParameterJson

    The requestParameters field in JSON format.

    event.responseElements

    The response parameters of the API request.

    event.referencedResources

    The resources that are associated with the event.

    event.resourceName

    The name of the event-associated resource, which serves as its unique identifier.

    event.resourceType

    The type of the event-associated resource.

    event.isGlobal

    Indicates whether the event is a global event. Valid values:

    • true

    • false

    event.eventAttributes

    The attributes of the event.

    event.userIdentity.accessKeyId

    The AccessKey ID of the Alibaba Cloud account that initiates the API request.

    event.userIdentity.accountId

    The ID of the Alibaba Cloud account that initiates the API request.

    event.userIdentity.principalId

    The requester ID. Use this field together with event.userIdentity.type to determine the requester identity.

    • If the value of the event.userIdentity.type field is root-account, this field is set to the ID of the Alibaba Cloud account.

    • If the value of the event.userIdentity.type field is ram-user, this field is set to the ID of the Resource Access Management (RAM) user.

    • If the value of the event.userIdentity.type field is assumed-role, this field is set to a string in the RoleID:RoleSessionName format.

    • If the value of the event.userIdentity.type field is cloudsso-user, this field is set to the ID of the CloudSSO user.

    • Possible value formats if the value of the event.userIdentity.type field is alibaba-cloud-account:

    • If the requester uses an Alibaba Cloud account to perform an operation on resources within another Alibaba Cloud account, this field is set to the ID of the Alibaba Cloud account that performed the operation.

    • If the requester uses a RAM user to perform an operation on resources within another Alibaba Cloud account, this field is set to the ID of the RAM user.

    • If the requester assumes a RAM role to perform an operation on resources within another Alibaba Cloud account, this field is set to a string in the RoleID:RoleSessionName format.

    • If the value of the event.userIdentity.type field is saml-user, oidc-user, or system, this field is not recorded.

    event.userIdentity.type

    The type of the identity. Valid values:

    • root-account: indicates an Alibaba Cloud account.

    • ram-user: indicates a RAM user.

    • assumed-role: indicates a RAM role.

    • system: indicates an Alibaba Cloud service.

    • cloudsso-user: indicates a CloudSSO user.

    • saml-user: indicates an enterprise-specific identity based on Security Assertion Markup Language (SAML).

    • alibaba-cloud-account: indicates the identity that is authorized to perform a cross-account operation.

    • oidc-user: indicates an enterprise-specific identity based on OpenID Connect (OIDC).

    event.userIdentity.userName

    The name of the identity.

    • If the value of the event.userIdentity.type field is ram-user, this field is set to the name of the RAM user.

    • If the value of the event.userIdentity.type field is assumed-role, this field is set to a string in the RoleName:RoleSessionName format.

    • If the value of the event.userIdentity.type field is root-account, this field is set to root.

    • If the value of the event.userIdentity.type field is cloudsso-user, this field is set to the name of the CloudSSO user.

    • If the value of the event.userIdentity.type field is saml-user, this field is set to the username of the enterprise-specific identity based on SAML.

    • If the value of the event.userIdentity.type field is alibaba-cloud-account or system, this field is not recorded.

    • If the value of the event.userIdentity.type field is oidc-user, this field is set to the username of the enterprise-specific identity based on OIDC.

    event.userIdentity.sessionContext

    Information about the temporary security token, such as the creation time.