Simple Log Service:Log fields

Field

Description

__topic__

The topic of the log. The value is fixed as actiontrail_audit_event.

event

The event in the JSON format. The content of the event varies based on the event.

event.eventCategory

The category of the event. Valid values: Management, which indicates a management event.

event.additionalEventData

The additional information about the event.

event.eventId

The ID of the event.

event.eventName

The name of the event.

event.eventRW

The read/write type of the event. Valid values:

• Write: indicates a write event.

• Read: indicates a read event.

event.recipientAccountId

The ID of the Alibaba Cloud account that receives audit logs.

event.eventSource

The source of the event.

event.eventTime

The time when the event occurred. The value is displayed in UTC.

event.eventType

The type of the event.

event.eventVersion

The format version of the event. The current version is 1.

event.acsRegion

The region where the event occurred.

event.requestId

The ID of the API request.

event.apiVersion

The version of the API.

event.errorCode

The error code that is returned when an error occurs during the processing of the API request.

event.errorMessage

The error message that is returned when an error occurs during the processing of the API request.

event.serviceName

The name of the Alibaba Cloud service to which the event belongs. Example: VPC.

event.sourceIpAddress

The source IP address of the event.

event.userAgent

The user agent that sends the API request.

event.vpcId

The ID of the recognizable source virtual private cloud (VPC).

event.requestParameters

The input parameters of the API request.

event.requestParameterJson

The JSON-formatted representation of the requestParameters parameter.

event.responseElements

The response parameters of the API request.

event.referencedResources

The resources that are associated with the event.

event.resourceName

The name of the event-associated resource. The name is the unique identifier of the resource.

event.resourceType

The type of the event-associated resource.

event.isGlobal

Indicates whether the event is a global event. Valid values:

• true

• false

event.eventAttributes

The attributes of the event.

event.userIdentity.accessKeyId

The AccessKey ID of the Alibaba Cloud account that initiates the API request.

event.userIdentity.accountId

The ID of the Alibaba Cloud account that initiates the API request.

event.userIdentity.principalId

The ID of the requester. You can confirm the identity of the requester based on the values of this field and the event.userIdentity.type field.

• If the value of the event.userIdentity.type field is root-account, this field is set to the ID of the Alibaba Cloud account.

• If the value of the event.userIdentity.type field is ram-user, this field is set to the ID of the Resource Access Management (RAM) user.

• If the value of the event.userIdentity.type field is assumed-role, this field is set to a string in the RoleID:RoleSessionName format.

• If the value of the event.userIdentity.type field is cloudsso-user, this field is set to the ID of the CloudSSO user.

• Possible value formats if the value of the event.userIdentity.type field is alibaba-cloud-account:

• If the requester uses an Alibaba Cloud account to perform an operation on resources within another Alibaba Cloud account, this field is set to the ID of the Alibaba Cloud account that performed the operation.

• If the requester uses a RAM user to perform an operation on resources within another Alibaba Cloud account, this field is set to the ID of the RAM user.

• If the requester assumes a RAM role to perform an operation on resources within another Alibaba Cloud account, this field is set to a string in the RoleID:RoleSessionName format.

• If the value of the event.userIdentity.type field is saml-user, oidc-user, or system, this field is not recorded.

event.userIdentity.type

The type of the identity. Valid values:

• root-account: indicates an Alibaba Cloud account.

• ram-user: indicates a RAM user.

• assumed-role: indicates a RAM role.

• system: indicates an Alibaba Cloud service.

• cloudsso-user: indicates a CloudSSO user.

• saml-user: indicates an enterprise-specific identity based on Security Assertion Markup Language (SAML).

• alibaba-cloud-account: indicates the identity that is authorized to perform a cross-account operation.

• oidc-user: indicates an enterprise-specific identity based on OpenID Connect (OIDC).

event.userIdentity.userName

The name of the identity.

• If the value of the event.userIdentity.type field is ram-user, this field is set to the name of the RAM user.

• If the value of the event.userIdentity.type field is assumed-role, this field is set to a string in the RoleName:RoleSessionName format.

• If the value of the event.userIdentity.type field is root-account, this field is set to root.

• If the value of the event.userIdentity.type field is cloudsso-user, this field is set to the name of the CloudSSO user.

• If the value of the event.userIdentity.type field is saml-user, this field is set to the username of the enterprise-specific identity based on SAML.

• If the value of the event.userIdentity.type field is alibaba-cloud-account or system, this field is not recorded.

• If the value of the event.userIdentity.type field is oidc-user, this field is set to the username of the enterprise-specific identity based on OIDC.

event.userIdentity.sessionContext

The information about the temporary security token, such as the creation time.